英文:
consul-api-gateway load balancer always shows registered target un healthy in aws eks environment
问题
我正在尝试在AWS EKS集群中为Keycloak服务创建一个Consul API网关(Gateway)资源,使用HttpRoute进行配置。我以一种使API网关和Keycloak服务运行在不同的命名空间的方式进行配置。但是,当使用下面的部署YAML创建Consul API网关资源时,它会创建一个AWS负载均衡器,其中注册的目标显示为不健康。不确定是什么原因导致它始终不健康。
请注意,我只翻译了您的描述,不包括代码部分。
英文:
I am trying to create a consul-api-gateway (Gateway) resource with HttpRoute for keycloak service in aws eks cluster. I am configuring in a way that the api-gateway and keycloak service are running in different namespaces. But when consul-api-gateway resource created with below deployment yaml, it is creating aws load balancer with the registered target showing as unhealthy. Not sure what makes this as unhealthy always.
Consul-server-and-ui-deployment.yaml
---
global:
name: consul
imagePullSecrets:
- name: "***"
image: /hashicorp/consul:1.12.0
imageEnvoy: /envoyproxy/envoy:v1.22.2
imageK8S: /hashicorp/consul-k8s-control-plane:0.44.0
metrics:
enabled: true
server:
replicas: 3
bootstrapExpect: 3
extraLabels:
tags.datadoghq.com/source: consul
tags.datadoghq.com/service: consul-server
annotations: |
"tags.datadoghq.com/source": "consul"
"tags.datadoghq.com/service": "consul-server"
updatePartitions: 3
disruptionBudget:
maxUnavailable: 1
tolerations: >
-
key: "taint_for_consul_xor_vault"
operator: "Equal"
value: "true"
effect: "NoSchedule"
nodeSelector: |
'eks.amazonaws.com/capacityType': 'ON_DEMAND'
'purpose': 'consul-server'
storage: 50G
priorityClassName: high-priority
client:
enabled: true
grpc: true
exposeGossipPorts: false
priorityClassName: high-priority
resources:
requests:
memory: 1G
cpu: "1"
limits:
memory: 1G
cpu: "1"
healthChecks:
enabled: true
hostNetwork: false
extraConfig: |
{
"advertise_reconnect_timeout": "15m",
"limits": {
"http_max_conns_per_client": -1
}
}
extraLabels:
tags.datadoghq.com/source: consul
tags.datadoghq.com/service: consul-client
annotations: |
"tags.datadoghq.com/source": "consul"
"tags.datadoghq.com/service": "consul-client"
updateStrategy: |
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
ui:
enabled: true
service:
type: LoadBalancer
additionalSpec: "'ports': [{'name': 'http', 'protocol': 'TCP', 'port': 8500,
'targetPort': 8500}, {'name': 'https', 'protocol': 'TCP', 'port': 8501,
'targetPort': 8501}]"
annotations: |
'service.beta.kubernetes.io/aws-load-balancer-scheme': 'internal'
'service.beta.kubernetes.io/aws-load-balancer-type': 'nlb-ip'
controller:
enabled: true
prometheus:
enabled: true
grafana:
enabled: true
terminatingGateways:
enabled: true
priorityClassName: high-priority
defaults:
replicas: 2
apiGateway:
enabled: true
image: /hashicorp/consul-api-gateway:0.3.0
controller:
replicas: 2
priorityClassName: high-priority
connectInject:
enabled: true
priorityClassName: high-priority
transparentProxy:
defaultEnabled: true
default: false
syncCatalog:
enabled: true
priorityClassName: high-priority
default: false
toConsul: true
toK8S: false
Consul-api-gateway-deployment.yaml
apiVersion: api-gateway.consul.hashicorp.com/v1alpha1
kind: GatewayClassConfig
metadata:
name: consul-common-gateway-class-config
spec:
logLevel: 'info'
copyAnnotations:
service:
- service.beta.kubernetes.io/aws-load-balancer-scheme
- service.beta.kubernetes.io/aws-load-balancer-type
consul:
scheme: 'http'
ports:
http: 8500
grpc: 8502
serviceType: LoadBalancer
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: GatewayClass
metadata:
name: consul-common-gateway-class
spec:
controllerName: 'hashicorp.com/consul-api-gateway-controller'
parametersRef:
group: api-gateway.consul.hashicorp.com
kind: GatewayClassConfig
name: consul-common-gateway-class-config
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
name: common-api-gateway
annotations:
'service.beta.kubernetes.io/aws-load-balancer-scheme': 'internal'
'service.beta.kubernetes.io/aws-load-balancer-type': 'nlb-ip'
spec:
gatewayClassName: consul-common-gateway-class
listeners:
- protocol: HTTP
port: 80
name: http
allowedRoutes:
namespaces:
from: All
HttpRoute-keycloak-deployment.yaml
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
name: gateway-keycloak-route
namespace: app-ns
spec:
parentRefs:
- name: common-api-gateway
namespace: consul
rules:
- matches:
- path:
type: PathPrefix
value: /auth
backendRefs:
- kind: Service
name: keycloak
port: 80
namespace: app-ns
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: ReferencePolicy
metadata:
name: reference-policy-keycloak
spec:
from:
- group: gateway.networking.k8s.io
kind: HTTPRoute
namespace: app-ns
to:
- group: ""
kind: Service
name: keycloak
I wanted api-gateway load balancer running in aws eks to be with healthy registered targets and wanted to run Keycloak service have proper routes to api-gateway
答案1
得分: 0
I've had a very similar issue today, and spend hours trying to figure it out.
我今天遇到了一个非常类似的问题,花了很多时间来解决它。
I also had a very similar setup with a Consul API Gateway behind an internal AWS load balancer.
我也使用了与您类似的设置,将Consul API Gateway放在内部的AWS负载均衡器后面。
What solved it for me, was changing the load balancer type from ip to instance.
对我来说,解决问题的方法是将负载均衡器类型从IP更改为实例。
In my case , I was using the AWS Load balancer controller, which seems to be the recommended way to go.
在我的情况下,我正在使用AWS负载均衡器控制器,这似乎是推荐的方式。
So, I defined the annotations on Gateway like this like this:
所以,我像这样在Gateway上定义了注释:
service.beta.kubernetes.io/aws-load-balancer-type: "external"
service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance"
And, of course, adding the service.beta.kubernetes.io/aws-load-balancer-nlb-target-type to the list of annotations to copy.
当然,还要将service.beta.kubernetes.io/aws-load-balancer-nlb-target-type添加到要复制的注释列表中。
If you don't wish to install it, I think you can simply change the value of service.beta.kubernetes.io/aws-load-balancer-type from nlb-ip to nlb. I haven't tested it, but it should be the equivalent setting for the built-in Kubernetes load balancer controller.
如果您不想安装它,我认为您可以简单地将service.beta.kubernetes.io/aws-load-balancer-type的值从nlb-ip更改为nlb。我没有测试过,但这应该是内置的Kubernetes负载均衡器控制器的等效设置。
Hope this helps!
希望这有所帮助!
Also I have a few suggestions which are probably not related to the issue but might help you maintain a cleaner code.
另外,我有一些建议,可能与问题无关,但可能有助于保持更干净的代码。
You should change the deprecated ReferencePolicy object to a ReferenceGrant.
您应该将已弃用的ReferencePolicy对象更改为ReferenceGrant。
In addition, you might not need to define a custom GatewayClass and GatewayClassConfig, since you can control many of the settings of the load balancer through the values.yaml file you use to deploy Consul, making your configuration shorter and simpler.
此外,您可能不需要定义自定义的GatewayClass和GatewayClassConfig,因为您可以通过用于部署Consul的values.yaml文件来控制负载均衡器的许多设置,从而使您的配置更短更简单。
For example, this is the relevant part from my file:
例如,这是我的文件中相关的部分:
apiGateway:
enabled: true
image: "hashicorp/consul-api-gateway:0.5.1"
# Configuration settings for the default GatewayClass which Consul will use.
managedGatewayClass:
serviceType: LoadBalancer
copyAnnotations:
service:
annotations: |
- service.beta.kubernetes.io/aws-load-balancer-type
- service.beta.kubernetes.io/aws-load-balancer-scheme
- service.beta.kubernetes.io/aws-load-balancer-nlb-target-type
And then in the Gateway I just set gatewayClassName: consul-api-gateway which is the default class.
然后,在Gateway中,我只需设置gatewayClassName: consul-api-gateway,这是默认的类。
英文:
I've had a very similar issue today, and spend hours trying to figure it out.
I also had a very similar setup with a Consul API Gateway behind an internal AWS load balancer.
What solved it for me, was changing the load balancer type from ip to instance.
In my case , I was using the AWS Load balancer controller, which seems to be the recommended way to go.
So, I defined the annotations on Gateway like this like this:
service.beta.kubernetes.io/aws-load-balancer-type: "external"
service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance"
And, of course, adding the service.beta.kubernetes.io/aws-load-balancer-nlb-target-type to the list of annotations to copy.
If you don't wish to install it, I think you can simply change the value of
'service.beta.kubernetes.io/aws-load-balancer-type from 'nlb-ip' to 'nlb'. I haven't tested it, but it should be the equivalent setting for the built-in kubernetes load balancer controller.
Hope this helps!
Also I have a few suggestion which are probably not related to the issue but might help you maintain a cleaner code.
You should change the deprecated ReferencePolicy object to a ReferenceGrant.
In addition, you might not need to define a custom GatewayClass and GatewayClassConfig, since you can control many of the settings of the load balancer through the values.yaml file you use to deploy consul, making your configuration shorter and simpler.
For example, this is the relevant part from my file
apiGateway:
enabled: true
image: "hashicorp/consul-api-gateway:0.5.1"
# Configuration settings for the default GatewayClass which consul will use.
managedGatewayClass:
serviceType: LoadBalancer
copyAnnotations:
service:
annotations: |
- service.beta.kubernetes.io/aws-load-balancer-type
- service.beta.kubernetes.io/aws-load-balancer-scheme
- service.beta.kubernetes.io/aws-load-balancer-nlb-target-type
And then in the Gateway I just set gatewayClassName: consul-api-gateway which is the default class.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论