Enterprise Distributed Application Service (EDAS) allows you to create an Application Load Balancer (ALB) Ingress for an application. An ALB Ingress uses an ALB instance to manage ingress traffic more efficiently. An ALB Ingress is compatible with an NGINX Ingress, and supports complex routing and automatic certificate discovery.

Prerequisites

  • Add a Service
  • The ALB Ingress controller is installed.
    • You can install the ALB Ingress controller when you create a cluster by setting the Ingress parameter to ALB Ingress on the Component Configurations wizard page.
    • You can also install the ALB Ingress controller for an existing cluster in which no ALB Ingress controller is installed. For more information, see Manage system components.

Background information

The ALB Ingress controller retrieves the changes to Ingresses from the API server and dynamically generates AlbConfig objects when Ingress changes are detected. Then, the ALB Ingress controller performs the following operations in sequence: create ALB instances, configure listeners, create Ingress rules, and configure backend server groups. The Service, Ingress, and AlbConfig objects interact with each other in the following ways:
  • A Service is an abstraction of an application that is deployed in a group of replicated pods.
  • An Ingress contains reverse proxy rules and specifies the Service to which HTTP or HTTPS requests are routed. For example, an Ingress routes requests to different Services based on the hostnames and URLs in the requests.
  • An AlbConfig object is a custom resource definition (CRD) object that the ALB Ingress controller uses to configure ALB instances and listeners. An AlbConfig object corresponds to one ALB instance.

Limits

  • ALB instances that serve Ingresses are fully managed in EDAS. To avoid service interruptions caused by Ingress errors, we recommend that you do not modify these ALB instances in the ALB console.
  • You cannot modify the Ingress resources created by EDAS. These resources have the following labels: edas-domain: edas-admin and edas-domain. You cannot modify or delete IngressClass and AlbConfig objects associated with Ingresses. These objects are named in the edas-{alb_id} format.
  • The cluster that uses a Flannel network plug-in supports only NodePort and LoadBalancer Services.
  • If you need to configure HTTPS-based routing for an ALB Ingress, you must turn on Open The TLS for all routing rules of the Ingress.
  • An ALB Ingress supports automatic certificate discovery. After you turn on Open The TLS for a routing rule of the ALB Ingress, you do not need to configure a Secret. However, you must purchase a unique certificate for the corresponding domain name in SSL Certificates Service. The certificate can be a wildcard certificate or single-domain certificate.
  • To create an ALB Ingress for an application, you must bind an existing standard ALB instance to the Ingress. After you create the Ingress, the ALB instance bound to the Ingress cannot be reused by other clusters.

Procedure

  1. Log on to the EDAS console.
  2. In the left-side navigation pane, click Application Routing.
  3. On the Application Routing (Kubernetes Ingress) page, select a region in the top menu bar. Then, select a microservice namespace.
  4. On the Application Routing (Kubernetes Ingress) page, click CreateALB Ingress.
  5. In the CreateALB Ingress panel, set the K8s Cluster, K8s namespace, Application route name, and ALB Instance parameters. Click Add forwarding rule, set required parameters, and then click Yes.
    Parameter: Description

    K8s Cluster: The Kubernetes cluster for which you want to create the Ingress. Select the Kubernetes cluster from the drop-down list.

    K8s namespace: The Kubernetes namespace of the cluster. Internal system objects are allocated to different Kubernetes namespaces to form logically isolated projects, groups, or user groups. This way, different groups can be separately managed and can share the resources of the entire cluster. Valid values:
    • default: the default Kubernetes namespace. If no Kubernetes namespace is specified for an object, the default Kubernetes namespace is used.
    • kube-system: the Kubernetes namespace for the objects that are created by the system.
    • kube-public: the Kubernetes namespace that is automatically created and can be read by all users, including users who are not authenticated.

    In this example, default is selected.

    Redirect to HTTPS: Specifies whether to redirect HTTP requests to HTTPS. If you turn on Redirect to HTTPS, HTTP requests are redirected to HTTPS.

    Application route name: The name of the Ingress. The name must be unique in the selected namespace.

    The name can contain lowercase letters, digits, and hyphens (-). It must start with a letter and end with a letter or a digit.

    ALB Instance: The ALB instance to be bound to the Ingress. The ALB Instance drop-down list displays only ALB instances that reside in the same virtual private cloud (VPC) as the selected Kubernetes cluster.

    If no ALB instance exists, create one. For more information, see Create an ALB instance.

    Note
    • Only standard ALB instances are supported.
    • After an ALB instance is bound to an ALB Ingress in a Kubernetes cluster, the ALB instance cannot be bound to Ingresses in other Kubernetes clusters.
    • You can bind an ALB instance to multiple ALB Ingresses in a cluster.

    Forwarding rules:

    Note
    The one or more routing rules of the ALB Ingress. When you create routing rules, take note of the following items:
    • You can create multiple routing rules for an Ingress.
      • The combination of a specific domain name and a specific path can be used as the address of only one Service.
      • A Service can correspond to multiple combinations of domain names and paths.
    • You can create the same routing rules for different Ingresses.

    domain name: The domain name to be accessed.

    Path: The path to be accessed. The path must start with a forward slash (/).

    Application: The application to be accessed in the selected Kubernetes cluster. Select the application from the drop-down list.

    Service name: The Service of the application to be accessed. Select the required Service from the drop-down list.

    Service port: The port of the Service.

    Open The TLS: If you turn on Open The TLS, external HTTPS requests are allowed to be routed to internal Services.

    To allow external HTTPS requests, you must specify the Transport Layer Security (TLS) certificate. To do this, choose Configuration Management > Kubernetes Configurations in the left-side navigation pane of the EDAS console. On the page that appears, click the Secrets tab in the left-side pane. In the Secret list, select the Secret that stores the information about the TLS certificate. If you have not created such a Secret, click Create Secrets to create one. For more information about how to create a Secret, see Create a Secret.

    After the Ingress is created, the Ingress appears in the Ingress list. You can perform various operations on the Ingress. For example, you can view the details of the Ingress, modify the routing rules, and delete the Ingress.
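The constraints stated under Limits and in the parameter table can be checked against an Ingress before it is created. The following is an added example, not code from EDAS or from this page: `check_ingress` and the sample manifest are hypothetical, and it assumes a rule counts as TLS-enabled when its host is listed under `spec.tls[].hosts`, the standard Kubernetes Ingress convention.

```python
import re

# Naming rule from the table: lowercase letters, digits, hyphens; starts with
# a letter; ends with a letter or a digit.
NAME_RE = re.compile(r"[a-z]([a-z0-9-]*[a-z0-9])?")

def tls_covers(host, tls_hosts):
    # Exact match, or a wildcard entry that covers exactly one extra label.
    return any(t == host or (t.startswith("*.") and "." in host
               and host.split(".", 1)[1] == t[2:]) for t in tls_hosts)

def check_ingress(ing):
    """Return findings for one networking.k8s.io/v1 Ingress given as a dict."""
    findings = []
    name = ing["metadata"]["name"]
    if not NAME_RE.fullmatch(name):
        findings.append(f"name {name!r} violates the naming rule")
    spec = ing.get("spec", {})
    tls_hosts = [h for t in spec.get("tls", []) for h in t.get("hosts", [])]
    seen, plain, secured = {}, [], []   # seen: (host, path) -> Service name
    for rule in spec.get("rules", []):
        host = rule.get("host", "")
        (secured if tls_covers(host, tls_hosts) else plain).append(host)
        for p in rule.get("http", {}).get("paths", []):
            path, svc = p.get("path", ""), p["backend"]["service"]["name"]
            if not path.startswith("/"):
                findings.append(f"{host}: path {path!r} must start with '/'")
            prev = seen.setdefault((host, path), svc)
            if prev != svc:
                findings.append(f"{host}{path} maps to both {prev} and {svc}")
    # HTTPS routing needs TLS on every rule; a partial set leaves hosts on HTTP.
    if secured and plain:
        findings.append("TLS enabled for some rules only; plaintext hosts: "
                        + ", ".join(sorted(set(plain))))
    return findings

SAMPLE = {  # constructed manifest for illustration, not taken from the page
    "metadata": {"name": "Shop-ingress-"},
    "spec": {
        "tls": [{"hosts": ["shop.example.com"]}],
        "rules": [
            {"host": "shop.example.com", "http": {"paths": [
                {"path": "/cart", "backend": {"service": {"name": "cart"}}},
                {"path": "/cart", "backend": {"service": {"name": "cart-v2"}}}]}},
            {"host": "api.example.com", "http": {"paths": [
                {"path": "v1", "backend": {"service": {"name": "api"}}}]}}]}}

if __name__ == "__main__":
    print("\n".join(check_ingress(SAMPLE)))
```

An Ingress with no TLS hosts at all produces no TLS finding, because HTTP-only routing is permitted; only a mix of TLS and non-TLS rules is reported.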