alb controller, istio

curl -o iam_policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.5.4/docs/install/iam_policy.json

aws iam create-policy \
    --policy-name AWSLoadBalancerControllerIAMPolicy \
    --policy-document file://iam_policy.json

변수 설정 및 aws loadBalancer controller 용 service account 생성

export region=ap-southeast-1
export clusterName=main


eksctl create iamserviceaccount \
  --region ${region} \
  --name aws-load-balancer-controller \
  --namespace kube-system \
  --cluster ${clusterName} \
  --attach-policy-arn <생성한AWSLoadBalancerControllerIAMPolicy arn> \
  --override-existing-serviceaccounts \
  --approve

arn 자동으로 찾아내는 거 추가했는데 검증 필요

export region=ap-southeast-1
echo "Region: ${region}"

export clusterName=main
echo "Cluster Name: ${clusterName}"

export policyArn=$(aws iam create-policy \
 --policy-name AWSLoadBalancerControllerIAMPolicy \
 --policy-document file://iam_policy.json \
 --query 'Policy.Arn' \
 --output text)
echo "Policy ARN: ${policyArn}"

eksctl create iamserviceaccount \
 --region ${region} \
 --name aws-load-balancer-controller \
 --namespace kube-system \
 --cluster ${clusterName} \
 --attach-policy-arn ${policyArn} \
 --override-existing-serviceaccounts \
 --approve

helm 차트 설치 및 업데이트

helm repo add eks https://aws.github.io/eks-charts

helm repo update

helm을 사용해 aws-loadbalancer-controller 설치

helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  --namespace kube-system \
  --set clusterName=${clusterName} \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller

helm 차트 설치 및 업데이트

helm repo add istio https://istio-release.storage.googleapis.com/charts

helm 차트로 istio 설치

helm install istio-base istio/base -n istio-system --create-namespace

helm install istiod istio/istiod -n istio-system

helm install istio-ingressgateway istio/gateway -n istio-system

istio-ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-alb
  namespace: istio-system
  annotations:
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/certificate-arn: 
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    kubernetes.io/ingress.class: alb
spec:
  rules:
  - http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 80
  - http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 443

alb.ingress.kubernetes.io/certificate-arn 변수 처리 만들었는데 검증 필요

export DOMAIN_NAME="meiko.co.kr"
export CERT_ARN=$(aws acm list-certificates --query "CertificateSummaryList[?DomainName=='${DOMAIN_NAME}'].CertificateArn" --output text)
echo "Certificate ARN for domain ${DOMAIN_NAME}: ${CERT_ARN}"

cat <<EOF > ingress-alb.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-alb
  namespace: istio-system
  annotations:
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/certificate-arn: ${CERT_ARN}
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    kubernetes.io/ingress.class: alb
spec:
  rules:
  - http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 80
  - http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 443
EOF

Ingress 적용을 통해 application LoadBalancer 적용

kubectl apply -f ingress-alb.yaml

service의 Type을 NodePort로 변경하여 nlb 속성 제거

helm upgrade istio-ingressgateway istio/gateway -n istio-system --set service.type=NodePort

aws Route53

레코드 이름 입력 > 레코드 유형 A 레코드 >

별칭 toggle 활성화 > Application/Classic LoadBalancer 에 대한 별칭 선택 > 리전 선택 (싱가폴) > 클러스터에 할당된 ALB 선택

후에 [레코드 생성] 버튼 클릭

레코드 이름: *.{#1에서 등록한 레코드} 입력 > 레코드 유형 CNAME > 값 : {#1에서 등록한 레코드} 등록

Previouseks provisioning NextEFS

Last updated 1 year ago

Was this helpful?