$ oc -n aws-load-balancer-operator create configmap trusted-caYou can configure the cluster-wide proxy in the AWS Load Balancer Operator. After configuring the cluster-wide proxy, Operator Lifecycle Manager (OLM) automatically updates all the deployments of the Operators with the environment variables such as HTTP_PROXY, HTTPS_PROXY, and NO_PROXY. These variables are populated to the managed controller by the AWS Load Balancer Operator.
Create the config map to contain the certificate authority (CA) bundle in the aws-load-balancer-operator namespace by running the following command:
$ oc -n aws-load-balancer-operator create configmap trusted-caTo inject the trusted CA bundle into the config map, add the config.openshift.io/inject-trusted-cabundle=true label to the config map by running the following command:
$ oc -n aws-load-balancer-operator label cm trusted-ca config.openshift.io/inject-trusted-cabundle=trueUpdate the AWS Load Balancer Operator subscription to access the config map in the AWS Load Balancer Operator deployment by running the following command:
$ oc -n aws-load-balancer-operator patch subscription aws-load-balancer-operator --type='merge' -p '{"spec":{"config":{"env":[{"name":"TRUSTED_CA_CONFIGMAP_NAME","value":"trusted-ca"}],"volumes":[{"name":"trusted-ca","configMap":{"name":"trusted-ca"}}],"volumeMounts":[{"name":"trusted-ca","mountPath":"/etc/pki/tls/certs/albo-tls-ca-bundle.crt","subPath":"ca-bundle.crt"}]}}}'After the AWS Load Balancer Operator is deployed, verify that the CA bundle is added to the aws-load-balancer-operator-controller-manager deployment by running the following command:
$ oc -n aws-load-balancer-operator exec deploy/aws-load-balancer-operator-controller-manager -c manager -- bash -c "ls -l /etc/pki/tls/certs/albo-tls-ca-bundle.crt; printenv TRUSTED_CA_CONFIGMAP_NAME"-rw-r--r--. 1 root 1000690000 5875 Jan 11 12:25 /etc/pki/tls/certs/albo-tls-ca-bundle.crt
trusted-caOptional: Restart deployment of the AWS Load Balancer Operator every time the config map changes by running the following command:
$ oc -n aws-load-balancer-operator rollout restart deployment/aws-load-balancer-operator-controller-managerYou can route the traffic for the domain to pods of a service and add TLS termination on the AWS Load Balancer.
You have an access to the OpenShift cli (oc).
Create a YAML file that defines the AWSLoadBalancerController resource:
add-tls-termination-albc.yaml fileapiVersion: networking.olm.openshift.io/v1
kind: AWSLoadBalancerController
metadata:
  name: cluster
spec:
  subnetTagging: Auto
  ingressClass: tls-termination (1)| 1 | Defines the ingress class name. If the ingress class is not present in your cluster the AWS Load Balancer Controller creates one. The AWS Load Balancer Controller reconciles the additional ingress class values if spec.controlleris set toingress.k8s.aws/alb. | 
Create a YAML file that defines the Ingress resource:
add-tls-termination-ingress.yaml fileapiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: <example> (1)
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing (2)
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx (3)
spec:
  ingressClassName: tls-termination (4)
  rules:
  - host: example.com (5)
    http:
        paths:
          - path: /
            pathType: Exact
            backend:
              service:
                name: <example_service> (6)
                port:
                  number: 80| 1 | Specifies the ingress name. | 
| 2 | The controller provisions the load balancer for ingress in a public subnet to access the load balancer over the internet. | 
| 3 | The Amazon Resource Name (ARN) of the certificate that you attach to the load balancer. | 
| 4 | Defines the ingress class name. | 
| 5 | Defines the domain for traffic routing. | 
| 6 | Defines the service for traffic routing. | 
You can route the traffic to different services with multiple ingress resources that are part of a single domain through a single AWS Load Balancer. Each ingress resource provides different endpoints of the domain.
You have an access to the OpenShift cli (oc).
Create an IngressClassParams resource YAML file, for example, sample-single-lb-params.yaml, as follows:
apiVersion: elbv2.k8s.aws/v1beta1 (1)
kind: IngressClassParams
metadata:
  name: single-lb-params (2)
spec:
  group:
    name: single-lb (3)| 1 | Defines the API group and version of the IngressClassParamsresource. | 
| 2 | Specifies the IngressClassParamsresource name. | 
| 3 | Specifies the IngressGroupresource name. All of theIngressresources of this class belong to thisIngressGroup. | 
Create the IngressClassParams resource by running the following command:
$ oc create -f sample-single-lb-params.yamlCreate the IngressClass resource YAML file, for example, sample-single-lb-class.yaml, as follows:
apiVersion: networking.k8s.io/v1 (1)
kind: IngressClass
metadata:
  name: single-lb (2)
spec:
  controller: ingress.k8s.aws/alb (3)
  parameters:
    apiGroup: elbv2.k8s.aws (4)
    kind: IngressClassParams (5)
    name: single-lb-params (6)| 1 | Defines the API group and version of the IngressClassresource. | 
| 2 | Specifies the ingress class name. | 
| 3 | Defines the controller name. The ingress.k8s.aws/albvalue denotes that all ingress resources of this class should be managed by the AWS Load Balancer Controller. | 
| 4 | Defines the API group of the IngressClassParamsresource. | 
| 5 | Defines the resource type of the IngressClassParamsresource. | 
| 6 | Defines the IngressClassParamsresource name. | 
Create the IngressClass resource by running the following command:
$ oc create -f sample-single-lb-class.yamlCreate the AWSLoadBalancerController resource YAML file, for example, sample-single-lb.yaml, as follows:
apiVersion: networking.olm.openshift.io/v1
kind: AWSLoadBalancerController
metadata:
  name: cluster
spec:
  subnetTagging: Auto
  ingressClass: single-lb (1)| 1 | Defines the name of the IngressClassresource. | 
Create the AWSLoadBalancerController resource by running the following command:
$ oc create -f sample-single-lb.yamlCreate the Ingress resource YAML file, for example, sample-multiple-ingress.yaml, as follows:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-1 (1)
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing (2)
    alb.ingress.kubernetes.io/group.order: "1" (3)
    alb.ingress.kubernetes.io/target-type: instance (4)
spec:
  ingressClassName: single-lb (5)
  rules:
  - host: example.com (6)
    http:
        paths:
        - path: /blog (7)
          pathType: Prefix
          backend:
            service:
              name: example-1 (8)
              port:
                number: 80 (9)
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-2
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/group.order: "2"
    alb.ingress.kubernetes.io/target-type: instance
spec:
  ingressClassName: single-lb
  rules:
  - host: example.com
    http:
        paths:
        - path: /store
          pathType: Prefix
          backend:
            service:
              name: example-2
              port:
                number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-3
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/group.order: "3"
    alb.ingress.kubernetes.io/target-type: instance
spec:
  ingressClassName: single-lb
  rules:
  - host: example.com
    http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: example-3
              port:
                number: 80| 1 | Specifies the ingress name. | 
| 2 | Indicates the load balancer to provision in the public subnet to access the internet. | 
| 3 | Specifies the order in which the rules from the multiple ingress resources are matched when the request is received at the load balancer. | 
| 4 | Indicates that the load balancer will target OKD nodes to reach the service. | 
| 5 | Specifies the ingress class that belongs to this ingress. | 
| 6 | Defines a domain name used for request routing. | 
| 7 | Defines the path that must route to the service. | 
| 8 | Defines the service name that serves the endpoint configured in the Ingressresource. | 
| 9 | Defines the port on the service that serves the endpoint. | 
Create the Ingress resource by running the following command:
$ oc create -f sample-multiple-ingress.yamlYou can view the AWS Load Balancer Operator logs by using the oc logs command.
View the logs of the AWS Load Balancer Operator by running the following command:
$ oc logs -n aws-load-balancer-operator deployment/aws-load-balancer-operator-controller-manager -c manager