LoadBalancer
Truefoundry by default provisions a single external load-balancer for one Kubernetes cluster. This is provisioned automatically by the tfy-istio-ingress helm chart installed by Truefoundry which creates a Kubernetes service of type LoadBalancer
. You can see find the configuration of this service in Deployments > Helm > tfy-istio-ingress (Make sure you are filtering for the desired cluster)
You can click on the three dots to understand the configuration.
If you want to modify any of your load-balancer settings, you will have to edit this configuration according to the guide mentioned below.
Modifying your load balancer configuration
The loadbalancer can be modified using annotations on the gateway object. Below is an example of possible modifications that you can do. To get a complete list of annoations - check here
AWS
gateway:
annotations:
# Denotes that this is a network load balancer. We use NLB so that TCP protocol can also be
# supported. Also, NLB has lower latency and costs than ALB (Application Load Balancer)
service.beta.kubernetes.io/aws-load-balancer-type: nlb
# This is the default setting - It makes the loadbalancer external. If you want to create an internal
# load-balancer, you can remove this annotations
service.beta.kubernetes.io/aws-load-balancer-type: "external"
service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
# Use this only when you want to make the loadbalancer internal. Else remove this annotation
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
# ACM cert arn to attach to the load balancer. If you have your own custom certificate, then you can remove this annotation.
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:XXXXXXX:certificate/XXXXX-XXXXX-XXXXXX
# You can let these settings as it is
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
service.beta.kubernetes.io/aws-load-balancer-alpn-policy: HTTP2Preferred
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
tfyGateway:
name: tfy-wildcard
spec:
servers:
- tls:
httpsRedirect: true
port:
name: http-tfy-wildcard
number: 80
protocol: HTTP
hosts:
- "*"
- port:
name: https-tfy-wildcard
number: 443
protocol: HTTP
hosts:
- "*"
selector:
istio: tfy-istio-ingress
As mentioned above, if you want the loadbalancer to be external, add the following annotation:
service.beta.kubernetes.io/aws-load-balancer-type: "external"
service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
If you want it to be external, the following annotation should be added:
service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
If you convert the load balancer from internal to external or vice-versa, the loadbalancer will be recreated and you will have to remap your DNS.
GCP
The default configuration creates an external load-balancer:
gateway:
tolerations:
- key: "cloud.google.com/gke-spot"
value: "true"
effect: NoSchedule
operator: Equal
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: cloud.google.com/gke-spot
values:
- "true"
operator: In
tfyGateway:
name: 'tfy-wildcard'
spec:
selector:
istio: 'tfy-istio-ingress'
servers:
- hosts:
- "*"
port:
name: http-tfy-wildcard
number: 80
protocol: HTTP
tls:
httpsRedirect: true
- hosts:
- "*"
port:
name: https-tfy-wildcard
number: 443
protocol: HTTP
To make the loadbalancer internal, add the annotation as follows:
gateway:
annotations:
networking.gke.io/load-balancer-type: "Internal"
Azure
The default configuration creates an external load balancer with the below configuration
gateway:
tolerations:
- key: CriticalAddonsOnly
value: "true"
effect: NoSchedule
operator: Equal
tfyGateway:
name: 'tfy-wildcard'
spec:
selector:
istio: 'tfy-istio-ingress'
servers:
- hosts:
- "*"
port:
name: http-tfy-wildcard
number: 80
protocol: HTTP
tls:
httpsRedirect: true
- hosts:
- "*"
port:
name: https-tfy-wildcard
number: 443
protocol: HTTP
To make the load balancer internal
gateway:
annotations:
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
Deploy multiple load balancers
Each installation of tfy-istio-ingress
creates a load balancer. If you want to deploy multiple multiple load-balancers, for e.g. one internal and one external, you can clone the current tfy-istio-ingress
application in the same namespace istio-system
, change the tfyGateway.Name
to something else other then default tfy-wildcard
and update the tfyGateway.spec.Selector
with the new name of the application.
For e.g. if you clone the tfy-istio-ingress
a new application with the name tfy-istio-ingress-1
will be created , update the tfyGateway.Name
to a new name and the tfyGateway.spec.Selector
to
tfyGateway:
spec:
selector:
app: "tfy-istio-ingress-1"
Once the ingress is installed, it will automatically create another loadbalancer whose IP you can get using kubectl get svc -n istio-system
.
Add authentication to all services behind a load balancer
Coming Soon
Updated 9 days ago