docs/NginxKubernetesLoadbalancer.md
+42-25
@@ -3,23 +3,24 @@
3
3
<br/>
4
4
5
5
- Build an Nginx Kubernetes Loadbalancer Controller for MVP
6
-
- Provide a functional replacement for the "Loadbalancer Service Type" external to an On Premise K8s cluster.
6
+
- Provide a functional replacement for the "Loadbalancer Service Type" external to an On Premises K8s cluster.
7
7
- Chris Akker / Jan 2023 / Initial draft
8
+
- Steve Wagner / Jan 2023 / Initial code
8
9
9
10
<br/>
10
11
11
12
## Abstract:
12
13
13
-
Create a new K8s Controller, that will monitor specified k8s Service Endpoints, and then send API calls to an external NginxPlus server to manage Nginx Upstream server blocks.
14
-
This is will synchronize the K8s Service Endpoint list, with the Nginx LB server's Upstream block server list.
15
-
The primary use case is for tracking the NodePort IP:Port definitions for the Nginx Ingress Controller's `nginx-ingress Service`.
16
-
With the NginxPlus Server located external to the K8s cluster, this new controller LB function would provide an alternative TCP "Load Balancer Service" for On Premises k8s clusters, which do not have access to a Cloud providers "Service Type LoadBalancer".
14
+
-Create a new K8s Controller, that will monitor specified k8s Service Endpoints, and then send API calls to an external NginxPlus server to manage Nginx Upstream server blocks.
15
+
-This is will synchronize the K8s Service Endpoint list, with the Nginx LB server's Upstream block server list.
16
+
-The primary use case is for tracking the NodePort IP:Port definitions for the Nginx Ingress Controller's `nginx-ingress Service`.
17
+
-With the NginxPlus Server located external to the K8s cluster, this new controller LB function would provide an alternative TCP "Load Balancer Service" for On Premises k8s clusters, which do not have access to a Cloud providers "Service Type LoadBalancer".
17
18
18
19
<br/>
19
20
20
21
## Solution Description:
21
22
22
-
When running a k8s Cluster On Premise, there is no equivalent to a Cloud Provider's Loadbalancer Service Type. This solution and new software is the TCP load balancer functional replacement.
23
+
When running a k8s Cluster On Premises, there is no equivalent to a Cloud Provider's `Loadbalancer` Service Type. This solution and new controller software is the TCP load balancer functional replacement.
23
24
24
25
When using a Cloud Provider's Loadbalancer Service Type, it provides 3 basic functions for External access to the k8s pods/services running inside the cluster:
25
26
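Review bot: the four Abstract sentences are given a leading `-` with no space after it (`-Create a new K8s Controller, that will monitor...`, `-This is will synchronize the K8s Service Endpoint list...`), which Markdown renders as literal text rather than a bulleted list; write them as `- Create ...`. While those lines are open, fix `This is will synchronize` to `This will synchronize` and `Cloud providers "Service Type LoadBalancer"` to `Cloud provider's "Service Type LoadBalancer"`. The `On Premise` to `On Premises` change and the added `- Steve Wagner / Jan 2023 / Initial code` line are fine.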
@@ -29,9 +30,13 @@ When using a Cloud Provider's Loadbalancer Service Type, it provides 3 basic fun
29
30
30
31
This is often called "NLB", a term used in AWS for Network Load Balancer, but functions nearly identical in all Public Cloud Provider networks. It is not actually a component of K8s, rather, it is a service provided by the Cloud Providers SDN (Software Defined Network), but is managed by the user with K8s Service Type LoadBalancer definitions/declarations.
31
32
32
-
**This Solution uses NGINX to provide an alternative to #3, the TCP loadbalancing from PublicIP to k8s NodePort.**
33
+
<br/>
34
+
35
+
>**This Solution uses NGINX to provide an alternative to #3, the TCP loadbalancing from PublicIP to k8s NodePort.**
33
36
34
-
Note: This solution is not for Cloud-based K8s clusters, only On-Premise K8s clusters.
37
+
Note: This solution is not for Cloud-based K8s clusters, only On Premises K8s clusters.
38
+
39
+
<br/>
35
40
36
41
## Reference Diagram:
37
42
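Review bot: the added `<br/>` plus two blank lines immediately before the blockquote, and another `<br/>` after the Note line, stack vertical space where the rest of the file uses a single `<br/>` between sections; keep the blank line the blockquote needs and drop the extra `<br/>`. In the blockquote itself, `loadbalancing` is one word while the file elsewhere writes `load balancer` / `load balancing`; also consider pulling `Note: This solution is not for Cloud-based K8s clusters, only On Premises K8s clusters.` into the same blockquote, since it qualifies the bold statement directly above it.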
@@ -43,7 +48,7 @@ Note: This solution is not for Cloud-based K8s clusters, only On-Premise K8s clu
43
48
44
49
## Business Case
45
50
46
-
- Every On Premise Kubernetes cluster needs this Solution, for external clients to access pods/service running inside the cluster.
51
+
- Every On Premises Kubernetes cluster needs this Solution, for external clients to access pods/service running inside the cluster.
47
52
- Market opportunity is at least one NginxPlus license for every k8s cluster. Two licenses if you agree that High Availability is a requirement.
48
53
- Exposing Pods and Services with NodePort requires the use of high numbered TCP ports (greater than 30000 by default). Lower, well-known TCP port numbers less than 1024 are NOT allowed to bind to the k8s Nodes' IP address. This contradicts the ephemeral dynamic nature of k8s itself, and mandates that all HTTP URLs must contain port numbers unfamiliar to everyone.
49
54
- There is a finite limit of available NodePorts available, as 30000-32767 is the default range, leaving ~ 2768 usable ports.
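Review bot: `pods/service running inside the cluster` in the rewritten first bullet should be `pods/services`. The unchanged bullets beneath it carry the real justification for the solution (ports below 1024 cannot be bound on the Node IP, so only the 30000-32767 NodePort range is usable); it would help to say in the first bullet that the external NGINX LB is what lets the cluster be reached on well-known ports, which is what the later `nginx-lb-http` / `nginx-lb-https` upstreams are for.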
@@ -74,6 +79,7 @@ Why not Nginx OpenSource? Nginx Open Source does not have the API endpoint and
74
79
- Nginx-lb-https - the Nginx LB Server Upstream block that represents the mapped Nginx Ingress Controller(s) `Host:NodePort` Endpoints for https
75
80
- NodePort nginx-ingress Service - exposes the Nginx Ingress Controller(s) on Host:Port
76
81
- Plus API - the standard Nginx Plus API service that is running on the Nginx LB Server
82
+
- Nginx Plus Go Client - software that communicates with the Nginx LB Server
77
83
- Upstream - the IP:Port list of servers that Nginx will Load Balance traffic to at Layer 4 TCP using the stream configuration
78
84
79
85
<br/>
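Review bot: the new glossary entry `- Nginx Plus Go Client - software that communicates with the Nginx LB Server` is vaguer than its neighbours; say what it is and which interface it talks to, e.g. `- Nginx Plus Go Client - Go library (https://github.com/nginxinc/nginx-plus-go-client) the NKL Controller uses to call the Plus API on the Nginx LB Server`, matching the link this commit adds further down. Since every write it makes reconfigures the LB's upstreams, the `Preface - Define access parameters for NKL Controller to communicate with Nginx` line should also state how the Plus API endpoint is protected; today it is the only sentence on the subject.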
@@ -91,19 +97,19 @@ Preface - Define access parameters for NKL Controller to communicate with Nginx
91
97
92
98
1. Initialization:
93
99
- Define the name of the target Upstream Server Block
94
-
- "nginx-lb-http" or "nginx-lb-https" should be the default server block names, returns error if this does not exist
95
-
- API query to NginxPlus LB server for current Upstream list
96
-
- API query to K8s apiserver of list of Ingress Controller Endpoints
100
+
- "nginx-lb-http" or "nginx-lb-https" should be the default server block names, returns error if these do not exist
101
+
-Using the Nginx Plus Go Client library, make an API query to NginxPlus LB server for current Upstream list
102
+
- API query to K8s apiserver for list of Ingress Controller Endpoints
97
103
- Reconcile the two lists, making changes to Nginx Upstreams to match the Ingress Endpoints ( add / delete Upstreams as needed to converge the two lists )
98
104
99
105
2. Runtime:
100
-
- Periodic check - API query for the list of Servers in the Upstream block, using the NginxPlus API ( query time TBD )
106
+
- Periodic check - API query for the list of Servers in the Upstream block, using the NginxPlus API ( query interval TBD )
101
107
- IP:port definition
102
108
- other possible metadata: status, connections, response_time, etc
103
109
- Keep a copy of this list in memory, if state is required
104
110
105
-
3.Modify Upstream server entries, based on K8s NodePort Service endpoint "Notification" changes
106
-
-Register the LB Controller with the K8s watcher Service, subscribe to Notifications for changes to the nginx-ingress Service Endpoints.
111
+
3.Register the LB Controller with the K8s watcher Service, subscribe to Notifications for changes to the nginx-ingress Service Endpoints.
112
+
-Using the Nginx Plus Go Client libraries, modify Upstream server entries, based on K8s NodePort Service endpoint "Notification" changes
107
113
- Add new Endpoint to Upstream Server list on k8s Notify
108
114
- Remove deleted Endpoints to Upstream list, using the Nginx Plus "Drain" function, leaving existing TCP connections to close gracefully on K8s Notify delete.
109
115
- Create and Set Drain_wait timer on Draining Upstream servers
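Review bot: three of the rewritten list markers lack the space Markdown needs and will render as literal text: `-Using the Nginx Plus Go Client library, make an API query to NginxPlus LB server for current Upstream list`, `3.Register the LB Controller with the K8s watcher Service, ...`, and `-Using the Nginx Plus Go Client libraries, modify Upstream server entries, ...`; write `- Using ...` and `3. Register ...`. The library is called `library` on one line and `libraries` on the next; pick one. In the unchanged bullet, `Remove deleted Endpoints to Upstream list` should read `from the Upstream list`, and the `( query interval TBD )` rename is an improvement over `query time`.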
@@ -118,15 +124,15 @@ Preface - Define access parameters for NKL Controller to communicate with Nginx
118
124
- Calculate the difference in the list, and create new Nginx API calls to update the Upstream list, adding or removing the changes needed to mirror the nginx-ingress Service Endpoints list
119
125
- Log these changes
120
126
121
-
6. Optional: Make Nginx API calls to update the entire Upstream list, regardless of what the existing list contains. *Not sure how NginxPlus responds when you try to add a duplicate server entry via the API - I believe it just fails with no effect to the existing server entry and established connections - needs to be tested*
127
+
6. Optional: Make Nginx API calls to update the entire Upstream list, regardless of what the existing list contains. *Nginx will allow for the addition of duplicate server to the upstream block using the API, so at some point a process to "clean up and verify" the upstream list should be considered. It is possible that the Nginx-Plus-Go_Client already does this function.*
122
128
123
129
<br/>
124
130
125
-
## PM/PD Suggestion - to build this new Controller, use the existing Nginx Ingress Controller framework/code, to create this new k8s Controller, leveraging the Enterprise class, supportable code Nginx already has on hand.
131
+
## PM/PD Suggestion - to build this new Controller, use the existing Nginx Ingress Controller framework/code, to create this new k8s LB Controller, leveraging the Enterprise class, supportable code Nginx already has on hand. Or perhaps, add this Loadbalancer solution as a new Feature to the exising Ingress Controller ( NIC, after all, is already watching the nginx-ingress namespace and services ).
126
132
127
133
<br/>
128
134
129
-
## Example Nginx Plus API request for Upstream block changes
135
+
## Example Nginx Plus API requests for Upstream block changes
Nginx Plus Go Client: https://github.com/nginxinc/nginx-plus-go-client
221
+
214
222
Nginx Upstream API examples: http://nginx.org/en/docs/http/ngx_http_api_module.html#stream_upstreams_stream_upstream_name_servers_stream_upstream_server_id
215
223
216
224
<br/>
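Review bot: the rewritten step-6 note turns an open question into a claim (`Nginx will allow for the addition of duplicate server to the upstream block using the API`) without saying whether it was tested; if it was, say so, and if a "clean up and verify" pass is needed it belongs as a numbered step rather than an italic aside, because the reconcile step earlier in the file compares the Nginx list against the Endpoints list and duplicate entries would leave the two in disagreement. Spelling and naming: `duplicate server` → `duplicate servers`, `Nginx-Plus-Go_Client` → `Nginx Plus Go Client` (as in the glossary), `exising` → `existing`. The PM/PD heading is now two full sentences inside an H2; keep `## PM/PD Suggestion` as the heading and move the text to a paragraph beneath it, as the other sections (`## Abstract:`, `## Business Case`) do. The rename to `## Example Nginx Plus API requests ...` (plural) is good.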
@@ -223,31 +231,40 @@ Nginx Upstream API examples: http://nginx.org/en/docs/http/ngx_http_api_module.
223
231
# TCP Proxy and load balancing block
224
232
# Nginx Kubernetes Loadbalancer
225
233
# backup servers allow Nginx to start
234
+
# State file used to preserve config across restarts
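Review bot: the added comment `# State file used to preserve config across restarts` needs the matching `state` directive on the line after it inside the upstream block (the hunk as rendered ends at the comment, so confirm the directive is present); without it, servers the controller adds through the Plus API are lost on the next reload, which is exactly what the comment says the file prevents. The comment would also be clearer if it named where the file lives and that nginx must be able to write to it, since the API updates it on every change.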