Creating an AWS network load balancer with Helm

Kubernetes exposes Services in several ways, for example Ingress, NodePort and LoadBalancer. This post records how to use Helm to install ingress-nginx together with an AWS network load balancer so that traffic is routed to the designated Pods.

There are many vendors of Kubernetes ingress controllers; our services currently use Nginx and Traefik as ingress controllers. Istio service mesh is another well-known option.

Add ingress-nginx repository

First add the ingress-nginx repo to Helm.

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

# show repository list
bash$ helm repo list
NAME                    URL
ingress-nginx           https://kubernetes.github.io/ingress-nginx
stable                  https://charts.helm.sh/stable
prometheus-community    https://prometheus-community.github.io/helm-charts
jetstack                https://charts.jetstack.io

Install ingress-nginx

Install ingress-nginx through Helm; the annotations and config are set in the same command.

annotations: declares at install time that the Service should be provisioned as an AWS network load balancer.

config: settings that go into the Nginx config.

helm install ingress-nginx-nlb ingress-nginx/ingress-nginx -n kube-system \
--set controller.service.annotations."service\.beta\.kubernetes\.io\/aws-load-balancer-type"="nlb" \
--set controller.config."use-proxy-protocol"="true" \
--set controller.config."ssl-redirect"="false"

Because the network load balancer operates at OSI Layer 4, what the ingress receives as the client's real IP is a private IP rather than the client's own address. You can see this in the X-Real-Ip field below.

bash$ curl https://justin.example.com/server | jq
{
  "clientIP": "10.0.75.140",
  "header": {
    "Accept": [
      "*/*"
    ],
    "User-Agent": [
      "curl/7.64.1"
    ],
    "X-Forwarded-For": [
      "10.0.75.140"
    ],
    "X-Forwarded-Host": [
      "justin.example.com"
    ],
    "X-Forwarded-Port": [
      "443"
    ],
    "X-Forwarded-Proto": [
      "https"
    ],
    "X-Forwarded-Scheme": [
      "https"
    ],
    "X-Real-Ip": [
      "10.0.75.140"
    ],
    "X-Request-Id": [
      "8c4991c13d1497362ddb513e02f3c859"
    ],
    "X-Scheme": [
      "https"
    ]
  }
}

To capture the correct real IP, the network load balancer's Proxy protocol v2 feature must be enabled; once that configuration takes effect, the client's real IP is received. You can see this in the X-Real-Ip field below.

bash$ curl https://justin.example.com/server | jq
{
  "clientIP": "1.34.113.121",
  "header": {
    "Accept": [
      "*/*"
    ],
    "User-Agent": [
      "curl/7.64.1"
    ],
    "X-Forwarded-For": [
      "1.34.113.121"
    ],
    "X-Forwarded-Host": [
      "justin.example.com"
    ],
    "X-Forwarded-Port": [
      "443"
    ],
    "X-Forwarded-Proto": [
      "https"
    ],
    "X-Forwarded-Scheme": [
      "https"
    ],
    "X-Real-Ip": [
      "1.34.113.121"
    ],
    "X-Request-Id": [
      "f4c4490b0919271b5e9d5d0a5dc37089"
    ],
    "X-Scheme": [
      "https"
    ]
  }
}
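As an added check that is not part of the original post: the script below parses the kind of /server JSON shown above (the two sample bodies are constructed from the responses in this post) and reports whether X-Real-Ip is a private address, meaning the ingress is still seeing the load balancer rather than the client. The /server endpoint and its response layout are assumed from the post; only the json and ipaddress standard-library modules are used.

```python
import ipaddress
import json

# Constructed sample bodies modelled on the /server responses in this post:
# the first before Proxy protocol v2 is enabled on the NLB, the second after.
BEFORE = json.dumps({"clientIP": "10.0.75.140",
                     "header": {"X-Forwarded-For": ["10.0.75.140"],
                                "X-Real-Ip": ["10.0.75.140"],
                                "X-Forwarded-Proto": ["https"]}})
AFTER = json.dumps({"clientIP": "1.34.113.121",
                    "header": {"X-Forwarded-For": ["1.34.113.121"],
                               "X-Real-Ip": ["1.34.113.121"],
                               "X-Forwarded-Proto": ["https"]}})


def real_ip_status(body: str) -> dict:
    """Parse a /server JSON body and say whether the ingress saw the real client IP.

    A private X-Real-Ip means the ingress only sees the load balancer's address:
    allowlists, rate limits and access logs keyed on client IP are then keyed on
    the NLB, not on the client, so the check reports ok=False in that case.
    """
    doc = json.loads(body)
    headers = doc.get("header", {})
    real_ip = headers.get("X-Real-Ip", [None])[0]
    xff = headers.get("X-Forwarded-For", [None])[0]
    if real_ip is None:
        # No X-Real-Ip at all: the header chain is not set up, treat as failing.
        return {"real_ip": None, "private": None, "consistent": False, "ok": False}
    addr = ipaddress.ip_address(real_ip)
    private = addr.is_private
    # All three client-address fields should agree once proxy protocol is active.
    consistent = (xff == real_ip) and (doc.get("clientIP") == real_ip)
    return {"real_ip": real_ip, "private": private,
            "consistent": consistent, "ok": consistent and not private}


if __name__ == "__main__":
    import sys
    # With a piped body (e.g. curl -s .../server | python3 check.py) inspect
    # that; otherwise walk the two constructed samples.
    if sys.stdin.isatty():
        bodies = {"before": BEFORE, "after": AFTER}
    else:
        bodies = {"stdin": sys.stdin.read()}
    for label, body in bodies.items():
        print(label, real_ip_status(body))
```

A private X-Real-Ip after the Helm install above means Proxy protocol v2 is not yet active on the NLB, and any IP-based allowlist or rate limit in Nginx is applied to the load balancer's address rather than the client's.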