The istio Ingress is built on an ALB because a WAF can be attached to an ALB.
Create the istio Ingress ALBs separately as Internal and Internet-facing (private/public).
- Internal ALB (private): configured so that only internal users can reach pages such as the Admin page, through the VPN.
- Internet-facing ALB (public): configured when connecting web page services that are exposed externally.
[ Procedure ]
1. Deploy istio
- istio installation guide: https://dongwook35.tistory.com/72
- Note: when installing istio, configure the Service as NodePort.
2. Deploy the istio Ingress (ALB)
- Install the internal Ingress (private): for access by internal users only
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig":
      { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-southeast-1:xxx:certificate/xxx-xxx
    alb.ingress.kubernetes.io/group.name: istio-ingressgateway-alb-in
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/load-balancer-name: istio-ingressgateway-alb-in
    # internal scheme: the ALB is for internal users only (Admin pages, reached over the VPN)
    alb.ingress.kubernetes.io/scheme: internal
    # redirect HTTP (80) to HTTPS (443)
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-FS-1-2-Res-2020-10
    kubernetes.io/ingress.class: alb
  name: istio-ingressgateway-alb-in
  namespace: istio-system
spec:
  rules:
  - host: admin.dongwook.com
    http:
      paths:
      - backend:
          service:
            name: istio-ingressgateway
            port:
              name: https
        path: /*
        pathType: ImplementationSpecific
  - host: stage-admin.dongwook.com
    http:
      paths:
      - backend:
          service:
            name: istio-ingressgateway
            port:
              name: https
        path: /*
        pathType: ImplementationSpecific
  - host: stage.dongwook.com
    http:
      paths:
      - backend:
          service:
            name: istio-ingressgateway
            port:
              name: https
        path: /*
        pathType: ImplementationSpecific
```
- Install the internet-facing Ingress (public): for access to public services
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig":
      { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-southeast-1:xxx:certificate/xxx-xxx
    alb.ingress.kubernetes.io/group.name: istio-ingressgateway-alb
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/load-balancer-name: istio-ingressgateway-alb
    # internet-facing scheme: the ALB serves the externally published web services
    alb.ingress.kubernetes.io/scheme: internet-facing
    # redirect HTTP (80) to HTTPS (443)
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-FS-1-2-Res-2020-10
    kubernetes.io/ingress.class: alb
  name: istio-ingressgateway-alb
  namespace: istio-system
spec:
  rules:
  - host: www.dongwook.com
    http:
      paths:
      - backend:
          service:
            name: istio-ingressgateway
            port:
              name: https
        path: /*
        pathType: ImplementationSpecific
  - host: dongwook.com
    http:
      paths:
      - backend:
          service:
            name: istio-ingressgateway
            port:
              name: https
        path: /*
        pathType: ImplementationSpecific
  - host: app.dongwook.com
    http:
      paths:
      - backend:
          service:
            name: istio-ingressgateway
            port:
              name: https
        path: /*
        pathType: ImplementationSpecific
```
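A check for the private/public split described above, added here as an example and not part of the original post: it reads Ingress objects in the JSON shape `kubectl get ingress -o json` returns and reports internet-facing ALB Ingresses that have no `alb.ingress.kubernetes.io/wafv2-acl-arn` annotation or that carry an internal-only host. The `admin`/`stage` naming rule and the sample data (with `stage-admin` deliberately misplaced on the public ALB) are assumptions constructed for illustration.

```python
import json

PREFIX = "alb.ingress.kubernetes.io/"
# Assumption: hosts whose first DNS label contains one of these words are internal-only.
INTERNAL_ONLY_WORDS = ("admin", "stage")

# Constructed sample in the shape of `kubectl get ingress -n istio-system -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "istio-ingressgateway-alb-in",
   "annotations": {"alb.ingress.kubernetes.io/scheme": "internal"}},
  "spec": {"rules": [{"host": "admin.dongwook.com"}, {"host": "stage.dongwook.com"}]}},
 {"metadata": {"name": "istio-ingressgateway-alb",
   "annotations": {"alb.ingress.kubernetes.io/scheme": "internet-facing"}},
  "spec": {"rules": [{"host": "www.dongwook.com"}, {"host": "stage-admin.dongwook.com"}]}}
]}
""")

def is_internal_only(host):
    """True if the first DNS label (split on '-') contains an internal-only word."""
    first_label = host.split(".")[0].lower()
    return any(word in first_label.split("-") for word in INTERNAL_ONLY_WORDS)

def audit(ingress_list):
    """Return (ingress name, finding) tuples for internet-facing ALB Ingresses."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        ann = meta.get("annotations") or {}
        # The AWS Load Balancer Controller creates an internal ALB when scheme is unset.
        if ann.get(PREFIX + "scheme", "internal") != "internet-facing":
            continue
        name = meta.get("name", "<unnamed>")
        if not ann.get(PREFIX + "wafv2-acl-arn"):
            findings.append((name, "public ALB has no WAFv2 web ACL annotation"))
        for rule in item.get("spec", {}).get("rules", []):
            host = rule.get("host", "")
            if is_internal_only(host):
                findings.append((name, "internal-only host on public ALB: " + host))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(name + ": " + finding)
```

In an IngressGroup the web ACL annotation may sit on any member Ingress, so a missing-annotation finding should be confirmed against the other Ingresses sharing the same `group.name`.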
[ Flow ]