Terraform module for ALB, Route53 and nginx-ingress with kops on AWS
int128 Merge pull request #7 from int128/tfmodule
Refactor as a Terraform module
Latest commit 457d557 May 9, 2019
# terraform-aws-kops-alb

This is a Terraform module which provides AWS ALB and Route53 for publishing services via nginx-ingress on kops.

It provides the following stack:

Figure: aws-diagram.png (architecture diagram of the ALB, Route53 and nginx-ingress stack)

HTTPS requests are transferred to a pod via the external ALB and the node port of nginx-ingress (e.g. tcp/30080).

This is open source software licensed under the Apache License 2.0. Feel free to bring up issues and pull requests.

## Example

Bootstrap a Kubernetes cluster:

```sh
export AWS_DEFAULT_REGION="us-west-2"
export KOPS_CLUSTER_NAME="hello.k8s.local"
kubernetes_ingress_domain="hello.example.com"
state_store_bucket_name="state.hello.k8s.local"

# Create a public hosted zone for the domain
aws route53 create-hosted-zone --name "$kubernetes_ingress_domain" --caller-reference "$(date)"

# Request a certificate for the wildcard domain
aws acm request-certificate --domain-name "*.$kubernetes_ingress_domain" --validation-method DNS

# Create a bucket for the state store of kops and Terraform
aws s3api create-bucket \
  --bucket "$state_store_bucket_name" \
  --region "$AWS_DEFAULT_REGION" \
  --create-bucket-configuration "LocationConstraint=$AWS_DEFAULT_REGION"
aws s3api put-bucket-versioning \
  --bucket "$state_store_bucket_name" \
  --versioning-configuration "Status=Enabled"

# Point kops at the state store bucket created above (kops requires
# KOPS_STATE_STORE or --state for every command)
export KOPS_STATE_STORE="s3://$state_store_bucket_name"

# Create a cluster
kops create cluster --name "$KOPS_CLUSTER_NAME" --zones "${AWS_DEFAULT_REGION}a"
kops update cluster --yes
```

Load the module:

```hcl
module "kops_alb" {
  source                    = "github.com/int128/terraform-aws-kops-alb"
  kops_cluster_name         = "hello.k8s.local"
  kubernetes_ingress_domain = "hello.example.com"
}
```

Run Terraform and then install nginx-ingress:

```sh
# Create AWS resources
terraform init
terraform apply

# Install Helm
kubectl create -f helm-service-account.yaml
helm init --service-account tiller --history-max 100

# Install nginx-ingress
helmfile sync
```

See examples for more.

## Prerequisites

This module assumes the following resources exist:

- Route53 hosted zone of the domain `kubernetes_ingress_domain`
- ACM certificate of the wildcard domain `*.kubernetes_ingress_domain`
- VPC for the cluster `kops_cluster_name`
- Subnets for the cluster `kops_cluster_name`
- Auto scaling group for the nodes of the cluster `kops_cluster_name`
- Security group for the masters of the cluster `kops_cluster_name`
- Security group for the nodes of the cluster `kops_cluster_name`

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| `alb_external_allow_ip` | List of IP addresses to allow to the external ALB | list | `<list>` | no |
| `alb_internal_enabled` | Enable the internal ALB (needed if the external ALB is not public) | string | `"false"` | no |
| `kops_cluster_name` | Kubernetes cluster name | string | n/a | yes |
| `kops_ig_nodes_names` | List of names of instance-group nodes managed by kops | list | `<list>` | no |
| `kubernetes_ingress_domain` | Domain name for the external/internal ALB | string | n/a | yes |
| `kubernetes_ingress_port` | Node port of the ingress controller | string | `"30080"` | no |

## Outputs

| Name | Description |
|------|-------------|
| `kops_cluster_name` | Kubernetes cluster name |
| `kops_subnet_ids` | IDs of subnets managed by kops |
| `kops_vpc_id` | ID of VPC managed by kops |
| `sgid_allow_from_nodes` | ID of security group which is allowed from Kubernetes nodes |
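As an added example (not code from this module's README), the following invocation uses the inputs above to restrict the external ALB to known source ranges and enable the internal ALB for in-VPC clients, then consumes the `kops_subnet_ids` and `sgid_allow_from_nodes` outputs for a backend instance that only cluster nodes should reach. The CIDRs, AMI ID, the `nodes-gpu` instance group and the `aws_instance` resource are assumptions for illustration.

```hcl
# Added example: hardened use of the module's inputs and outputs.
module "kops_alb" {
  source                    = "github.com/int128/terraform-aws-kops-alb"
  kops_cluster_name         = "hello.k8s.local"
  kubernetes_ingress_domain = "hello.example.com"
  kubernetes_ingress_port   = "30080"

  # Only these source ranges may reach the external ALB
  # (placeholder CIDRs; replace with office/VPN egress ranges).
  alb_external_allow_ip = ["203.0.113.0/24", "198.51.100.10/32"]

  # The external ALB is no longer reachable from everywhere, so provide an
  # internal ALB for services that live inside the VPC.
  alb_internal_enabled = "true"

  # Instance groups whose nodes receive traffic on the ingress node port
  # ("nodes-gpu" is an assumed second instance group).
  kops_ig_nodes_names = ["nodes", "nodes-gpu"]
}

# Assumed backend (e.g. a service the pods call) placed in a kops subnet and
# protected by the module's security group, which admits only Kubernetes
# nodes instead of a broad CIDR.
resource "aws_instance" "backend" {
  ami                    = "ami-0123456789abcdef0" # placeholder AMI ID
  instance_type          = "t3.micro"
  subnet_id              = "${module.kops_alb.kops_subnet_ids[0]}"
  vpc_security_group_ids = ["${module.kops_alb.sgid_allow_from_nodes}"]
}
```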