
CloudOps Orchestration Service: Use a security domain name of DingTalk Open Platform to expose an application in ACK

Last Updated: Jun 12, 2023

Overview

This topic describes how to use a security domain name of DingTalk Open Platform to expose an application in a Container Service for Kubernetes (ACK) cluster. To do so, you need to configure a LoadBalancer Service in the ACK cluster, associate an internal-facing Server Load Balancer (SLB) instance with the Service, and then associate the internal-facing SLB instance with a security domain name in DingTalk Open Platform.

  • If no existing SLB instance is available, the Cloud Controller Manager (CCM) of ACK automatically creates an SLB instance for the LoadBalancer Service and manages the SLB instance.

  • If an existing internal-facing SLB instance is available, you can associate the SLB instance with the LoadBalancer Service in the ACK cluster. After that, you can associate the SLB instance with the security domain name in DingTalk Open Platform. This way, you can use the security domain name of DingTalk Open Platform to expose the application in the ACK cluster.

Prerequisites

If you want to associate an existing SLB instance with a LoadBalancer Service, the following requirements must be met:

  • An internal-facing SLB instance is created.

  • An ACK cluster is available.

  • The ACK cluster and the SLB instance reside in the same virtual private cloud (VPC) and region.

Procedure

You can associate an SLB instance with a LoadBalancer Service by using the ACK console or kubectl.

Associate an SLB instance with a LoadBalancer Service by using the ACK console

Step 1: Create an application

  1. Log on to the ACK console.

  2. On the Clusters page, find the cluster in which you want to create an application and click Applications in the Actions column.

  3. On the Deployments page, click Create from Image in the upper-right corner.

  4. On the Create page, configure basic information and container information based on your business requirements.

  5. View the created application on the Deployments page. In this example, an application named my-nginx is created.

Step 2: Create a LoadBalancer Service to be associated with an existing SLB instance

  1. In the left-side navigation pane on the details page of the cluster, choose Network > Services.

  2. On the Services page, click Create in the upper-right corner.

  3. In the Create Service dialog box, set the parameters for the Service. For more information, see Use an existing SLB instance to expose an application.

  • Type: Select Server Load Balancer, Internal Access, and Use Existing SLB Instance from the drop-down lists in sequence. Select an existing SLB instance in the same VPC.

  • Overwrite Existing Listeners: Specify whether to overwrite the listeners of the selected SLB instance. If you select this check box but the SLB instance does not have listeners, the system automatically creates listeners for the SLB instance. We recommend that you do not overwrite existing listeners in the following situations:

    • The existing listeners of the SLB instance are associated with applications. In this case, access to the applications may be interrupted after the listeners are overwritten.

    • Complex backend configurations are required. The CCM supports limited backend configurations and cannot handle complex configurations. If you require complex backend configurations, you can manually configure listeners in the SLB console without overwriting the existing listeners.

  • Backend: Select the created application to associate the application with the Service.

  • External Traffic Policy: Select a policy to distribute external traffic.

    • Local: routes traffic only to pods on the node on which the Service is deployed.

    • Cluster: routes network traffic to pods on other nodes in the cluster.

  • Port Mapping: Specify a Service port and a container port. The Service port corresponds to the port field in the YAML file of the Service. The container port corresponds to the targetPort field in the YAML file of the Service. The container port must be the same as the one that is exposed in the backend pod.

  • Annotations: You can add one or more annotations to the Service to configure the SLB instance. You can select Custom Annotation or Alibaba Cloud Annotation from the Type drop-down list. In this example, an annotation is added to specify that the Service is charged based on the usage of traffic. For more information about annotations, see Use annotations to configure load balancing.

  4. View the created Service on the Services page. You can access the application that is associated with the Service by using the external endpoint of the Service over the internal network.

Associate an SLB instance with a LoadBalancer Service by using kubectl

Step 1: Use kubectl to connect to an ACK cluster

You can use one of the following methods to connect to an ACK cluster:

To use kubectl to connect to an ACK cluster, make sure that public access to the API Server of the ACK cluster is enabled. If you did not specify an Elastic IP address (EIP) to be associated with the ACK cluster when you created the cluster, click the Basic Information tab on the Cluster Information page. In the Cluster Information section, click Associate EIP.

In the Associate EIP dialog box, select an EIP and click OK. After the EIP is associated with the cluster, a public IP address appears on the right side of the API Server Public Endpoint field.

Step 2: Create an application

You can create an application by using the ACK console or kubectl. This section shows you how to create an application by using kubectl.

  1. Create a file named my-nginx.yaml with the following YAML template:

    apiVersion: apps/v1 # for versions before 1.8.0 use apps/v1beta1
    kind: Deployment
    metadata:
      name: my-nginx    # The name of the application. 
      labels:
        app: nginx
    spec:
      replicas: 3       # The number of replicated pods. 
      selector:
        matchLabels:
          app: nginx     # You must specify the same value in the selector of the Service that is used to expose the application. 
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
          - name: nginx
            image: registry.aliyuncs.com/acs/netdia:latest     # Replace the value with the image address that you want to use. Format: <image_name:tags>. 
            ports:
            - containerPort: 80                                # The port that you want to expose in the Service.

  2. Run the following command to deploy the my-nginx application:

    kubectl apply -f my-nginx.yaml

  3. Run the following command to check the status of the application:

    kubectl get deployment my-nginx

  4. Check the response. Sample success response:

    NAME       READY   UP-TO-DATE   AVAILABLE   AGE
    my-nginx   0/3     3            0           103s

Step 3: Create a LoadBalancer Service to be associated with an existing SLB instance

  1. Create a file named my-nginx-svc.yaml and copy the following content to the file:

  • Replace the value ${YOUR_LB_ID} of service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id with the ID of the SLB instance that you created in the SLB console.

  • If you use an existing SLB instance, the CCM does not create listeners for the SLB instance or overwrite the listeners of the SLB instance by default. If you want the CCM to create new listeners or overwrite existing listeners, set the service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners parameter to true. In this example, a new SLB instance is created and new listeners must be created. Therefore, this annotation is set to true. For more information about annotations, see Use annotations to configure load balancing.

  • To associate the Service with the backend application that you created, set selector to the value of the matchLabels field in the my-nginx.yaml file. In this example, the value is set to app: nginx.

  2. Run the following command to create a Service named my-nginx-svc and use the Service to expose the application:

    kubectl apply -f my-nginx-svc.yaml

  3. Run the following command to check whether the LoadBalancer Service is created:

    kubectl get svc my-nginx-svc

    Check the response. Sample success response:

    NAME           TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
    my-nginx-svc   LoadBalancer   192.168.25.11   10.32.0.132   80:31664/TCP   19s

  4. The Service is associated with an internal-facing SLB instance. No public IP address is available to access the application outside the VPC. You can associate an EIP with the SLB instance and use the EIP to access the application.
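
The notes in the first step of Step 3 describe the contents of my-nginx-svc.yaml. A manifest that follows them is shown here as an added example, not the file from the original page. The port values (80/TCP) are taken from the Deployment and the sample output above; the metadata labels and the port name are assumptions.

```yaml
# Added example: my-nginx-svc.yaml, assembled from the notes in Step 3.
apiVersion: v1
kind: Service
metadata:
  name: my-nginx-svc
  labels:
    app: nginx            # assumption: mirrors the Deployment's labels
  annotations:
    # Placeholder from the page. kubectl does not expand ${...}; replace it by
    # hand with the ID of the existing internal-facing SLB instance.
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id: "${YOUR_LB_ID}"
    # For an existing SLB instance the CCM leaves listeners untouched by default.
    # "true" lets the CCM create new listeners or overwrite existing ones.
    # Omit this annotation when the instance's listeners already serve other
    # applications or are configured manually in the SLB console.
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners: "true"
spec:
  type: LoadBalancer
  selector:
    app: nginx            # must equal spec.selector.matchLabels in my-nginx.yaml
  ports:
  - name: http            # assumption: port name chosen for this example
    protocol: TCP
    port: 80              # Service port (the "80" in 80:31664/TCP above)
    targetPort: 80        # containerPort exposed by the my-nginx pods
```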

Import ACK resources to Compute Nest

  1. After you complete the preceding steps, you obtain an ACK cluster whose Service is associated with an SLB instance. In the ACK console, view the details of the ACK cluster and obtain the labels.

  2. In the Compute Nest console, create an application group in the region in which the ACK cluster resides. Specify Select Tag as the method to import resources, and enter a label key and a label value of the ACK cluster.

  3. After the application group is created, view the imported ACK resources in the Application Management console.