Configuring ingress cluster traffic on AWS

OKD provides methods for communicating from outside the cluster with services running in the cluster. This method uses load balancers on AWS, specifically a Network Load Balancer (NLB) or a Classic Load Balancer (CLB). Both types of load balancers can forward the client’s IP address to the node, but a CLB requires proxy protocol support, which OKD automatically enables.

You can configure these load balancers on a new or existing AWS cluster.

Configuring Classic Load Balancer timeouts on AWS

OKD provides a method for setting a custom timeout period for a specific route or Ingress Controller. Additionally, an AWS Classic Load Balancer (CLB) has its own timeout period with a default time of 60 seconds.

If the timeout period of the CLB is shorter than the route timeout or Ingress Controller timeout, the load balancer can prematurely terminate the connection. You can prevent this problem by increasing both the route timeout and the CLB timeout.

Configuring route timeouts

You can configure the default timeouts for an existing route when you have services in need of a low timeout, which is required for Service Level Availability (SLA) purposes, or a high timeout, for cases with a slow back end.

Prerequisites

  • You need a deployed Ingress Controller on a running cluster.

Procedure

  1. Using the oc annotate command, add the timeout to the route:

       $ oc annotate route <route_name> \
           --overwrite haproxy.router.openshift.io/timeout=<timeout><time_unit> (1)

     (1) Supported time units are microseconds (us), milliseconds (ms), seconds (s), minutes (m), hours (h), or days (d).

     The following example sets a timeout of two seconds on a route named myroute:

       $ oc annotate route myroute --overwrite haproxy.router.openshift.io/timeout=2s

Configuring Classic Load Balancer timeouts

You can configure the default timeouts for a Classic Load Balancer (CLB) to extend idle connections.

Prerequisites

  • You must have a deployed Ingress Controller on a running cluster.

Procedure

  1. Set an AWS connection idle timeout of five minutes for the default ingresscontroller by running the following command (the patch is kept on one line so that no line-continuation characters end up inside the quoted JSON):

       $ oc -n openshift-ingress-operator patch ingresscontroller/default \
           --type=merge --patch='{"spec":{"endpointPublishingStrategy":{"type":"LoadBalancerService","loadBalancer":{"scope":"External","providerParameters":{"type":"AWS","aws":{"type":"Classic","classicLoadBalancer":{"connectionIdleTimeout":"5m"}}}}}}}'

  2. Optional: Restore the default value of the timeout by running the following command:

       $ oc -n openshift-ingress-operator patch ingresscontroller/default \
           --type=merge --patch='{"spec":{"endpointPublishingStrategy":{"loadBalancer":{"providerParameters":{"aws":{"classicLoadBalancer":{"connectionIdleTimeout":null}}}}}}}'

You must specify the scope field when you change the connection timeout value unless the current scope is already set. Once the scope field is set, you do not need to specify it again when you restore the default timeout value.
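The route timeout and the CLB idle timeout above interact: a route whose haproxy.router.openshift.io/timeout annotation is longer than the CLB connectionIdleTimeout is cut off by the load balancer first. The following Python script is an added example, not part of the OKD documentation: it reads objects shaped like the JSON from oc get routes -A -o json and oc get ingresscontroller/default -o json (constructed samples are embedded) and reports every route whose annotation exceeds the CLB idle timeout. It assumes that an unset aws.type means Classic and falls back to the 60-second AWS default when connectionIdleTimeout is unset.

```python
import re  # added example; not OKD code

TIMEOUT_KEY = "haproxy.router.openshift.io/timeout"
CLB_DEFAULT_IDLE = "60s"  # AWS CLB default idle timeout cited on the page
# Units accepted by the route timeout annotation, expressed in microseconds.
UNIT_US = {"us": 1, "ms": 10**3, "s": 10**6, "m": 60 * 10**6, "h": 3600 * 10**6, "d": 86400 * 10**6}
DURATION_RE = re.compile(r"^(\d+)(us|ms|s|m|h|d)$")

def parse_duration_us(value):
    """Convert a timeout such as '2s' or '5m' to microseconds; reject anything else."""
    match = DURATION_RE.match(value.strip())
    if not match:
        raise ValueError(f"unsupported timeout value: {value!r}")
    return int(match.group(1)) * UNIT_US[match.group(2)]

def clb_idle_timeout(ingresscontroller):
    """Return the CLB connectionIdleTimeout (AWS default when unset), or None for an NLB."""
    aws = (ingresscontroller.get("spec", {}).get("endpointPublishingStrategy", {})
           .get("loadBalancer", {}).get("providerParameters", {}).get("aws", {}))
    if aws.get("type", "Classic") != "Classic":  # assumption: an unset aws.type means Classic
        return None
    return aws.get("classicLoadBalancer", {}).get("connectionIdleTimeout") or CLB_DEFAULT_IDLE

def routes_exceeding_clb_timeout(routes, ingresscontroller):
    """List (namespace/name, route timeout, CLB timeout) for routes the CLB would cut off first."""
    clb = clb_idle_timeout(ingresscontroller)
    if clb is None:
        return []
    clb_us, offenders = parse_duration_us(clb), []
    for route in routes["items"]:
        meta = route["metadata"]
        timeout = meta.get("annotations", {}).get(TIMEOUT_KEY)  # unset: router default applies
        if timeout is not None and parse_duration_us(timeout) > clb_us:
            offenders.append((f"{meta['namespace']}/{meta['name']}", timeout, clb))
    return offenders

# Constructed sample data, shaped like the JSON from `oc get routes -A -o json` and
# `oc -n openshift-ingress-operator get ingresscontroller/default -o json`.
SAMPLE_ROUTES = {"items": [
    {"metadata": {"namespace": "app", "name": "myroute", "annotations": {TIMEOUT_KEY: "2s"}}},
    {"metadata": {"namespace": "app", "name": "slow-report", "annotations": {TIMEOUT_KEY: "10m"}}},
    {"metadata": {"namespace": "app", "name": "no-annotation"}}]}
SAMPLE_CONTROLLER = {"spec": {"endpointPublishingStrategy": {"loadBalancer": {"providerParameters": {
    "aws": {"type": "Classic", "classicLoadBalancer": {"connectionIdleTimeout": "5m"}}}}}}}

if __name__ == "__main__":
    for name, route_timeout, clb_timeout in routes_exceeding_clb_timeout(SAMPLE_ROUTES, SAMPLE_CONTROLLER):
        print(f"{name}: route timeout {route_timeout} exceeds CLB idle timeout {clb_timeout}")
```

With the embedded sample, only app/slow-report is reported, because its 10m timeout is longer than the 5m CLB idle timeout.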

Configuring ingress cluster traffic on AWS using a Network Load Balancer

OKD provides methods for communicating from outside the cluster with services that run in the cluster. One such method uses a Network Load Balancer (NLB). You can configure an NLB on a new or existing AWS cluster.

Replacing Ingress Controller Classic Load Balancer with Network Load Balancer

You can replace an Ingress Controller that is using a Classic Load Balancer (CLB) with one that uses a Network Load Balancer (NLB) on AWS.

This procedure causes an expected outage that can last several minutes due to new DNS records propagation, new load balancers provisioning, and other factors. IP addresses and canonical names of the Ingress Controller load balancer might change after applying this procedure.

Procedure

  1. Create a file with a new default Ingress Controller. The following example assumes that your default Ingress Controller has an External scope and no other customizations:

    Example ingresscontroller.yml file

       apiVersion: operator.openshift.io/v1
       kind: IngressController
       metadata:
         creationTimestamp: null
         name: default
         namespace: openshift-ingress-operator
       spec:
         endpointPublishingStrategy:
           loadBalancer:
             scope: External
             providerParameters:
               type: AWS
               aws:
                 type: NLB
           type: LoadBalancerService

    If your default Ingress Controller has other customizations, ensure that you modify the file accordingly.

  2. Force replace the Ingress Controller YAML file:

       $ oc replace --force --wait -f ingresscontroller.yml

     Wait until the Ingress Controller is replaced. Expect an outage of several minutes.
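Step 1 assumes a default Ingress Controller with no customizations. The following Python script is an added example, not OKD code, that generalizes it: it takes the live object as returned by oc get ingresscontroller/default -o json (a constructed sample is embedded), strips the status and the server-owned metadata fields, keeps every other customization such as replicas and scope, and switches only the AWS load balancer type to NLB. It assumes that an unset scope means External, as the page's example does; oc replace -f also accepts the JSON it prints.

```python
import copy  # added example; not OKD code
import json

# metadata fields the API server owns; a replacement manifest must not carry them
SERVER_SET_METADATA = ("resourceVersion", "uid", "generation", "managedFields", "creationTimestamp")

def nlb_replacement_manifest(current):
    """Derive the replacement IngressController from the live object: keep every
    customization (replicas, scope, node placement, ...) and only switch the AWS
    load balancer type from Classic to NLB. The input object is left untouched."""
    manifest = copy.deepcopy(current)
    manifest.pop("status", None)
    for key in SERVER_SET_METADATA:
        manifest.get("metadata", {}).pop(key, None)
    strategy = manifest.setdefault("spec", {}).setdefault("endpointPublishingStrategy", {})
    if strategy.setdefault("type", "LoadBalancerService") != "LoadBalancerService":
        raise ValueError(f"cannot swap load balancer type for strategy {strategy['type']!r}")
    lb = strategy.setdefault("loadBalancer", {})
    lb.setdefault("scope", "External")  # assumption, as on the page: unset scope means External
    provider = lb.setdefault("providerParameters", {})
    provider["type"] = "AWS"
    aws = provider.setdefault("aws", {})
    aws["type"] = "NLB"
    aws.pop("classicLoadBalancer", None)  # CLB-only settings such as connectionIdleTimeout no longer apply
    return manifest

# Constructed sample: a default controller on a CLB with a 5m idle timeout, a replica
# count and an Internal scope, plus the server-populated fields `oc get -o json` returns.
SAMPLE_CURRENT = {
    "apiVersion": "operator.openshift.io/v1", "kind": "IngressController",
    "metadata": {"name": "default", "namespace": "openshift-ingress-operator",
                 "resourceVersion": "12345", "uid": "00000000-0000-0000-0000-000000000000"},
    "spec": {"replicas": 3, "endpointPublishingStrategy": {"type": "LoadBalancerService",
             "loadBalancer": {"scope": "Internal", "providerParameters": {"type": "AWS", "aws": {
                 "type": "Classic", "classicLoadBalancer": {"connectionIdleTimeout": "5m"}}}}}},
    "status": {"availableReplicas": 3}}

if __name__ == "__main__":
    # redirect to ingresscontroller.json and apply with: oc replace --force --wait -f ingresscontroller.json
    print(json.dumps(nlb_replacement_manifest(SAMPLE_CURRENT), indent=2))
```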

Configuring an Ingress Controller Network Load Balancer on an existing AWS cluster

You can create an Ingress Controller backed by an AWS Network Load Balancer (NLB) on an existing cluster.

Prerequisites

  • You must have an installed AWS cluster.

  • PlatformStatus of the infrastructure resource must be AWS.

    • To verify that the PlatformStatus is AWS, run:

        $ oc get infrastructure/cluster -o jsonpath='{.status.platformStatus.type}'

      Example output

        AWS

Procedure

Create an Ingress Controller backed by an AWS NLB on an existing cluster.

  1. Create the Ingress Controller manifest:

       $ cat ingresscontroller-aws-nlb.yaml

     Example output

       apiVersion: operator.openshift.io/v1
       kind: IngressController
       metadata:
         name: $my_ingress_controller (1)
         namespace: openshift-ingress-operator
       spec:
         domain: $my_unique_ingress_domain (2)
         endpointPublishingStrategy:
           type: LoadBalancerService
           loadBalancer:
             scope: External (3)
             providerParameters:
               type: AWS
               aws:
                 type: NLB

     (1) Replace $my_ingress_controller with a unique name for the Ingress Controller.
     (2) Replace $my_unique_ingress_domain with a domain name that is unique among all Ingress Controllers in the cluster.
     (3) You can replace External with Internal to use an internal NLB.

  2. Create the resource in the cluster:

       $ oc create -f ingresscontroller-aws-nlb.yaml

Before you can configure an Ingress Controller NLB on a new AWS cluster, you must complete the Creating the installation configuration file procedure.

Configuring an Ingress Controller Network Load Balancer on a new AWS cluster

You can create an Ingress Controller backed by an AWS Network Load Balancer (NLB) on a new cluster.

Prerequisites

  • Create the install-config.yaml file and complete any modifications to it.

Procedure

Create an Ingress Controller backed by an AWS NLB on a new cluster.

  1. Change to the directory that contains the installation program and create the manifests:

       $ ./openshift-install create manifests --dir <installation_directory> (1)

     (1) For <installation_directory>, specify the name of the directory that contains the install-config.yaml file for your cluster.

  2. Create a file that is named cluster-ingress-default-ingresscontroller.yaml in the <installation_directory>/manifests/ directory:

       $ touch <installation_directory>/manifests/cluster-ingress-default-ingresscontroller.yaml (1)

     (1) For <installation_directory>, specify the directory name that contains the manifests/ directory for your cluster.

     After creating the file, several network configuration files are in the manifests/ directory, as shown:

       $ ls <installation_directory>/manifests/cluster-ingress-default-ingresscontroller.yaml

     Example output

       cluster-ingress-default-ingresscontroller.yaml

  3. Open the cluster-ingress-default-ingresscontroller.yaml file in an editor and enter a custom resource (CR) that describes the Operator configuration you want:

       apiVersion: operator.openshift.io/v1
       kind: IngressController
       metadata:
         creationTimestamp: null
         name: default
         namespace: openshift-ingress-operator
       spec:
         endpointPublishingStrategy:
           loadBalancer:
             scope: External
             providerParameters:
               type: AWS
               aws:
                 type: NLB
           type: LoadBalancerService
  4. Save the cluster-ingress-default-ingresscontroller.yaml file and quit the text editor.

  5. Optional: Back up the manifests/cluster-ingress-default-ingresscontroller.yaml file. The installation program deletes the manifests/ directory when creating the cluster.

Additional resources