From 9a1de4477613adb5c96da02fc587233518f0aad6 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Mon, 6 May 2024 13:42:38 +0200
Subject: [PATCH] fixup! terraform: add missing policies for AWS ALB

---
 .github/actions/e2e_lb/action.yml | 13 +++++--------
 docs/docs/workflows/lb.md | 15 ++++++++++++---
 2 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/.github/actions/e2e_lb/action.yml b/.github/actions/e2e_lb/action.yml
index 22c6bdc49..1a776e426 100644
--- a/.github/actions/e2e_lb/action.yml
+++ b/.github/actions/e2e_lb/action.yml
@@ -6,7 +6,7 @@ inputs:
 description: "The kubeconfig of the cluster to test." required: true cloudProvider: - description: TODO + description: "The CSP this test runs on. Some tests exercise functionality not supported everywhere." required: false runs:
@@ -21,7 +21,9 @@ runs:
 run: | kubectl apply -f ns.yml kubectl apply -f lb.yml - name: Add AWS Ingress + bazel run //e2e/internal/lb:lb_test + + - name: Test AWS Ingress if: inputs.cloudProvider == 'aws' shell: bash env:
@@ -38,12 +40,7 @@ runs:
 echo "::error::Ingress did not become ready in the alloted time." kubectl describe ing -n lb-test exit 1 - - name: Run test - shell: bash - env: - KUBECONFIG: ${{ inputs.kubeconfig }} - run: | - bazel run //e2e/internal/lb:lb_test + - name: Delete deployment if: always() shell: bash
diff --git a/docs/docs/workflows/lb.md b/docs/docs/workflows/lb.md
index e50e4eb57..01ac1e3fb 100644
--- a/docs/docs/workflows/lb.md
+++ b/docs/docs/workflows/lb.md
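Review bot: The `bazel run //e2e/internal/lb:lb_test` line moved into the apply step now inherits that step's environment instead of the explicit `KUBECONFIG: ${{ inputs.kubeconfig }}` that the deleted `Run test` step carried; the apply step's `env:` block sits above this hunk, so confirm it sets `KUBECONFIG` the same way, otherwise the test silently targets whatever cluster the runner's default kubeconfig points at. The move also runs the test before the `Test AWS Ingress` step waits for the ingress to become ready, which is only correct if `lb_test` exercises just the `LoadBalancer` Service from `lb.yml`; a one-line comment above the bazel line, `# lb_test covers the Service from lb.yml; the ALB ingress is checked in the AWS-only step below`, would record that intent so nobody moves it back. The body of the `Test AWS Ingress` step continues past the end of the hunk.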
@@ -4,9 +4,9 @@ Constellation integrates the native load balancers of each CSP. Therefore, to ex
 ## Internet-facing LB service on AWS
-To expose your application service externally you might want to use a Kubernetes Service of type `LoadBalancer`. On AWS, load-balancing is achieved through the [AWS Load Balancing Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) as in the managed EKS.
+To expose your application service externally you might want to use a Kubernetes Service of type `LoadBalancer`. On AWS, load-balancing is achieved through the [AWS Load Balancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) as in the managed EKS.
-Since recent versions, the controller deploy an internal LB by default requiring to set an annotation `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` to have an internet-facing LB. For more details, see the [official docs](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/service/nlb/).
+Since recent versions, the controller deploy an internal LB by default requiring to set an annotation `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` to have an internet-facing LB. For more details, see the [official docs](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/nlb/).
 For general information on LB with AWS see [Network load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html).
@@ -16,4 +16,13 @@ Before terminating the cluster, all LB backed services should be deleted, so tha
 ## Ingress on AWS
-TODO(burgerdev): document
+The AWS Load Balancer Controller also provisions `Ingress` resources of class `alb`.
+AWS Application Load Balancers (ALBs) can be configured with a [`target-type`](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/#target-type).
+The target type `ip` requires using the EKS container network solution, which makes it incompatible with Constellation.
+If a service can be exposed on a `NodePort`, the target type `instance` can be used.
+
+See [Application load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) for more information.
+
+:::caution
+Ingress handlers backed by AWS ALBs reside outside the Constellation cluster, so they should not be handling sensitive traffic.
+:::