One Load Balancer for The Cluster #160

Open
tigerpeng2001 opened this issue May 22, 2024 · 6 comments
Comments

@tigerpeng2001 commented May 22, 2024

Hello,

I deployed a cluster in AWS EKS with version 1.7.12 years ago with the values copied below. There are a few issues I'd like to address for deploying a new Graylog cluster (with the latest version). Could you help?

  1. Three classic load balancers were created for the old cluster. How can one ALB or NLB be used for service, master, and input (all accesses, including the service, are private)?
  2. The service load balancer deployed is set to TCP, not HTTPS or SSL as I expected.
  3. How can inbound/outbound access be restricted to 10.0.0.0/8?

Thank you,

...
  service:
    type: LoadBalancer
    port: 443
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:123456789012:certificate/753cd66c-e8c2-4092-97e9-2a9603033723
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    master:
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
        port: 9000
  input:
     tcp:
       service:
         annotations:
           service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
         type: LoadBalancer
         loadBalancerIP:
       ports:
         - name: gelf
           port: 12201
         - name: syslog
           port: 12202
  externalUri:....

NAME                       TYPE           CLUSTER-IP       EXTERNAL-IP                                                                        PORT(S)                           AGE
graylog                    ClusterIP      None             <none>                                                                             9000/TCP                          2y51d
graylog-master             LoadBalancer   172.20.101.245   internal-a7767d80ac73c49aeb2cedef3c567bb0-1132647746.us-east-1.elb.amazonaws.com   9000:30155/TCP                    2y51d
graylog-tcp                LoadBalancer   172.20.224.75    internal-ade74e0a8cd3441ddbbb6b8291b262fc-1583953693.us-east-1.elb.amazonaws.com   12201:30667/TCP,12202:31423/TCP   2y51d
graylog-web                LoadBalancer   172.20.93.132    internal-a617e2764ffd04ac598c0e26bf160db3-2060849374.us-east-1.elb.amazonaws.com   443:32415/TCP                     2y51d
@KongZ (Owner) commented May 27, 2024

  1. You can create an ALB by annotating graylog.ingress.annotations with kubernetes.io/ingress.class: alb. The class name may differ depending on how you set up the ALB controller.

  2. The NLB is already TCP.

  3. To restrict access, the ALB uses the alb.ingress.kubernetes.io/inbound-cidrs annotation on graylog.ingress.annotations and the NLB uses loadBalancerSourceRanges on graylog.input.tcp.service.

graylog:
  ingress:
    annotations:
      kubernetes.io/ingress.class: aws-lb
      alb.ingress.kubernetes.io/inbound-cidrs: 10.0.0.0/8
  input:
    tcp:
      ports:
        - name: syslog1
          port: 5140
      service:
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-type: "external"
          service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
        loadBalancerSourceRanges:
          - 10.0.0.0/8

@tigerpeng2001 (Author) commented

How about the client web interface? I used a classic ELB and attempted to use SSL/HTTPS with a cert managed by ACM. The related part is copied below again.

...
  service:
    type: LoadBalancer
    port: 443
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:123456789012:certificate/753cd66c-e8c2-4092-97e9-2a9603033723
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    master:
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
        port: 9000
  input:
     tcp:
       ...

@tigerpeng2001 (Author) commented

Another question: Is there any schedule for releasing a new chart that supports Graylog6?

@KongZ (Owner) commented May 28, 2024

A classic load balancer can be created without adding an annotation, but it is removed in AWS LB Controller 2.7.2.

See https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html

Another question: Is there any schedule for releasing a new chart that supports Graylog6?

I don't have a specific date yet.

@tigerpeng2001 (Author) commented Aug 19, 2024

Hi Kong,

  • With AWS load balancer controller v2.8.2 and the following setup, I brought up three NLBs, but cannot bring up an ALB by following your suggestion. Am I missing something?
  service:
    type: LoadBalancer
    port: 443
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-scheme: internal
      service.beta.kubernetes.io/load-balancer-source-ranges: 10.0.0.0/8
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:123456789012:certificate/2035edce-ba7b-4b7a-871a-6fbf89fc64b5
    master:
      notations:
        service.beta.kubernetes.io/load-balancer-source-ranges: 10.0.0.0/8
  input:
    tcp:
      ports:
       - name: gelf
         port: 12201
       - name: syslog
         port: 12202
      service:
        type: LoadBalancer
        notations:
          service.beta.kubernetes.io/load-balancer-source-ranges: 10.0.0.0/8
  • Is there any way to use only one LB for all: server web, master, and tcp input?

@tigerpeng2001 (Author) commented

Hi Kong,

All the health checks for the master and the input target groups fail. The web target group is healthy.

The notations for master and input do not affect the load balancer's attributes, such as the security group rules.

Any suggestion?

Thanks,
Tiger
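A small audit for the two problems this thread circles around, the source-range restriction KongZ describes (loadBalancerSourceRanges on the NLB services, alb.ingress.kubernetes.io/inbound-cidrs on the ALB ingress) and a master or input block whose settings silently have no effect: added here as an example, not code from the chart or from either participant. The set of keys a service block is assumed to accept, and the sample values, are constructed from the snippets in this thread.

```python
import ipaddress

SRC_RANGES = "service.beta.kubernetes.io/load-balancer-source-ranges"  # NLB/CLB source restriction
INBOUND_CIDRS = "alb.ingress.kubernetes.io/inbound-cidrs"  # ALB source restriction
# Keys a chart service block is assumed to accept, taken from the snippets in this thread.
KNOWN_KEYS = {"type", "port", "annotations", "loadBalancerIP", "loadBalancerSourceRanges", "master"}

def cidr_findings(where, cidrs):
    # Flag CIDRs that are malformed, world-open (/0) or outside the private ranges.
    out = []
    for c in cidrs:
        try:
            net = ipaddress.ip_network(c, strict=False)
        except ValueError:
            out.append(f"{where}: unparsable CIDR {c!r}")
            continue
        if net.prefixlen == 0:
            out.append(f"{where}: {c} admits every source address")
        elif not net.is_private:
            out.append(f"{where}: {c} is not a private range")
    return out

def audit_service(where, svc, lb=False):
    # lb=True lets the master block inherit the parent service's LoadBalancer type.
    findings = [f"{where}: unknown key {k!r} (ignored by the chart)" for k in svc if k not in KNOWN_KEYS]
    ann = svc.get("annotations") or {}
    cidrs = list(svc.get("loadBalancerSourceRanges") or [])
    cidrs += [c.strip() for c in str(ann.get(SRC_RANGES, "")).split(",") if c.strip()]
    if (lb or svc.get("type") == "LoadBalancer") and not cidrs:
        findings.append(f"{where}: LoadBalancer exposed without any source-range restriction")
    return findings + cidr_findings(where, cidrs)

def audit_values(values):
    # Walk the web service, its master block, the TCP input service and the ingress annotations.
    g = values.get("graylog", values)
    web = g.get("service", {})
    findings = audit_service("service", web)
    findings += audit_service("service.master", web.get("master", {}), lb=web.get("type") == "LoadBalancer")
    findings += audit_service("input.tcp.service", g.get("input", {}).get("tcp", {}).get("service", {}))
    ing_ann = g.get("ingress", {}).get("annotations") or {}
    if INBOUND_CIDRS in ing_ann:
        findings += cidr_findings("ingress", [c.strip() for c in ing_ann[INBOUND_CIDRS].split(",")])
    return findings

# Constructed sample mirroring the Aug 19 values above (not the author's exact file).
SAMPLE = {"graylog": {
    "service": {"type": "LoadBalancer", "port": 443, "master": {"notations": {SRC_RANGES: "10.0.0.0/8"}},
                "annotations": {"service.beta.kubernetes.io/aws-load-balancer-scheme": "internal",
                                SRC_RANGES: "10.0.0.0/8"}},
    "input": {"tcp": {"service": {"type": "LoadBalancer", "notations": {SRC_RANGES: "10.0.0.0/8"}}}}}}
```

Running audit_values(SAMPLE) reports the master and TCP-input blocks as unrestricted LoadBalancers and names the key the chart does not recognise, while the web service, which carries its restriction under annotations, passes.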
