This is an automated email from the ASF dual-hosted git repository.

dgrove pushed a commit to branch master
in repository 
https://gitbox.apache.org/repos/asf/incubator-openwhisk-deploy-kube.git


The following commit(s) were added to refs/heads/master by this push:
     new d6b394f  ingress instructions for deploying on AWS EKS (#306)
d6b394f is described below

commit d6b394f18d4ff81630b5accdde2323fa841644d4
Author: David Grove <[email protected]>
AuthorDate: Tue Oct 9 17:18:34 2018 -0400

    ingress instructions for deploying on AWS EKS (#306)
---
 docs/ingress.md                                 | 59 +++++++++++++++++++++++++
 helm/openwhisk/templates/NOTES.txt              |  7 +++
 helm/openwhisk/templates/clusterConfigMaps.yaml | 10 +++++
 helm/openwhisk/templates/nginx.yaml             |  4 +-
 helm/openwhisk/templates/nginxConfigMap.yaml    |  7 ++-
 helm/openwhisk/templates/nginxSecret.yaml       |  4 +-
 6 files changed, 86 insertions(+), 5 deletions(-)

diff --git a/docs/ingress.md b/docs/ingress.md
index c7ec209..c358651 100644
--- a/docs/ingress.md
+++ b/docs/ingress.md
@@ -247,3 +247,62 @@ whisk:
 
 Please submit Pull Requests with instructions for configuing the
 `standard` ingress for other cloud providers.
+
+# LoadBalancer
+
+AWS's Elastic Kubernetes Service (EKS) does not support the standard
+ingress type.  Instead, it relies on provisioning Elastic Load
+Balancers (ELBs) outside of the EKS cluster to direct traffic to
+exposed services running in the cluster.  Because the `wsk` cli
+expects be able to use TLS to communicate securely with the OpenWhisk
+server, you will first need to ensure that you have a certificate
+available for your ELB instance to use in AWS's IAM service. For
+development and testing purposes, you can use a self-signed
+certificate (for example the `openwhisk-server-cert.pem` and
+`openwhisk-server-key.pem` that are generated when you build OpenWhisk
+from source and can be found in the
+`$OPENWHISK_HOME/ansible/roles/nginx/files` directory. Upload these to
+IAM using the aws cli:
+```shell
+aws iam upload-server-certificate --server-certificate-name ow-self-signed 
--certificate-body file://openwhisk-server-cert.pem --private-key 
file://openwhisk-server-key.pem
+```
+Verify that the upload was successful by using the command:
+```shell
+aws iam list-server-certificates
+```
+A typical output would be as shown below
+```
+{
+    "ServerCertificateMetadataList": [
+        {
+            "ServerCertificateId": "ASCAJ4HPCCVA65ZHD5TFQ",
+            "ServerCertificateName": "ow-self-signed",
+            "Expiration": "2019-10-01T20:50:02Z",
+            "Path": "/",
+            "Arn": 
"arn:aws:iam::12345678901:server-certificate/ow-self-signed",
+            "UploadDate": "2018-10-01T21:27:47Z"
+        }
+    ]
+}
+```
+Add the following to your mycluster.yaml, using your certificate's Arn
+instead of the example one:
+```yaml
+whisk:
+  ingress:
+    type: LoadBalancer
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
+      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: 
arn:aws:iam::12345678901:server-certificate/ow-self-signed
+```
+
+Shortly after you deploy your helm chart, an ELB should be
+automatically created. You will can determine its hostname by issuing
+the command `kubectl get services  -o wide`. Use the value in the
+the EXTERNAL-IP column for the nginx service and port 443 to define
+your wsk apihost.
+
+NOTE: It may take several minutes after the ELB is reported as being
+available before the hostname is actually properly registered in DNS.
+Be patient and keep trying until you stop getting `no such host`
+errors from `wsk` when attempting to access it.
diff --git a/helm/openwhisk/templates/NOTES.txt 
b/helm/openwhisk/templates/NOTES.txt
index 95007e4..724589c 100644
--- a/helm/openwhisk/templates/NOTES.txt
+++ b/helm/openwhisk/templates/NOTES.txt
@@ -7,8 +7,15 @@ This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).
 
 To configure your wsk cli to connect to it, set the apihost property
+{{- if eq .Values.whisk.ingress.type "LoadBalancer" }}
+by running the command `kubectl get services  -o wide` and
+use the hostname of the `EXTERNAL-IP` of the {{ .Values.nginx.name }} service
+and port 443 in the command below:
+$ wsk property set --apihost NGINX_SERVICE_EXTERNAL_IP:443
+{{- else }}
 using the command below:
   $ wsk property set --apihost {{ .Values.whisk.ingress.api_host_name -}}:{{- 
.Values.whisk.ingress.api_host_port }}
+{{- end }}
 
 Your release is named {{ .Release.Name }}.
 
diff --git a/helm/openwhisk/templates/clusterConfigMaps.yaml 
b/helm/openwhisk/templates/clusterConfigMaps.yaml
index 1957479..49a5457 100644
--- a/helm/openwhisk/templates/clusterConfigMaps.yaml
+++ b/helm/openwhisk/templates/clusterConfigMaps.yaml
@@ -4,9 +4,11 @@
 # There are some variables that a user must define for their deployment.
 # Check for those values here and attempt to give helpful error messages.
 #
+{{- if ne .Values.whisk.ingress.type "LoadBalancer" }}
 # whisk.ingress.type is {{ required "You must provide a value for 
whisk.ingress.type (See docs/ingress.md)" .Values.whisk.ingress.type }}
 # whisk.ingress.api_host_name is {{ required "You must provide a value for 
whisk.ingress.api_host_name (See docs/ingress.md)" 
.Values.whisk.ingress.api_host_name }}
 # whisk.ingress.api_host_port is {{ required "You must provide a value for 
whisk.ingress.api_host_port (See docs/ingress.md)" 
.Values.whisk.ingress.api_host_port }}
+{{- end }}
 
 ---
 apiVersion: v1
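Review bot: The `required` check for `whisk.ingress.type` now sits inside `{{- if ne .Values.whisk.ingress.type "LoadBalancer" }}`, so the value is compared before it is validated. If the key is missing, the failure may come from the comparison itself (depending on the template engine version) rather than from the helpful message. In LoadBalancer mode none of the three checks run at all. I would move the `whisk.ingress.type` line above the `if` and leave only the `api_host_name` and `api_host_port` checks conditional.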
@@ -19,11 +21,19 @@ data:
   whisk_info_buildNo: {{ .Values.whisk.versions.tag | quote }}
   whisk_cli_version_tag: {{ .Values.whisk.versions.cli | quote }}
   whisk_system_namespace: {{ .Values.whisk.systemNameSpace | quote }}
+{{- if eq .Values.whisk.ingress.type "LoadBalancer" }}
+  whisk_api_host_proto: "https"
+  whisk_api_host_port: {{ .Values.nginx.httpsPort | quote }}
+  whisk_api_host_name: "{{ .Values.nginx.name }}.{{ .Release.Namespace 
}}.svc.{{ .Values.k8s.domain }}"
+  whisk_api_host_nameAndPort: "{{ .Values.nginx.name }}.{{ .Release.Namespace 
}}.svc.{{ .Values.k8s.domain }}:{{ .Values.nginx.httpsPort }}"
+  whisk_api_host_url: "https://{{ .Values.nginx.name }}.{{ .Release.Namespace 
}}.svc.{{ .Values.k8s.domain }}:{{ .Values.nginx.httpsPort }}"
+{{- else }}
   whisk_api_host_proto: {{ .Values.whisk.ingress.api_host_proto | quote }}
   whisk_api_host_port: {{ .Values.whisk.ingress.api_host_port | quote }}
   whisk_api_host_name: {{ .Values.whisk.ingress.api_host_name | quote }}
   whisk_api_host_nameAndPort: "{{ .Values.whisk.ingress.api_host_name }}:{{ 
.Values.whisk.ingress.api_host_port }}"
   whisk_api_host_url: "{{ .Values.whisk.ingress.api_host_proto }}://{{ 
.Values.whisk.ingress.api_host_name }}:{{ .Values.whisk.ingress.api_host_port 
}}"
+{{- end }}
 
 ---
 apiVersion: v1
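Review bot: In the LoadBalancer branch every `whisk_api_host_*` value points at `https://` plus the nginx service's in-cluster FQDN, but nothing in this change shows that the certificate served by nginx is issued for that name. If it is not, in-cluster callers either fail the handshake or must run with verification off; which applies is not visible here. A comment above `whisk_api_host_proto: "https"` would record the requirement, e.g. `# nginx certificate must cover this service FQDN, or callers must be configured to trust it explicitly`. The same FQDN expression is written three times and could be a single named template. The `data:` mapping starts outside the hunk.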
diff --git a/helm/openwhisk/templates/nginx.yaml 
b/helm/openwhisk/templates/nginx.yaml
index 562ef7e..ef93432 100644
--- a/helm/openwhisk/templates/nginx.yaml
+++ b/helm/openwhisk/templates/nginx.yaml
@@ -9,7 +9,9 @@ metadata:
   labels:
     name: {{ .Values.nginx.name | quote }}
 spec:
-  {{- if .Values.nginx.httpsNodePort }}
+  {{- if eq .Values.whisk.ingress.type "LoadBalancer" }}
+  type: LoadBalancer
+  {{- else if .Values.nginx.httpsNodePort }}
   type: NodePort
   {{- end }}
   selector:
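Review bot: The new `type: LoadBalancer` branch publishes the nginx Service through a cloud load balancer, but the hunk gives the operator no way to set `loadBalancerSourceRanges`. Who can reach the API is therefore left to provider defaults and to annotations, whose rendering is not visible in this hunk. I would add an optional block after `type: LoadBalancer`, for example `{{- with .Values.whisk.ingress.loadBalancerSourceRanges }}` / `loadBalancerSourceRanges: {{ toJson . }}` / `{{- end }}`; the values key is a suggested new one. The `spec:` block continues outside the hunk.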
diff --git a/helm/openwhisk/templates/nginxConfigMap.yaml 
b/helm/openwhisk/templates/nginxConfigMap.yaml
index 5246a8a..b25140a 100644
--- a/helm/openwhisk/templates/nginxConfigMap.yaml
+++ b/helm/openwhisk/templates/nginxConfigMap.yaml
@@ -29,6 +29,9 @@ data:
       proxy_set_header Connection "";
 
       server {
+{{- if eq .Values.whisk.ingress.type "LoadBalancer" }}
+        listen 80;
+{{- end }}
         listen 443 default ssl;
 
         # match namespace, note while OpenWhisk allows a richer character set 
for a
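Review bot: The added `listen 80;` puts a cleartext listener on the same `server` block that serves the API over TLS, so any path that reaches port 80 on the pod carries authorization headers unencrypted. Presumably it exists so that a TLS-terminating load balancer can forward plain HTTP, but the hunk neither says so nor limits who can connect. I would add a comment above it, such as `# plain HTTP only for a TLS-terminating load balancer; port 80 must not be published to clients`. It is also worth checking that the Service does not map an external listener to that port. The `server` block continues past the end of the hunk.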
@@ -50,11 +53,11 @@ data:
         # Hack to convince nginx to dynamically resolve the dns entries.
         resolver kube-dns.kube-system;
         set $controllers {{ include "controller_host" . }};
-{{- if eq .Values.whisk.ingress.type "NodePort" }}
+{{- if or (eq .Values.whisk.ingress.type "NodePort") (eq 
.Values.whisk.ingress.type "LoadBalancer") }}
         set $apigw {{ include "apigw_host" . }};
 {{- end }}
 
-{{- if eq .Values.whisk.ingress.type "NodePort" }}
+{{- if or (eq .Values.whisk.ingress.type "NodePort") (eq 
.Values.whisk.ingress.type "LoadBalancer") }}
         location /api/v1/web {
             if ($namespace) {
                 rewrite    /(.*) /api/v1/web/${namespace}/$1 break;
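Review bot: The condition `or (eq .Values.whisk.ingress.type "NodePort") (eq .Values.whisk.ingress.type "LoadBalancer")` is now written out twice on consecutive blocks, so the next ingress type added will need both edited in step. Since the two blocks are adjacent and guarded identically, they could be merged by dropping the first `{{- end }}` and the second `{{- if … }}`. The second block's closing `end` is outside the hunk, so this should be checked against the full file.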
diff --git a/helm/openwhisk/templates/nginxSecret.yaml 
b/helm/openwhisk/templates/nginxSecret.yaml
index 48f563a..20b0c26 100644
--- a/helm/openwhisk/templates/nginxSecret.yaml
+++ b/helm/openwhisk/templates/nginxSecret.yaml
@@ -8,5 +8,5 @@ metadata:
   namespace: {{ .Release.Namespace | quote }}
 type: tls
 data:
-  tls.crt: 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMrekNDQWVPZ0F3SUJBZ0lKQU1IQ0FaQk1LRmxxTUEwR0NTcUdTSWIzRFFFQkN3VUFNQlF4RWpBUUJnTlYKQkFNTUNXeHZZMkZzYUc5emREQWVGdzB4TnpBNE1UWXdOek0yTXpKYUZ3MHhPREE0TVRZd056TTJNekphTUJReApFakFRQmdOVkJBTU1DV3h2WTJGc2FHOXpkRENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DCmdnRUJBUHVrZndBbjZXb0xBTWNqSnpQemR2NGlPQ1g5bHR4cVpGeEFjUHhBS1BQcE16dWJnOG1ObjhZWllzQ3oKbjRTUjdRYndZK0RTRHVsczZaekRxaGdpa1hDOUs1L2doRm9zS1FaY0gzVERSSUNsS2ZDeFdlb04xc0tEQ1RCdQpia2YzRkNqL
 [...]
-  tls.key: 
LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRRDdwSDhBSitscUN3REgKSXljejgzYitJamdsL1piY2FtUmNRSEQ4UUNqejZUTTdtNFBKalovR0dXTEFzNStFa2UwRzhHUGcwZzdwYk9tYwp3Nm9ZSXBGd3ZTdWY0SVJhTENrR1hCOTB3MFNBcFNud3NWbnFEZGJDZ3drd2JtNUg5eFFvL3hnRVc4U3pOdDdmCjlmM2FQNE5UZmtMOWNlRnYzb3VYNkpGOU9iVEtteXE3T3ZMdTBzaFlSV2pPdHJ6NjEzckVRMStaeFZjc3lZNGUKd0pjNUkxUmpJcHZUWmRvWjl4aC9sZVJKTDdrOC9Ob0ZkQTJNUFBBRnFLRGpmR3JpbzRrUGVVR0FYUnBFeGxPNApDWXpYYXNZd
 [...]
+  tls.crt: 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURLakNDQWhJQ0NRQ3JWVW52eWpMdHpEQU5CZ2txaGtpRzl3MEJBUVVGQURCWE1Rc3dDUVlEVlFRR0V3SlYKVXpFTE1Ba0dBMVVFQ0F3Q1Rsa3hFVEFQQmdOVkJBY01DRmx2Y210MGIzZHVNUkl3RUFZRFZRUUtEQWxQY0dWdQpWMmhwYzJzeEZEQVNCZ05WQkFNTUN5b3ViRzlqWVd4b2IzTjBNQjRYRFRFNE1UQXdNVEl3TlRBd01sb1hEVEU1Ck1UQXdNVEl3TlRBd01sb3dWekVMTUFrR0ExVUVCaE1DVlZNeEN6QUpCZ05WQkFnTUFrNVpNUkV3RHdZRFZRUUgKREFoWmIzSnJkRzkzYmpFU01CQUdBMVVFQ2d3SlQzQmxibGRvYVhOck1SUXdFZ1lEVlFRRERBc3FMbXh2WTJGcwphRzl6ZERDQ
 [...]
+  tls.key: 
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBMVhrMTZjYXFBZGNmM05JVFZjRnNxWEhjZVFmMTBsUGpsS1Q1RGcrYmJKUHdTKzlwCnFBc1lPbTB2TFA0RjcyUzcvQTlJZmdNc2t5VWJSc3VtSmx4U3pSNUplNG9iTVZRUUNCQjVmejkwUnpLZGFxSXMKclpkd2htb0JmcjlWZFVxT0pqY1VQZTBUTzJGVzdRSE8wcFAxV3dJUUJmdjI5bjFpdGtpTGxNWk9KZ05TV2NtRgpZN0hnai83V0RNK3dNL1hXdzlsS0NGM0o5R3NYczluQTcwQWxmLytidmxiUGZTVmdLM1Q0c0ljQlpsMWIrT3ZLCnMrMzR6cjJ4R2pXN1pidjFTK01XbEcvMzQyYkVsRm9UcStOMUtnUkxIMXJUUGRIWmZZL3FoM2hZZUJONDE2eEIKb1E3M
 [...]
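Review bot: The TLS private key is still stored in the chart template as a literal `tls.key`, so every install serves the same key, readable by anyone with access to the repository; swapping one embedded pair for another does not change that. Unless the secret is replaced at deploy time, TLS to this nginx should not be relied on for confidentiality or server authentication. Consider taking both values from the user, for example `tls.key: {{ required "provide an nginx TLS key" .Values.nginx.tlsKey | b64enc }}` (the values key is a suggestion), or generating a pair at install time with Helm's `genSelfSignedCert`. The base64 bodies are truncated in this view, so the certificate's subject and lifetime were not checked.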
