Day 5 exposing to an NLB

README.md

@@ -38,7 +38,8 @@ Apply the plan which will create a K8s cluster:
 ```bash
 terraform apply \
   -var "region=$AWS_REGION" \
-  -var "asg_desired_capacity=1"
+  -var "asg_desired_capacity=1" \
+  -var "nlb_enabled=true"
 ```
 
 Use asg_desired_capacity=0 to tear down the cluster.
@@ -100,7 +101,7 @@ The GH also contains a job to push to ECR, which is not tested locally.
 
 ### Day 4: Deploy the Django app in K8s using the ECR image
 
-Commit: https://github.com/lucabrunox/learning/tree/e296b828cb5
+Commit: https://github.com/lucabrunox/learning/tree/5216dfe5efd6
 
 Needless to say that without EKS it's more complicated, but worth the learnings.
 
@@ -120,3 +121,19 @@ kubectl apply -f frontend/k8s/manifest.yaml
 
 curl $(kubectl get svc frontend -o=jsonpath='{.spec.clusterIP}'):8000
 ```
+
+### Day 5: Expose service via NLB and NodePort
+
+Publicly exposing the service via NLB learnings:
+- Allowed node ports only from 30000
+- NLB security group must be configured for each listener port
+- NLBs need at least 2 subnets for redundancy
+- Django has an ALLOWED_HOSTS config to prevent Host header attacks
+- Django detects a tty when logging to stdout
+
+```bash
+kubectl apply -f k8s/ecr-credentials.yaml
+kubectl apply -f frontend/k8s/manifest.yaml
+
+curl http://$(terraform output --raw learning_nlb_dns_name)
+```

frontend/k8s/manifest.yaml

@@ -18,6 +18,7 @@ spec:
         - name: ecrsecret
       containers:
         - name: frontend
+          tty: true
           image: MY_ACCOUNT.dkr.ecr.eu-west-1.amazonaws.com/learning-frontend:ve296b828cb5109a608881efa9fe5bf208d682bbc
           imagePullPolicy: IfNotPresent
           ports:
@@ -30,9 +31,11 @@ metadata:
   labels:
     app.kubernetes.io/name: frontend
 spec:
+  type: NodePort
   selector:
     app.kubernetes.io/name: frontend
   ports:
     - protocol: TCP
       port: 8000
-      targetPort: 8000
+      targetPort: 8000
+      nodePort: 30000

frontend/learning/settings.py

@@ -25,7 +25,7 @@
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True
 
-ALLOWED_HOSTS = []
+ALLOWED_HOSTS = ["localhost", ".amazonaws.com"]
 
 
 # Application definition

tf/main.tf

@@ -25,6 +25,11 @@ variable "asg_desired_capacity" {
   default = 1
 }
 
+variable "nlb_enabled" {
+  type = bool
+  default = false
+}
+
 provider "aws" {
   region = var.region
 }
@@ -45,8 +50,8 @@ module "learning_vpc" {
   cidr = "10.0.0.0/16"
 
   azs             = data.aws_availability_zones.any.zone_ids
-  private_subnets = ["10.0.1.0/24"]
-  public_subnets  = ["10.0.101.0/24"]
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
+  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]
 
   map_public_ip_on_launch = true
   create_igw = true
@@ -147,6 +152,13 @@ resource "aws_security_group" "learning_sg" {
     cidr_blocks = ["0.0.0.0/0"]
   }
 
+  ingress {
+    from_port   = 30000
+    to_port     = 30000
+    protocol    = "tcp"
+    security_groups = [module.learning_nlb.security_group_id]
+  }
+
   egress {
     from_port   = 0
     to_port     = 0
@@ -214,12 +226,67 @@ resource "aws_autoscaling_group" "learning_asg" {
     strategy = "Rolling"
   }
 
+  target_group_arns = [for group in module.learning_nlb.target_groups: group.arn]
+
   launch_template {
     id      = aws_launch_template.learning_template.id
     version = aws_launch_template.learning_template.latest_version
   }
 }
 
+/* NLB */
+
+module "learning_nlb" {
+  source = "terraform-aws-modules/alb/aws"
+  create = var.nlb_enabled
+  load_balancer_type = "network"
+  vpc_id = module.learning_vpc.vpc_id
+  subnets = aws_autoscaling_group.learning_asg.vpc_zone_identifier
+  enable_deletion_protection = false
+
+  listeners = [
+    {
+      port = 80
+      protocol = "TCP"
+      forward = {
+        target_group_key = "learning"
+      }
+    }
+  ]
+
+  target_groups = {
+    learning = {
+      name_prefix = "learn-"
+      protocol = "TCP"
+      port = 30000
+      target_type = "instance"
+      create_attachment = false
+      health_check = {
+        protocol = "HTTP"
+        port = 30000
+        path = "/"
+        matcher = "200-399"
+      }
+    }
+  }
+
+  security_group_ingress_rules = {
+    all_tcp = {
+      from_port   = 80
+      to_port     = 80
+      ip_protocol = "tcp"
+      cidr_ipv4   = "0.0.0.0/0"
+    }
+  }
+
+  security_group_egress_rules = {
+    all = {
+      ip_protocol = "-1"
+      cidr_ipv4   = module.learning_vpc.vpc_cidr_block
+    }
+  }
+}
+
 /* ECR */
 
 module "learning_ecr_frontend" {
@@ -295,3 +362,7 @@ output "learning_github_oidc_role" {
 output "learning_ecr_frontend_repository_url" {
   value = module.learning_ecr_frontend.repository_url
 }
+
+output "learning_nlb_dns_name" {
+  value = module.learning_nlb.dns_name
+}