Configuring the AWS Load Balancer Operator

To automate the provisioning of AWS Load Balancers for your applications, configure the AWS Load Balancer Operator. This setup ensures that the Operator correctly manages ingress resources and external access to your cluster.

Trusting the certificate authority of the cluster-wide proxy

You can configure the cluster-wide proxy in the AWS Load Balancer Operator. After configuring the cluster-wide proxy, Operator Lifecycle Manager (OLM) automatically updates all the deployments of the Operators with the environment variables.

Environment variables include HTTP_PROXY, HTTPS_PROXY, and NO_PROXY. These variables are populated to the managed controller by the AWS Load Balancer Operator.

Procedure

Create the config map to contain the certificate authority (CA) bundle in the aws-load-balancer-operator namespace by running the following command:
```
$ oc -n aws-load-balancer-operator create configmap trusted-ca
```
To inject the trusted CA bundle into the config map, add the config.openshift.io/inject-trusted-cabundle=true label to the config map by running the following command:
```
$ oc -n aws-load-balancer-operator label cm trusted-ca config.openshift.io/inject-trusted-cabundle=true
```

Update the AWS Load Balancer Operator subscription to access the config map in the AWS Load Balancer Operator deployment by running the following command:

$ oc -n aws-load-balancer-operator patch subscription aws-load-balancer-operator --type='merge' -p '{"spec":{"config":{"env":[{"name":"TRUSTED_CA_CONFIGMAP_NAME","value":"trusted-ca"}],"volumes":[{"name":"trusted-ca","configMap":{"name":"trusted-ca"}}],"volumeMounts":[{"name":"trusted-ca","mountPath":"/etc/pki/tls/certs/albo-tls-ca-bundle.crt","subPath":"ca-bundle.crt"}]}}}'

After the AWS Load Balancer Operator is deployed, verify that the CA bundle is added to the aws-load-balancer-operator-controller-manager deployment by running the following command:

$ oc -n aws-load-balancer-operator exec deploy/aws-load-balancer-operator-controller-manager -c manager -- bash -c "ls -l /etc/pki/tls/certs/albo-tls-ca-bundle.crt; printenv TRUSTED_CA_CONFIGMAP_NAME"

Example output

-rw-r--r--. 1 root 1000690000 5875 Jan 11 12:25 /etc/pki/tls/certs/albo-tls-ca-bundle.crt
trusted-ca

Optional: Restart deployment of the AWS Load Balancer Operator every time the config map changes by running the following command:
```
$ oc -n aws-load-balancer-operator rollout restart deployment/aws-load-balancer-operator-controller-manager
```

Additional resources

Certificate injection using Operators

Adding TLS termination on the AWS Load Balancer

To secure traffic for your domain, configure TLS termination on the AWS Load Balancer. This setup routes traffic to the pods of a service while ensuring that encrypted connections are decrypted at the load balancer level.

Prerequisites

You have access to the OpenShift CLI (oc).

Procedure

Create a YAML file that defines the AWSLoadBalancerController resource:
Example add-tls-termination-albc.yaml file
```
apiVersion: networking.olm.openshift.io/v1
kind: AWSLoadBalancerController
metadata:
  name: cluster
spec:
  subnetTagging: Auto
  ingressClass: tls-termination
# ...
```
where:

spec.ingressClass

Specifies the ingress class name. If the ingress class is not present in your cluster the AWS Load Balancer Controller creates one. The AWS Load Balancer Controller reconciles the additional ingress class values if spec.controller is set to ingress.k8s.aws/alb.
Create a YAML file that defines the Ingress resource:
Example add-tls-termination-ingress.yaml file
```
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: <example>
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx
spec:
  ingressClassName: tls-termination
  rules:
  - host: example.com
    http:
        paths:
          - path: /
            pathType: Exact
            backend:
              service:
                name: <example_service>
                port:
                  number: 80
# ...
```
where:

metadata.name

Specifies the ingress name.

annotations.alb.ingress.kubernetes.io/scheme

Specifies the controller that provisions the load balancer for ingress. The provisioning happens in a public subnet to access the load balancer over the internet.

annotations.alb.ingress.kubernetes.io/certificate-arn

Specifies the Amazon Resource Name (ARN) of the certificate that you attach to the load balancer.

spec.ingressClassName

Specifies the ingress class name.

rules.host

Specifies the domain for traffic routing.

backend.service

Specifies the service for traffic routing.

Creating multiple ingress resources through a single AWS Load Balancer

To route traffic to different services within a single domain, configure multiple ingress resources on a single AWS Load Balancer. This setup allows each resource to provide different endpoints while sharing the same load balancing infrastructure.

Prerequisites

You have access to the OpenShift CLI (oc).

Procedure

Create an IngressClassParams resource YAML file, for example, sample-single-lb-params.yaml, as follows:
```
apiVersion: elbv2.k8s.aws/v1beta1
kind: IngressClassParams
metadata:
  name: single-lb-params
spec:
  group:
    name: single-lb
```
where:

apiVersion

Specifies the API group and version of the IngressClassParams resource.

metadata.name

Specifies the IngressClassParams resource name.

spec.group.name

Specifies the IngressGroup resource name. All of the Ingress resources of this class belong to this IngressGroup.
Create the IngressClassParams resource by running the following command:
```
$ oc create -f sample-single-lb-params.yaml
```
Create the IngressClass resource YAML file, for example, sample-single-lb-class.yaml, as follows:
```
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: single-lb
spec:
  controller: ingress.k8s.aws/alb
  parameters:
    apiGroup: elbv2.k8s.aws
    kind: IngressClassParams
    name: single-lb-params
```
where:

apiVersion

Specifies the API group and version of the IngressClass resource.

metadata.name

Specifies the ingress class name.

spec.controller

Specifies the controller name. The ingress.k8s.aws/alb value denotes that all ingress resources of this class should be managed by the AWS Load Balancer Controller.

parameters.apiGroup

Specifies the API group of the IngressClassParams resource.

parameters.kind

Specifies the resource type of the IngressClassParams resource.

parameters.name

Specifies the IngressClassParams resource name.
Create the IngressClass resource by running the following command:
```
$ oc create -f sample-single-lb-class.yaml
```
Create the AWSLoadBalancerController resource YAML file, for example, sample-single-lb.yaml, as follows:
```
apiVersion: networking.olm.openshift.io/v1
kind: AWSLoadBalancerController
metadata:
  name: cluster
spec:
  subnetTagging: Auto
  ingressClass: single-lb
```
where:

spec.ingressClass

Specifies the name of the IngressClass resource.
Create the AWSLoadBalancerController resource by running the following command:
```
$ oc create -f sample-single-lb.yaml
```

Create the Ingress resource YAML file, for example, sample-multiple-ingress.yaml, as follows:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-1
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/group.order: "1"
    alb.ingress.kubernetes.io/target-type: instance
spec:
  ingressClassName: single-lb
  rules:
  - host: example.com
    http:
        paths:
        - path: /blog
          pathType: Prefix
          backend:
            service:
              name: example-1
              port:
                number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-2
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/group.order: "2"
    alb.ingress.kubernetes.io/target-type: instance
spec:
  ingressClassName: single-lb
  rules:
  - host: example.com
    http:
        paths:
        - path: /store
          pathType: Prefix
          backend:
            service:
              name: example-2
              port:
                number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-3
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/group.order: "3"
    alb.ingress.kubernetes.io/target-type: instance
spec:
  ingressClassName: single-lb
  rules:
  - host: example.com
    http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: example-3
              port:
                number: 80

where:

metadata.name: Specifies the ingress name.
alb.ingress.kubernetes.io/scheme: Specifies the load balancer to provision in the public subnet to access the internet.
alb.ingress.kubernetes.io/group.order: Specifies the order in which the rules from the multiple ingress resources are matched when the request is received at the load balancer.
alb.ingress.kubernetes.io/target-type: Specifies that the load balancer will target OpenShift Container Platform nodes to reach the service.
spec.ingressClassName: Specifies the ingress class that belongs to this ingress.
rules.host: Specifies a domain name used for request routing.
http.paths.path: Specifies the path that must route to the service.
backend.service.name: Specifies the service name that serves the endpoint configured in the Ingress resource.
port.number: Specifies the port on the service that serves the endpoint.

Create the Ingress resource by running the following command:
```
$ oc create -f sample-multiple-ingress.yaml
```

AWS Load Balancer Operator logs

To troubleshoot the AWS Load Balancer Operator, view the logs using the oc logs command. By viewing the logs, you can diagnose issues and monitor the activity of the Operator.

Procedure

View the logs of the AWS Load Balancer Operator by running the following command:

$ oc logs -n aws-load-balancer-operator deployment/aws-load-balancer-operator-controller-manager -c manager