I have set up different Lambdas in AWS, all managed by Terraform. Right now only requests for paths like https://example.com/home or https://example.com/blog are forwarded to the different AWS Lambdas, using Route 53 records and an ALB with different rules. Here is an example for the /home/ path:

resource "aws_route53_record" "dns-record" {
  name    = "example.com"
  zone_id = var.zone_id
  # Route 53 rejects a CNAME at the zone apex, so the apex is pointed at the
  # ALB with an alias A record instead of a CNAME.
  type    = "A"

  alias {
    name                   = aws_lb.alb.dns_name
    zone_id                = aws_lb.alb.zone_id
    evaluate_target_health = true
  }
}

resource "aws_lb" "alb" {
  name = "my-alb..."
  ........
}

resource "aws_lb_listener" "alb-in-443" {
  load_balancer_arn = aws_lb.alb.arn
  port              = "443"
  protocol          = "HTTPS"
  ........

  # Anything that matches no listener rule gets this fixed response.
  default_action {
    type = "fixed-response"

    fixed_response {
      content_type = "text/plain"
      message_body = "Fixed response content"
      status_code  = "200"
    }
  }
}

resource "aws_lb_listener_rule" "home-in-443" {
  listener_arn = aws_lb_listener.alb-in-443.arn
  priority     = 100

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.home-alb-tg.arn
  }

  # Path patterns are case-sensitive; '*' matches zero or more characters.
  condition {
    path_pattern {
      values = ["/home/*"]
    }
  }
}

resource "aws_lb_target_group" "home-alb-tg" {
  name        = "home-alb-tg-lambda"
  target_type = "lambda"
  vpc_id      = data.aws_vpc.vpc.id
}

# Grants elasticloadbalancing.amazonaws.com permission to invoke the function.
resource "aws_lambda_permission" "home-lb-lambda-permission" {
  ......
}

resource "aws_lb_target_group_attachment" "home-alb-tg-attachment" {
  .....
}

So far everything works, but now I need to add an AWS EKS cluster and forward all requests to https://example.com to EKS, while continuing to serve /home or /blog with AWS Lambda. I could create another ALB with the AWS Load Balancer Controller and then forward requests in front of my services with an Ingress resource configured like this:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress-service
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
  labels:
    app: my-app
spec:
  rules:
    - host: "example.com"
      http:
        paths:
          - path: /*
            backend:
              serviceName: my-service
              servicePort: 80

But that ALB would be detached from Route 53, and moreover such a path would conflict with the paths defined in the Terraform load balancer rules described above. On the other hand, I could define all the conditions for all paths (/home, /blog, etc.) in the Ingress config above, but I cannot bind them to Lambda.
So the question is: is such a setup possible, with the main URL served from EKS and different paths served by Lambda? Maybe this could somehow be done with AWS CloudFront?
Posted on 2021-02-26 23:28:11
Well, it looks like this is technically possible with CloudFront; here is the config I used. I created 2 different origins, one pointing to the DNS name of the ALB from k8s and the other pointing to the DNS name of the ALB created with Terraform. The config is as follows:

data "aws_lb" "eks-lb" {
  # We need to get the ALB name created in k8s. This doesn't look good, but we
  # can't specify the ALB name right now.
  name = "k8s-default-appservi-3f93453"
}

resource "aws_cloudfront_distribution" "my-distribution" {
  enabled         = true
  is_ipv6_enabled = true
  aliases         = ["example.com"]

  # Use the DNS name from the EKS ALB here.
  origin {
    domain_name = data.aws_lb.eks-lb.dns_name
    origin_id   = "my-app"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  # Use the DNS name from the "alb" load balancer created in Terraform above.
  origin {
    domain_name = aws_lb.alb.dns_name
    origin_id   = "home"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  # Everything that matches no ordered behavior goes to the EKS origin.
  default_cache_behavior {
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "my-app"

    forwarded_values {
      headers      = ["Host", "Origin"]
      query_string = true

      cookies {
        forward = "all"
      }
    }

    min_ttl                = 0
    default_ttl            = 0
    max_ttl                = 0
    viewer_protocol_policy = "redirect-to-https"
  }

  # /home/* goes to the Terraform ALB in front of the Lambda.
  ordered_cache_behavior {
    path_pattern     = "/home/*"
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "home"

    forwarded_values {
      headers      = ["Host", "Origin"]
      query_string = true

      cookies {
        forward = "all"
      }
    }

    min_ttl                = 0
    default_ttl            = 0
    max_ttl                = 0
    viewer_protocol_policy = "redirect-to-https"
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    # Placeholder for the ACM certificate ARN (CloudFront requires the
    # certificate to live in us-east-1).
    acm_certificate_arn = "cert.arn"
    ssl_support_method  = "sni-only"
  }
}

But I don't like this solution, because the AWS ALB DNS name has to be hardcoded, and we also have k8s resources (the ALB and target groups) that are not managed by Terraform, and these resources remain in the account even if I delete the AWS Load Balancer Controller and the Ingress service (github issue). So maybe a better solution is to switch from the AWS Load Balancer Controller to the previous ingress-nginx with an NLB, and use external-dns to create the DNS record that will be used in the CloudFront config.
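To check where a given path actually lands in the two-layer setup above (CloudFront behaviors in front of the two ALBs), here is an added example; it is not part of the question or the answer. It models the documented wildcard semantics shared by CloudFront `path_pattern` and ALB `path_pattern` (`*` matches zero or more characters, `?` exactly one, matching is case-sensitive, and the first match in listed order / ascending priority wins) and applies them to the patterns from the posted config. The `FIXED_*` variants, the backend names `my-service` and `fixed-response-200`, and the sample paths are assumptions for illustration; the model ignores query strings, URL normalization and the forwarded Host header.

```python
import re
from dataclasses import dataclass
from typing import Sequence, Tuple


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a CloudFront/ALB style path pattern.

    '*' matches zero or more characters, '?' exactly one, everything else is
    literal and the comparison is case-sensitive. Assumption: the query string
    is never part of the matched path.
    """
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$")


def match_path(pattern: str, path: str) -> bool:
    return wildcard_to_regex(pattern).match(path) is not None


@dataclass(frozen=True)
class Behavior:
    """One ordered_cache_behavior block: path_pattern -> target_origin_id."""
    path_pattern: str
    target_origin_id: str


@dataclass(frozen=True)
class ListenerRule:
    """One aws_lb_listener_rule: priority and path_pattern values -> target."""
    priority: int
    path_patterns: Tuple[str, ...]
    target: str


# Constructed from the Terraform in the post: one behavior for /home/* in front
# of the "home" origin, everything else to the EKS origin "my-app".
CLOUDFRONT_BEHAVIORS = [Behavior("/home/*", "home")]
DEFAULT_ORIGIN = "my-app"

# The ALB behind the "home" origin: rule priority 100 for /home/*, otherwise
# the listener's fixed-response default action (name assumed here).
ALB_RULES = [ListenerRule(100, ("/home/*",), "home-alb-tg")]
ALB_DEFAULT = "fixed-response-200"

# Hypothetical corrected config: the bare "/home" pattern added at both layers
# (a second ordered_cache_behavior in CloudFront, a second value in the ALB rule).
FIXED_BEHAVIORS = [Behavior("/home", "home"), Behavior("/home/*", "home")]
FIXED_RULES = [ListenerRule(100, ("/home", "/home/*"), "home-alb-tg")]


def cloudfront_origin(path: str, behaviors: Sequence[Behavior] = CLOUDFRONT_BEHAVIORS) -> str:
    """First matching ordered behavior wins; default_cache_behavior catches the rest."""
    for b in behaviors:
        if match_path(b.path_pattern, path):
            return b.target_origin_id
    return DEFAULT_ORIGIN


def alb_target(path: str, rules: Sequence[ListenerRule] = ALB_RULES) -> str:
    """Listener rules are evaluated in ascending priority, then the default action."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if any(match_path(p, path) for p in rule.path_patterns):
            return rule.target
    return ALB_DEFAULT


def route(path: str, behaviors=CLOUDFRONT_BEHAVIORS, rules=ALB_RULES) -> Tuple[str, str]:
    """Return (CloudFront origin, backend) that ends up serving `path`."""
    origin = cloudfront_origin(path, behaviors)
    if origin == "home":
        return origin, alb_target(path, rules)
    # The EKS ingress rule is "/*", so anything reaching that ALB is served by my-service.
    return origin, "my-service"


if __name__ == "__main__":
    # Sample paths (constructed) showing where each one is served from.
    for p in ["/home", "/home/", "/home/index.html", "/HOME/x", "/homepage", "/blog/post"]:
        print(f"{p:18} -> {route(p)}   with fix: {route(p, FIXED_BEHAVIORS, FIXED_RULES)}")
```

The run surfaces the boundary that matters here: `/home/*` matches `/home/` and `/home/index.html` but not `/home` itself, and neither CloudFront nor the ALB rule matches it, so `https://example.com/home` is served by the EKS origin rather than the Lambda. Uppercase variants and `/homepage` also fall through to the default origin. Adding a separate `/home` pattern at both layers (two ordered behaviors in CloudFront, two values in the ALB rule) closes the gap.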
https://stackoverflow.com/questions/66367651