ENV
# Cluster name and region that every aws/kubectl step below relies on.
EKS_CLUSTER_NAME=gw-eks-cluster
AWS_REGION=ap-northeast-2
export EKS_CLUSTER_NAME AWS_REGION
네트워크 보안 환경 구성
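# Admit the regional VPC Lattice managed prefix lists (IPv4 and IPv6) into the
# cluster security group so Lattice can reach the workloads behind the routes.
: "${EKS_CLUSTER_NAME:?must be set}" "${AWS_REGION:?must be set}"

# Same describe-cluster/--query/--output text shape as the VPC id lookup later on.
CLUSTER_SG=$(aws eks describe-cluster --name "$EKS_CLUSTER_NAME" \
  --query 'cluster.resourcesVpcConfig.clusterSecurityGroupId' --output text)
: "${CLUSTER_SG:?cluster security group id not found}"

# --output text returns the matching id directly, so no jq round-trip is needed.
PREFIX_LIST_ID=$(aws ec2 describe-managed-prefix-lists \
  --query "PrefixLists[?PrefixListName=='com.amazonaws.${AWS_REGION}.vpc-lattice'].PrefixListId" \
  --output text)
PREFIX_LIST_ID_IPV6=$(aws ec2 describe-managed-prefix-lists \
  --query "PrefixLists[?PrefixListName=='com.amazonaws.${AWS_REGION}.ipv6.vpc-lattice'].PrefixListId" \
  --output text)
: "${PREFIX_LIST_ID:?IPv4 Lattice prefix list not found}"
: "${PREFIX_LIST_ID_IPV6:?IPv6 Lattice prefix list not found}"

# IpProtocol=-1 admits every protocol and port from the Lattice prefix lists.
# The source is AWS-managed address space, but if only the HTTP listener port
# is needed, narrow this to IpProtocol=tcp with FromPort/ToPort set.
for prefix_list in "$PREFIX_LIST_ID" "$PREFIX_LIST_ID_IPV6"; do
  aws ec2 authorize-security-group-ingress --group-id "$CLUSTER_SG" \
    --ip-permissions "PrefixListIds=[{PrefixListId=${prefix_list}}],IpProtocol=-1"
done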
AWS Gateway API 컨트롤러 권한 설정
Create Policy
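# Fetch the controller's recommended IAM policy and register it as a managed
# policy. The document comes from the repository's `main` branch, a mutable
# ref: review the downloaded JSON before creating the policy, and swap `main`
# for a release tag or commit SHA when the result must be reproducible.
policy_src='https://raw.githubusercontent.com/aws/aws-application-networking-k8s/main/files/controller-installation/recommended-inline-policy.json'
# -f makes an HTTP error fail the download instead of saving an error page as the policy.
curl -fsSL "$policy_src" -o recommended-inline-policy.json
aws iam create-policy \
  --policy-name VPCLatticeControllerIAMPolicy \
  --policy-document file://recommended-inline-policy.json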
Get Policy Arn
export VPCLatticeControllerIAMPolicyArn=$(aws iam list-policies --query 'Policies[?PolicyName==`VPCLatticeControllerIAMPolicy`].Arn' --output text)
Create Namespace
kubectl create ns aws-application-networking-system
Gateway API Controller 권한 설정 준비
Create Pod Identity Add On
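# Install the Pod Identity agent add-on; it is what lets the controller's
# service account obtain credentials for the IAM role created further down.
: "${EKS_CLUSTER_NAME:?must be set}"
aws eks create-addon --cluster-name "$EKS_CLUSTER_NAME" \
  --addon-name eks-pod-identity-agent --addon-version v1.0.0-eksbuild.1
# Wait until the add-on reports ACTIVE before looking for its pods, otherwise
# the grep below can race the rollout and show nothing.
aws eks wait addon-active --cluster-name "$EKS_CLUSTER_NAME" --addon-name eks-pod-identity-agent
kubectl get pods -n kube-system | grep -F -- 'eks-pod-identity-agent'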
Create Service Account
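# Service account the controller runs as; the Pod Identity association below
# binds it to the IAM role. The heredoc delimiter is quoted so nothing inside
# is shell-expanded, and the YAML is indented so `name`/`namespace` actually
# sit under `metadata` (at column 0 they would be unrelated top-level keys).
cat <<'EOF' > gateway-api-controller-service-account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gateway-api-controller
  namespace: aws-application-networking-system
EOF
kubectl apply -f gateway-api-controller-service-account.yaml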
Trust Policy
# Trust policy for the controller role: only the EKS Pod Identity service
# principal may assume it, with the sts:AssumeRole + sts:TagSession pair that
# Pod Identity uses. Quoted delimiter: the JSON is written out literally.
# NOTE(review): trust is scoped by service principal only; if your account
# policy calls for aws:SourceAccount-style conditions, confirm the supported
# keys for pods.eks.amazonaws.com in the AWS docs before adding them.
cat <<'EOF' > trust-relationship.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
      "Effect": "Allow",
      "Principal": {
        "Service": "pods.eks.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
    }
  ]
}
EOF
Create Role
aws iam create-role --role-name VPCLatticeControllerIAMRole --assume-role-policy-document file://trust-relationship.json --description "IAM Role for AWS Gateway API Controller for VPC Lattice"
Attach Policy for Role
aws iam attach-role-policy --role-name VPCLatticeControllerIAMRole --policy-arn=$VPCLatticeControllerIAMPolicyArn
Get Role Arn
export VPCLatticeControllerIAMRoleArn=$(aws iam list-roles --query 'Roles[?RoleName==`VPCLatticeControllerIAMRole`].Arn' --output text)
Associate IAM Role with Service Account (Pod Identity)
aws eks create-pod-identity-association --cluster-name $EKS_CLUSTER_NAME --role-arn $VPCLatticeControllerIAMRoleArn --namespace aws-application-networking-system --service-account gateway-api-controller
Install AWS Gateway Controller
kubectl apply -f https://raw.githubusercontent.com/aws/aws-application-networking-k8s/main/files/controller-installation/deploy-v1.0.5.yaml
Get Pods
kubectl get pods -n aws-application-networking-system
Apply GatewayClass
kubectl apply -f https://raw.githubusercontent.com/aws/aws-application-networking-k8s/main/files/controller-installation/gatewayclass.yaml
Create Service Network
aws vpc-lattice create-service-network --name my-hotel
Get Service Network
aws vpc-lattice list-service-networks | jq -r '.items[]| select(.name=="my-hotel") | .id'
Get Service Network & Cluster VPC ID
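# Capture the service network id and the cluster VPC id for the association
# step. Assignment is separated from `export` so a failed CLI call is not
# masked, and both values are checked to be non-empty before use.
: "${EKS_CLUSTER_NAME:?must be set}"
my_hotel_sn_id=$(aws vpc-lattice list-service-networks --output json \
  | jq -r '.items[]| select(.name=="my-hotel") | .id')
CLUSTER_VPC_ID=$(aws eks describe-cluster --name "$EKS_CLUSTER_NAME" \
  --query 'cluster.resourcesVpcConfig.vpcId' --output text)
: "${my_hotel_sn_id:?service network my-hotel not found}"
: "${CLUSTER_VPC_ID:?cluster VPC id not found}"
export my_hotel_sn_id CLUSTER_VPC_ID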
Create VPC Association
aws vpc-lattice create-service-network-vpc-association --service-network-identifier ${my_hotel_sn_id} --vpc-identifier ${CLUSTER_VPC_ID}
Get VPC Association
aws vpc-lattice list-service-network-vpc-associations --vpc-id ${CLUSTER_VPC_ID} | jq -r '.items[].status'
my-hotel-gateway.yaml
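# Gateway backed by the amazon-vpc-lattice GatewayClass; the controller maps it
# onto the "my-hotel" service network created with the CLI.
# NOTE(review): v1beta1 is the Gateway API version this page targets; newer
# Gateway API releases serve these kinds as v1 — check the CRDs installed by
# the controller manifest before changing it.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: my-hotel
spec:
  gatewayClassName: amazon-vpc-lattice
  listeners:
    # Plain-HTTP listener on port 80; no TLS is configured on this Gateway.
    - name: http
      protocol: HTTP
      port: 80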
kubectl apply -f my-hotel-gateway.yaml
Get Gateway
kubectl get gateway
parking.yaml
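# Sample "parking" backend: a Deployment plus a ClusterIP Service that the
# rates HTTPRoute forwards /parking to. Indentation restored so the keys nest
# as Kubernetes expects.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: parking
  labels:
    app: parking
spec:
  replicas: 2
  selector:
    matchLabels:
      app: parking
  template:
    metadata:
      labels:
        app: parking
    spec:
      containers:
        - name: parking
          # Floating tag: what actually runs depends on whatever "latest"
          # points to at pull time. Pin to a versioned tag or digest for a
          # reproducible, reviewable deployment.
          image: public.ecr.aws/x2j8p8w7/http-server:latest
          env:
            - name: PodName
              value: "parking handler pod"
---
apiVersion: v1
kind: Service
metadata:
  name: parking
spec:
  selector:
    app: parking
  ports:
    # Service port 80 maps to the container's listening port 8090.
    - protocol: TCP
      port: 80
      targetPort: 8090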
review.yaml
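# Sample "review" backend: Deployment plus ClusterIP Service that the rates
# HTTPRoute forwards /review to. Indentation restored so the keys nest as
# Kubernetes expects.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: review
  labels:
    app: review
spec:
  replicas: 2
  selector:
    matchLabels:
      app: review
  template:
    metadata:
      labels:
        app: review
    spec:
      containers:
        # Container name aligned with the other sample workloads (parking,
        # inventory-ver1 use their app name); it was "aug24-review" before.
        - name: review
          # Floating tag: pin to a versioned tag or digest for a reproducible,
          # reviewable deployment.
          image: public.ecr.aws/x2j8p8w7/http-server:latest
          env:
            - name: PodName
              value: "review handler pod"
---
apiVersion: v1
kind: Service
metadata:
  name: review
spec:
  selector:
    app: review
  ports:
    # Service port 80 maps to the container's listening port 8090.
    - protocol: TCP
      port: 80
      targetPort: 8090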
rate-route-path.yaml
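# HTTPRoute "rates": path-prefix routing from the my-hotel Gateway's http
# listener to the parking and review Services. Plain HTTP, no auth policy is
# attached to this route. Indentation restored so the rules nest correctly.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: rates
spec:
  parentRefs:
    - name: my-hotel # Gateway name
      sectionName: http # the specific listener within the Gateway
  rules:
    # /parking -> parking Service
    - backendRefs:
        - name: parking # Service name in the same namespace
          kind: Service # states that this is a Kubernetes Service object
          port: 80 # forward to port 80 of that Service
      matches:
        - path:
            type: PathPrefix # request path starts with /parking
            value: /parking
    # /review -> review Service
    - backendRefs:
        - name: review
          kind: Service
          port: 80
      matches:
        - path:
            type: PathPrefix
            value: /review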
# Deploy both backends, then the route that fronts them, in that order.
for manifest in parking.yaml review.yaml rate-route-path.yaml; do
  kubectl apply -f "$manifest"
done
Get Resources
kubectl get svc,pod,httproute
inventory-ver1.yaml
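# Sample "inventory-ver1" backend: Deployment plus ClusterIP Service used by
# the inventory HTTPRoute and as a client for the response tests. Indentation
# restored so the keys nest as Kubernetes expects.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: inventory-ver1
  labels:
    app: inventory-ver1
spec:
  replicas: 2
  selector:
    matchLabels:
      app: inventory-ver1
  template:
    metadata:
      labels:
        app: inventory-ver1
    spec:
      containers:
        - name: inventory-ver1
          # Floating tag: pin to a versioned tag or digest for a reproducible,
          # reviewable deployment.
          image: public.ecr.aws/x2j8p8w7/http-server:latest
          env:
            - name: PodName
              value: "Inventory-ver1 handler pod"
---
apiVersion: v1
kind: Service
metadata:
  name: inventory-ver1
spec:
  selector:
    app: inventory-ver1
  ports:
    # Service port 80 maps to the container's listening port 8090.
    - protocol: TCP
      port: 80
      targetPort: 8090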
inventory-route.yaml
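# HTTPRoute "inventory": everything arriving on the my-hotel http listener for
# this route goes to the inventory-ver1 Service. Indentation restored.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: inventory
spec:
  parentRefs:
    - name: my-hotel
      sectionName: http
  rules:
    - backendRefs:
        - name: inventory-ver1
          kind: Service
          port: 80
          # weight only matters relative to other backendRefs in the same
          # rule; with a single backend it has no effect and is kept as a
          # placeholder for adding a second version later.
          weight: 10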
# Deploy the inventory backend, then the route that fronts it.
for manifest in inventory-ver1.yaml inventory-route.yaml; do
  kubectl apply -f "$manifest"
done
Get Resources
kubectl get svc,pod,httproute
Get DNS
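# Read the Lattice-assigned DNS name the controller writes onto each HTTPRoute
# as an annotation. `// empty` turns a missing annotation (route not yet
# reconciled) into an empty string instead of the literal "null", so the
# non-empty guards below catch it; assignment is separated from `export` so a
# failed kubectl call is not masked.
lattice_dns_annotation='.metadata.annotations."application-networking.k8s.aws/lattice-assigned-domain-name" // empty'
k8s_rates_svc_dns=$(kubectl get httproute rates -o json | jq -r "$lattice_dns_annotation")
k8s_inventory_svc_dns=$(kubectl get httproute inventory -o json | jq -r "$lattice_dns_annotation")
: "${k8s_rates_svc_dns:?rates route has no lattice-assigned-domain-name yet}"
: "${k8s_inventory_svc_dns:?inventory route has no lattice-assigned-domain-name yet}"
export k8s_rates_svc_dns k8s_inventory_svc_dns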
Response Test
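# Exercise the routes from inside the cluster: inventory pods call the rates
# paths, a parking pod calls the inventory route. Variables are quoted so an
# empty value cannot turn into a bare `curl /parking`, and -sS keeps the
# progress meter out of the output while still reporting errors.
: "${k8s_rates_svc_dns:?set by the Get DNS step}" "${k8s_inventory_svc_dns:?set by the Get DNS step}"
kubectl exec deploy/inventory-ver1 -- curl -sS "http://${k8s_rates_svc_dns}/parking"
kubectl exec deploy/inventory-ver1 -- curl -sS "http://${k8s_rates_svc_dns}/review"
kubectl exec deploy/parking -- curl -sS "http://${k8s_inventory_svc_dns}"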
lattice-test-01.yaml
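# Test workload "lattice-test-01": a multitool Deployment with TCP probes on
# port 80, a ClusterIP Service, and an HTTPRoute exposing it on the my-hotel
# Gateway. Indentation restored so the keys nest as Kubernetes expects.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: lattice-test-01
  labels:
    app: lattice-test-01
spec:
  replicas: 2
  selector:
    matchLabels:
      app: lattice-test-01
  template:
    metadata:
      labels:
        app: lattice-test-01
    spec:
      containers:
        # Untagged Docker Hub image resolves to "latest" and, combined with
        # imagePullPolicy: Always, is re-fetched on every pod start, so the
        # code that runs can change without any manifest change. Pin to a
        # digest or versioned tag for a reproducible, reviewable deployment.
        - image: whchoi98/network-multitool
          imagePullPolicy: Always
          name: lattice-test-01
          ports:
            - containerPort: 80
              protocol: TCP
          readinessProbe:
            tcpSocket:
              port: 80
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 80
            initialDelaySeconds: 15
            periodSeconds: 20
---
apiVersion: v1
kind: Service
metadata:
  name: lattice-test-01
spec:
  selector:
    app: lattice-test-01
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: lattice-test-01
spec:
  parentRefs:
    - name: my-hotel
      sectionName: http
  rules:
    - backendRefs:
        - name: lattice-test-01
          kind: Service
          port: 80
          # weight has no effect with a single backendRef in the rule.
          weight: 10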
kubectl apply -f lattice-test-01.yaml
Get DNS
export k8s_lattice_test_01_svc_dns=$(kubectl get httproute lattice-test-01 -o json | jq -r '.metadata.annotations."application-networking.k8s.aws/lattice-assigned-domain-name"')
Response Test
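# Re-run the route checks now that lattice-test-01 exists, and also call the
# new route itself: the original three lines never used
# k8s_lattice_test_01_svc_dns, so the route added in this section went
# untested. Variables are quoted and -sS suppresses the progress meter.
: "${k8s_rates_svc_dns:?set by the Get DNS step}" \
  "${k8s_inventory_svc_dns:?set by the Get DNS step}" \
  "${k8s_lattice_test_01_svc_dns:?set by the Get DNS step}"
kubectl exec deploy/inventory-ver1 -- curl -sS "http://${k8s_rates_svc_dns}/parking"
kubectl exec deploy/inventory-ver1 -- curl -sS "http://${k8s_rates_svc_dns}/review"
kubectl exec deploy/parking -- curl -sS "http://${k8s_inventory_svc_dns}"
kubectl exec deploy/parking -- curl -sS "http://${k8s_lattice_test_01_svc_dns}"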
[ec2-user@ip-10-0-0-69 ~]$ kubectl get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
aws-application-networking-system gateway-api-controller-78bf4bc557-2vd6s 2/2 Running 0 30m
aws-application-networking-system gateway-api-controller-78bf4bc557-zmttd 2/2 Running 0 30m
default inventory-ver1-6684c99896-2czlj 1/1 Running 0 22m
default inventory-ver1-6684c99896-s67qf 1/1 Running 0 22m
default lattice-test-01-5948cbc968-fz8h2 1/1 Running 0 19m
default lattice-test-01-5948cbc968-nh68h 1/1 Running 0 19m
default parking-7954f95979-2cprh 1/1 Running 0 27m
default parking-7954f95979-5vxdm 1/1 Running 0 27m
default review-7995c597f5-h5z8l 1/1 Running 0 27m
default review-7995c597f5-rmmdr 1/1 Running 0 27m
kube-system aws-node-5fjcg 2/2 Running 0 46m
kube-system aws-node-ft65m 2/2 Running 0 46m
kube-system coredns-9b5bc9468-4hmkd 1/1 Running 0 52m
kube-system coredns-9b5bc9468-vjznj 1/1 Running 0 52m
kube-system eks-pod-identity-agent-4kdsm 1/1 Running 0 31m
kube-system eks-pod-identity-agent-gsdzg 1/1 Running 0 31m
kube-system kube-proxy-nkwdm 1/1 Running 0 46m
kube-system kube-proxy-q2dpc 1/1 Running 0 46m
kube-system metrics-server-86bbfd75bb-gxpxm 1/1 Running 0 52m
kube-system metrics-server-86bbfd75bb-qls44 1/1 Running 0 52m