AWS Load Balancer Controller

To expose your application’s gRPC or HTTPS endpoints publicly to the internet, you can use the AWS Load Balancer Controller together with a Kubernetes Ingress created by the Akka Operator. This is useful when external services or clients outside the EKS cluster need to consume the gRPC or HTTPS endpoints.

Install the Load Balancer Controller

Follow the instructions in the AWS Load Balancer Controller installation documentation. Additional information and resources can be found in the AWS Load Balancer Controller Helm chart for Kubernetes GitHub repository.

TLS certificate

A Transport Layer Security (TLS) certificate provides privacy and data integrity between two or more communicating applications. You will need a TLS certificate for the internet-facing load balancer, which terminates TLS for the clients. The Akka Cloud Platform does not manage or create TLS certificates.

When you expose an Akka gRPC service through a load balancer, you have to provide a TLS certificate. Request or import a certificate using the AWS Certificate Manager (ACM) console. In the ACM console, make sure you select the region you are working in, since certificates are regional. You will need to provide the Amazon Resource Name (ARN) of the certificate when you create the Akka Microservice Custom Resource.

Alternatively, for development and testing, you can create your own self-signed certificate and then import it. Clients cannot verify a self-signed certificate unless they trust it explicitly, so do not use one for production traffic. You can find additional details regarding self-signed certificates and AWS in Managing server certificates in IAM and Prerequisites for Importing Certificates.

A self-signed certificate can be created as in the following example:

openssl req -new \
    -newkey rsa:2048 -x509 -sha256 -days 365 \
    -nodes \
    -out MyCertificate.crt \
    -keyout MyKey.key \
    -subj "/CN=example.com/O=example"
When creating a self-signed certificate, make sure you use a domain name for the Common Name (CN), for instance "example.com". If you use an arbitrary non-empty name instead of a domain name, the ingress controller will not be able to find the certificate and the ingress will not get an address; this shows up as a CertificateNotFound error in the events for the ingress.

You can import the certificate into IAM with the following command. Note that the private key is uploaded together with the certificate, so generate it on a trusted machine and remove local copies you no longer need:

aws iam upload-server-certificate \
    --server-certificate-name MyCertificate \
    --certificate-body file://MyCertificate.crt \
    --certificate-chain file://MyCertificate.crt \
    --private-key file://MyKey.key

When the preceding command succeeds, it returns metadata about the uploaded certificate, including its Amazon Resource Name (ARN).

Make a note of the certificate ARN for the next step.

You can verify that the certificate was imported successfully by listing the server certificates with the following command:

aws iam list-server-certificates
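The following pre-flight script is an added example and is not part of the Akka Cloud Platform documentation or the AWS CLI. It encodes the rules above as checks you can run before uploading a self-signed certificate: the Common Name must be a domain name, the private key must belong to the certificate, and the certificate must not be expired. It assumes OpenSSL is installed; the file names MyCertificate.crt and MyKey.key and the throwaway certificate it generates are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Akka Cloud Platform docs): pre-flight checks on a
# self-signed certificate and key before "aws iam upload-server-certificate".
# Assumes OpenSSL is on PATH. File names are assumptions for this example.
set -eu

# Generate a throwaway self-signed certificate (constructed sample input) in DIR.
# Usage: make_selfsigned CN DIR
make_selfsigned() {
  openssl req -new -newkey rsa:2048 -x509 -sha256 -days 365 -nodes \
    -out "$2/MyCertificate.crt" -keyout "$2/MyKey.key" \
    -subj "/CN=$1/O=example" >/dev/null 2>&1
}

# Print the Common Name of a certificate file.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit status 0 if CN looks like a DNS name (a leading wildcard is allowed).
cn_is_domain() {
  printf '%s\n' "$1" \
    | grep -Eq '^(\*\.)?([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Exit status 0 if the public half of the private key matches the certificate.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Run all checks. Prints the reason and returns 1 on the first failure.
# Usage: preflight_cert CERT KEY
preflight_cert() {
  cert=$1
  key=$2
  cn=$(cert_cn "$cert")
  if ! cn_is_domain "$cn"; then
    echo "FAIL: CN '$cn' is not a domain name; the ingress would report CertificateNotFound" >&2
    return 1
  fi
  if ! key_matches_cert "$cert" "$key"; then
    echo "FAIL: $key does not belong to $cert" >&2
    return 1
  fi
  # -checkend 0 exits non-zero if the certificate has already expired.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "FAIL: $cert is expired" >&2
    return 1
  fi
  # Warn only: Go-based clients such as grpcurl ignore the CN when verifying a
  # server certificate, so a cert without a subjectAltName cannot be verified
  # with -cacert (add -addext "subjectAltName=DNS:$cn" on OpenSSL 1.1.1+).
  if ! openssl x509 -in "$cert" -noout -text | grep -q 'Subject Alternative Name'; then
    echo "WARN: $cert has no subjectAltName; clients verifying it will reject it" >&2
  fi
  echo "OK: $cert (CN=$cn) is ready to upload"
}

# Stand-alone usage: sh preflight.sh MyCertificate.crt MyKey.key
if [ $# -eq 2 ]; then
  preflight_cert "$1" "$2"
fi
```

Run it against the files from the openssl command above before the aws iam upload-server-certificate step; a failing CN check is cheaper to catch here than as a CertificateNotFound event on the ingress.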

The Akka Cloud Platform operator creates the Kubernetes Ingress that references your TLS certificate by its Amazon Resource Name (ARN).

However, the operator is not involved in any other part of TLS certificate management, including renewal. Neither ACM nor IAM renews an imported certificate automatically, so track its expiry (365 days for the example above) and re-import a new one before it lapses.

Enable grpcIngress

Add the grpcIngress section to the deployment descriptor and set its class to alb:

kubernetes/shopping-cart-service-cr.yml:
apiVersion: akka.lightbend.com/v1
kind: AkkaMicroservice
metadata:
  name: shopping-cart-service
  namespace: "shopping"
spec:
  image: <image>
  grpcIngress:
    enabled: true
    certificate: <certificate_arn>
    class: "alb"

Replace the certificate ARN with the one from the previous step.

After the deployment descriptor has been applied, the Akka Operator creates an Ingress with the appropriate ALB annotations and a NodePort Service. You can retrieve the public address with:

kubectl get ingress shopping-cart-service-grpc-ingress --namespace=shopping

To call the public endpoint with grpcurl, use the public address from above with port 443:

grpcurl -insecure \
    -d '{"cartId":"cart3", "itemId":"hoodie", "quantity":2}' \
    k8s-shopping-shopping-18efcf54bb-2096059642.eu-central-1.elb.amazonaws.com:443 \
    shoppingcart.ShoppingCartService.AddItem
The -insecure flag disables certificate verification entirely, so use it only against a self-signed development certificate; against a certificate issued by ACM or a public CA, drop the flag so that grpcurl verifies the server.

Replace the host name (k8s-shopping-shopping-18efcf54bb-2096059642.eu-central-1.elb.amazonaws.com) with your actual host name.