Ambassador: AWS docs need work

Created on 8 Aug 2018 · 8 Comments · Source: datawire/ambassador

@plombardi89 from https://github.com/datawire/ambassador/pull/703#issuecomment-411403594

I think we should drop the random Forge-ified sample at the top of the page and show complete examples for different configurations. Along with the above change we should actually use the standard Ambassador Kubernetes service manifest from the Getting Started instead of the Forge templated one so that it's easy for people to follow the differences between what we ship by default and what they need to do.

I'm wondering if we should create a Matrix that helps people determine which configuration they need. Maybe not needed. I think the sections/examples at a minimum should be laid out based on questions people tend to actually ask in Slack?

How do I terminate SSL/TLS at the ELB and support both HTTP->HTTPS redirect and websockets?
A: Use this configuration shown below.

How do I terminate SSL/TLS at Ambassador and support both HTTP->HTTPS redirect and websockets?
A: Use this slightly different configuration. (Also show a link to setting up TLS certificates)

I want to use an NLB instead of an ELB with Ambassador. Is that possible?
A: Yes, use this configuration shown below...

stale

All 8 comments

Does this doc exist yet? I'm struggling with this.

Hello and thank you for your efforts here.

It would be very helpful for folks not familiar with ambassador working in AWS to have a few complete ambassador kube manifest files to correctly configure POC (proof of concept / demo) common use cases such as AWS ELB L7 TLS termination, etc.
Perhaps a workshop/demo style walkthrough with a few demo services that would allow folks to simply plug in their ARN's and kubectl apply -f?

Understand there is now this page (and thanks for creating/maintaining):
ambassador-with-aws/#l7-load-balancer
which mentions what needs to be done, but having a few complete working service config files from the developers who validated the functionality would be extremely helpful for the community and would facilitate greater ambassador usage--especially with the current state of kubernetes ingress and its rapid deltas, etc.

I.e., Assuming from the docs that this would be the correct manifest config for AWS ELB L7 term?

apiVersion: v1
kind: Service
metadata:
  name: ambassador
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:iam::01234567890123:server-certificate/foo-com-crt"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "*"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v0
      kind:  Module
      name:  ambassador
      config:
        use_proxy_proto: true
        use_remote_address: true
        x_forwarded_proto_redirect: true
spec:
  type: LoadBalancer
  ports:
  - name: ambassador
    port: 443
    targetPort: 80
  selector:
    service: ambassador

I missed the _separate_ section for x_forwarded_proto_redirect: true which is currently at the bottom of that page initially.

It would be helpful to have complete files for AWS L7 and L4 along with a few complete sample/demo kube service manifest files (hello ambassador world) with correct annotations, labels, etc., so that folks could quickly get going and test/evaluate/implement ambassador with TLS in AWS, (and other cloud providers) etc.

I tried searching for 'ambassador aws l7 tls' and didn't find much other than the official docs.
Thank you
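
The consistency checks that apply to a manifest like the one posted above, as an added example (not code from this thread or from the Ambassador project). It assumes Classic ELB behaviour: X-Forwarded-Proto is added only by HTTP/HTTPS listeners and PROXY protocol applies only to TCP/SSL listeners. The function name `lint_elb_service` and the finding codes are hypothetical.

```python
PFX = "service.beta.kubernetes.io/aws-load-balancer-"

def lint_elb_service(annotations, module_config, ports):
    """Cross-check Classic ELB annotations against the Ambassador Module config."""
    backend = annotations.get(PFX + "backend-protocol", "tcp").lower()
    l7 = backend in ("http", "https")  # HTTP(S) listener vs TCP/SSL listener
    proxy_anno = annotations.get(PFX + "proxy-protocol") == "*"
    use_proxy = bool(module_config.get("use_proxy_proto"))
    redirect = bool(module_config.get("x_forwarded_proto_redirect"))
    has_cert = PFX + "ssl-cert" in annotations
    ssl_ports = {s.strip() for s in annotations.get(PFX + "ssl-ports", "*").split(",")}

    def is_tls(port):
        # With a certificate attached, "*" (the default) makes every port a TLS listener.
        return has_cert and ("*" in ssl_ports or str(port["port"]) in ssl_ports
                             or port.get("name") in ssl_ports)

    findings = []
    if proxy_anno != use_proxy:
        findings.append(("PROXY_PROTO_MISMATCH",
                         "ELB proxy-protocol annotation and use_proxy_proto must be set together"))
    if proxy_anno and l7:
        findings.append(("PROXY_PROTO_ON_L7",
                         "PROXY protocol applies to TCP/SSL listeners, not HTTP/HTTPS ones"))
    if redirect and not l7:
        findings.append(("XFP_NEEDS_L7",
                         "a TCP/SSL listener adds no X-Forwarded-Proto for the redirect to test"))
    if redirect and ports and all(is_tls(p) for p in ports):
        findings.append(("NO_PLAINTEXT_LISTENER",
                         "every exposed port is a TLS listener, so no HTTP request arrives to redirect"))
    return findings

# Constructed input: the values from the manifest posted above, copied into plain dicts.
POSTED = {
    "annotations": {
        PFX + "ssl-cert": "arn:aws:iam::01234567890123:server-certificate/foo-com-crt",
        PFX + "ssl-ports": "*",
        PFX + "backend-protocol": "tcp",
        PFX + "proxy-protocol": "*",
    },
    "module_config": {"use_proxy_proto": True, "use_remote_address": True,
                      "x_forwarded_proto_redirect": True},
    "ports": [{"name": "ambassador", "port": 443, "targetPort": 80}],
}

if __name__ == "__main__":
    for code, message in lint_elb_service(**POSTED):
        print(f"{code}: {message}")
```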

Any update on this? I'm not able to follow the docs and correctly configure Ambassador to play nice with TLS termination at a L4 ELB. Can someone point me in the right direction?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

/bump

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Outside opinion here -- looking at this issue, I am unclear what the ask is -- seems like AWS documentation, which means specifically how to configure the AWS LoadBalancer? In addition, validated configurations for different setups? If so, this is always a hard thing to satisfy as it is an integration question and the number of possible configurations is infinite.

Let's start with service.beta.kubernetes.io which comes from https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/ which links to https://github.com/kubernetes/cloud-provider-aws/blob/master/pkg/cloudprovider/providers/aws/aws.go. Repeating this documentation would make it hard to maintain, but the current docs seem to cover the relevant items: https://www.getambassador.io/reference/ambassador-with-aws/#load-balancer-annotations.

Then we have x_forwarded_proto_redirect which is mentioned at the above link, but fully covered here: https://www.getambassador.io/reference/redirects/#x-forwarded-proto-redirect. There are also other configuration options covered here: https://www.getambassador.io/reference/core/ambassador/#use_proxy_proto.

Finally, we have the Ambassador guides that cover things like websockets: https://www.getambassador.io/user-guide/websockets-ambassador.

In summary, it appears (to me) that the AWS options are covered in the documentation though perhaps some linking to other relevant configuration options (e.g. x_forwarded_proto_redirect) could be added. If anything, it appears the remaining ask is to create an AWS LoadBalancer guide or perhaps a better approach would be a generic load balancing guide with a section for AWS. Is this a good summary or is the ask something else? I ask primarily as I'm willing to put up a PR, but I'm unclear what exactly would be helpful.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
