# Creating endpoints for clients that don't support SNI
Long term solution for Cloudera-Boomi issue [LD-6324](https://trainingrocket.atlassian.net/browse/LD-6324)
## Option A: Current working solution using a Service-level Classic ELB
Create a Kubernetes _Service_-level ELB with `type: LoadBalancer`, then manually create a CNAME record in Route53 mapping `something.trainingrocket.com` to `elb-url.us-west-2.elb.amazonaws.com`. This works for clients without SNI because a Classic ELB HTTPS listener carries exactly one certificate, so the client does not have to name the host during the TLS handshake to be handed the right one. The following is all the YAML this solution needs:
```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    # single ACM certificate on the HTTPS listener; no SNI needed to select it
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:770069256085:certificate/c1b918de-8242-402e-9d81-6029047c2e4c
    # TLS terminates at the ELB; ELB -> pod traffic is plain HTTP
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
  labels:
    app: learndot
    release: cloudera
  name: cloudera-proxy-svc
spec:
  type: LoadBalancer
  ports:
    - port: 80
      targetPort: 8080
      name: http
      protocol: TCP
    - port: 443
      targetPort: 8080
      name: https
      protocol: TCP
  selector:
    app: learndot
    release: cloudera
```
Note that this uses the `*.trainingrocket.com` wildcard certificate from ACM: sending the host through the nginx ingress controller and cert-manager instead would require a dedicated Kubernetes _Ingress_-level ELB for it.
- Requires a _Service_-level ELB
- Needs a dedicated ACM certificate; a Let's Encrypt certificate can't be attached to the ELB listener
- Requires a manual CNAME record update every time the ELB hostname changes (for example when the Service is recreated); this can be scripted
- Additional ELB cost
- TLS terminates at the ELB; with `backend-protocol: http` the hop from the ELB to the pod on port 8080 is plaintext HTTP inside the VPC
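A script for the CNAME update and for checking the endpoint the way the client sees it, as an added example (not part of this page or the learndot project): it reads the ELB hostname from the Service status with `kubectl`, upserts the Route53 CNAME with the AWS CLI, then connects with `openssl s_client -noservername` (OpenSSL 1.1.1 or newer) to confirm that a client sending no SNI still receives a certificate whose subjectAltName covers the host. The hosted zone ID, namespace and the `cname-sync` name are assumptions.

```shell
#!/bin/sh
# cname-sync: keep a Route53 CNAME pointed at a Service-level ELB and check
# that the endpoint works for clients that do not send SNI.
# Added example, not the page's own code. Assumes kubectl, aws and openssl
# (1.1.1+ for -noservername) are on PATH and already authenticated.

# Build the Route53 change batch (UPSERT, so first run and re-runs are identical).
# $1 record name, $2 CNAME target, $3 TTL in seconds (default 60).
build_change_batch() {
  printf '{"Comment":"cname-sync","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":%s,"ResourceRecords":[{"Value":"%s"}]}}]}' \
    "$1" "${3:-60}" "$2"
}

# Hostname AWS assigned to the Service-level ELB. $1 namespace, $2 service name.
lb_hostname() {
  kubectl -n "$1" get svc "$2" -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'
}

# Upsert the CNAME. $1 hosted zone ID, $2 record name, $3 target, $4 TTL.
# The caller's IAM identity only needs route53:ChangeResourceRecordSets on zone $1.
upsert_cname() {
  aws route53 change-resource-record-sets \
    --hosted-zone-id "$1" \
    --change-batch "$(build_change_batch "$2" "$3" "${4:-60}")"
}

# Return 0 when the subjectAltName list $1 (e.g. "DNS:*.example.com, DNS:example.com")
# covers host $2. A wildcard matches exactly one label, as in RFC 6125.
san_covers_host() {
  _sans=$(printf '%s' "$1" | tr -d ' ')
  _host=$2
  _old_ifs=$IFS
  IFS=','
  for _entry in $_sans; do
    _name=${_entry#DNS:}
    if [ "$_name" = "$_host" ]; then IFS=$_old_ifs; return 0; fi
    case "$_name" in
      \*.*)
        # host must have at least two labels and its parent must equal the wildcard base
        if [ "$_host" != "${_host#*.}" ] && [ "${_name#\*.}" = "${_host#*.}" ]; then
          IFS=$_old_ifs; return 0
        fi ;;
    esac
  done
  IFS=$_old_ifs
  return 1
}

# Connect without SNI (what the non-SNI client does) and check that the
# certificate handed back actually covers the host. $1 host, $2 port (default 443).
verify_no_sni() {
  _line=$(printf '' | openssl s_client -connect "$1:${2:-443}" -noservername 2>/dev/null \
    | openssl x509 -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1)
  if san_covers_host "$_line" "$1"; then
    echo "ok: $1 served a certificate covering it without SNI"
  else
    echo "FAIL: certificate served without SNI does not cover $1 (SANs: $_line)" >&2
    return 1
  fi
}

# Usage: cname-sync.sh sync ZONE_ID RECORD NAMESPACE SERVICE
#        cname-sync.sh verify HOST
case "${1:-}" in
  sync)   upsert_cname "$2" "$3" "$(lb_hostname "$4" "$5")" ;;
  verify) verify_no_sni "$2" ;;
esac
```

Run `sync` after any change that recreates the Service, and `verify` against the public name once the CNAME has propagated; a `FAIL` from `verify` is exactly the symptom the non-SNI client would hit. Because the record is an UPSERT, the script is safe to run from a cron job or CI step with an identity scoped to that one hosted zone.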
## Option B: Potential solution using an Ingress-level ALB
- We'd need to install and maintain an additional Kubernetes _Operator_, the [AWS ALB Ingress Controller](https://github.com/kubernetes-sigs/aws-alb-ingress-controller)
- Still needs a dedicated SSL certificate
> Although the AWS Application Load Balancer (ALB) is a modern load balancer offered by AWS that can be provisioned from within EKS, at the time of writing, the alb-ingress-controller is only capable of serving sites using certificates stored in AWS Certificate Manager (ACM). [source](https://docs.cert-manager.io/en/latest/tutorials/venafi/securing-ingress.html)
- Still needs manual CNAME record updates (according to [the only cert-manager docs on ALB](https://docs.cert-manager.io/en/latest/tutorials/venafi/securing-ingress.html))
- Still has the additional cost of an ALB
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  labels:
    app: learndot
    release: cloudera
  name: cloudera-proxy-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    # the ALB controller takes its certificate from ACM via this ARN
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:770069256085:certificate/c1b918de-8242-402e-9d81-6029047c2e4c
spec:
  tls:
    - hosts:
        - "cloudera-proxy.trainingrocket.com"
      # not read by the ALB ingress controller, which only serves ACM certificates
      secretName: ca-star-trainingrocket-com-key-pair
  rules:
    - host: "cloudera-proxy.trainingrocket.com"
      http:
        paths:
          - path: /
            backend:
              serviceName: cloudera-proxy-svc
              servicePort: 80
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: learndot
    release: cloudera
  name: cloudera-proxy-svc
spec:
  # the ALB forwards to the NodePort; no Service-level ELB is created
  type: NodePort
  ports:
    - port: 80
      targetPort: 8080
      name: http
      protocol: TCP
  selector:
    app: learndot
    release: cloudera
```
## Option C: Potential solution using an Ingress-level Classic ELB
- I couldn't figure out how to do it
## How we could have done it in GCP
Create a reserved static IP named `cloudera-proxy-static-ip`
```sh
$ gcloud compute addresses create cloudera-proxy-static-ip --global
$ gcloud compute addresses describe cloudera-proxy-static-ip --global --format 'value(address)'
35.186.228.205
```
Attach the static IP to the _Ingress_ with the single annotation `kubernetes.io/ingress.global-static-ip-name`; the _Service_ only needs the usual `type: NodePort`. Then create an _A_ record from `something.ent.learndot.com` to the reserved static IP. Note that `kubernetes.io/ingress.global-static-ip-name` is an annotation of the GKE (GCE) ingress controller; with `ingress.class: nginx` the equivalent is to reserve a regional address and set `spec.loadBalancerIP` on the ingress-nginx controller's Service. Either way the rule below carries no `host` and the TLS secret is the controller's default certificate, so a client that sends no SNI is still handed a certificate covering the name.
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  labels:
    app: learndot
    release: cloudera
  name: cloudera-proxy-ingress
  annotations:
    certmanager.k8s.io/cluster-issuer: ca-issuer-ent-learndot-com
    kubernetes.io/ingress.global-static-ip-name: cloudera-proxy-static-ip
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - "cloudera-proxy.ent.learndot.com"
      secretName: ent-default-ssl-certificate
  rules:
    # no host: matches whatever name the client sends, including none
    - http:
        paths:
          - path: /
            backend:
              serviceName: cloudera-svc
              servicePort: 80
```
- No per-endpoint load balancer to create and track; the reserved static IP is attached to the existing ingress
- Let's Encrypt certificates via cert-manager still work; no dedicated certificate is needed
- No additional cost, since in-use static IPs are free
- No additional Service is needed; note that the Ingress points at the existing `cloudera-svc`