Installation guide (kubernetes-sigs#1509)

* installation guide

* controller configuration options

* subnet auto-discovery

* update configuration guide

* Add documentation from the v1 release

* reformat installation guide

* reword IAM permissions section

Author: kishorj

CONTRIBUTING.md

@@ -11,7 +11,7 @@ We also have more documentation on how to get started contributing here:
 
 - [Contributor License Agreement](https://git.k8s.io/community/CLA.md) Kubernetes projects require that you sign a Contributor License Agreement (CLA) before we can accept your pull requests
 - [Kubernetes Contributor Guide](http://git.k8s.io/community/contributors/guide) - Main contributor documentation, or you can just jump directly to the [contributing section](http://git.k8s.io/community/contributors/guide#contributing)
-- [Contributor Cheat Sheet](https://github.com/kubernetes/community/blob/master/contributors/guide/contributor-cheatsheet/README.md) - Common resources for existing developers
+- [Contributor Cheat Sheet](https://git.k8s.io/community/contributors/guide/contributor-cheatsheet.md) - Common resources for existing developers
 
 ## Mentorship
 

docs/assets/images/controller-design.png

@@ -14,8 +14,8 @@ rules:
 - apiGroups: [""]
   resources: ["pods"]
   verbs: ["get","watch","list"]
-- apiGroups: ["extensions"] 
-  resources: ["ingresses"] 
+- apiGroups: ["extensions"]
+  resources: ["ingresses"]
   verbs: ["get","watch","list"]
 - apiGroups: [""]
   resources: ["nodes"]

docs/assets/images/subnet-tags.png

@@ -1 +1,93 @@
-TODO: describes the controller configurations, i.e. the controller flags
+# AWS Load Balancer controller configuration options
+This document covers configuration of the AWS Load Balancer controller
+
+## AWS API Access
+To perform operations, the controller must have required IAM role capabilities for accessing and
+provisioning ALB resources. There are many ways to achieve this, such as loading `AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY` as environment variables or using [kube2iam](https://github.com/jtblin/kube2iam).
+
+Refer to the [installation guide](installation.md) for installing the controller in your kubernetes cluster and for the minimum required IAM permissions.
+
+## Setting Ingress Resource Scope
+You can limit the ingresses ALB ingress controller controls by combining following two approaches:
+
+### Limiting ingress class
+Setting the `--ingress-class` argument constrains the controller's scope to ingresses with matching `kubernetes.io/ingress.class` annotation.
+This is especially helpful when running multiple ingress controllers in the same cluster. See [Using Multiple Ingress Controllers](https://github.com/nginxinc/kubernetes-ingress/tree/master/examples/multiple-ingress-controllers#using-multiple-ingress-controllers) for more details.
+
+An example of the container spec portion of the controller, only listening for resources with the class "alb", would be as follows.
+
+```yaml
+spec:
+  containers:
+  - args:
+    - --ingress-class=alb
+```
+
+Now, only ingress resources with the appropriate annotation are picked up, as seen below.
+
+```yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: echoserver
+  namespace: echoserver
+  annotations:
+    kubernetes.io/ingress.class: "alb"
+spec:
+    ...
+```
+
+If the ingress class is not specified, the controller will reconcile Ingress objects without the ingress class specified or ingress class `alb`.
+
+### Limiting Namespaces
+Setting the `--watch-namespace` argument constrains the controller's scope to a single namespace. Ingress events outside of the namespace specified are not be seen by the controller.
+
+An example of the container spec, for a controller watching only the `default` namespace, is as follows.
+
+```yaml
+spec:
+  containers:
+  - args:
+    - --watch-namespace=default
+```
+
+> Currently, you can set only 1 namespace to watch in this flag. See [this Kubernetes issue](https://github.com/kubernetes/contrib/issues/847) for more details.
+
+## Controller command line flags
+
+!!!warning ""
+    The --cluster-name flag is mandatory and the value must match the name of the kubernetes cluster. If you specify an incorrect name, the subnet auto-discovery will not work.
+
+|Flag                                   | Type                            | Default         | Description |
+|---------------------------------------|---------------------------------|-----------------|-------------|
+|aws-api-throttle                       | AWS Throttle Config             | [default value](#Default throttle config ) | throttle settings for AWS APIs, format: serviceID1:operationRegex1=rate:burst,serviceID2:operationRegex2=rate:burst |
+|aws-max-retries                        | int                             | 10              | Maximum retries for AWS APIs |
+|aws-region                             | string                          | [instance metadata](#Instance metadata)    | AWS Region for the kubernetes cluster |
+|aws-vpc-id                             | string                          | [instance metadata](#Instance metadata)    | AWS VPC ID for the Kubernetes cluster |
+|cluster-name                           | string                          |                 | Kubernetes cluster name|
+|enable-leader-election                 | boolean                         | true            | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. |
+|enable-pod-readiness-gate-inject       | boolean                         | true            | If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods. |
+|enable-shield                          | boolean                         | true            | Enable Shield addon for ALB |
+|enable-waf                             | boolean                         | true            | Enable WAF addon for ALB |
+|enable-wafv2                           | boolean                         | true            | Enable WAF V2 addon for ALB |
+|ingress-class                          | string                          |                 | Name of the ingress class this controller satisfies |
+|ingress-max-concurrent-reconciles      | int                             | 3               | Maximum number of concurrently running reconcile loops for ingress |
+|kubeconfig                             | string                          | in-cluster config | Path to the kubeconfig file containing authorization and API server information |
+|leader-election-id                     | string                          | aws-load-balancer-controller-leader | Name of the leader election ID to use for this controller |
+|leader-election-namespace              | string                          |                 | Name of the leader election ID to use for this controller |
+|log-level                              | string                          | info            | Set the controller log level - info, debug |
+|metrics-bind-addr                      | string                          | :8080           | The address the metric endpoint binds to |
+|service-max-concurrent-reconciles      | int                             | 3               | Maximum number of concurrently running reconcile loops for service |
+|sync-period                            | duration                        | 1h0m0s          | Period at which the controller forces the repopulation of its local object stores|
+|targetgroupbinding-max-concurrent-reconciles | int                       | 3               | Maximum number of concurrently running reconcile loops for targetGroupBinding |
+|watch-namespace                        | string                          |                 | Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched. |
+|webhook-bind-port                      | int                             | 9443            | The TCP port the Webhook server binds to |
+
+
+### Default throttle config
+```
+WAF Regional:^AssociateWebACL|DisassociateWebACL=0.5:1,WAF Regional:^GetWebACLForResource|ListResourcesForWebACL=1:1,WAFV2:^AssociateWebACL|DisassociateWebACL=0.5:1,WAFV2:^GetWebACLForResource|ListResourcesForWebACL=1:1
+```
+
+### Instance metadata
+If running on EC2, the default values are obtained from the instance metadata service.

docs/examples/external-dns.yaml

@@ -1,10 +1,10 @@
-# How ALB ingress controller works
+# How AWS Load Balancer controller works
 
 ## Design
 
 The following diagram details the AWS components this controller creates. It also demonstrates the route ingress traffic takes from the ALB to the Kubernetes cluster.
 
-![controller-design](../../imgs/controller-design.png)
+![controller-design](../../assets/images/controller-design.png)
 
 ### Ingress Creation
 
@@ -32,7 +32,7 @@ Along with the above, the controller also...
   recover if the controller were to be restarted.
 
 ### Ingress Traffic
-ALB Ingress controller supports two traffic modes:
+AWS Load Balancer controller supports two traffic modes:
 * Instance mode
 * IP mode
 

docs/guide/controller/configurations.md

@@ -1 +1,69 @@
-TODO: describes how to install the controller.
+# AWS Load Balancer Controller Installation guide
+
+## Via Helm
+Follow the instructions in [aws-load-balancer-controller](https://github.com/aws/eks-charts/tree/master/stable/aws-load-balancer-controller) helm chart.
+
+## Via Yaml manifests
+
+### Migrating from AWS ALB Ingress controller
+If AWS ALB Ingress controller is installed, refer to [migrating from v1 to v2](../upgrade/migrate_v1_v2.md)
+
+!!!warning ""
+    AWS ALB Ingress controller must be uninstalled before installing AWS Load Balancer controller.
+
+!!! Note
+    Existing Ingress resources do not need to be deleted for migration.
+
+### IAM permissions
+The controller runs on the worker nodes, so it needs access to the AWS ALB/NLB resources via IAM permissions. The
+ IAM permissions can either be setup via IAM roles for ServiceAccount or can be attached directly to the worker node IAM roles.
+
+#### Setup IAM for ServiceAccount
+1. Create IAM OIDC provider
+    ```
+    eksctl utils associate-iam-oidc-provider \
+        --region <region-code> \
+        --cluster <your-cluster-name> \
+        --approve
+    ```
+1. Download IAM policy for the AWS Load Balancer Controller
+    ```
+    curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v2_ga/docs/install/iam_policy.json
+    ```
+1. Create an IAM policy called AWSLoadBalancerControllerIAMPolicy
+    ```
+    aws iam create-policy \
+        --policy-name AWSLoadBalancerControllerIAMPolicy \
+        --policy-document file://iam-policy.json
+    ```
+    Take note of the policy ARN that is returned
+
+1. Create a IAM role and ServiceAccount for the Load Balancer controller, use the ARN from the step above
+    ```
+    eksctl create iamserviceaccount \
+    --cluster=<cluster-name> \
+    --namespace=kube-system \
+    --name=aws-load-balancer-controller \
+    --attach-policy-arn=arn:aws:iam::<AWS_ACCOUNT_ID>:policy/AWSLoadBalancerControllerIAMPolicy \
+    --approve
+    ```
+#### Setup IAM manually
+If not setting up IAM for ServiceAccount, apply the IAM policies from the following URL at minimum.
+```
+https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v2_ga/docs/install/iam_policy.json
+```
+
+#### Upgrading from ALB ingress controller
+If migrating from ALB ingress controller, grant [additional IAM permissions](../../install/iam_policy_v1_to_v2_additional.json).
+
+### Install cert-manager
+- For Kubernetes 1.16+: `kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.2/cert-manager.yaml`
+- For Kubernetes <1.16: `kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.2/cert-manager-legacy.yaml`
+
+### Download and apply the yaml spec
+- curl -o https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v2_ga/config/samples/install_v2_0_0.yaml
+- Edit the saved yaml file, go to the Deployment spec, and set the controller --cluster-name arg value to your EKS cluster name
+- Apply the yaml file kubectl apply -f install_v2_0_0.yaml
+
+!!!note ""
+    If you use iamserviceaccount, it is recommended that you delete the ServiceAccount from the yaml spec. Doing so will preserve the eksctl created iamserviceaccount if you delete the installation.

docs/guide/controller/how-it-works.md

@@ -1 +1,30 @@
-TODO: describes how to do subnet auto discovery.
+# Subnet Auto Discovery
+AWS Load Balancer controller auto discovers network subnets for ALB or NLB by default. ALB requires at least two subnets across Availability Zones, NLB requires one subnet.
+The subnets must be tagged appropriately for the auto discovery to work. The controller chooses one subnet from each Availability Zone. In case of multiple tagged subnets in
+an Availability Zone, the controller will choose the first one in lexicographical order by the Subnet IDs. If you use `eksctl` or an Amazon EKS AWS CloudFormation template to
+ create your VPC after March 26, 2020, then the subnets are tagged appropriately when they're created. For more information about the Amazon EKS AWS CloudFormation VPC templates,
+ see [Creating a VPC for your Amazon EKS cluster](https://docs.aws.amazon.com/eks/latest/userguide/create-public-private-vpc.html).
+
+## Public subnets
+Public subnets are used for internet-facing load balancers. These subnets must have the following tags:
+
+| Key                                     | Value                 |
+| --------------------------------------- | --------------------- |
+| `kubernetes.io/role/elb`                | `1`  or ``            |
+
+## Private subnets
+Private subnets are used for internal load balancers. These subnets must have the following tags:
+
+| Key                                     | Value                 |
+| --------------------------------------- | --------------------- |
+|  `kubernetes.io/role/internal-elb`      |  `1`  or ``           |
+
+
+## Common tag
+Both the public and private subnets must be tagged with the cluster name as follows:
+
+| Key                                     | Value                 |
+| --------------------------------------- | --------------------- |
+| `kubernetes.io/cluster/${cluster-name}` | `owned` or `shared`   |
+
+ `${cluster-name}` is the name of the kubernetes cluster

docs/guide/controller/installation.md

@@ -1,5 +1,5 @@
 # Ingress specification
-This document covers how ingress resources work in relation to The ALB Ingress Controller.
+This document covers how ingress resources work in relation to The AWS Load Balancer Controller.
 
 An example ingress, from [example](../../examples/2048/2048-ingress.yaml) is as follows.
 
@@ -24,8 +24,8 @@ spec:
               servicePort: 80
 ```
 
-The host field specifies the eventual Route 53-managed domain that will route to this service. 
+The host field specifies the eventual Route 53-managed domain that will route to this service.
 
 The service, service-2048, must be of type NodePort in order for the provisioned ALB to route to it.(see [echoserver-service.yaml](../../examples/echoservice/echoserver-service.yaml))
 
-For details on purpose of annotations seen above, see [Annotations](annotation.md).
+For details on purpose of annotations seen above, see [Annotations](annotations.md).

docs/guide/controller/subnet_discovery.md

@@ -1 +1,67 @@
-TODO:
+# Setup External DNS
+[external-dns](https://github.com/kubernetes-incubator/external-dns) provisions DNS records based on the host information. This project will setup and manage records in Route 53 that point to controller deployed ALBs.
+
+## Prerequisites
+### Role Permissions
+Adequate roles and policies must be configured in AWS and available to the node(s) running the external-dns. See https://github.com/kubernetes-incubator/external-dns/blob/master/docs/tutorials/aws.md#iam-permissions.
+
+## Installation
+1. Download sample `external-dns` manifest
+
+    ```bash
+    wget https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.0.0/docs/examples/external-dns.yaml
+    ```
+
+2. Edit the `--domain-filter` flag to include your hosted zone(s)
+
+    The following example is for a hosted zone `test-dns.com`:
+
+    ```yaml
+    args:
+    - --source=service
+    - --source=ingress
+    - --domain-filter=test-dns.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
+    - --provider=aws
+    - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
+    - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
+    - --registry=txt
+    - --txt-owner-id=my-identifier
+    ```
+
+3. Deploy external-dns
+
+    ```bash
+    kubectl apply -f external-dns.yaml
+    ```
+
+4. Verify it deployed successfully.
+
+    ```bash
+    kubectl logs -f $(kubectl get po | egrep -o 'external-dns[A-Za-z0-9-]+')
+    ```
+
+    Should display output similar to the following:
+    ```
+    time="2019-12-11T10:26:05Z" level=info msg="config: {Master: KubeConfig: RequestTimeout:30s IstioIngressGateway:istio-system/istio-ingressgateway Sources:[service ingress] Namespace: AnnotationFilter: FQDNTemplate: CombineFQDNAndAnnotation:false Compatibility: PublishInternal:false PublishHostIP:false ConnectorSourceServer:localhost:8080 Provider:aws GoogleProject: DomainFilter:[test-dns.com] ZoneIDFilter:[] AlibabaCloudConfigFile:/etc/kubernetes/alibaba-cloud.json AlibabaCloudZoneType: AWSZoneType:public AWSAssumeRole: AWSBatchChangeSize:4000 AWSBatchChangeInterval:1s AWSEvaluateTargetHealth:true AzureConfigFile:/etc/kubernetes/azure.json AzureResourceGroup: CloudflareProxied:false InfobloxGridHost: InfobloxWapiPort:443 InfobloxWapiUsername:admin InfobloxWapiPassword: InfobloxWapiVersion:2.3.1 InfobloxSSLVerify:true DynCustomerName: DynUsername: DynPassword: DynMinTTLSeconds:0 OCIConfigFile:/etc/kubernetes/oci.yaml InMemoryZones:[] PDNSServer:http://localhost:8081 PDNSAPIKey: PDNSTLSEnabled:false TLSCA: TLSClientCert: TLSClientCertKey: Policy:upsert-only Registry:txt TXTOwnerID:my-identifier TXTPrefix: Interval:1m0s Once:false DryRun:false LogFormat:text MetricsAddress::7979 LogLevel:info TXTCacheInterval:0s ExoscaleEndpoint:https://api.exoscale.ch/dns ExoscaleAPIKey: ExoscaleAPISecret: CRDSourceAPIVersion:externaldns.k8s.io/v1alpha CRDSourceKind:DNSEndpoint ServiceTypeFilter:[] RFC2136Host: RFC2136Port:0 RFC2136Zone: RFC2136Insecure:false RFC2136TSIGKeyName: RFC2136TSIGSecret: RFC2136TSIGSecretAlg: RFC2136TAXFR:false}"
+    time="2019-12-11T10:26:05Z" level=info msg="Created Kubernetes client https://10.100.0.1:443"
+    ```
+
+## Usage
+1. To create a record set in the subdomain, from your ingress which has been created by the ingress-controller, simply add the following annotation in the ingress object specification and apply the manifest:
+
+    ```yaml
+    annotations:
+      kubernetes.io/ingress.class: alb
+      alb.ingress.kubernetes.io/scheme: internet-facing
+
+      # for creating record-set
+      external-dns.alpha.kubernetes.io/hostname: my-app.test-dns.com # give your domain name here
+    ```
+
+2. Similar entries should appear in the ExternalDNS pod log:
+
+    ```
+    time="2019-12-11T10:26:08Z" level=info msg="Desired change: CREATE my-app.test-dns.com A"
+    time="2019-12-11T10:26:08Z" level=info msg="Desired change: CREATE my-app.test-dns.com TXT"
+    time="2019-12-11T10:26:08Z" level=info msg="2 record(s) in zone my-app.test-dns.com. were successfully updated"
+    ```