Attachment mechanism for Yandex Cloud Gwin integration with an existing Yandex Application Load Balancer infrastructure
Attachment is a mechanism whereby the Application Load Balancer infrastructure is created in Terraform, and Gwin connects it to Kubernetes resources through annotations. In this model, Gwin only updates the load balancer resources, while Terraform creates and deletes them.
This enables handling the following tasks:
- Routing traffic from a single load balancer:
  - To multiple Managed Service for Kubernetes clusters.
  - To a Managed Service for Kubernetes cluster and other services.
- Integrating Gwin with an existing Application Load Balancer infrastructure.
- Switching from Application Load Balancer-based routing in Instance Groups to services in Kubernetes while using the same load balancer.
- Configuring Gateway API using Terraform and not Kubernetes manifests.
Setting up backend groups and target groups
When using attachment, the setup procedure is the same for backend groups and target groups. With a target group as an example, the setup looks like this:
- Create a target group using Terraform. In the resource description, add a lifecycle section with the ignore_changes = all parameter so that Terraform does not overwrite the changes made by Gwin.
- Add the gwin.yandex.cloud/attach.targetGroup.id annotation to the Service Kubernetes resource. The annotation must specify the ID of the target group created in Terraform.
When the Service Kubernetes resource changes, the Gwin controller updates the load balancer resources as follows:
- Locates a target group by its annotation. If no matching target group is found, returns an error message.
- Updates the target group:
  - Adds the gwin-attached: true label.
  - Modifies the target group configuration based on the service in Kubernetes.
When updating resources, if Gwin finds a resource that has the gwin-attached: true label but no corresponding service in Kubernetes, it returns a warning.
Warning
If a service is attached (using attachment), you cannot specify it as a backend for other resources (such as Ingress or HTTPRoute ones).
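A pre-apply lint for the two conditions described above (an attached Service reused as a backend, and a target group labeled gwin-attached: true that no Service points to), given as an added example and not Gwin's own code. It assumes manifests are already parsed into dicts; the target group record shape (id, labels) and the sample IDs are assumptions.

```python
ATTACH_TG = "gwin.yandex.cloud/attach.targetGroup.id"  # annotation name from this page

def attached_services(manifests):
    """Map (namespace, name) -> target group ID for Services carrying the attach annotation."""
    out = {}
    for m in manifests:
        meta = m.get("metadata", {})
        tg = meta.get("annotations", {}).get(ATTACH_TG)
        if m.get("kind") == "Service" and tg:
            out[(meta.get("namespace", "default"), meta["name"])] = tg
    return out

def backend_refs(m):
    """Yield (namespace, name) of every Service an HTTPRoute or Ingress uses as a backend."""
    ns, spec = m.get("metadata", {}).get("namespace", "default"), m.get("spec", {})
    if m.get("kind") == "HTTPRoute":
        for rule in spec.get("rules", []):
            for ref in rule.get("backendRefs", []):
                if ref.get("kind", "Service") == "Service":
                    yield (ref.get("namespace", ns), ref["name"])
    elif m.get("kind") == "Ingress":
        backends = [spec.get("defaultBackend")]
        for rule in spec.get("rules", []):
            backends += [p.get("backend") for p in rule.get("http", {}).get("paths", [])]
        for b in backends:
            if b and "service" in b:
                yield (ns, b["service"]["name"])

def find_conflicts(manifests):
    """Attached Services that are also referenced as a backend, which the warning forbids."""
    attached = attached_services(manifests)
    return sorted({(m["kind"], m["metadata"]["name"], ref)
                   for m in manifests for ref in backend_refs(m) if ref in attached})

def find_orphans(target_groups, manifests):
    """IDs of target groups labeled gwin-attached: true that no Service annotation points to."""
    used = set(attached_services(manifests).values())
    return [tg["id"] for tg in target_groups
            if tg.get("labels", {}).get("gwin-attached") == "true" and tg["id"] not in used]

# Constructed sample input (names follow this page's examples; IDs are placeholders).
SAMPLE = [
    {"kind": "Service", "metadata": {"name": "demo-attach-service-tg-service",
     "namespace": "demo-ns", "annotations": {ATTACH_TG: "tg-placeholder-1"}}},
    {"kind": "HTTPRoute", "metadata": {"name": "bad-route", "namespace": "demo-ns"},
     "spec": {"rules": [{"backendRefs": [{"name": "demo-attach-service-tg-service", "port": 80}]}]}},
]
SAMPLE_TGS = [{"id": "tg-placeholder-1", "labels": {"gwin-attached": "true"}},
              {"id": "tg-placeholder-2", "labels": {"gwin-attached": "true"}}]
```

Running both functions in CI before applying manifests catches the conflict and the orphaned label before the controller reports them.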
Attachment use cases
Attaching an HTTPRoute resource to a backend group
To attach an HTTPRoute resource to a backend group:
- In Terraform, create a backend group and a target group:

  ```hcl
  resource "yandex_alb_backend_group" "demo-attach-httproute-bg-bg" {
    name      = "demo-attach-httproute-bg-bg"
    folder_id = <folder_ID>

    http_backend {
      name             = "placeholder-backend"
      target_group_ids = [yandex_alb_target_group.demo-attach-httproute-bg-placeholder-tg.id]
    }

    lifecycle {
      ignore_changes = all
    }
  }

  resource "yandex_alb_target_group" "demo-attach-httproute-bg-placeholder-tg" {
    name      = "demo-attach-httproute-bg-placeholder-tg"
    folder_id = <folder_ID>
  }
  ```

- Add the gwin.yandex.cloud/rule.demo-rule.attach.backendGroup.id annotation to the HTTPRoute resource:

  ```yaml
  apiVersion: gateway.networking.k8s.io/v1
  kind: HTTPRoute
  metadata:
    name: demo-http-route
    namespace: demo-ns
    annotations:
      gwin.yandex.cloud/rule.demo-rule.attach.backendGroup.id: ${yandex_alb_backend_group.demo-attach-httproute-bg-bg.id}
    labels:
      app: demo-attachment
  spec:
    parentRefs:
      - group: gwin.yandex.cloud
        kind: Attach
        name: attach
    rules:
      - name: demo-rule
        backendRefs:
          - name: hello-world
            port: 80
            weight: 100
  ```
Attaching an IngressBackendGroup resource to a backend group
To attach an IngressBackendGroup resource to a backend group:
- In Terraform, create a backend group and a target group:

  ```hcl
  resource "yandex_alb_backend_group" "demo-attach-ingbg-bg-bg" {
    name      = "demo-attach-ingbg-bg-bg"
    folder_id = <folder_ID>

    http_backend {
      name             = "placeholder-backend"
      target_group_ids = [yandex_alb_target_group.demo-attach-ingbg-bg-placeholder-tg.id]
    }

    lifecycle {
      ignore_changes = all
    }
  }

  resource "yandex_alb_target_group" "demo-attach-ingbg-bg-placeholder-tg" {
    name      = "demo-attach-ingbg-bg-placeholder-tg"
    folder_id = <folder_ID>
  }
  ```

- In the IngressBackendGroup resource, add the backend group ID to the attach field:

  ```yaml
  apiVersion: gwin.yandex.cloud/v1
  kind: IngressBackendGroup
  metadata:
    name: demo-ingressbackendgroup
    namespace: demo-ns
  spec:
    type: HTTP
    attach:
      backendGroup:
        id: ${yandex_alb_backend_group.demo-attach-ingbg-bg-bg.id}
    backends:
      - name: demo-backend
        weight: 60
        backendRef:
          group: ""
          kind: Service
          name: hello-world
          port: 80
          weight: 100
  ```
Attaching a Service resource to a target group
To attach a Service resource to a target group:
- In Terraform, create a backend group and a target group:

  ```hcl
  resource "yandex_alb_backend_group" "demo-attach-service-tg-bg" {
    name      = "demo-attach-service-tg-bg"
    folder_id = <folder_ID>

    http_backend {
      name             = "demo-backend"
      port             = 30081
      target_group_ids = [yandex_alb_target_group.demo-attach-service-tg-tg.id]

      healthcheck {
        healthcheck_port    = 30501 // Port used by Gwin for `nodecheck`
        healthy_threshold   = 3
        unhealthy_threshold = 1
        timeout             = "3s"
        interval            = "3s"

        http_healthcheck {
          path = "/nodecheck?service_namespace=<Service_resource_namespace>&service_name=<Service_resource_name>"
        }
      }
    }
  }

  resource "yandex_alb_target_group" "demo-attach-service-tg-tg" {
    name      = "demo-attach-service-tg-tg"
    folder_id = <folder_ID>

    lifecycle {
      ignore_changes = all
    }
  }
  ```

- Add the gwin.yandex.cloud/attach.targetGroup.id annotation to the Service resource:

  ```yaml
  apiVersion: v1
  kind: Service
  metadata:
    name: demo-attach-service-tg-service
    namespace: demo-ns
    annotations:
      gwin.yandex.cloud/attach.targetGroup.id: ${yandex_alb_target_group.demo-attach-service-tg-tg.id}
  spec:
    selector:
      app: hello-world
    ports:
      - port: 80
        targetPort: 80
        nodePort: 30081
    type: NodePort
  ```