The latest articles on DEV Community by Hayder Sharhan (@hshar7). https://dev.to/hshar7 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F141404%2F690bf625-b1f4-47d3-8f65-05ff21672a66.jpeg https://dev.to/hshar7 en Hayder Sharhan Fri, 22 Jan 2021 19:34:27 +0000 https://dev.to/hshar7/how-to-get-an-alb-running-with-kops-in-2021-3jke https://dev.to/hshar7/how-to-get-an-alb-running-with-kops-in-2021-3jke <h1> Intro </h1> <p>Yesterday was a painful day because even though the folks who created <a href="https://github.com/kubernetes-sigs/aws-load-balancer-controller">https://github.com/kubernetes-sigs/aws-load-balancer-controller</a> are great developers. They're really shit at <a href="https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/">documenting</a></p> <p>I needed to use an ALB because ELBs don't support automatic http to https upgrades. And they have a ton more features that I'll use in the future. So in this guide I'll show you how to make your ALB do that auto redirect.</p> <h1> Getting your cluster ready </h1> <p>So let me guide you through the bs and save you 8+ hours of trial and error and intense research though github issues.</p> <p>Please keep in mind my kubernetes version is ~1.15 so I need to use some legacy things. You might need to use some more recent configs.</p> <h2> The subnets </h2> <p>You need to make sure you have at least two subnets setup for your kubernetes cluster and these subnets need to be in different availability zones. Take a look at <a href="https://kops.sigs.k8s.io/run_in_existing_vpc/">this</a> for more information but basically you need to do <code>kops edit cluster</code> and make sure your subnets look something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> subnets: - cidr: 172.20.32.0/19 name: us-east-1a type: Public zone: us-east-1a - cidr: 172.20.64.0/19 name: us-east-1b type: Public zone: us-east-1b </code></pre> </div> <p>Then run <code>kops update cluster --yes</code></p> <h2> The extra policies </h2> <p>For aws-load-balancer-controller to run properly, it needs extra policies to be attached to your cluster nodes so it can configure some things for you. To do that first we need to download this file which contains the policy description: <code>curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.1.0/docs/install/iam_policy.json</code></p> <p>Then creating a policy for it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws iam create-policy \ --policy-name AWSLoadBalancerControllerIAMPolicy \ --policy-document file://iam-policy.json </code></pre> </div> <p>Take note of the arn that gets returned.. something that looks like "aws:arn:iam:123456789000:policy:test-policy"</p> <p>Now go edit you cluster again <code>kops edit cluster</code> and attach the policy like so:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>spec: externalPolicies: node: - aws:arn:iam:123456789000:policy:test-policy </code></pre> </div> <p>Now hit it with a <code>kops update cluster --yes</code></p> <h1> Installing dependencies on your cluster </h1> <ul> <li>First you need to install cert manager which will allow you to manage certs for the different services and deployments that we'll be doing: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager-legacy.yaml </code></pre> </div> <ul> <li>Second installing the actual load balancer controller: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>wget https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.1.0/docs/install/v2_1_0_full.yaml </code></pre> </div> <p>open that file and go to where it says --cluster-name= and change it to your cluster's name.</p> <p>save and run <code>kubectl apply -f v2_1_0_full.yaml</code></p> <h1> Configuring the ALB </h1> <p>Make sure you have your deployment looking something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>apiVersion: extensions/v1beta1 kind: Deployment metadata: labels: app: my-app name: my-app-deployment namespace: dev spec: replicas: 2 selector: matchLabels: app.kubernetes.io/name: my-app template: metadata: labels: app.kubernetes.io/name: my-app spec: containers: - image: my-app:latest imagePullPolicy: Always name: my-app ports: - containerPort: 3000 name: app-port protocol: TCP restartPolicy: Always </code></pre> </div> <p>Now you need a service classic LoadBalancer (I think this can be a NodePort instead) to point to this port:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>apiVersion: v1 kind: Service metadata: namespace: dev name: my-app-service spec: ports: - port: 3000 targetPort: 3000 protocol: TCP type: LoadBalancer selector: app.kubernetes.io/name: my-app </code></pre> </div> <p>And the actual ALB ingress:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>apiVersion: extensions/v1beta1 kind: Ingress metadata: annotations: kubernetes.io/ingress.class: alb alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/certificate-arn: YOUR-ARN-CERT-HERE alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]' alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}' name: my-app-alb namespace: dev spec: rules: - http: paths: - path: /* backend: serviceName: ssl-redirect servicePort: use-annotation - path: /* backend: serviceName: my-app-service servicePort: 3000 </code></pre> </div> <p>That's it! Run <code>kubectl -n dev get ingress</code> and go to that address. Enjoy it!</p> kubernetes alb kops aws