An AlbConfig object is a CustomResourceDefinition (CRD) object that Container Service
for Kubernetes (ACK) provides for the Application Load Balancer (ALB) Ingress controller.
The ALB Ingress controller uses AlbConfig objects to configure ALB instances and listeners.
This topic describes how to create and modify an AlbConfig object, and how to use
an AlbConfig object to enable Log Service.
Background information
The ALB Ingress controller retrieves the changes to Ingresses from the API server
and dynamically generates AlbConfig objects when Ingress changes are detected. Then,
the ALB Ingress controller performs the following operations in sequence: create ALB
instances, configure listeners, create Ingress rules, and configure backend server
groups. The Service, Ingress, and AlbConfig objects interact with each other in the
following ways:
- A Service is an abstraction of an application that is deployed in a group of replicated
pods.
- An Ingress contains reverse proxy rules. It controls to which Services HTTP or HTTPS
requests are routed. For example, an Ingress routes requests to different Services
based on the hosts and URLs in the requests.
- An AlbConfig object is a CustomResourceDefinition (CRD) object that the ALB Ingress
controller uses to configure ALB instances and listeners. An AlbConfig object corresponds
to one ALB instance.

An AlbConfig object is used to configure an ALB instance. The ALB instance can be
specified in forwarding rules of multiple Ingresses. Therefore, an AlbConfig object
can be associated with multiple Ingresses.
Precautions
- Kubernetes version ≥1.18.
- If you use the Flannel network plug-in, the backend Services of the ALB Ingress must
be of the NodePort or LoadBalancer type.
Create an AlbConfig object
An AlbConfig object is used to configure an ALB instance. If you want to configure
multiple ALB instances, you must create multiple AlbConfig objects. Perform the following
steps to create an AlbConfig object:
- Create a file named alb-test.yaml and copy the following content into the file. The file is used to create an AlbConfig object.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    name: alb-test
    addressType: Internet
    zoneMappings:
    - vSwitchId: vsw-uf6ccg2a9g71hx8go****
    - vSwitchId: vsw-uf6nun9tql5t8nh15****
Parameter | Description
spec.config.name | The name of the ALB. This parameter is optional.
addressType | The type of IP address that the ALB instance uses to provide services. This parameter is required. Valid values: Internet: The ALB instance uses a public IP address. The domain name of the Ingress is resolved to the public IP address of the ALB instance. Therefore, the ALB instance is accessible over the Internet. This is the default value. Intranet: The ALB instance uses a private IP address. The domain name of the Ingress is resolved to the private IP address of the ALB instance. Therefore, the ALB instance is accessible only within the virtual private cloud (VPC) where the ALB instance is deployed.
zoneMappings | The IDs of the vSwitches that are used by the ALB Ingress. You must specify at least two vSwitch IDs and the vSwitches must be deployed in different zones. The zones of the vSwitches must be supported by ALB Ingresses. This parameter is required. For more information about the regions and zones that are supported by ALB Ingresses, see Regions that support ALB.
- Run the following command to create an AlbConfig object:
kubectl apply -f alb-test.yaml
Expected output:
AlbConfig.alibabacloud.com/default created
- Run the following command to query the automatically created AlbConfig object:
kubectl -n kube-system get AlbConfig
Expected output:
NAME      AGE
default   87m
The following content shows the configuration of the default AlbConfig object:
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default # The name of the AlbConfig object.
spec:
  config:
    accessLogConfig:
      logProject: ""
      logStore: ""
    addressAllocatedMode: Dynamic
    addressType: Internet
    billingConfig:
      internetBandwidth: 0
      internetChargeType: ""
      payType: PostPay
    deletionProtectionEnabled: true
    edition: Standard
    forceOverride: false
    zoneMappings:
    - vSwitchId: vsw-wz92lvykqj1siwvif**** # A vSwitch that is specified for the AlbConfig object. You must specify two vSwitches.
    - vSwitchId: vsw-wz9mnucx78c7i6iog**** # A vSwitch that is specified for the AlbConfig object.
status:
  loadBalancer:
    dnsname: alb-s2em8fr9debkg5****.cn-shenzhen.alb.aliyuncs.com
    id: alb-s2em8fr9debkg5****
Associate with an Ingress
You can associate an AlbConfig object with an Ingress by using an IngressClass. To
do this, you must first create an IngressClass.
- Create a file named alb.yaml and copy the following content to the file:
- Run the following command to create an IngressClass:
kubectl apply -f alb.yaml
Expected output:
ingressclass.networking.k8s.io/alb created
- To associate an AlbConfig object with an Ingress, specify the alb IngressClass in the ingressClassName field of the Ingress YAML template.
Change the name of an AlbConfig object
To change the name of an AlbConfig object, run the following command. The change is
automatically applied after you save the modification.
kubectl -n kube-system edit AlbConfig default
...
spec:
  config:
    name: test # The new name that you want to use.
...
Change the vSwitches that are specified for an AlbConfig object
To change the vSwitches that are specified for an AlbConfig object, run the following
command. The change is automatically applied after you save the modification.
kubectl -n kube-system edit AlbConfig default
...
    zoneMappings:
    - vSwitchId: vsw-wz92lvykqj1siwvif****
    - vSwitchId: vsw-wz9mnucx78c7i6iog****
...
Specify a certificate for HTTPS connections
You can specify a certificate for an ALB instance by specifying the certificate ID
in the listeners parameter of the corresponding AlbConfig object. The certificate is
used for HTTPS connections. Perform the following steps:
- Log on to the Certificate Management Service console.
- In the left-side navigation pane, click SSL Certificates.
- On the SSL Certificates page, click the Manage Uploaded Certificates tab.
- Find the certificate that you want to use and choose in the Actions column. In the Certificate Details panel, you can obtain and record the certificate ID.
- Modify the AlbConfig YAML file and save the changes.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    #...
  listeners:
  - caEnabled: false
    certificates:
    - CertificateId: 756****-cn-hangzhou
      IsDefault: true
    port: 443
    protocol: HTTPS
  #...
The following table describes some of the parameters in the AlbConfig YAML file.
Parameter | Description
CertificateId | The ID of the certificate that you want to use. In this example, 756****-cn-hangzhou is specified. 756**** is the certificate ID that you obtained in the previous step.
IsDefault | Specifies whether to set the certificate as the default certificate. In this example, true is specified. The certificate is set as the default certificate.
protocol | The protocol that is used by listeners. In this example, HTTPS is specified. The HTTPS protocol is used by listeners.
Specify a TLS security policy
When you use an AlbConfig object to configure HTTPS listeners, you can specify a TLS
security policy. Custom TLS security policies and default TLS security policies are
supported. For more information, see TLS security policies.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    #...
  listeners:
  - port: 443
    protocol: HTTPS
    securityPolicyId: tls_cipher_policy_1_1
  #...
Enable Log Service for log collection
If you want to collect the access log of ALB Ingresses, set the logProject and logStore
parameters in the AlbConfig configuration.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    accessLogConfig:
      logProject: "k8s-log-xz92lvykqj1siwvif****"
      logStore: "alb_****"
    #...
Note: Set logStore to a value that starts with alb_. If the specified Logstore does
not exist, the system automatically creates one with the specified name.
After you save the modification to the AlbConfig configuration, you can go to the
Log Service console and view the collected log in the specified Logstore.
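A review check for the settings described above (address type, TLS security policy, access log), added here as an example and not part of the original documentation: it audits AlbConfig objects exported as JSON, for example with kubectl -n kube-system get AlbConfig -o json. The sample objects, the finding labels and the approved-policy allowlist are assumptions.

```python
import json

# Constructed sample in the shape of `kubectl -n kube-system get AlbConfig -o json`,
# trimmed to fields shown on this page. Names and IDs are placeholders.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "default"}, "spec": {
   "config": {"addressType": "Internet",
              "accessLogConfig": {"logProject": "", "logStore": ""}},
   "listeners": [{"port": 443, "protocol": "HTTPS",
                  "securityPolicyId": "tls_cipher_policy_1_1"}]}},
 {"metadata": {"name": "internal"}, "spec": {
   "config": {"addressType": "Intranet",
              "accessLogConfig": {"logProject": "k8s-log-example", "logStore": "alb_example"}},
   "listeners": [{"port": 443, "protocol": "HTTPS",
                  "securityPolicyId": "tls_cipher_policy_1_2"}]}}]}
""")

# Assumption: the TLS policy IDs your organization approves; adjust to your baseline.
APPROVED_TLS_POLICIES = {"tls_cipher_policy_1_2"}

def audit_albconfig(obj, approved=APPROVED_TLS_POLICIES):
    """Return review findings for one AlbConfig object (a dict parsed from JSON)."""
    spec = obj.get("spec") or {}
    cfg = spec.get("config") or {}
    findings = []
    # Internet is the documented default; a reused instance (config.id) keeps its own type.
    if cfg.get("addressType", None if cfg.get("id") else "Internet") == "Internet":
        findings.append("internet-facing")
    log = cfg.get("accessLogConfig") or {}
    if not (log.get("logProject") and log.get("logStore")):
        findings.append("access-log-disabled")
    elif not log["logStore"].startswith("alb_"):
        findings.append("logstore-name-missing-alb_-prefix")
    if cfg.get("forceOverride"):
        findings.append("force-override-enabled")
    for lst in spec.get("listeners") or []:
        policy = lst.get("securityPolicyId")
        if lst.get("protocol") == "HTTPS" and policy not in approved:
            findings.append(f"listener-{lst.get('port')}-tls-policy-unapproved:{policy or 'unset'}")
    return findings

def audit_all(doc, approved=APPROVED_TLS_POLICIES):
    items = doc["items"] if "items" in doc else [doc]  # accept a List or one object
    return {o["metadata"]["name"]: audit_albconfig(o, approved) for o in items}

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE).items():
        print(name, found or "ok")
```

An empty list means that none of the checks fired for that object.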
Reuse an existing ALB instance
If you want to reuse an existing ALB instance, specify the ID of the ALB instance
in the AlbConfig configuration.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: reuse-alb
spec:
  config:
    id: ****
    forceOverride: false # Specify whether to overwrite existing listeners. A value of true overwrites existing listeners. A value of false does not overwrite existing listeners.
Use multiple ALB instances
If you want to use multiple ALB instances, specify multiple IngressClasses in the
spec.ingressClassName field of the Ingress configuration.
- Create a file named alb-demo2.yaml and copy the following content into the file:
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: demo
spec:
  config:
    name: alb-demo2 # The name of an ALB instance.
    addressType: Internet # The ALB instance has a public IP address.
    zoneMappings:
    - vSwitchId: vsw-uf6ccg2a9g71hx8go****
    - vSwitchId: vsw-uf6nun9tql5t8nh15****
- Run the following command to create an AlbConfig object:
kubectl apply -f alb-demo2.yaml
Expected output:
AlbConfig.alibabacloud.com/demo created
- Create a file named alb.yaml and copy the following content to the file:
- Run the following command to create an IngressClass:
kubectl apply -f alb.yaml
Expected output:
ingressclass.networking.k8s.io/alb-demo2 created
- Specify multiple ALB instances in the ingressClassName field of the Ingress YAML template.
Delete an ALB instance
An AlbConfig object is used to configure an ALB instance. Therefore, you can delete
an ALB instance by deleting the corresponding AlbConfig object. Before you can delete
an AlbConfig object, you must delete all Ingresses that are associated with the AlbConfig
object.
kubectl -n kube-system delete AlbConfig default
Replace default with the name of the AlbConfig object that you want to delete.