The law of open source: the official docs never install as written
Although Contour can do TLS termination itself, letting an AWS NLB terminate TLS has some benefits:
- Separates transport encryption from traffic routing
- Simplifies certificate management
AWS Network Load Balancer TLS Termination with Contour (projectcontour.io): the official site does have this guide, but the neo-century open-source warrior naturally ran straight into the usual predicament where Unit-01 won't move. (Sep 2021)
This is the official version, which does not work:
apiVersion: v1
kind: Service
metadata:
  name: envoy
  namespace: projectcontour
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-2:185309785115:certificate/7610ed7d-5a81-4ea2-a18a-7ba1606cca3e"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
spec:
  externalTrafficPolicy: Local
  ports:
  - port: 80
    name: http
    protocol: TCP
  selector:
    app: envoy
  type: LoadBalancer
This is the version that works:
apiVersion: v1
kind: Service
metadata:
  name: envoy
  namespace: projectcontour
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-2:185309785115:certificate/7610ed7d-5a81-4ea2-a18a-7ba1606cca3e"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
spec:
  externalTrafficPolicy: Local
  ports:
  - port: 443
    name: https
    protocol: TCP
    targetPort: 8080
  selector:
    app: envoy
  type: LoadBalancer
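As an added example (not code from this post or the Contour project), a small lint that encodes the differences between the two manifests above so the mistakes can be caught before `kubectl apply`: every port in the ssl-ports annotation must exist in spec.ports, each port needs an explicit targetPort, and the scheme should be set explicitly. It takes the dict that `yaml.safe_load()` returns for a manifest; the sample manifests and the ACM ARN below are constructed placeholders.

```python
# Added example (not from the Contour guide or the blog): lint a Service
# manifest for the NLB TLS-termination settings discussed above. Input is
# the dict that yaml.safe_load() returns for the manifest.
ANN = "service.beta.kubernetes.io/aws-load-balancer-"


def check_nlb_tls_service(svc: dict) -> list:
    """Return findings (an empty list means the manifest passes the checks)."""
    findings = []
    ann = svc.get("metadata", {}).get("annotations", {}) or {}
    spec = svc.get("spec", {}) or {}
    if ann.get(ANN + "type") != "nlb":
        findings.append("load-balancer-type is not nlb")
    if spec.get("type") != "LoadBalancer":
        findings.append("spec.type is not LoadBalancer")
    if not str(ann.get(ANN + "ssl-cert", "")).startswith("arn:aws:acm:"):
        findings.append("ssl-cert annotation missing or not an ACM certificate ARN")
    if ANN + "scheme" not in ann:
        findings.append("scheme annotation not set explicitly")
    # ssl-ports is a comma-separated string; every entry must also be a Service
    # port, otherwise no TLS listener is created for it.
    ssl_ports = [p.strip() for p in str(ann.get(ANN + "ssl-ports", "")).split(",") if p.strip()]
    if not ssl_ports:
        findings.append("ssl-ports annotation missing")
    ports = {str(p.get("port")): p for p in spec.get("ports", [])}
    for sp in ssl_ports:
        if sp not in ports:
            findings.append(f"ssl-port {sp} has no entry in spec.ports")
    # Without targetPort, traffic is forwarded to the same port number inside
    # the pod, which is not where Envoy listens (8080 in the working manifest).
    for number, p in ports.items():
        if "targetPort" not in p:
            findings.append(f"port {number} has no targetPort")
    return findings


# Constructed samples mirroring the two manifests in the post; the ARN is a placeholder.
CERT = "arn:aws:acm:us-east-2:123456789012:certificate/PLACEHOLDER"
BASE_ANN = {ANN + "type": "nlb", ANN + "ssl-cert": CERT, ANN + "ssl-ports": "443"}

OFFICIAL = {"metadata": {"annotations": dict(BASE_ANN)},
            "spec": {"type": "LoadBalancer", "externalTrafficPolicy": "Local",
                     "ports": [{"port": 80, "name": "http", "protocol": "TCP"}]}}
WORKING = {"metadata": {"annotations": {**BASE_ANN, ANN + "scheme": "internet-facing"}},
           "spec": {"type": "LoadBalancer", "externalTrafficPolicy": "Local",
                    "ports": [{"port": 443, "name": "https", "protocol": "TCP",
                               "targetPort": 8080}]}}

if __name__ == "__main__":
    for label, svc in (("official", OFFICIAL), ("working", WORKING)):
        print(label, check_nlb_tls_service(svc) or ["ok"])
```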