Switched from ELB to NLB

Signed-off-by: Philip Schmid <phisch@cisco.com>

Author: PhilipSchmid

.github/workflows/conformance-pr.yml

@@ -73,7 +73,7 @@ jobs:
         run: |
           cd test/conformance
           # Wait until the apiserver LB is ready
-          timeout 120 bash -c "until curl -sS https://$(terraform output -raw elb_dns_name):443 -k -m 3; do sleep 1 && echo 'waiting for apiserver'; done"
+          timeout 120 bash -c "until curl -sS https://$(terraform output -raw lb_dns_name):443 -k -m 3; do sleep 1 && echo 'waiting for apiserver'; done"
           if [ $? -ne 0 ]; then
             echo "API Server LB failed to become available."
             exit 1

.github/workflows/conformance.yml

@@ -153,7 +153,7 @@ jobs:
       - name: Install Cilium
         run: |
           cd test/conformance
-          timeout 120 bash -c "until curl -sS https://$(terraform output -raw elb_dns_name):443 -k -m 3; do sleep 1 && echo 'waiting for apiserver'; done"
+          timeout 120 bash -c "until curl -sS https://$(terraform output -raw lb_dns_name):443 -k -m 3; do sleep 1 && echo 'waiting for apiserver'; done"
           if [ $? -ne 0 ]; then
             echo "API Server LB failed to become available."
             exit 1

00-locals.tf

@@ -35,7 +35,7 @@ locals {
       },
       apiServer = {
         certSANs = [
-          module.elb_k8s_elb.elb_dns_name
+          aws_lb.api.dns_name
         ],
         extraArgs = {
           enable-admission-plugins = var.admission_plugins
@@ -65,7 +65,7 @@ locals {
     },
     machine = {
       certSANs = [
-        module.elb_k8s_elb.elb_dns_name
+        aws_lb.api.dns_name
       ],
       kubelet = {
         extraArgs = {

00-outputs.tf

@@ -8,9 +8,24 @@ output "path_to_kubeconfig_file" {
   value       = local.path_to_kubeconfig_file
 }
 
+output "lb_dns_name" {
+  description = "Public NLB DNS name."
+  value       = aws_lb.api.dns_name
+}
+
 output "elb_dns_name" {
-  description = "Public ELB DNS name."
-  value       = module.elb_k8s_elb.elb_dns_name
+  description = "[DEPRECATED: Use lb_dns_name instead] Public load balancer DNS name."
+  value       = aws_lb.api.dns_name
+}
+
+output "lb_zone_id" {
+  description = "The zone_id of the NLB for Route53 alias records."
+  value       = aws_lb.api.zone_id
+}
+
+output "lb_arn" {
+  description = "The ARN of the Network Load Balancer."
+  value       = aws_lb.api.arn
 }
 
 output "cluster_name" {

00-variables.tf

@@ -192,9 +192,3 @@ variable "external_cloud_provider_manifest" {
   description = "externalCloudProvider manifest to be applied if var.enable_external_cloud_provider is enabled. If you want to deploy it manually (e.g., via Helm chart), enable var.enable_external_cloud_provider but set this value to an empty string (\"\"). See https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/."
   type        = string
 }
-
-variable "use_private_ips_only" {
-  description = "When true (default), Talos cluster nodes will NOT receive public IPv4 addresses. The Kubernetes/Talos API is still exposed via a public ELB (restricted by security groups via var.external_source_cidrs). When set to false, public IPv4 addresses are allocated and the ELB is internet-facing."
-  type        = bool
-  default     = true
-}

01-vpc.tf

@@ -25,7 +25,6 @@ data "aws_subnets" "public" {
 }
 
 // Used to list all private subnets in the VPC.
-// This is required when `var.use_private_ips_only` is enabled (default).
 data "aws_subnets" "private" {
   depends_on = [
     null_resource.wait_for_subnets,
@@ -45,10 +44,8 @@ data "aws_subnets" "private" {
 }
 
 // Used to wait for at least one of the subnets to exist.
-// Unfortunately there doesn't seem to be a better way to do this in Terraform.
 resource "null_resource" "wait_for_subnets" {
   provisioner "local-exec" {
-    command = "${path.module}/scripts/wait-for-subnets.sh -v ${data.aws_vpc.vpc.id} -r ${data.aws_region.current.name} -t ${var.use_private_ips_only ? "private" : "public"}"
+    command = "${path.module}/scripts/wait-for-subnets.sh -v ${data.aws_vpc.vpc.id} -r ${data.aws_region.current.name} -t public"
   }
 }
-

02-infra.tf

@@ -1,9 +1,9 @@
 # Public-facing security group for the external load balancer
-module "elb_sg" {
+module "nlb_sg" {
   source  = "terraform-aws-modules/security-group/aws"
   version = "~> 5.3"
 
-  name        = "${var.cluster_name}-elb"
+  name        = "${var.cluster_name}-nlb"
   description = "Public-facing LB for Kubernetes and Talos API"
   vpc_id      = var.vpc_id
   tags        = var.tags
@@ -34,66 +34,136 @@ module "cluster_sg" {
   version = "~> 5.3"
 
   name        = var.cluster_name
-  description = "Intra-cluster & traffic from ELB"
+  description = "Intra-cluster & traffic from NLB"
   vpc_id      = var.vpc_id
   tags        = var.tags
 
   # Node-to-node communications
   ingress_with_self = [{ rule = "all-all" }]
 
-  # Allow API traffic coming *from* the ELB
+  # Allow API traffic coming *from* the NLB (required for the health checks)
   ingress_with_source_security_group_id = [
     {
       from_port                = 6443
       to_port                  = 6443
       protocol                 = "tcp"
-      description              = "Kubernetes API from ELB"
-      source_security_group_id = module.elb_sg.security_group_id
+      description              = "Kubernetes API from NLB"
+      source_security_group_id = module.nlb_sg.security_group_id
     },
     {
       from_port                = 50000
       to_port                  = 50000
       protocol                 = "tcp"
-      description              = "Talos API from ELB"
-      source_security_group_id = module.elb_sg.security_group_id
+      description              = "Talos API from NLB"
+      source_security_group_id = module.nlb_sg.security_group_id
+    }
+  ]
+
+  # Allow API traffic directly from external clients (with preserved IPs through NLB)
+  ingress_cidr_blocks = var.external_source_cidrs
+  ingress_with_cidr_blocks = [
+    {
+      from_port   = 6443
+      to_port     = 6443
+      protocol    = "tcp"
+      description = "Kubernetes API from external clients"
+    },
+    {
+      from_port   = 50000
+      to_port     = 50000
+      protocol    = "tcp"
+      description = "Talos API from external clients"
     },
   ]
 
   egress_with_cidr_blocks = [{ rule = "all-all", cidr_blocks = "0.0.0.0/0" }]
 }
 
-module "elb_k8s_elb" {
-  source  = "terraform-aws-modules/elb/aws"
-  version = "~> 4.0"
+# Network Load Balancer for Kubernetes & Talos API
+resource "aws_lb" "api" {
+  name = "${var.cluster_name}-api"
+
+  load_balancer_type = "network"
+  internal           = false
 
-  name            = "${var.cluster_name}-k8s-api"
   subnets         = data.aws_subnets.public.ids
-  tags            = merge(var.tags, local.cluster_required_tags)
-  security_groups = [module.elb_sg.security_group_id]
+  security_groups = [module.nlb_sg.security_group_id]
 
-  listener = [
-    {
-      lb_port           = 443
-      lb_protocol       = "tcp"
-      instance_port     = 6443
-      instance_protocol = "tcp"
-    },
-    {
-      lb_port           = 50000
-      lb_protocol       = "tcp"
-      instance_port     = 50000
-      instance_protocol = "tcp"
-    }
-  ]
+  enable_cross_zone_load_balancing = true
+  tags                             = merge(var.tags, local.cluster_required_tags)
+}
 
-  health_check = {
-    target              = "tcp:50000"
+# Target Group: Kubernetes API (6443)
+resource "aws_lb_target_group" "k8s" {
+  name_prefix        = "k8s-"
+  port               = 6443
+  protocol           = "TCP"
+  preserve_client_ip = true
+  vpc_id             = data.aws_vpc.vpc.id
+  health_check {
+    healthy_threshold   = 3
+    unhealthy_threshold = 2
+    timeout             = 3
     interval            = 5
+    protocol            = "TCP"
+    port                = 6443
+  }
+  target_type = "instance"
+  tags        = merge(var.tags, local.cluster_required_tags)
+}
+
+# Target Group: Talos API (50000)
+resource "aws_lb_target_group" "talos" {
+  name_prefix        = "tal-"
+  port               = 50000
+  protocol           = "TCP"
+  preserve_client_ip = true
+  vpc_id             = data.aws_vpc.vpc.id
+  health_check {
     healthy_threshold   = 3
     unhealthy_threshold = 2
-    timeout             = 2
+    timeout             = 3
+    interval            = 5
+    protocol            = "TCP"
+    port                = 50000
   }
+  target_type = "instance"
+  tags        = merge(var.tags, local.cluster_required_tags)
+}
+
+# Listener 443 -> TG k8s
+resource "aws_lb_listener" "https" {
+  load_balancer_arn = aws_lb.api.arn
+  port              = 443
+  protocol          = "TCP"
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.k8s.arn
+  }
+}
+
+# Listener 50000 -> TG talos
+resource "aws_lb_listener" "talos" {
+  load_balancer_arn = aws_lb.api.arn
+  port              = 50000
+  protocol          = "TCP"
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.talos.arn
+  }
+}
+
+# Attach control-plane instances to both target groups
+resource "aws_lb_target_group_attachment" "cp_k8s" {
+  for_each         = { for idx, id in module.talos_control_plane_nodes.*.id : idx => id }
+  target_group_arn = aws_lb_target_group.k8s.arn
+  target_id        = each.value
+  port             = 6443
+}
 
-  number_of_instances = var.controlplane_count
-  instances           = module.talos_control_plane_nodes.*.id
+resource "aws_lb_target_group_attachment" "cp_talos" {
+  for_each         = { for idx, id in module.talos_control_plane_nodes.*.id : idx => id }
+  target_group_arn = aws_lb_target_group.talos.arn
+  target_id        = each.value
+  port             = 50000
 }

03-talos.tf

@@ -121,8 +121,8 @@ module "talos_control_plane_nodes" {
   name                        = "${var.cluster_name}-control-plane-${count.index}"
   ami                         = data.aws_ami.talos.id
   instance_type               = var.control_plane.instance_type
-  subnet_id                   = var.use_private_ips_only ? element(data.aws_subnets.private.ids, count.index) : element(data.aws_subnets.public.ids, count.index)
-  associate_public_ip_address = !var.use_private_ips_only
+  subnet_id                   = element(data.aws_subnets.public.ids, count.index)
+  associate_public_ip_address = true
   tags                        = merge(var.tags, local.cluster_required_tags)
   metadata_options            = var.metadata_options
   ignore_ami_changes          = true
@@ -151,8 +151,8 @@ module "talos_worker_group" {
   name                        = "${var.cluster_name}-worker-group-${each.value.name}-${trimprefix(each.key, "${each.value.name}.")}"
   ami                         = data.aws_ami.talos.id
   instance_type               = each.value.instance_type
-  subnet_id                   = var.use_private_ips_only ? element(data.aws_subnets.private.ids, tonumber(trimprefix(each.key, "${each.value.name}."))) : element(data.aws_subnets.public.ids, tonumber(trimprefix(each.key, "${each.value.name}.")))
-  associate_public_ip_address = !var.use_private_ips_only
+  subnet_id                   = element(data.aws_subnets.public.ids, tonumber(trimprefix(each.key, "${each.value.name}.")))
+  associate_public_ip_address = true
   tags                        = merge(each.value.tags, var.tags, local.cluster_required_tags)
   metadata_options            = var.metadata_options
   ignore_ami_changes          = true
@@ -178,7 +178,7 @@ resource "talos_machine_secrets" "this" {
 
 data "talos_machine_configuration" "controlplane" {
   cluster_name       = var.cluster_name
-  cluster_endpoint   = "https://${module.elb_k8s_elb.elb_dns_name}"
+  cluster_endpoint   = "https://${aws_lb.api.dns_name}"
   machine_type       = "controlplane"
   machine_secrets    = talos_machine_secrets.this.machine_secrets
   kubernetes_version = var.kubernetes_version
@@ -191,11 +191,27 @@ data "talos_machine_configuration" "controlplane" {
   )
 }
 
+resource "talos_machine_configuration_apply" "controlplane" {
+  for_each                    = { for index, instance in module.talos_control_plane_nodes : index => instance }
+  client_configuration        = talos_machine_secrets.this.client_configuration
+  machine_configuration_input = data.talos_machine_configuration.controlplane.machine_configuration
+  endpoint                    = module.talos_control_plane_nodes[each.key].public_ip
+  node                        = module.talos_control_plane_nodes[each.key].private_ip
+}
+
+resource "talos_machine_bootstrap" "this" {
+  depends_on = [talos_machine_configuration_apply.controlplane]
+
+  client_configuration = talos_machine_secrets.this.client_configuration
+  endpoint             = module.talos_control_plane_nodes.0.public_ip
+  node                 = module.talos_control_plane_nodes.0.private_ip
+}
+
 data "talos_machine_configuration" "worker_group" {
   for_each = merge([for info in var.worker_groups : { for index in range(0, var.workers_count) : "${info.name}.${index}" => info }]...)
 
   cluster_name       = var.cluster_name
-  cluster_endpoint   = "https://${module.elb_k8s_elb.elb_dns_name}"
+  cluster_endpoint   = "https://${aws_lb.api.dns_name}"
   machine_type       = "worker"
   machine_secrets    = talos_machine_secrets.this.machine_secrets
   kubernetes_version = var.kubernetes_version
@@ -208,44 +224,20 @@ data "talos_machine_configuration" "worker_group" {
   )
 }
 
-resource "talos_machine_configuration_apply" "controlplane" {
-  for_each                    = { for index, instance in module.talos_control_plane_nodes : index => instance }
-  client_configuration        = talos_machine_secrets.this.client_configuration
-  machine_configuration_input = data.talos_machine_configuration.controlplane.machine_configuration
-  endpoint                    = module.elb_k8s_elb.elb_dns_name
-  node                        = var.use_private_ips_only ? module.talos_control_plane_nodes[each.key].private_ip : module.talos_control_plane_nodes[each.key].public_ip
-}
-
-# Wait until Talos APID has rotated its cert & ELB sees the node healthy
-resource "time_sleep" "wait_api_ready" {
-  depends_on      = [talos_machine_bootstrap.this]
-  create_duration = "30s"
-}
-
 resource "talos_machine_configuration_apply" "worker_group" {
-  depends_on = [time_sleep.wait_api_ready]
-
   for_each = merge([for info in var.worker_groups : { for index in range(0, var.workers_count) : "${info.name}.${index}" => info }]...)
 
   client_configuration        = talos_machine_secrets.this.client_configuration
   machine_configuration_input = data.talos_machine_configuration.worker_group[each.key].machine_configuration
-  endpoint                    = module.elb_k8s_elb.elb_dns_name
-  node                        = var.use_private_ips_only ? module.talos_worker_group[each.key].private_ip : module.talos_worker_group[each.key].public_ip
-}
-
-resource "talos_machine_bootstrap" "this" {
-  depends_on = [talos_machine_configuration_apply.controlplane]
-
-  client_configuration = talos_machine_secrets.this.client_configuration
-  endpoint             = module.elb_k8s_elb.elb_dns_name
-  node                 = var.use_private_ips_only ? module.talos_control_plane_nodes.0.private_ip : module.talos_control_plane_nodes.0.public_ip
+  endpoint                    = module.talos_worker_group[each.key].public_ip
+  node                        = module.talos_worker_group[each.key].private_ip
 }
 
 data "talos_client_configuration" "this" {
   cluster_name         = var.cluster_name
   client_configuration = talos_machine_secrets.this.client_configuration
-  endpoints            = [module.elb_k8s_elb.elb_dns_name]
-  nodes                = var.use_private_ips_only ? module.talos_control_plane_nodes.*.private_ip : module.talos_control_plane_nodes.*.public_ip
+  endpoints            = [aws_lb.api.dns_name]
+  nodes                = flatten([module.talos_control_plane_nodes.*.private_ip, flatten([for node in module.talos_worker_group : node.private_ip])])
 }
 
 resource "local_file" "talosconfig" {
@@ -257,8 +249,8 @@ resource "talos_cluster_kubeconfig" "this" {
   depends_on = [talos_machine_bootstrap.this]
 
   client_configuration = talos_machine_secrets.this.client_configuration
-  endpoint             = module.elb_k8s_elb.elb_dns_name
-  node                 = var.use_private_ips_only ? module.talos_control_plane_nodes.0.private_ip : module.talos_control_plane_nodes.0.public_ip
+  endpoint             = module.talos_control_plane_nodes.0.public_ip
+  node                 = module.talos_control_plane_nodes.0.private_ip
 }
 
 resource "local_file" "kubeconfig" {