---
# System prepended metadata

title: Creating endpoints for clients that don't support SNI

---

# Creating endpoints for clients that don't support SNI
Long-term solution for the Cloudera-Boomi issue [LD-6324](https://trainingrocket.atlassian.net/browse/LD-6324).

Background: a client that sends no SNI in its TLS ClientHello receives whichever certificate is the default for the IP and port it connects to, so a shared ingress that selects certificates by hostname cannot serve such a client correctly. The endpoint therefore needs its own address (or its certificate must be the listener's default).

## Option A: The current solution that works, using a Service level Classic ELB
Create a Kubernetes _Service_ level ELB using `type: LoadBalancer`, then manually create a CNAME record in Route53 mapping `something.trainingrocket.com` to `elb-url.us-west-2.elb.amazonaws.com`. The following is all the YAML needed for this solution to work.
```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    # ACM certificate the ELB presents; a non-SNI client gets this cert because the ELB has its own address
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:770069256085:certificate/c1b918de-8242-402e-9d81-6029047c2e4c
    # TLS terminates at the ELB; ELB -> pod traffic is plain HTTP
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    # only the port named "https" below gets the TLS listener
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
  labels:
    app: learndot
    release: cloudera
  name: cloudera-proxy-svc
spec:
  type: LoadBalancer
  ports:
  - port: 80
    targetPort: 8080
    name: http
    protocol: TCP
  - port: 443
    targetPort: 8080
    name: https
    protocol: TCP
  selector:
    app: learndot
    release: cloudera
```
Note that we use a `*.trainingrocket.com` name here, because routing the endpoint through the nginx ingress controller and cert-manager would require a dedicated Kubernetes _Ingress_ level ELB.

- Requires a _Service_ level ELB
- Needs a dedicated ACM certificate; Let's Encrypt via cert-manager can't be used because the ELB terminates TLS
- Requires a manual CNAME record update every time the ELB changes (this could be automated with a small bash script)
- Additional ELB cost
- Terminates TLS at the ELB; with `aws-load-balancer-backend-protocol: http` the hop from the ELB to the pods is plaintext HTTP inside the VPC
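The CNAME step above is the manual part of Option A. The script below is an added example, not part of the original page or the project: it reads the ELB hostname that AWS assigned to the Service, upserts the Route53 CNAME to follow it, and then shows which certificate a client that sends no SNI receives from the endpoint. The hosted zone ID, record name, namespace and Service name are assumptions passed in as arguments; AWS CLI credentials and the kubectl context come from the environment.

```shell
#!/bin/sh
# Added example (not from the page or project): keep a Route53 CNAME pointed at the
# hostname of the Service-level ELB, and check what a non-SNI client gets back.
# Zone ID, record name, namespace and service name are assumed arguments.
set -eu

# True when a value can be placed inside a JSON string literal without escaping.
json_safe() {
  case "$1" in
    ""|*'"'*|*'\'*) return 1 ;;
  esac
}

# Build the Route53 UPSERT change batch for a CNAME record (pure function, no network).
route53_cname_batch() {
  local record_name="$1" target="$2" ttl="${3:-300}"
  json_safe "$record_name" && json_safe "$target" || {
    echo "refusing to build a change batch from empty or unsafe input" >&2
    return 1
  }
  printf '{"Comment":"sync %s to ELB","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":%s,"ResourceRecords":[{"Value":"%s"}]}}]}' \
    "$record_name" "$record_name" "$ttl" "$target"
}

# Hostname AWS assigned to the Service's ELB; empty until the ELB is provisioned.
service_elb_hostname() {
  kubectl -n "$1" get svc "$2" -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'
}

# Upsert the CNAME so it follows the current ELB hostname.
sync_cname() {
  local zone_id="$1" record_name="$2" namespace="$3" service="$4" target
  target="$(service_elb_hostname "$namespace" "$service")"
  if [ -z "$target" ]; then
    echo "ELB for $namespace/$service is not provisioned yet" >&2
    return 1
  fi
  aws route53 change-resource-record-sets \
    --hosted-zone-id "$zone_id" \
    --change-batch "$(route53_cname_batch "$record_name" "$target")"
}

# Show the certificate a client that sends no SNI receives from the endpoint.
# Needs OpenSSL 1.1.1+ for -noservername (older releases send no SNI by default).
check_without_sni() {
  openssl s_client -noservername -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Usage: sh sync-cname.sh ZONE_ID RECORD_NAME NAMESPACE SERVICE
if [ "$#" -eq 4 ]; then
  sync_cname "$@"
  check_without_sni "$2"
fi
```

Run it from a cron job or after every `helm upgrade` that could recreate the Service; the final check is the one that matters for this ticket, since it reproduces what a non-SNI client sees rather than what a browser (which always sends SNI) would.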

## Option B: Potential solution using an Ingress level ALB
- We'd need to install and maintain an additional Kubernetes _Operator_, the [AWS ALB Ingress Controller](https://github.com/kubernetes-sigs/aws-alb-ingress-controller)
- Still needs a dedicated ACM cert
> Although the AWS Application Load Balancer (ALB) is a modern load balancer offered by AWS that can be provisioned from within EKS, at the time of writing, the alb-ingress-controller is only capable of serving sites using certificates stored in AWS Certificate Manager (ACM). [source](https://docs.cert-manager.io/en/latest/tutorials/venafi/securing-ingress.html)
- Still needs manual CNAME record updates (according to [the only cert-manager docs on ALB](https://docs.cert-manager.io/en/latest/tutorials/venafi/securing-ingress.html))
- Still has the additional cost of an ALB


```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  labels:    
    app: learndot
    release: cloudera
  name: cloudera-proxy-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    # the ALB serves this ACM certificate; it is what a non-SNI client receives
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:770069256085:certificate/c1b918de-8242-402e-9d81-6029047c2e4c
spec:
  tls:
  - hosts:
    - "cloudera-proxy.trainingrocket.com"
    # secretName is not used by the ALB ingress controller (it reads certificates from ACM only)
    secretName: ca-star-trainingrocket-com-key-pair
  rules:
  - host: "cloudera-proxy.trainingrocket.com"
    http:
      paths:
      - path: /
        backend:
          serviceName: cloudera-proxy-svc
          servicePort: 80
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: learndot
    release: cloudera
  name: cloudera-proxy-svc
spec:
  # the ALB ingress controller targets the node port of this Service
  type: NodePort
  ports:
  - port: 80
    targetPort: 8080
    name: http
    protocol: TCP
  selector:
    app: learndot
    release: cloudera
```

## Option C: Potential solution using Ingress level classical ELB
- I couldn't figure out how to do it

## How we could have done it in GCP
Create a reserved static IP named `cloudera-proxy-static-ip`
```shell
$ gcloud compute addresses create cloudera-proxy-static-ip --global 
$ gcloud compute addresses describe cloudera-proxy-static-ip --global --format 'value(address)'
35.186.228.205
```

Attach the static IP to the _Ingress_ by adding the one-line annotation `kubernetes.io/ingress.global-static-ip-name`. The _Service_ just needs the usual `type: NodePort`. Then we create an _A_ record for `something.ent.learndot.com` pointing at the reserved static IP.
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  labels:    
    app: learndot
    release: cloudera
  name: cloudera-proxy-ingress
  annotations:
    # cert-manager issues the certificate for the tls hosts below
    certmanager.k8s.io/cluster-issuer: ca-issuer-ent-learndot-com
    # honoured by the GCE ingress controller (ingress.class: gce); the nginx controller ignores it
    kubernetes.io/ingress.global-static-ip-name: cloudera-proxy-static-ip
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - "cloudera-proxy.ent.learndot.com"
    secretName: ent-default-ssl-certificate
  rules:
  - http:
      paths:
      - path: /
        backend:
          serviceName: cloudera-svc
          servicePort: 80
```
-  No _Service_ level load balancer to manage
-  Caveat: `kubernetes.io/ingress.global-static-ip-name` is a GCE ingress annotation, and a GCE-class Ingress provisions a Google Cloud HTTP(S) load balancer behind the global address; with `ingress.class: nginx` the reserved address would instead have to be a regional one attached via `loadBalancerIP` on the nginx controller's Service
-  We can still use Let's Encrypt certs via cert-manager, we don't need dedicated certs
-  No additional cost for the address itself, in-use static IPs are free
-  No need to create an additional Service, note that we're reusing `cloudera-svc`