Configuring an Yandex Application Load Balancer L7 load balancer using an Ingress controller

1. Create a backend group with a bucket:

   1. Create a public bucket in Object Storage.
   2. Configure the website home page and error page.

2. Create a configuration file named demo-app-1.yaml for your application:

   demo-app-1.yaml

   apiVersion: v1
   kind: ConfigMap
   metadata:
     name: alb-demo-1
   data:
     nginx.conf: |
       worker_processes auto;
       events {
       }
       http {
         server {
           listen 80 ;
           location = /_healthz {
             add_header Content-Type text/plain;
             return 200 'ok';
           }
           location / {
             add_header Content-Type text/plain;
             return 200 'Index';
           }
           location = /app1 {
             add_header Content-Type text/plain;
             return 200 'This is APP#1';
           }
         }
       }
   ---
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: alb-demo-1
     labels:
       app: alb-demo-1
       version: v1
   spec:
     replicas: 2
     selector:
       matchLabels:
         app: alb-demo-1
     strategy:
       type: RollingUpdate
       rollingUpdate:
         maxSurge: 1
         maxUnavailable: 0
     template:
       metadata:
         labels:
           app: alb-demo-1
           version: v1
       spec:
         terminationGracePeriodSeconds: 5
         volumes:
           - name: alb-demo-1
             configMap:
               name: alb-demo-1
         containers:
           - name: alb-demo-1
             image: nginx:latest
             ports:
               - name: http
                 containerPort: 80
             livenessProbe:
               httpGet:
                 path: /_healthz
                 port: 80
               initialDelaySeconds: 3
               timeoutSeconds: 2
               failureThreshold: 2
             volumeMounts:
               - name: alb-demo-1
                 mountPath: /etc/nginx
                 readOnly: true
             resources:
               limits:
                 cpu: 250m
                 memory: 128Mi
               requests:
                 cpu: 100m
                 memory: 64Mi
   ---
   apiVersion: v1
   kind: Service
   metadata:
     name: alb-demo-1
   spec:
     selector:
       app: alb-demo-1
     type: NodePort
     ports:
       - name: http
         port: 80
         targetPort: 80
         protocol: TCP
         nodePort: 30081
   

3. In a separate directory, create a file named http-group.yaml with the HttpBackendGroup resource settings:

   apiVersion: alb.yc.io/v1alpha1
   kind: HttpBackendGroup
   metadata:
     name: example-backend-group
   spec:
     backends: # List of backends.
       - name: alb-demo-1
         weight: 70 # Backend relative weight when distributing traffic. The load will be distributed in proportion to the weights of the group's other backends. Specify the weight even if you have only one backend in the group.
         service:
            name: alb-demo-1
            port:
              number: 80
       - name: bucket-backend
         weight: 30
         storageBucket:
           name: <bucket_name>
   

   (Optional) Enter the advanced settings for the backend group:

   • spec.backends.useHttp2: HTTP/2 mode.
   • spec.backends.tls: Certificate from the certificate authority the load balancer will trust when establishing a secure connection with backend endpoints. Specify the certificate contents in the trustedCa field in plain text.

   For more information, see Backend groups.

4. In the same directory, create a file named ingress-http.yaml and specify in it the previously delegated domain name, ID of the certificate obtained earlier, and settings for the Application Load Balancer L7 load balancer:

   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: alb-demo-tls
     annotations:
       ingress.alb.yc.io/subnets: <list_of_subnet_IDs>
       ingress.alb.yc.io/security-groups: <list_of_security_group_IDs>
       ingress.alb.yc.io/external-ipv4-address: <IP_address_assignment_method>
       ingress.alb.yc.io/group-name: my-ingress-group
   spec:
     tls:
       - hosts:
         - <domain_name>
         secretName: yc-certmgr-cert-id-<TLS_certificate_ID>
     rules:
       - host: <domain_name>
         http:
           paths:
             - path: /app1
               pathType: Exact
               backend:
                 resource:
                   apiGroup: alb.yc.io
                   kind: HttpBackendGroup
                   name: example-backend-group
   

   Where:

   • ingress.alb.yc.io/subnets: One or more subnets hosting the Application Load Balancer L7 load balancer.

   • ingress.alb.yc.io/security-groups: One or more security groups for the load balancer. If you skip this parameter, the default security group will be used. At least one of the security groups must allow an outgoing TCP connection to port 10501 in the Managed Service for Kubernetes node group subnet or to its security group.

   • ingress.alb.yc.io/external-ipv4-address: Public access to the load balancer from the internet. Enter the IP address you got earlier or set auto to get a new IP address automatically.

     If you set auto, deleting the load balancer from the cloud will also delete the IP address. To avoid this, use an existing reserved IP address.

   • ingress.alb.yc.io/group-name: Group name. Ingress resources are grouped together, each group served by a separate load balancer.

     You can replace my-ingress-group with any group name you like. Make sure it meets the naming requirements.

   (Optional) Enter the advanced settings for the load balancer.

   Note

   The settings listed below will only apply to the virtual hosts of the Ingress resource in which the corresponding annotations are configured.

   They will not apply to the virtual hosts of the group's other Ingress resources.

   Available settings:

   • ingress.alb.yc.io/group-settings-name: Name for the Ingress resource group settings to be described in the optional IngressGroupSettings resource. For more information, see Configure the Ingress resource group.

   • ingress.alb.yc.io/internal-ipv4-address: Provide internal access to the load balancer. Enter the internal IP address or use auto to obtain the IP address automatically.

     Note

     You can only use one type of access to the load balancer at a time: ingress.alb.yc.io/external-ipv4-address or ingress.alb.yc.io/internal-ipv4-address.

   • ingress.alb.yc.io/internal-alb-subnet: Subnet to host the load balancer. This parameter is required if the ingress.alb.yc.io/internal-ipv4-address parameter is selected.

   • ingress.alb.yc.io/protocol: Connection protocol used between the load balancer and backends:

     • http: HTTP/1.1. Default
     • http2: HTTP/2
     • grpc: gRPC

   • ingress.alb.yc.io/prefix-rewrite: Replace the path for the specified value.

   • ingress.alb.yc.io/upgrade-types: Valid values of the Upgrade HTTP header, e.g., websocket.

   • ingress.alb.yc.io/request-timeout: Maximum period for which a connection can be established.

   • ingress.alb.yc.io/idle-timeout: Maximum connection keep-alive time without data transmission.

     The request-timeout and idle-timeout values must be specified with units of measurement, e.g., 300ms or 1.5h. Valid units of measurement:

     • ns, nanoseconds
     • us, microseconds
     • ms, milliseconds
     • s, seconds
     • m, minutes
     • h, hours

   • ingress.alb.yc.io/security-profile-id: Support for Yandex Smart Web Security that allows you to get protected against DDoS attacks and bots, plus enable WAF and limit the load on the resource you are protecting.

     To enable support for Yandex Smart Web Security, specify the previously created Smart Web Security security profile in the Ingress annotation:

     ingress.alb.yc.io/security-profile-id: <security_profile_ID>
     

     Note

     To connect your security profile to an Application Load Balancer virtual host, the service account used to operate the Ingress controller must have the smart-web-security.editor role for the folder hosting Application Load Balancer and Smart Web Security resources. For more information, see Assigning a role to a service account.

   • ingress.alb.yc.io/use-regex: Support for RE2 regular expressions when matching the request path. If the true string is provided, the support is enabled. Only applies if the pathType parameter is set to Exact.

   For more information about the Ingress resource settings, see Ingress resource fields and annotations.

5. Create the Kubernetes app, HttpBackendGroup resource, and Ingress resource:

   kubectl apply -f .
   

ALB Ingress Controller will automatically deploy the L7 load balancer using Ingress resource configuration.

1. Wait until the Application Load Balancer L7 load balancer is created and gets a public IP address. This may take several minutes.

   To follow the load balancer's creation and make sure it is error-free, open the logs of the pod the creation process was run in:

   1. In the management console, navigate to the folder page and select Managed Service for Kubernetes.

   2. Click your cluster's name and select Workload in the left-hand panel.

   3. Select one of the alb-demo-*** pods the load balancer's creation was run in.

   4. Go to the Logs tab on the pod page.

      The load balancer's creation logs are generated and displayed in real time. Any errors that occur will also be logged.

2. Make sure the load balancer was created. To do this, run the appropriate command and check that the command output shows the following value in the ADDRESS field:

   kubectl get ingress alb-demo-tls
   

   Result:

   NAME          CLASS   HOSTS           ADDRESS     PORTS    AGE
   alb-demo-tls  <none>  <domain_name>  <IP_address>  80,443  15h