IAM role 생성
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::${account_number}:oidc-provider/oidc.eks.${region}.amazonaws.com/id/${oidc}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.${region}.amazonaws.com/id/${oidc}:sub": "system:serviceaccount:ack-system:ack-apigatewayv2-controller",
"oidc.eks.${region}.amazonaws.com/id/${oidc}:aud": "sts.amazonaws.com"
}
}
}
]
}
Install
공식-깃허브
공식 튜토리얼
# Namespace for the controller. Its name is part of the IAM trust policy's
# ":sub" condition (system:serviceaccount:ack-system:ack-apigatewayv2-controller),
# so the namespace, the values.yaml service account name and the trust policy
# must stay in sync.
kubectl create namespace ack-system
# Log Helm in to the public ECR registry; the token is passed over stdin rather
# than as a command-line argument.
aws ecr-public get-login-password --region us-east-1 \
  | helm registry login public.ecr.aws --username AWS --password-stdin
# Install a pinned chart version with the values shown below.
helm install ack-apigw-controller \
  oci://public.ecr.aws/aws-controllers-k8s/apigatewayv2-chart \
  --namespace ack-system \
  --version v0.0.2 \
  -f values.yaml
cat values.yaml
# Values for the ack-apigatewayv2-controller Helm chart.
# Passed to the chart with `helm install ... -f values.yaml`.
image:
  repository: public.ecr.aws/aws-controllers-k8s/controller
  # Controller image tag; matches the chart version installed above.
  tag: apigatewayv2-v0.0.2
  pullPolicy: IfNotPresent
  pullSecrets: []
nameOverride: ''
fullnameOverride: ''
deployment:
  annotations: {}
  labels: {}
  containerPort: 8080
resources:
  requests:
    memory: '64Mi'
    cpu: '50m'
  limits:
    memory: '128Mi'
    cpu: '100m'
aws:
  # Region used for the controller's AWS API calls.
  region: 'us-east-1'
serviceAccount:
  # Let the chart create the service account.
  create: true
  # Service account name. The IAM role's trust policy restricts
  # ":sub" to system:serviceaccount:ack-system:ack-apigatewayv2-controller,
  # so renaming this (or the namespace) requires updating that condition.
  name: ack-apigatewayv2-controller
  annotations:
    # IRSA: the role whose trust policy is shown at the top of this page.
    eks.amazonaws.com/role-arn: 'arn:aws:iam::${account_number}:role/${role_name}'
sample 설치
# Sample workloads (echoserver and author-deployment) from the AWS blog repo.
# "Mainline" is a branch ref, not a pinned commit, so the fetched content can
# change between runs.
for manifest in echoserver.yml author-deployment.yml; do
  wget "https://github.com/aws-samples/amazon-apigateway-ingress-controller-blog/raw/Mainline/apigw-ingress-controller-blog/${manifest}"
done
vpc link 생성
# Security group for the VPC link. This command adds no ingress rules, so the
# group starts with only its default rule set; the returned GroupId is
# presumably what fills the `${sg id}` placeholder in vpclink.yaml.
AGW_VPCLINK_SG=$(aws ec2 create-security-group \
  --region us-east-1 \
  --vpc-id "${vpcid}" \
  --group-name SG_VPC_LINK \
  --description "SG for VPC Link" \
  --query 'GroupId' \
  --output text)
kubectl apply -f vpclink.yaml
cat vpclink.yaml
apiVersion: apigatewayv2.services.k8s.aws/v1alpha1
kind: VPCLink
metadata:
  name: nlb-internal
spec:
  name: nlb-internal
  # Security group for the link (presumably the SG_VPC_LINK group created above).
  securityGroupIDs:
    - '${sg id}'
  # Subnets tagged kubernetes.io/role/internal-elb=1. The two placeholders
  # should resolve to two distinct subnet IDs.
  subnetIDs:
    - '${subnet id tag:kubernetes.io/role/internal-elb,Values=1}'
    - '${subnet id tag:kubernetes.io/role/internal-elb,Values=1}'
# List the VPC links and check the status of nlb-internal before importing the
# API that references it.
aws --region us-east-1 apigatewayv2 get-vpc-links
apigw 생성
# Writes the API manifest with the OpenAPI document inlined as a single-quoted
# YAML scalar. The heredoc is deliberately unquoted: every $(...) below is
# expanded by the shell at write time (VPC link id from the VPCLink status,
# NLB listener ARNs looked up from the authorservice and echoserver Services),
# which is why "/\$default" is escaped to keep a literal "$default" route key.
# Requires: AGW_AWS_REGION exported beforehand (it is not set anywhere on this
# page; the other commands use us-east-1), the nlb-internal VPCLink having
# .status.vpcLinkID, and both Services having a LoadBalancer hostname. A lookup
# that returns nothing leaves an empty "connectionId"/"uri" in the body.
# NOTE(review): the /$default integration uses "http_proxy" while /meta uses
# "HTTP_PROXY" — presumably the import treats the value case-insensitively; confirm.
cat > apigw-api.yaml<<EOF
apiVersion: apigatewayv2.services.k8s.aws/v1alpha1
kind: API
metadata:
  name: apitest-private-nlb
spec:
  body: '{
    "openapi": "3.0.1",
    "info": {
      "title": "ack-apigwv2-import-test-private-nlb",
      "version": "v1"
    },
    "paths": {
      "/\$default": {
        "x-amazon-apigateway-any-method" : {
          "isDefaultRoute" : true,
          "x-amazon-apigateway-integration" : {
            "payloadFormatVersion" : "1.0",
            "connectionId" : "$(kubectl get vpclinks.apigatewayv2.services.k8s.aws \
              nlb-internal \
              -o jsonpath="{.status.vpcLinkID}")",
            "type" : "http_proxy",
            "httpMethod" : "GET",
            "uri" : "$(aws elbv2 describe-listeners \
              --load-balancer-arn $(aws elbv2 describe-load-balancers \
                --region $AGW_AWS_REGION \
                --query "LoadBalancers[?contains(DNSName, '$(kubectl get service authorservice \
                  -o jsonpath="{.status.loadBalancer.ingress[].hostname}")')].LoadBalancerArn" \
                --output text) \
              --region $AGW_AWS_REGION \
              --query "Listeners[0].ListenerArn" \
              --output text)",
            "connectionType" : "VPC_LINK"
          }
        }
      },
      "/meta": {
        "get": {
          "x-amazon-apigateway-integration": {
            "uri" : "$(aws elbv2 describe-listeners \
              --load-balancer-arn $(aws elbv2 describe-load-balancers \
                --region $AGW_AWS_REGION \
                --query "LoadBalancers[?contains(DNSName, '$(kubectl get service echoserver \
                  -o jsonpath="{.status.loadBalancer.ingress[].hostname}")')].LoadBalancerArn" \
                --output text) \
              --region $AGW_AWS_REGION \
              --query "Listeners[0].ListenerArn" \
              --output text)",
            "httpMethod": "GET",
            "connectionId": "$(kubectl get vpclinks.apigatewayv2.services.k8s.aws \
              nlb-internal \
              -o jsonpath="{.status.vpcLinkID}")",
            "type": "HTTP_PROXY",
            "connectionType": "VPC_LINK",
            "payloadFormatVersion": "1.0"
          }
        }
      }
    },
    "components": {}
  }'
EOF
# Inspect the generated apigw-api.yaml before applying it; the expanded
# connectionId and uri values should be non-empty.
kubectl apply -f apigw-api.yaml
# The same API manifest with the shell lookups already resolved; `${vpc link id}`
# and `${lb listener arn}` stand for the VPCLink's .status.vpcLinkID and the
# NLB listener ARNs.
apiVersion: apigatewayv2.services.k8s.aws/v1alpha1
kind: API
metadata:
  name: apitest-private-nlb
spec:
  # OpenAPI document, folded into one line by the single-quoted scalar.
  body: '{
    "openapi": "3.0.1",
    "info": {
      "title": "ack-apigwv2-import-test-private-nlb",
      "version": "v1"
    },
    "paths": {
      "/$default": {
        "x-amazon-apigateway-any-method" : {
          "isDefaultRoute" : true,
          "x-amazon-apigateway-integration" : {
            "payloadFormatVersion" : "1.0",
            "connectionId" : "${vpc link id}",
            "type" : "http_proxy",
            "httpMethod" : "GET",
            "uri" : "${lb listener arn}",
            "connectionType" : "VPC_LINK"
          }
        }
      },
      "/meta": {
        "get": {
          "x-amazon-apigateway-integration": {
            "uri" : "${lb listener arn}",
            "httpMethod": "GET",
            "connectionId": "${vpc link id}",
            "type": "HTTP_PROXY",
            "connectionType": "VPC_LINK",
            "payloadFormatVersion": "1.0"
          }
        }
      }
    },
    "components": {}
  }'
stage 생성
echo "
apiVersion: apigatewayv2.services.k8s.aws/v1alpha1
kind: Stage
metadata:
name: "apiv1"
spec:
apiID: $(kubectl get apis.apigatewayv2.services.k8s.aws apitest-private-nlb -o=jsonpath='{.status.apiID}')
stageName: api
autoDeploy: true
" | kubectl apply -f -
stage.apigatewayv2.services.k8s.aws/apiv1 created
endpoint 확인
# Print the API endpoint recorded in the API resource's status.
kubectl get api apitest-private-nlb -o=jsonpath='{.status.apiEndpoint}'