All articles tagged kubernetes

Kustomize replacement on annotations

The trick with fieldPaths is that an annotation key containing dots has to be wrapped in square brackets so it becomes a single path segment: metadata.annotations.[external-dns.alpha.kubernetes.io/hostname]

NOT metadata.annotations.external-dns.alpha.kubernetes.io/hostname (every dot in the key is read as a path separator)
NOT metadata.annotations[external-dns.alpha.kubernetes.io/hostname] (the bracketed key must be its own segment, after a dot)
NOT metadata.annotations.external-dns\.alpha.\kubernetes\.io/hostname (backslash escapes are not recognised)

Version:kustomize/v4.4.0 GitCommit:63ec6bdb3d737a7c66901828c5743656c49b60e1

cat parameters.env

FQDN=host.domain.tld

cat ingress.yaml

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  ports:
    - name: "8000"
      port: 8000
  type: NodePort
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: "my-service-ingress"
  annotations:
    # left empty on purpose: the replacement in kustomization.yaml fills it from parameters.env
    external-dns.alpha.kubernetes.io/hostname:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    # this policy still allows TLS 1.1; for an internet-facing listener prefer a TLS 1.2+ policy such as ELBSecurityPolicy-TLS13-1-2-2021-06
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01
    alb.ingress.kubernetes.io/healthcheck-port: traffic-port
spec:
  rules:
    - host:   # also left empty; filled by the same replacement
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 8000

cat kustomization.yaml

resources:
- ingress.yaml
configMapGenerator:
- name: parameters   # name is illustrative; the source below selects by kind only
  envs:
  - parameters.env
replacements:
- source:
    kind: ConfigMap
    fieldPath: data.FQDN
  targets:
  - select:
      kind: Ingress
      name: my-service-ingress
    fieldPaths:
      - spec.rules.0.host
      - metadata.annotations.[external-dns.alpha.kubernetes.io/hostname]
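To make the path grammar tangible, here is an added toy re-implementation of how a kustomize replacement resolves fieldPaths (dots separate segments, a [...] segment keeps its dots, a number indexes a list, [key=value] selects a list element) and copies the source value into each target. It is not kustomize's own code, it ignores options such as create, and the ConfigMap/Ingress dicts are constructed from this page's parameters.env and ingress.yaml (the ConfigMap name is made up). It shows the bracketed spelling landing on the annotation while the three NOT spellings fail to resolve.

```python
"""Illustrative re-implementation of the kustomize replacement fieldPath grammar.
Not kustomize's own code; manifests constructed from this page's files."""
import copy
from typing import Any, Dict, List


def split_field_path(path: str) -> List[str]:
    """Split on dots, but keep a [...] segment whole so a key such as
    external-dns.alpha.kubernetes.io/hostname survives as one piece.
    A '[' that does not open a segment is an ordinary character, which is
    why 'annotations[key]' (no dot before the bracket) goes nowhere."""
    segments: List[str] = []
    buf, in_bracket = "", False
    for ch in path:
        if ch == "[" and not in_bracket and buf == "":
            in_bracket = True
        elif ch == "]" and in_bracket:
            in_bracket = False
        elif ch == "." and not in_bracket:
            segments.append(buf)
            buf = ""
        else:
            buf += ch
    segments.append(buf)
    return segments


def step_into(node: Any, seg: str) -> Any:
    """Descend one segment: list index, [key=value] list selector, or map key."""
    if isinstance(node, list):
        if "=" in seg:  # e.g. [name=envoy] picks the element whose name is envoy
            key, _, want = seg.partition("=")
            for item in node:
                if isinstance(item, dict) and str(item.get(key)) == want:
                    return item
            raise KeyError(seg)
        return node[int(seg)]
    if isinstance(node, dict) and seg in node:
        return node[seg]
    raise KeyError(seg)


def resolve(doc: Any, path: str) -> Any:
    for seg in split_field_path(path):
        doc = step_into(doc, seg)
    return doc


def set_field(doc: Dict[str, Any], path: str, value: Any) -> None:
    """Overwrite an existing field only: a target field that does not exist
    is an error here, not silently created."""
    segs = split_field_path(path)
    parent: Any = doc
    for seg in segs[:-1]:
        parent = step_into(parent, seg)
    last = segs[-1]
    if isinstance(parent, list):
        parent[int(last)] = value
    elif isinstance(parent, dict) and last in parent:
        parent[last] = value
    else:
        raise KeyError(last)


def apply_replacement(source: Any, source_path: str,
                      target: Dict[str, Any], target_paths: List[str]) -> Dict[str, Any]:
    """One entry of a 'replacements' list: copy the source field into every target path."""
    value = resolve(source, source_path)
    out = copy.deepcopy(target)
    for p in target_paths:
        set_field(out, p, value)
    return out


HOSTNAME_KEY = "external-dns.alpha.kubernetes.io/hostname"
# Constructed from parameters.env (ConfigMap name is illustrative) and ingress.yaml
CONFIGMAP = {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "parameters"},
             "data": {"FQDN": "host.domain.tld"}}
INGRESS = {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
           "metadata": {"name": "my-service-ingress",
                        "annotations": {HOSTNAME_KEY: None, "kubernetes.io/ingress.class": "alb"}},
           "spec": {"rules": [{"host": None, "http": {"paths": [{"path": "/", "pathType": "Prefix",
                    "backend": {"service": {"name": "my-service", "port": {"number": 8000}}}}]}}]}}

GOOD_PATH = "metadata.annotations.[external-dns.alpha.kubernetes.io/hostname]"
BAD_PATHS = [  # the three spellings the text says do NOT work
    "metadata.annotations.external-dns.alpha.kubernetes.io/hostname",
    "metadata.annotations[external-dns.alpha.kubernetes.io/hostname]",
    "metadata.annotations.external-dns\\.alpha.\\kubernetes\\.io/hostname",
]


def rendered_ingress() -> Dict[str, Any]:
    """The Ingress as the replacement above would emit it."""
    return apply_replacement(CONFIGMAP, "data.FQDN", INGRESS, ["spec.rules.0.host", GOOD_PATH])


def rejected_paths() -> List[str]:
    """Which of the NOT spellings fail to resolve against the Ingress."""
    bad = []
    for p in BAD_PATHS:
        try:
            resolve(INGRESS, p)
        except KeyError:
            bad.append(p)
    return bad
```

rendered_ingress() returns a copy with both spec.rules.0.host and the external-dns annotation set to host.domain.tld, and rejected_paths() returns all three NOT spellings, which is the behaviour the kustomize version quoted above exhibits.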

TLS Termination on AWS NLB to avoid managing certs in contour

Law of open source: the official docs never work as written

Contour can terminate TLS itself, but terminating TLS on the AWS NLB has some advantages:

  • it separates transport encryption from traffic routing
  • it simplifies certificate management (the certificate lives in ACM instead of in a Kubernetes Secret)

AWS Network Load Balancer TLS Termination with Contour (projectcontour.io): the official site does have this article, but the new-generation open-source warrior naturally runs into the usual predicament of Unit-01 refusing to start. (Sep 2021)

This is the official version, which does not work: ssl-ports asks the NLB to terminate TLS on 443, but the Service only exposes port 80, so no TLS listener is ever created and https connections have nothing to reach.

apiVersion: v1
kind: Service
metadata:
  name: envoy
  namespace: projectcontour
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-2:185309785115:certificate/7610ed7d-5a81-4ea2-a18a-7ba1606cca3e"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
spec:
  externalTrafficPolicy: Local
  ports:
  - port: 80
    name: http
    protocol: TCP
  selector:
    app: envoy
  type: LoadBalancer

This is the version that works. The NLB now has a 443 listener that terminates TLS with the ACM certificate and forwards the decrypted traffic to Envoy's plaintext HTTP listener (targetPort 8080). The aws-load-balancer-scheme annotation comes from the AWS Load Balancer Controller, whose default scheme is internal, so it is needed when that controller reconciles the Service (the legacy in-tree provider ignores it and defaults to internet-facing). Two consequences to keep in mind: the NLB-to-node hop is plain HTTP inside the VPC, and Envoy never sees TLS, so an HTTPProxy that enables TLS for the same virtual host will make Contour answer this plaintext traffic with its HTTP-to-HTTPS redirect (leave TLS out of the HTTPProxy, or set permitInsecure: true on its routes).

apiVersion: v1
kind: Service
metadata:
  name: envoy
  namespace: projectcontour
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-2:185309785115:certificate/7610ed7d-5a81-4ea2-a18a-7ba1606cca3e"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
spec:
  externalTrafficPolicy: Local
  ports:
  - port: 443
    name: https
    protocol: TCP
    targetPort: 8080
  selector:
    app: envoy
  type: LoadBalancer
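As an added check (not Contour's or Kubernetes' code), the following linter encodes the difference between the two manifests above: every port named in aws-load-balancer-ssl-ports must actually be exposed in spec.ports, a TLS-terminated port should target Envoy's plaintext listener rather than its TLS listener, and the type/ssl-cert annotations must be present at all. The Envoy port numbers 8080 and 8443 are an assumption based on Contour's stock deployment, and the two Service dicts are constructed from the manifests above.

```python
"""Lint a Service manifest for the NLB TLS-termination pitfalls discussed above.
Added illustration, not Contour's or Kubernetes' code."""
from typing import Any, Dict, List, Optional

ANN = "service.beta.kubernetes.io/aws-load-balancer-"
# Assumption: Contour's stock Envoy listeners, plaintext on 8080 and TLS on 8443.
ENVOY_HTTP_PORT, ENVOY_HTTPS_PORT = 8080, 8443


def lint_nlb_tls_service(svc: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the manifest passes."""
    findings: List[str] = []
    ann = svc.get("metadata", {}).get("annotations") or {}
    spec = svc.get("spec", {})
    ports = spec.get("ports", [])
    if spec.get("type") != "LoadBalancer":
        findings.append("spec.type is not LoadBalancer, so no NLB is provisioned")
    if ann.get(ANN + "type") != "nlb":
        findings.append("aws-load-balancer-type is not nlb; the in-tree provider would build a classic ELB")
    if not ann.get(ANN + "ssl-cert"):
        findings.append("no aws-load-balancer-ssl-cert: the NLB passes TCP through and terminates no TLS")
        return findings
    # Ports may be referenced by number or by name in ssl-ports.
    exposed = {str(p.get("port")) for p in ports} | {p["name"] for p in ports if p.get("name")}
    ssl_ports = ann.get(ANN + "ssl-ports")
    if ssl_ports is None:
        wanted = set(exposed)  # without ssl-ports, every listener gets the certificate
    else:
        wanted = {s.strip() for s in ssl_ports.split(",")}
        for w in sorted(wanted - exposed):
            findings.append(f"ssl-ports lists {w!r} but spec.ports exposes only "
                            f"{sorted(exposed)}; no TLS listener is created")
    for p in ports:
        if str(p.get("port")) in wanted or p.get("name") in wanted:
            target = p.get("targetPort", p.get("port"))
            if target == ENVOY_HTTPS_PORT:
                findings.append(f"port {p['port']} is decrypted at the NLB but targets Envoy's TLS "
                                f"listener {ENVOY_HTTPS_PORT}; use the plaintext listener {ENVOY_HTTP_PORT}")
    return findings


# Constructed from the two manifests above.
CERT_ARN = "arn:aws:acm:us-east-2:185309785115:certificate/7610ed7d-5a81-4ea2-a18a-7ba1606cca3e"


def envoy_service(ports: List[Dict[str, Any]],
                  extra_ann: Optional[Dict[str, str]] = None) -> Dict[str, Any]:
    ann = {ANN + "type": "nlb", ANN + "ssl-cert": CERT_ARN, ANN + "ssl-ports": "443"}
    ann.update(extra_ann or {})
    return {"apiVersion": "v1", "kind": "Service",
            "metadata": {"name": "envoy", "namespace": "projectcontour", "annotations": ann},
            "spec": {"externalTrafficPolicy": "Local", "ports": ports,
                     "selector": {"app": "envoy"}, "type": "LoadBalancer"}}


OFFICIAL_SERVICE = envoy_service([{"port": 80, "name": "http", "protocol": "TCP"}])
WORKING_SERVICE = envoy_service(
    [{"port": 443, "name": "https", "protocol": "TCP", "targetPort": 8080}],
    {ANN + "scheme": "internet-facing"})

if __name__ == "__main__":
    for label, svc in (("official", OFFICIAL_SERVICE), ("working", WORKING_SERVICE)):
        print(label, lint_nlb_tls_service(svc) or "ok")
```

Run against the page's manifests, the official one yields a single finding (ssl-ports names 443 but only 80/http is exposed) and the working one yields none; pointing the 443 port at 8443 instead of 8080 is also caught.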