add docs for NLB TLS termination #2680
Conversation
Hi @geoffcline. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with `/ok-to-test`. Once the patch is verified, the new status will be reflected by the `ok-to-test` label. I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Codecov Report

```
@@           Coverage Diff           @@
##             main    #2680   +/-   ##
=======================================
  Coverage   53.99%   53.99%
=======================================
  Files         144      144
  Lines        8214     8214
=======================================
  Hits         4435     4435
  Misses       3461     3461
  Partials      318      318
```

Continue to review full report at Codecov.
@M00nF1sh can I get a review for this addition to the docs?

/ok-to-test
For `fig.jpg`, the "Source IP Address is Maintained" note is not always true. It depends on the target group attributes from the PoV of the NLB, and the `spec.externalTrafficPolicy` for the pod in case of instance target.

Context (lines of the docs file under review): the Service manifest ends with `type: LoadBalancer` and its closing code fence, and is followed by the `!!! warning` admonition.
TLS configuration should not cause duplicate NLB resources. Did you encounter any issues modifying existing service resources?
Yes. I tried adding TLS termination to an existing NLB. It didn't show the cert in the NLB console until I deleted the NLB, and the controller recreated it.
Context (command output quoted in the docs file under review):

```
NAME    TYPE           CLUSTER-IP      EXTERNAL-IP                                                                      PORT(S)         AGE
envoy   LoadBalancer   10.100.24.154   a7ea2bbde8a164036a7e4c1ed5700cdf-154fb911d990bb1f.elb.us-east-2.amazonaws.com   443:31606/TCP   40d
```
By default, an NLB provisioned by this controller has the name format `k8s-<namespace>-<name>-<hash>`. Looking at the name it appears to be provisioned by kcm. Let's provide an example from a service provisioned by this controller to avoid confusion.
Excellent point, thank you.

Do you think I should remove this from the figure, or just mention these requirements?

Revised, thanks again @kishorj!!

I did testing. This time updating the annotations worked. I think I misunderstood what annotations can/can't be updated after creation. I revised and this should be good to go @kishorj :)
I have some minor comments, looks good otherwise.
Squashed, rebased, reworded, and revised.

Context (docs text under review):

> The NLB decrypts the request, and transmits it on to your cluster on port 80. It follows the standard request routing configured within the cluster. Notably, the request received within the cluster includes the actual origin IP address of the external client.
>
> Alternate ports may be configured. End-to-end encryption technically requires the segment between the NLB and cluster pods be encrypted also. A follow-up post will describe the NLB originating TLS based on a cluster certificate.
You can configure backend encryption via the annotation `service.beta.kubernetes.io/aws-load-balancer-backend-protocol`.

Let's also not mention a follow-up post. We can add the new live doc page once we have it.
good point, I revised.
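The two caveats raised in this review (the NLB-to-pod hop stays in cleartext after TLS termination unless the backend protocol is TLS, and pods only see the client's real source IP when the target group attribute and, for instance targets, `spec.externalTrafficPolicy` allow it) can be checked mechanically before a Service is applied. The lint below is an added example written for this discussion; it is not code from the PR, the docs page or the controller project. The annotation keys are the controller's documented ones; the three Service manifests are constructed samples with a placeholder ACM certificate ARN, and the statement that `ip` targets do not see the client IP unless `preserve_client_ip.enabled=true` is set is an assumption to verify against the NLB target-group attribute defaults for your account.

```python
# Added example (not the PR's or the controller's code): lint a Service of type
# LoadBalancer for the NLB TLS-termination caveats raised in this review.
PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"
CONTROLLER_LB_TYPES = {"external", "nlb-ip"}   # values that hand the Service to the controller
CONTROLLER_LB_CLASS = "service.k8s.aws/nlb"    # loadBalancerClass alternative


def parse_tg_attributes(value):
    """Parse the 'k1=v1,k2=v2' value of the target-group-attributes annotation."""
    attrs = {}
    for item in value.split(","):
        key, sep, val = item.strip().partition("=")
        if sep:
            attrs[key.strip()] = val.strip()
    return attrs


def lint_service(svc):
    """Return (code, message) findings for a Service manifest given as a dict."""
    findings = []
    ann = svc.get("metadata", {}).get("annotations") or {}
    spec = svc.get("spec") or {}
    if spec.get("type") != "LoadBalancer":
        return [("NOT_LB", "not a Service of type LoadBalancer; nothing to check")]

    # Without the type annotation (or loadBalancerClass) the in-tree cloud provider,
    # not this controller, provisions the NLB (the kcm naming case noted above).
    lb_type = ann.get(PREFIX + "type", "").lower()
    if lb_type not in CONTROLLER_LB_TYPES and spec.get("loadBalancerClass") != CONTROLLER_LB_CLASS:
        findings.append(("IN_TREE_PROVISIONER",
                         "set %stype: external (or loadBalancerClass %s); otherwise the in-tree "
                         "cloud provider provisions this NLB" % (PREFIX, CONTROLLER_LB_CLASS)))

    ssl_cert = ann.get(PREFIX + "ssl-cert")
    backend = ann.get(PREFIX + "backend-protocol", "tcp").lower()
    # nlb-ip is the legacy spelling of "external + ip targets".
    target_type = ann.get(PREFIX + "nlb-target-type", "ip" if lb_type == "nlb-ip" else "instance").lower()
    tg_attrs = parse_tg_attributes(ann.get(PREFIX + "target-group-attributes", ""))
    preserve = tg_attrs.get("preserve_client_ip.enabled")
    policy = spec.get("externalTrafficPolicy", "Cluster")

    # Caveat 1: terminating TLS on the NLB leaves the NLB -> pod segment in cleartext
    # unless the NLB re-originates TLS to the targets (backend-protocol: ssl).
    if ssl_cert and backend != "ssl":
        findings.append(("PLAINTEXT_BACKEND",
                         "ssl-cert terminates TLS at the NLB but backend-protocol is %r: the NLB -> pod "
                         "hop is cleartext; set backend-protocol: ssl and serve TLS in the pods" % backend))

    # Caveat 2: the client IP reaches the pod only if the target group preserves it
    # and, for instance targets, kube-proxy does not SNAT across nodes.
    if preserve == "false":
        findings.append(("NLB_IP_SEEN",
                         "preserve_client_ip.enabled=false: pods see the NLB's private IP, not the client"))
    elif target_type == "instance" and policy != "Local":
        findings.append(("NODE_SNAT",
                         "instance targets with externalTrafficPolicy=%s: kube-proxy SNATs to a node IP; "
                         "set externalTrafficPolicy: Local to keep the client IP" % policy))
    elif target_type == "ip" and preserve != "true":
        # Assumption: for TCP/TLS target groups with ip targets, client IP preservation
        # is off unless explicitly enabled; verify against the NLB attribute defaults.
        findings.append(("PRESERVE_NOT_SET",
                         "ip targets without preserve_client_ip.enabled=true: pods may see the NLB's "
                         "private IP; add target-group-attributes: preserve_client_ip.enabled=true"))
    return findings


# Constructed sample manifests (not from the PR); the certificate ARN is a placeholder.
_CERT = "arn:aws:acm:us-east-2:111122223333:certificate/00000000-0000-0000-0000-000000000000"

SERVICE_TERMINATE_ONLY = {  # TLS ends at the NLB, plaintext to port 80, instance targets
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "envoy", "annotations": {
        PREFIX + "type": "external", PREFIX + "nlb-target-type": "instance",
        PREFIX + "scheme": "internet-facing", PREFIX + "ssl-cert": _CERT, PREFIX + "ssl-ports": "443"}},
    "spec": {"type": "LoadBalancer",
             "ports": [{"name": "https", "port": 443, "targetPort": 80, "protocol": "TCP"}]},
}

SERVICE_END_TO_END = {  # NLB re-originates TLS to pods, ip targets, client IP preserved
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "envoy", "annotations": {
        PREFIX + "type": "external", PREFIX + "nlb-target-type": "ip",
        PREFIX + "scheme": "internet-facing", PREFIX + "ssl-cert": _CERT, PREFIX + "ssl-ports": "443",
        PREFIX + "backend-protocol": "ssl",
        PREFIX + "target-group-attributes": "preserve_client_ip.enabled=true"}},
    "spec": {"type": "LoadBalancer",
             "ports": [{"name": "https", "port": 443, "targetPort": 8443, "protocol": "TCP"}]},
}

SERVICE_IN_TREE = {  # no type annotation: the in-tree cloud provider would own this NLB
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "envoy", "annotations": {}},
    "spec": {"type": "LoadBalancer", "externalTrafficPolicy": "Local",
             "ports": [{"name": "http", "port": 80, "targetPort": 80, "protocol": "TCP"}]},
}

if __name__ == "__main__":
    for label, svc in [("terminate-only", SERVICE_TERMINATE_ONLY),
                       ("end-to-end", SERVICE_END_TO_END), ("in-tree", SERVICE_IN_TREE)]:
        print(label, lint_service(svc) or "OK")
```

The manifests are plain dicts so the example runs without a YAML library; on a real cluster, feed it `kubectl get svc <name> -o json`. The `NODE_SNAT` check is the `spec.externalTrafficPolicy` dependency from the `fig.jpg` comment, and `PLAINTEXT_BACKEND` is the backend-protocol point: a Service that passes both still needs pods that actually serve TLS on the target port.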
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: geoffcline, kishorj The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing `/approve`.
* add use case documentation for NLB TLS termination
* fixup

Issue
none.

Description
add docs for NLB TLS termination

Checklist
- Documentation added/modified as required (such as `README.md`, or the `docs` directory)

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯