kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add ACM/NLB instructions to 1.19 release notes

This commit is contained in:
Peter Rifel 2020-11-21 16:44:42 -06:00
parent 874d2fdb4d
commit d2c94f88b2
No known key found for this signature in database
GPG Key ID: BC6469E5B16DB2B6
2 changed files with 15 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/releases/1.19-NOTES.md
View File

@ -88,6 +88,10 @@ To prevent downtime, follow these steps with the new version of Kops:
* If you are using Terraform with an additional .tf file and using "aws_autoscaling_attachment" to attach additional Load Balancers or ALB/NLB Target Groups you'll need to migrate to [attaching them through the InstanceGroup spec instead](https://kops.sigs.k8s.io/instance_groups/#externalloadbalancers).
* AWS clusters using an ACM Certificate on the API ELB (`.spec.api.loadBalancer.sslCertificateID`) will need to migrate from Classic LoadBalancer (CLB) to Network LoadBalancer (NLB) prior to upgrading to Kubernetes 1.19 by setting `.spec.api.loadBalancer.class: Network`.
Any kubeconfig files using kOps' admin client credentials will need to be regenerated with `kops export kubecfg --admin`.
For more information see [this page](https://github.com/kubernetes/kops/blob/master/permalinks/acm_nlb.md).
# Deprecations
* Support for Kubernetes versions 1.11 and 1.12 are deprecated and will be removed in kOps 1.20.

17
permalinks/acm_nlb.md
View File

@ -26,12 +26,17 @@ It is encouraged to perform the below migration on existing clusters prior to up
kOps 1.19.0 supports using a network load balancer (NLB) rather than a classic load balancer (CLB) for Kubernetes API access.
The NLB can be configured with a second listener configured for TCP, allowing the client certificate authentication to succeed by passing the TLS session through to the kube-apiserver pods.
Migrating from CLB to NLB involves setting the Cluster's `spec.api.loadBalancer.class: Network` and running `kops update cluster --yes`.
The second TCP listener will be configured automatically if `sslCertificate` is set.
This will provision a new NLB and update the API DNS record to point to the new NLB.
`kops export kubecfg` will now use the secondary NLB port with its client cert auth user.
The primary listener still uses the ACM certificate, preserving any external authentication mechanisms.
Migrate from CLB to NLB with the following steps:
1. Set the Cluster's `spec.api.loadBalancer.class: Network`.
2. Run `kops update cluster --yes`.
The second TCP listener will be configured automatically if `sslCertificate` is set.
This will provision a new NLB and update the API DNS record to point to the new NLB.
3. Any clients using kOps' admin credentials will need to run `kops export kubecfg --admin`.
This will use the secondary NLB port with its client cert auth user.
The primary listener still uses the ACM certificate, preserving any external authentication mechanisms.
4. Manually delete the old API CLB through the AWS Management Console or CLI.
The CLB will have a name of `api-<hyphenated-cluster-name>-<suffix>` and will not have any instances attached.
A future version of kOps may do this automatically.
Terraform users can follow their normal workflow, confirming that `terraform plan` reports deletion of the ELB and creation of the NLB and its target groups.