Merge pull request #1371 from input-output-hk/global-accelerator

gytis-ivaskevicius · web-flow · commit 3630c5c8f164 · 2024-07-23T13:49:26.000+03:00
chore: implement AWS Global Accelerator
diff --git a/nix/cardano-services/deployments/backend-ingress.nix b/nix/cardano-services/deployments/backend-ingress.nix
@@ -6,35 +6,65 @@
   utils,
   ...
 }: {
+  templates.accelerator = lib.mkIf (values.useAccelerator && values.ingress.enabled) {
+    apiVersion = "operator.h3poteto.dev/v1alpha1";
+    kind = "EndpointGroupBinding";
+    metadata.name = "${chart.name}-main";
+    spec = {
+      endpointGroupArn = values.acceleratorArn;
+      ingressRef.name = "${chart.name}-backend";
+    };
+  };
+
   templates.backend-ingress = lib.mkIf values.ingress.enabled {
     apiVersion = "networking.k8s.io/v1";
     kind = "Ingress";
     metadata = {
       name = "${chart.name}-backend";
       labels = utils.appLabels "backend";
-      annotations = {
-        "alb.ingress.kubernetes.io/actions.ssl-redirect" = builtins.toJSON {
-          Type = "redirect";
-          RedirectConfig = {
-            Protocol = "HTTPS";
-            Port = "443";
-            StatusCode = "HTTP_301";
+      annotations =
+        if values.useAccelerator
+        then {
+          "service.beta.kubernetes.io/aws-load-balancer-backend-protocol" = "tcp";
+          "service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled" = "true";
+          "service.beta.kubernetes.io/aws-load-balancer-type" = "external";
+          "alb.ingress.kubernetes.io/scheme" = "internet-facing";
+          "service.beta.kubernetes.io/aws-load-balancer-scheme" = "internet-facing";
+          "alb.ingress.kubernetes.io/target-type" = "ip";
+          "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" = "ip";
+          "service.beta.kubernetes.io/aws-load-balancer-proxy-protocol" = "*";
+          "service.beta.kubernetes.io/aws-load-balancer-target-group-attributes" = "proxy_protocol_v2.enabled=true,preserve_client_ip.enabled=true";
+
+          "alb.ingress.kubernetes.io/listen-ports" = builtins.toJSON [{HTTP = 80;} {HTTPS = 443;}];
+          #"alb.ingress.kubernetes.io/wafv2-acl-arn" = values.backend.wafARN;
+          "alb.ingress.kubernetes.io/healthcheck-path" = "${values.cardano-services.httpPrefix}/health";
+          "alb.ingress.kubernetes.io/healthcheck-interval-seconds" = toString values.backend.albHealthcheck.interval;
+          "alb.ingress.kubernetes.io/healthcheck-timeout-seconds" = toString values.backend.albHealthcheck.timeout;
+          "alb.ingress.kubernetes.io/group.order" = toString values.cardano-services.ingresOrder;
+          "external-dns.alpha.kubernetes.io/disabled" = "true";
+        }
+        else {
+          "alb.ingress.kubernetes.io/actions.ssl-redirect" = builtins.toJSON {
+            Type = "redirect";
+            RedirectConfig = {
+              Protocol = "HTTPS";
+              Port = "443";
+              StatusCode = "HTTP_301";
+            };
           };
+          "alb.ingress.kubernetes.io/listen-ports" = builtins.toJSON [{HTTP = 80;} {HTTPS = 443;}];
+          "alb.ingress.kubernetes.io/target-type" = "ip";
+          "alb.ingress.kubernetes.io/scheme" = "internet-facing";
+          "alb.ingress.kubernetes.io/wafv2-acl-arn" = values.backend.wafARN;
+          "alb.ingress.kubernetes.io/healthcheck-path" = "${values.cardano-services.httpPrefix}/health";
+          "alb.ingress.kubernetes.io/healthcheck-interval-seconds" = toString values.backend.albHealthcheck.interval;
+          "alb.ingress.kubernetes.io/healthcheck-timeout-seconds" = toString values.backend.albHealthcheck.timeout;
+          # Use latency routing policy
+          "external-dns.alpha.kubernetes.io/aws-region" = config.region;
+          "external-dns.alpha.kubernetes.io/set-identifier" = values.backend.dnsId;
+          "alb.ingress.kubernetes.io/group.name" = chart.namespace;
+          "alb.ingress.kubernetes.io/group.order" = toString values.cardano-services.ingresOrder;
         };
-        "alb.ingress.kubernetes.io/listen-ports" = builtins.toJSON [{HTTP = 80;} {HTTPS = 443;}];
-        "alb.ingress.kubernetes.io/target-type" = "ip";
-        "alb.ingress.kubernetes.io/scheme" = "internet-facing";
-        "alb.ingress.kubernetes.io/wafv2-acl-arn" = values.backend.wafARN;
-        "alb.ingress.kubernetes.io/healthcheck-path" = "${values.cardano-services.httpPrefix}/health";
-        "alb.ingress.kubernetes.io/healthcheck-interval-seconds" = toString values.backend.albHealthcheck.interval;
-        "alb.ingress.kubernetes.io/healthcheck-timeout-seconds" = toString values.backend.albHealthcheck.timeout;
-        # Use latency routing policy
-        "external-dns.alpha.kubernetes.io/aws-region" = config.region;
-        "external-dns.alpha.kubernetes.io/set-identifier" = values.backend.dnsId;
-        "alb.ingress.kubernetes.io/group.name" = chart.namespace;
-        # ACM
-        "alb.ingress.kubernetes.io/group.order" = toString values.cardano-services.ingresOrder;
-      };
     };
     spec = {
       ingressClassName = "alb";
diff --git a/nix/cardano-services/deployments/default.nix b/nix/cardano-services/deployments/default.nix
@@ -102,6 +102,8 @@ in
       };
 
       values = {
+        useAccelerator = false;
+        acceleratorArn = tf-outputs.${final.region}.accelerators.${final.namespace} or null;
         postgresName = "${final.namespace}-postgresql";
         stakepool.databaseName = "stakepool";
         ingress.enabled = true;
@@ -216,6 +218,7 @@ in
           };
 
           values = {
+            useAccelerator = true;
             ws-server.enabled = true;
             stakepool.databaseName = "stakepoolv2";
             cardano-services = {
@@ -417,6 +420,7 @@ in
           };
 
           values = {
+            useAccelerator = true;
             ws-server.enabled = true;
             stakepool.databaseName = "stakepoolv2";
             backend.allowedOrigins = lib.concatStringsSep "," allowedOriginsDev;
@@ -866,7 +870,6 @@ in
                 (map (v: "/v${v}/handle") versions.handle)
               ];
           };
-          chain-history-provider.enabled = false;
         };
 
         "ops-preview-1@us-east-1" = final: {
@@ -902,6 +905,7 @@ in
           };
 
           values = {
+            useAccelerator = true;
             cardano-services = {
               ingresOrder = 99;
             };
diff --git a/nix/cardano-services/deployments/tf-outputs/lace-dev-us-east-1.json b/nix/cardano-services/deployments/tf-outputs/lace-dev-us-east-1.json
@@ -1 +1 @@
-{"acm_arn":"arn:aws:acm:us-east-1:926093910549:certificate/f136a39b-3556-4ddf-85ac-ac5b7431dd34","acm_dapp_arn":"arn:aws:acm:us-east-1:926093910549:certificate/84cb06a8-cf8e-4485-b117-d0ff5c8304b0","waf_arn":"arn:aws:wafv2:us-east-1:926093910549:regional/webacl/rate-limit/d4216c0e-b464-4383-953f-3262f4cd3cb6"}
+{"accelerators":{"dev-preprod":"arn:aws:globalaccelerator::926093910549:accelerator/75241ddd-9ca6-4907-9fb4-ed6973e39563/listener/2e35ef83/endpoint-group/cd0c364c0002","dev-preview":"arn:aws:globalaccelerator::926093910549:accelerator/792713c0-b902-47c1-ba82-4d38a8e06ae9/listener/18235bfe/endpoint-group/c487a8452002","ops-preprod-1":"arn:aws:globalaccelerator::926093910549:accelerator/3c1f8a14-aa0b-4114-b287-33ea56f0ddcb/listener/51576def/endpoint-group/7fde6f56d002"},"acm_arn":"arn:aws:acm:us-east-1:926093910549:certificate/f136a39b-3556-4ddf-85ac-ac5b7431dd34","acm_dapp_arn":"arn:aws:acm:us-east-1:926093910549:certificate/84cb06a8-cf8e-4485-b117-d0ff5c8304b0","waf_arn":"arn:aws:wafv2:us-east-1:926093910549:regional/webacl/rate-limit/d4216c0e-b464-4383-953f-3262f4cd3cb6"}
diff --git a/nix/cardano-services/deployments/tf-outputs/lace-live-eu-central-1.json b/nix/cardano-services/deployments/tf-outputs/lace-live-eu-central-1.json
@@ -1 +1 @@
-{"acm_arn":"arn:aws:acm:eu-central-1:926093910549:certificate/c0da842b-45c2-4306-ab09-139c47b437d0","acm_dapp_arn":"arn:aws:acm:eu-central-1:926093910549:certificate/07886406-64df-477c-b76b-f6a8d7c708ce","waf_arn":"arn:aws:wafv2:eu-central-1:926093910549:regional/webacl/rate-limit/bee0cf89-9c9a-4fb3-a609-88a3bb2edc7e"}
+{"accelerators":{"dev-preprod":"arn:aws:globalaccelerator::926093910549:accelerator/75241ddd-9ca6-4907-9fb4-ed6973e39563/listener/2e35ef83/endpoint-group/247304504909","dev-preview":"arn:aws:globalaccelerator::926093910549:accelerator/792713c0-b902-47c1-ba82-4d38a8e06ae9/listener/18235bfe/endpoint-group/a58684e05909","ops-preprod-1":"arn:aws:globalaccelerator::926093910549:accelerator/3c1f8a14-aa0b-4114-b287-33ea56f0ddcb/listener/51576def/endpoint-group/82f43e613909"},"acm_arn":"arn:aws:acm:eu-central-1:926093910549:certificate/c0da842b-45c2-4306-ab09-139c47b437d0","acm_dapp_arn":"arn:aws:acm:eu-central-1:926093910549:certificate/07886406-64df-477c-b76b-f6a8d7c708ce","waf_arn":"arn:aws:wafv2:eu-central-1:926093910549:regional/webacl/rate-limit/bee0cf89-9c9a-4fb3-a609-88a3bb2edc7e"}
diff --git a/nix/cardano-services/deployments/tf-outputs/lace-prod-us-east-2.json b/nix/cardano-services/deployments/tf-outputs/lace-prod-us-east-2.json
@@ -1 +1 @@
-{"acm_arn":"arn:aws:acm:us-east-2:926093910549:certificate/5ecbcb9a-222f-40ed-9067-05a70e416b30","acm_dapp_arn":"arn:aws:acm:us-east-2:926093910549:certificate/2f2912ea-f2eb-4fe7-adab-080fabcda0be","waf_arn":"arn:aws:wafv2:us-east-2:926093910549:regional/webacl/rate-limit/78a416a5-74d6-4215-95eb-575dd9146a6e"}
+{"accelerators":{"dev-preprod":"arn:aws:globalaccelerator::926093910549:accelerator/75241ddd-9ca6-4907-9fb4-ed6973e39563/listener/2e35ef83/endpoint-group/af197b8fb300","dev-preview":"arn:aws:globalaccelerator::926093910549:accelerator/792713c0-b902-47c1-ba82-4d38a8e06ae9/listener/18235bfe/endpoint-group/6868e24ff300","ops-preprod-1":"arn:aws:globalaccelerator::926093910549:accelerator/3c1f8a14-aa0b-4114-b287-33ea56f0ddcb/listener/51576def/endpoint-group/73ad3825b300"},"acm_arn":"arn:aws:acm:us-east-2:926093910549:certificate/5ecbcb9a-222f-40ed-9067-05a70e416b30","acm_dapp_arn":"arn:aws:acm:us-east-2:926093910549:certificate/2f2912ea-f2eb-4fe7-adab-080fabcda0be","waf_arn":"arn:aws:wafv2:us-east-2:926093910549:regional/webacl/rate-limit/78a416a5-74d6-4215-95eb-575dd9146a6e"}

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-{"acm_arn":"arn:aws:acm:us-east-1:926093910549:certificate/f136a39b-3556-4ddf-85ac-ac5b7431dd34","acm_dapp_arn":"arn:aws:acm:us-east-1:926093910549:certificate/84cb06a8-cf8e-4485-b117-d0ff5c8304b0","waf_arn":"arn:aws:wafv2:us-east-1:926093910549:regional/webacl/rate-limit/d4216c0e-b464-4383-953f-3262f4cd3cb6"}`
	`1`	+{"accelerators":{"dev-preprod":"arn:aws:globalaccelerator::926093910549:accelerator/75241ddd-9ca6-4907-9fb4-ed6973e39563/listener/2e35ef83/endpoint-group/cd0c364c0002","dev-preview":"arn:aws:globalaccelerator::926093910549:accelerator/792713c0-b902-47c1-ba82-4d38a8e06ae9/listener/18235bfe/endpoint-group/c487a8452002","ops-preprod-1":"arn:aws:globalaccelerator::926093910549:accelerator/3c1f8a14-aa0b-4114-b287-33ea56f0ddcb/listener/51576def/endpoint-group/7fde6f56d002"},"acm_arn":"arn:aws:acm:us-east-1:926093910549:certificate/f136a39b-3556-4ddf-85ac-ac5b7431dd34","acm_dapp_arn":"arn:aws:acm:us-east-1:926093910549:certificate/84cb06a8-cf8e-4485-b117-d0ff5c8304b0","waf_arn":"arn:aws:wafv2:us-east-1:926093910549:regional/webacl/rate-limit/d4216c0e-b464-4383-953f-3262f4cd3cb6"}
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-{"acm_arn":"arn:aws:acm:eu-central-1:926093910549:certificate/c0da842b-45c2-4306-ab09-139c47b437d0","acm_dapp_arn":"arn:aws:acm:eu-central-1:926093910549:certificate/07886406-64df-477c-b76b-f6a8d7c708ce","waf_arn":"arn:aws:wafv2:eu-central-1:926093910549:regional/webacl/rate-limit/bee0cf89-9c9a-4fb3-a609-88a3bb2edc7e"}`
	`1`	+{"accelerators":{"dev-preprod":"arn:aws:globalaccelerator::926093910549:accelerator/75241ddd-9ca6-4907-9fb4-ed6973e39563/listener/2e35ef83/endpoint-group/247304504909","dev-preview":"arn:aws:globalaccelerator::926093910549:accelerator/792713c0-b902-47c1-ba82-4d38a8e06ae9/listener/18235bfe/endpoint-group/a58684e05909","ops-preprod-1":"arn:aws:globalaccelerator::926093910549:accelerator/3c1f8a14-aa0b-4114-b287-33ea56f0ddcb/listener/51576def/endpoint-group/82f43e613909"},"acm_arn":"arn:aws:acm:eu-central-1:926093910549:certificate/c0da842b-45c2-4306-ab09-139c47b437d0","acm_dapp_arn":"arn:aws:acm:eu-central-1:926093910549:certificate/07886406-64df-477c-b76b-f6a8d7c708ce","waf_arn":"arn:aws:wafv2:eu-central-1:926093910549:regional/webacl/rate-limit/bee0cf89-9c9a-4fb3-a609-88a3bb2edc7e"}
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-{"acm_arn":"arn:aws:acm:us-east-2:926093910549:certificate/5ecbcb9a-222f-40ed-9067-05a70e416b30","acm_dapp_arn":"arn:aws:acm:us-east-2:926093910549:certificate/2f2912ea-f2eb-4fe7-adab-080fabcda0be","waf_arn":"arn:aws:wafv2:us-east-2:926093910549:regional/webacl/rate-limit/78a416a5-74d6-4215-95eb-575dd9146a6e"}`
	`1`	+{"accelerators":{"dev-preprod":"arn:aws:globalaccelerator::926093910549:accelerator/75241ddd-9ca6-4907-9fb4-ed6973e39563/listener/2e35ef83/endpoint-group/af197b8fb300","dev-preview":"arn:aws:globalaccelerator::926093910549:accelerator/792713c0-b902-47c1-ba82-4d38a8e06ae9/listener/18235bfe/endpoint-group/6868e24ff300","ops-preprod-1":"arn:aws:globalaccelerator::926093910549:accelerator/3c1f8a14-aa0b-4114-b287-33ea56f0ddcb/listener/51576def/endpoint-group/73ad3825b300"},"acm_arn":"arn:aws:acm:us-east-2:926093910549:certificate/5ecbcb9a-222f-40ed-9067-05a70e416b30","acm_dapp_arn":"arn:aws:acm:us-east-2:926093910549:certificate/2f2912ea-f2eb-4fe7-adab-080fabcda0be","waf_arn":"arn:aws:wafv2:us-east-2:926093910549:regional/webacl/rate-limit/78a416a5-74d6-4215-95eb-575dd9146a6e"}