Setting Kong Proxy to use an existing Load Balancer

[carmine-ianniello-deltatre]

Hello,

Maybe I'm a bit lost in the documentation but seems impossible to set the kong proxy to use an existing load balancer. Let's say I have an aws eks cluster, with a load balancer. How can I set the proxy in order to let it use the already created one? Is there any flag, any annotation to use? I also tried to specify this annotation service.beta.kubernetes.io/aws-load-balancer-internal: true, but with no luck.

proxy:
  enabled: true
  type: LoadBalancer
  annotations: {  service.beta.kubernetes.io/aws-load-balancer-internal: true   }

Funny thing is that in the yaml manifest instead, it's possible to set (at least) the LoadBalancerIP.

kind: Service
metadata:
  annotations: {}
  name: kong-proxy
  namespace: kong
spec:
  ports:
  - name: proxy
    port: 80
    protocol: TCP
    targetPort: 8000
  - name: proxy-ssl
    port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    app: ingress-kong
  type: LoadBalancer
  loadBalancerIP: 20.229.110.105

Any suggestion will be really appreciated.

Thanks!

[pmalek]

Hello @CarmineDeloitte 👋

By LoadBalancer do you mean AWS' ELB/ALB/NLB? Or do you have an existing Service of type LoadBalancer? If it's the latter then you should be able to just point it to kong's deployment via the label selectors.

If it's the former than I'm not sure. It seems that you can use a TargetGroupBinding CRD for ALB use case: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/guide/targetgroupbinding/targetgroupbinding/

[carmine-ianniello-deltatre]

Hello @pmalek

Yep I have an ELB load balancer in AWS, but how can I use the TargetGroupBinding ? Just as a labels selector in the kong chart?

[pmalek]

Hm to be honest, I'm not sure. From what I can read at https://github.com/kubernetes-sigs/aws-load-balancer-controller it seems that it works with ALB and NLB.

Which type of a LB specifically are you having?

ELB in AWS is a generic term, no? I believe you should be able to use the TargetGroupBinding as denoted in their docs:

apiVersion: elbv2.k8s.aws/v1beta1
kind: TargetGroupBinding
metadata:
  name: my-tgb
spec:
  serviceRef:
    name: awesome-service # route traffic to the awesome-service
    port: 80
  targetGroupARN: <arn-to-targetGroup>

If that's not the case, don't hesitate to reach us.

[carmine-ianniello-deltatre]

Yep, exactly, the elb is a generic kind of ingress, and the NLB is used. But what is not clear to me is how can I use the TargetGroupBinding with the Kong Charts

[pmalek]

My understanding is that either the controller I linked is pre-installed in AWS clusters or you install it and then you can use that CRD I mentioned - TargetGroupBinding by applying it to the cluster with service ref and target group arn filled in and the controller should do the rest. That's my understanding but as I said, I haven't tested it.

This seems like a general kubernetes and AWS issue (or question rather). Let's leave it open for not, in case anyone stumbles across a similar problem and posts a solution but from our standpoint it's rather unlikely that we'll go research this matter from our side.

[AliaksandrRyzhou]

Hello, I'm interested in this question as well because it's very useful if you want to create the infrastructure by using Terraform, and you have to create some Route53 A-records assigned to this LB during a deployment. But you cannot do this due to not existing LB.

[recidive]

I have this question too. I wanted to create a Load Balancer via terraform and make Kong use it when installing via the helm chart. I want to do this to avoid the LB DNS to change whenever I uninstall/reinstall the Kong helm chart. Otherwise there'll be a lot of downtime if someone does this either intentionally or accidentally. It seems to me too volatile/fragile.

[czegi90]

Hello, I'm also interested in this question, did anyone find an answer how to use the TargetGroupBinding together with the chart?