Tyk AWS load balancer

Hello,
I couldn’t find any reference documentation, so I need your advice about AWS ALB or NLB configuration for the Kubernetes tyk-ce operator.
Does Tyk use AWS ALB or NLB as the external load balancer for Kubernetes services? How can I connect the LB and the ingress to each other?

Regards

Hello,

This isn’t selected by Tyk. The cloud you are running on has defaults in regards to the hardware type which will spawn up when you select a “LoadBalancer” of kind Service. With AWS, this is ALB. However, you can give it a specific annotation to tell AWS which LB type you want.

Which type you select is entirely dependent on your use case. Here’s a general guide:

  • Do you have to terminate SSL at Tyk level, i.e. for mTLS? Use NLB

Otherwise, you should use an ALB and terminate SSL at that layer, in combination with AWS ACM.

Thank you very much for your answer, @sedky.
I would like to terminate SSL at the LB level; also, ALB has WAF. That’s OK.
The problem is that I am not able to configure the ALB to forward traffic to the ingress.

Here is the config:

apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
spec:
  ports:
    - name: http
      port: 80
      targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      containers:
        - image: docker.io/kennethreitz/httpbin
          imagePullPolicy: IfNotPresent
          name: httpbin
          ports:
            - containerPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: httpbin-ingress
  annotations:
    kubernetes.io/ingress.class: tyk
    tyk.io/template: httpbin
spec:
  rules:
    - host: tyk-eks-dev-499134611.eu-central-1.elb.amazonaws.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: httpbin
                port:
                  number: 80
          - path: /httpbin
            pathType: Prefix
            backend:
              service:
                name: httpbin
                port:
                  number: 80
---
apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: httpbin
  labels:
    template: "true"
spec:
  name: basit1
  protocol: http
  use_keyless: true
  active: true
  proxy:
    target_url: http://httpbin.httpbin.svc.cluster.local
    # listen_path: /httpbin
    strip_listen_path: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        name: Default
        paths:
          black_list: []
          ignored: []
          white_list: []

This is my AWS ALB config:

and yes I know, it’s reported as “unhealthy” but I don’t know why.

and no response, time out:

$ curl -I http://tyk-eks-dev-499134611.eu-central-1.elb.amazonaws.com/httpbin

curl: (28) Failed to connect to tyk-eks-dev-499134611.eu-central-1.elb.amazonaws.com port 80: Connection timed out

I’m pulling my hair out, please advise…

Hiya

A few key things to check.

Your biggest problem is the unhealthy targets on your LB. That won’t allow any requests to go through. You should see if you can log into a gateway pod and try to curl the same endpoint that the LB is trying to hit.

Hopefully you can get a good response.

Please check Gateway logs for any errors, is the Gateway coming up even?

Finally, it is peculiar that you are not getting a response from the ALB, I would expect it to be an instant response. Please check your security groups to see if you are allowing internet traffic on port 80 through your LB.

Try those and report back!

Gateway logs are clean:

time="Sep 27 15:02:14" level=info msg="reload: initiating" prefix=main
time="Sep 27 15:02:14" level=info msg="Loading policies" prefix=main
time="Sep 27 15:02:14" level=error msg="Couldn't unmarshal policies: EOF" prefix=policy
time="Sep 27 15:02:14" level=info msg="Policies found (0 total):" prefix=main
time="Sep 27 15:02:14" level=info msg="Loading API Specification from /mnt/tyk-gateway/apps/aHR0cGJpbi9odHRwYmluLWh0dHBiaW4taW5ncmVzcy00ZjIxNWU2ZmQ.json"
time="Sep 27 15:02:14" level=warning msg="Legacy path detected! Upgrade to extended."
time="Sep 27 15:02:14" level=info msg="Loading API Specification from /mnt/tyk-gateway/apps/aHR0cGJpbi9odHRwYmluLWh0dHBiaW4taW5ncmVzcy1lNjdjN2RiNDg.json"
time="Sep 27 15:02:14" level=warning msg="Legacy path detected! Upgrade to extended."
time="Sep 27 15:02:14" level=info msg="Detected 2 APIs" prefix=main
time="Sep 27 15:02:14" level=info msg="Loading API configurations." prefix=main
time="Sep 27 15:02:14" level=info msg="Tracking hostname" api_name=httpbin-httpbin-ingress-4f215e6fd domain=tyk-eks-dev-499134611.eu-central-1.elb.amazonaws.com prefix=main
time="Sep 27 15:02:14" level=info msg="Tracking hostname" api_name=httpbin-httpbin-ingress-e67c7db48 domain=tyk-eks-dev-499134611.eu-central-1.elb.amazonaws.com prefix=main
time="Sep 27 15:02:14" level=info msg="Initialising Tyk REST API Endpoints" prefix=main
time="Sep 27 15:02:14" level=info msg="API hostname set: tyk-eks-dev-499134611.eu-central-1.elb.amazonaws.com" prefix=main
time="Sep 27 15:02:14" level=info msg="Checking security policy: Open" api_id=aHR0cGJpbi9odHRwYmluLWh0dHBiaW4taW5ncmVzcy00ZjIxNWU2ZmQ api_name=httpbin-httpbin-ingress-4f215e6fd org_id=ku
time="Sep 27 15:02:14" level=info msg="API Loaded" api_id=aHR0cGJpbi9odHRwYmluLWh0dHBiaW4taW5ncmVzcy00ZjIxNWU2ZmQ api_name=httpbin-httpbin-ingress-4f215e6fd org_id=ku prefix=gateway server_name=-- user_id=-- user_ip=--
time="Sep 27 15:02:14" level=info msg="API hostname set: tyk-eks-dev-499134611.eu-central-1.elb.amazonaws.com" prefix=main
time="Sep 27 15:02:14" level=info msg="Checking security policy: Open" api_id=aHR0cGJpbi9odHRwYmluLWh0dHBiaW4taW5ncmVzcy1lNjdjN2RiNDg api_name=httpbin-httpbin-ingress-e67c7db48 org_id=ku
time="Sep 27 15:02:14" level=info msg="API Loaded" api_id=aHR0cGJpbi9odHRwYmluLWh0dHBiaW4taW5ncmVzcy1lNjdjN2RiNDg api_name=httpbin-httpbin-ingress-e67c7db48 org_id=ku prefix=gateway server_name=-- user_id=-- user_ip=--
time="Sep 27 15:02:14" level=info msg="Loading uptime tests..." prefix=host-check-mgr
time="Sep 27 15:02:14" level=info msg="Initialised API Definitions" prefix=main
time="Sep 27 15:02:14" level=info msg="API reload complete" prefix=main
time="Sep 27 15:02:14" level=info msg="reload: complete" prefix=main
time="Sep 27 15:02:14" level=info msg="Initiating coprocess reload" prefix=main
time="Sep 27 15:02:14" level=info msg="Reloading middlewares" prefix=coprocess
time="Sep 27 15:02:14" level=info msg="coprocess reload complete" prefix=main
time="Sep 27 15:02:14" level=info msg="reload: cycle completed in 2.431877ms" prefix=main

Operator logs are clean:

{"level":"info","ts":1632754934.4450216,"logger":"controllers.ApiDefinition","msg":"Creating new  ApiDefinition","ApiDefinition":"httpbin/httpbin-httpbin-ingress-e67c7db48"}
{"level":"info","ts":1632754934.4458387,"logger":"controllers.Ingress","msg":"successful sync api defintion","name":"httpbin/httpbin-ingress","name":"httpbin-httpbin-ingress-e67c7db48","op":"created"}
{"level":"info","ts":1632754934.4458861,"logger":"controllers.Ingress","msg":"sync api definition","name":"httpbin/httpbin-ingress","name":"httpbin-httpbin-ingress-4f215e6fd"}
{"level":"info","ts":1632754934.449949,"logger":"apidefinition-resource","msg":"default","name":"httpbin-httpbin-ingress-4f215e6fd"}
{"level":"info","ts":1632754934.453048,"logger":"controllers.ApiDefinition","msg":"Call","ApiDefinition":"httpbin/httpbin-httpbin-ingress-e67c7db48","Method":"POST","URL":"http://gateway-svc-tyk-ce-tyk-headless.tyk.svc.cluster.local:443/tyk/apis","Status":200}
{"level":"info","ts":1632754934.4706888,"logger":"apidefinition-resource","msg":"validate create","name":"httpbin-httpbin-ingress-4f215e6fd"}
{"level":"info","ts":1632754934.4838457,"logger":"controllers.Ingress","msg":"successful sync api defintion","name":"httpbin/httpbin-ingress","name":"httpbin-httpbin-ingress-4f215e6fd","op":"created"}
{"level":"info","ts":1632754934.4838896,"logger":"controllers.Ingress","msg":"deleting orphan api's","name":"httpbin/httpbin-ingress"}
{"level":"info","ts":1632754934.4839506,"logger":"controllers.Ingress","msg":"deleting orphan api definitions","name":"httpbin/httpbin-ingress","selector":"tyk.io/apidefinition,tyk.io/apidefinition notin (4f215e6fd,e67c7db48),tyk.io/ingress==httpbin-ingress","count":2}
{"level":"info","ts":1632754934.5019524,"logger":"controllers.ApiDefinition","msg":"Call","ApiDefinition":"httpbin/httpbin-httpbin-ingress-e67c7db48","Method":"GET","URL":"http://gateway-svc-tyk-ce-tyk-headless.tyk.svc.cluster.local:443/tyk/reload/group","Status":200}
{"level":"info","ts":1632754934.5124695,"logger":"apidefinition-resource","msg":"default","name":"httpbin-httpbin-ingress-e67c7db48"}
{"level":"info","ts":1632754934.5203743,"logger":"apidefinition-resource","msg":"default","name":"httpbin"}
{"level":"info","ts":1632754934.5284462,"logger":"apidefinition-resource","msg":"validate update","name":"httpbin-httpbin-ingress-e67c7db48"}
{"level":"info","ts":1632754934.5336256,"logger":"apidefinition-resource","msg":"validate update","name":"httpbin"}
{"level":"info","ts":1632754934.5381548,"logger":"controllers.ApiDefinition","msg":"Completed reconciling ApiDefinition instance","ApiDefinition":"httpbin/httpbin-httpbin-ingress-e67c7db48"}{"level":"info","ts":1632754934.538223,"logger":"controllers.ApiDefinition","msg":"Reconciling ApiDefinition instance","ApiDefinition":"httpbin/httpbin-httpbin-ingress-4f215e6fd"}
{"level":"info","ts":1632754934.5383196,"logger":"controllers.ApiDefinition","msg":"Updating linked policies"}
{"level":"info","ts":1632754934.5383286,"logger":"controllers.ApiDefinition","msg":"updating looping targets"}
{"level":"info","ts":1632754934.538333,"logger":"controllers.ApiDefinition","msg":"Creating new  ApiDefinition","ApiDefinition":"httpbin/httpbin-httpbin-ingress-4f215e6fd"}
{"level":"info","ts":1632754934.5394826,"logger":"controllers.ApiDefinition","msg":"Call","ApiDefinition":"httpbin/httpbin-httpbin-ingress-4f215e6fd","Method":"POST","URL":"http://gateway-svc-tyk-ce-tyk-headless.tyk.svc.cluster.local:443/tyk/apis","Status":200}
{"level":"info","ts":1632754934.545751,"logger":"controllers.Ingress","msg":"Sync ingress OK","name":"httpbin/httpbin-ingress"}
{"level":"info","ts":1632754934.555072,"logger":"controllers.ApiDefinition","msg":"Call","ApiDefinition":"httpbin/httpbin-httpbin-ingress-4f215e6fd","Method":"GET","URL":"http://gateway-svc-tyk-ce-tyk-headless.tyk.svc.cluster.local:443/tyk/reload/group","Status":200}
{"level":"info","ts":1632754934.5602555,"logger":"apidefinition-resource","msg":"default","name":"httpbin-httpbin-ingress-4f215e6fd"}
{"level":"info","ts":1632754934.5640318,"logger":"apidefinition-resource","msg":"validate update","name":"httpbin-httpbin-ingress-4f215e6fd"}
{"level":"info","ts":1632754934.5763483,"logger":"controllers.ApiDefinition","msg":"Completed reconciling ApiDefinition instance","ApiDefinition":"httpbin/httpbin-httpbin-ingress-4f215e6fd"}{"level":"info","ts":1632754934.5764122,"logger":"controllers.ApiDefinition","msg":"Reconciling ApiDefinition instance","ApiDefinition":"httpbin/httpbin-httpbin-ingress-0ae5c2149"}
{"level":"info","ts":1632754934.5764563,"logger":"controllers.ApiDefinition","msg":"resource being deleted"}
{"level":"info","ts":1632754934.5764613,"logger":"controllers.ApiDefinition","msg":"checking linked security policies"}
{"level":"info","ts":1632754934.5764651,"logger":"controllers.ApiDefinition","msg":"checking linked api resources"}
{"level":"info","ts":1632754934.5764687,"logger":"controllers.ApiDefinition","msg":"deleting api"}
{"level":"info","ts":1632754934.5770502,"logger":"controllers.ApiDefinition","msg":"Call","ApiDefinition":"httpbin/httpbin-httpbin-ingress-0ae5c2149","Method":"DELETE","URL":"http://gateway-svc-tyk-ce-tyk-headless.tyk.svc.cluster.local:443/tyk/apis/aHR0cGJpbi9odHRwYmluLWh0dHBiaW4taW5ncmVzcy0wYWU1YzIxNDk","Status":200}
{"level":"info","ts":1632754934.5778959,"logger":"controllers.ApiDefinition","msg":"Call","ApiDefinition":"httpbin/httpbin-httpbin-ingress-0ae5c2149","Method":"GET","URL":"http://gateway-svc-tyk-ce-tyk-headless.tyk.svc.cluster.local:443/tyk/reload/group","Status":200}
{"level":"info","ts":1632754934.5779557,"logger":"controllers.ApiDefinition","msg":"removing finalizer"}
{"level":"info","ts":1632754934.583061,"logger":"apidefinition-resource","msg":"default","name":"httpbin-httpbin-ingress-0ae5c2149"}
{"level":"info","ts":1632754934.5865207,"logger":"apidefinition-resource","msg":"validate update","name":"httpbin-httpbin-ingress-0ae5c2149"}
{"level":"info","ts":1632754934.5932217,"logger":"apidefinition-resource","msg":"default","name":"httpbin-httpbin-ingress-0ae5c2149"}
{"level":"info","ts":1632754934.5971725,"logger":"apidefinition-resource","msg":"validate update","name":"httpbin-httpbin-ingress-0ae5c2149"}
{"level":"info","ts":1632754934.603534,"logger":"controllers.ApiDefinition","msg":"Completed reconciling ApiDefinition instance","ApiDefinition":"httpbin/httpbin-httpbin-ingress-0ae5c2149"} {"level":"info","ts":1632754934.6036186,"logger":"controllers.ApiDefinition","msg":"Reconciling ApiDefinition instance","ApiDefinition":"httpbin/httpbin-httpbin-ingress-e67c7db48"}
{"level":"info","ts":1632754934.6037724,"logger":"controllers.ApiDefinition","msg":"Updating linked policies"}
{"level":"info","ts":1632754934.6037848,"logger":"controllers.ApiDefinition","msg":"updating looping targets"}
{"level":"info","ts":1632754934.60379,"logger":"controllers.ApiDefinition","msg":"Updating ApiDefinition","ApiDefinition":"httpbin/httpbin-httpbin-ingress-e67c7db48"}
{"level":"info","ts":1632754934.6051555,"logger":"controllers.ApiDefinition","msg":"Call","ApiDefinition":"httpbin/httpbin-httpbin-ingress-e67c7db48","Method":"POST","URL":"http://gateway-svc-tyk-ce-tyk-headless.tyk.svc.cluster.local:443/tyk/apis","Status":200}
{"level":"info","ts":1632754934.6059952,"logger":"controllers.ApiDefinition","msg":"Call","ApiDefinition":"httpbin/httpbin-httpbin-ingress-e67c7db48","Method":"GET","URL":"http://gateway-svc-tyk-ce-tyk-headless.tyk.svc.cluster.local:443/tyk/reload/group","Status":200}
{"level":"info","ts":1632754934.606708,"logger":"controllers.ApiDefinition","msg":"Completed reconciling ApiDefinition instance","ApiDefinition":"httpbin/httpbin-httpbin-ingress-e67c7db48"} {"level":"info","ts":1632754934.6068156,"logger":"controllers.ApiDefinition","msg":"Reconciling ApiDefinition instance","ApiDefinition":"httpbin/httpbin-httpbin-ingress-d2e94f37e"}
{"level":"info","ts":1632754934.6068726,"logger":"controllers.ApiDefinition","msg":"resource being deleted"}
{"level":"info","ts":1632754934.6068778,"logger":"controllers.ApiDefinition","msg":"checking linked security policies"}
{"level":"info","ts":1632754934.6068819,"logger":"controllers.ApiDefinition","msg":"checking linked api resources"}
{"level":"info","ts":1632754934.6068861,"logger":"controllers.ApiDefinition","msg":"deleting api"}
{"level":"info","ts":1632754934.60742,"logger":"controllers.ApiDefinition","msg":"Call","ApiDefinition":"httpbin/httpbin-httpbin-ingress-d2e94f37e","Method":"DELETE","URL":"http://gateway-svc-tyk-ce-tyk-headless.tyk.svc.cluster.local:443/tyk/apis/aHR0cGJpbi9odHRwYmluLWh0dHBiaW4taW5ncmVzcy1kMmU5NGYzN2U","Status":200}
{"level":"info","ts":1632754934.608303,"logger":"controllers.ApiDefinition","msg":"Call","ApiDefinition":"httpbin/httpbin-httpbin-ingress-d2e94f37e","Method":"GET","URL":"http://gateway-svc-tyk-ce-tyk-headless.tyk.svc.cluster.local:443/tyk/reload/group","Status":200}
{"level":"info","ts":1632754934.6083395,"logger":"controllers.ApiDefinition","msg":"removing finalizer"}
{"level":"info","ts":1632754934.6140273,"logger":"apidefinition-resource","msg":"default","name":"httpbin-httpbin-ingress-d2e94f37e"}
{"level":"info","ts":1632754934.6182919,"logger":"apidefinition-resource","msg":"validate update","name":"httpbin-httpbin-ingress-d2e94f37e"}
{"level":"info","ts":1632754934.6254308,"logger":"apidefinition-resource","msg":"default","name":"httpbin-httpbin-ingress-d2e94f37e"}
{"level":"info","ts":1632754934.629367,"logger":"apidefinition-resource","msg":"validate update","name":"httpbin-httpbin-ingress-d2e94f37e"}
{"level":"info","ts":1632754934.6396322,"logger":"controllers.ApiDefinition","msg":"Completed reconciling ApiDefinition instance","ApiDefinition":"httpbin/httpbin-httpbin-ingress-d2e94f37e"}{"level":"info","ts":1632754934.6396966,"logger":"controllers.ApiDefinition","msg":"Reconciling ApiDefinition instance","ApiDefinition":"httpbin/httpbin-httpbin-ingress-4f215e6fd"}
{"level":"info","ts":1632754934.6397386,"logger":"controllers.ApiDefinition","msg":"Updating linked policies"}
{"level":"info","ts":1632754934.6397448,"logger":"controllers.ApiDefinition","msg":"updating looping targets"}
{"level":"info","ts":1632754934.6397479,"logger":"controllers.ApiDefinition","msg":"Updating ApiDefinition","ApiDefinition":"httpbin/httpbin-httpbin-ingress-4f215e6fd"}
{"level":"info","ts":1632754934.6407838,"logger":"controllers.ApiDefinition","msg":"Call","ApiDefinition":"httpbin/httpbin-httpbin-ingress-4f215e6fd","Method":"POST","URL":"http://gateway-svc-tyk-ce-tyk-headless.tyk.svc.cluster.local:443/tyk/apis","Status":200}
{"level":"info","ts":1632754934.6416333,"logger":"controllers.ApiDefinition","msg":"Call","ApiDefinition":"httpbin/httpbin-httpbin-ingress-4f215e6fd","Method":"GET","URL":"http://gateway-svc-tyk-ce-tyk-headless.tyk.svc.cluster.local:443/tyk/reload/group","Status":200}
{"level":"info","ts":1632754934.642099,"logger":"controllers.ApiDefinition","msg":"Completed reconciling ApiDefinition instance","ApiDefinition":"httpbin/httpbin-httpbin-ingress-4f215e6fd"} {"level":"info","ts":1632754934.642142,"logger":"controllers.ApiDefinition","msg":"Reconciling ApiDefinition instance","ApiDefinition":"httpbin/httpbin-httpbin-ingress-0ae5c2149"}
{"level":"info","ts":1632754934.6421816,"logger":"controllers.ApiDefinition","msg":"Reconciling ApiDefinition instance","ApiDefinition":"httpbin/httpbin-httpbin-ingress-d2e94f37e"}

There is no security; it’s like a highway: all, all

…still unhealthy :frowning:
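A gateway log like the one posted above can be checked mechanically instead of by eye. The following is an added example, not part of the original posts or of Tyk's tooling: it parses the gateway's key=value log lines, returns every entry above info level, and lists the hostname each API is bound to together with the decoded `api_id`. The sample lines are copied from the excerpt above; the function names are hypothetical, and the unpadded-base64 reading of `api_id` is taken from the values shown in this thread.

```python
import base64
import shlex

# Lines copied from the gateway log excerpt in this thread (relevant ones only).
SAMPLE_LOG = '''\
time="Sep 27 15:02:14" level=info msg="Loading policies" prefix=main
time="Sep 27 15:02:14" level=error msg="Couldn't unmarshal policies: EOF" prefix=policy
time="Sep 27 15:02:14" level=warning msg="Legacy path detected! Upgrade to extended."
time="Sep 27 15:02:14" level=info msg="Tracking hostname" api_name=httpbin-httpbin-ingress-4f215e6fd domain=tyk-eks-dev-499134611.eu-central-1.elb.amazonaws.com prefix=main
time="Sep 27 15:02:14" level=info msg="API Loaded" api_id=aHR0cGJpbi9odHRwYmluLWh0dHBiaW4taW5ncmVzcy00ZjIxNWU2ZmQ api_name=httpbin-httpbin-ingress-4f215e6fd org_id=ku prefix=gateway server_name=-- user_id=-- user_ip=--
'''


def parse_line(line):
    """Split one key=value log line into a dict; None if it is not a log line."""
    try:
        tokens = shlex.split(line)  # honours the double-quoted values
    except ValueError:              # unbalanced quotes: not a well-formed line
        return None
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    return fields if "level" in fields else None


def decode_api_id(api_id):
    """api_id values in the excerpt are unpadded base64 of '<namespace>/<name>'."""
    padded = api_id + "=" * (-len(api_id) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8", "replace")


def triage(text):
    """Return non-info entries, API-to-hostname bindings and decoded API ids."""
    problems, hosts, apis = [], {}, {}
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        if fields["level"] not in ("info", "debug"):
            problems.append((fields["level"], fields.get("msg", "")))
        name = fields.get("api_name")
        if fields.get("msg") == "Tracking hostname" and name:
            hosts[name] = fields.get("domain", "")
        if fields.get("msg") == "API Loaded" and name and "api_id" in fields:
            apis[name] = decode_api_id(fields["api_id"])
    return {"problems": problems, "hosts": hosts, "apis": apis}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for level, msg in report["problems"]:
        print(f"{level.upper():8} {msg}")
    for name, domain in report["hosts"].items():
        print(f"{name} answers only for Host: {domain}")
    for name, ref in report["apis"].items():
        print(f"{name} <- {ref}")
```
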

Hello,
I get “502 bad gateway” now.

I would like to try the solution explained here.
https://tyk.io/docs/troubleshooting/tyk-gateway/502-error-tyk-gateway/

How can I enter key-value pairs into the apidefinition YAML file in Kubernetes?

Regards

proxy.service_discovery.use_nested_query = false
proxy.service_discovery.use_target_list = true
proxy.service_discovery.endpoint_returns_list = true
proxy.service_discovery.data_path = "Address"
proxy.service_discovery.port_data_path = "ServicePort"

Sorry for the delay.

I can’t tell if the problem is at the ALB layer or the Tyk layer.

Can you exec into a Tyk node and then curl the endpoint locally you are trying to hit?

$ kubectl exec -n tyk -it pod/<gateway-pod-name> -- bash
...
$ curl localhost:8080/httpbin/get

If that works, then can you share the screenshot of the healthcheck endpoint in the ALB?

Hello,
No problem, thank you very much for your attention and your advice.
I’ve noticed that I was heading in the wrong direction. I figured out a number of problems but still have problems.

Please continue under another topic.

Regards