How to set AWS ALB instead of ELB in Istio?
The current accepted answer is correct. However, I would like to give a slight update to it. Once the AWS ALB controller is installed and configured, there are several steps one should take to make it work and be usable:
- Use `istioctl manifest generate` command to generate a list of manifests
- Find `istio-ingressgateway` service configuration
- Update it to be of a NodePort type
- Update ports configuration to have a pre-defined mapping of Node and Target ports. Note the `status-port` NodePort
- Apply these manifests instead of installing/updating istio using `istioctl install` command. In some cases it might be better to rely on istio helm installation though
- Update ingress configuration to have the following annotations

```
alb.ingress.kubernetes.io/healthcheck-port: 'PORT'
alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
```
where PORT equals the Istio `status-port` NodePort value.

This way, you update the ALB default configuration for the health check to check the Istio health check.
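The NodePort pinning and health-check wiring from the steps above, as an added example that is not part of the original answer. It works on the Service as a dict/JSON manifest; the function names, the sample Service and the nodePort values are assumptions made for illustration.

```python
import json

# Default Kubernetes NodePort range (assumption: the cluster has not changed it).
NODEPORT_RANGE = range(30000, 32768)

def pin_node_ports(service, node_ports):
    """Return a copy of the Service as type NodePort with the named ports pinned."""
    svc = json.loads(json.dumps(service))  # deep copy, input stays untouched
    known = {p["name"] for p in svc["spec"]["ports"]}
    if set(node_ports) - known:
        raise ValueError(f"ports not in Service: {sorted(set(node_ports) - known)}")
    if len(set(node_ports.values())) != len(node_ports):
        raise ValueError("duplicate nodePort values")
    svc["spec"]["type"] = "NodePort"
    for port in svc["spec"]["ports"]:
        value = node_ports.get(port["name"])
        if value is None:
            continue  # not pinned: Kubernetes assigns a random nodePort
        if value not in NODEPORT_RANGE:
            raise ValueError(f"nodePort {value} is outside the NodePort range")
        port["nodePort"] = value
    return svc

def healthcheck_annotations(service):
    """Build the ALB health-check annotations from the pinned status-port."""
    if service["spec"].get("type") != "NodePort":
        raise ValueError("Service must be of type NodePort")
    for port in service["spec"]["ports"]:
        if port["name"] == "status-port" and "nodePort" in port:
            return {  # annotation values must be strings, hence str()
                "alb.ingress.kubernetes.io/healthcheck-port": str(port["nodePort"]),
                "alb.ingress.kubernetes.io/healthcheck-path": "/healthz/ready",
                "alb.ingress.kubernetes.io/healthcheck-protocol": "HTTP",
            }
    raise ValueError("status-port has no pinned nodePort")

# Constructed sample: a trimmed istio-ingressgateway Service, values illustrative.
SAMPLE_SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
    "spec": {"type": "LoadBalancer", "ports": [
        {"name": "status-port", "port": 15021, "targetPort": 15021},
        {"name": "http2", "port": 80, "targetPort": 8080},
        {"name": "https", "port": 443, "targetPort": 8443},
    ]},
}

if __name__ == "__main__":
    pinned = pin_node_ports(SAMPLE_SERVICE, {"status-port": 30021, "http2": 30080})
    print(json.dumps(healthcheck_annotations(pinned), indent=2))
```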
Step 1: Change the istio-ingressgateway service type to NodePort

Step 2: Install the ALB ingress controller

Step 3: Write ingress.yaml for istio-ingressgateway as follows:
```
# Note: the extensions/v1beta1 Ingress API was removed in Kubernetes 1.22;
# newer clusters need networking.k8s.io/v1 and its backend syntax.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: istio-system
  name: ingress
  labels:
    app: ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/subnets: <subnet1>,<subnet2>
spec:
  rules:
  - http:
      paths:
      - path: /*
        backend:
          serviceName: istio-ingressgateway
          servicePort: 80
```
The `alb.ingress.kubernetes.io/subnets` annotation can be avoided if you have labelled the subnets of the VPC with:

- `kubernetes.io/cluster/: owned`
- `kubernetes.io/role/internal-elb: 1` (for internal ELB)
- `kubernetes.io/role/elb: 1` (for external ELB)

Otherwise, you can provide two subnet values in the above YAML, and each subnet should be in a different availability zone.
It worked in Istio 1.6