Hello,
Does it support Istio today? If yes, what is the recommended setup? if not, are there any plans to support it?

Thank you,
Yossi

Hi Guys,

I have noticed that automatic subnets ids discovery is prone to errors. It is happening when you have multiple private subnets in the same availability zone.

What's is happening:
APIGW ingress controller is creating a CloudFormation template that contains the list of all private subnets, in our case list contains two private subnets in each availability zone. The creation of a cloud formation stack initiated by the APIGW ingress controller is failing, due to the inability to create a network load balancer located in more than one subnet in the same availability zone.

Suggested solution:
Implement additional annotation similar to ALB ingress controller to provide explicitly subnet ids:
e. g.
apigateway.ingress.kubernetes.io/subnets: s-id1, s-id2, s-id3

Best Regards,
Marek K.

When will this:

https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/

be supported by api gateway ingress controller? Is there a roadmap / estimation for this?

Thanks!

Because we don't really want to use kube2iam; we were already using IAM-OIDC as much as we could.

Hi,

This is a great controller that automate the apigateway integration with microservices.
I am using CI/CD with helm upgrade to deploy. At the moment, I am exploring the options to use only 1 api gateway with different paths for different repository that we have.

I have tested it but getting the following error:

##[error]Error: rendered manifests contain a resource that already exists. Unable to continue with install: existing resource conflict: namespace: default, name: apigw-dev, existing_kind: networking.k8s.io/v1beta1, Kind=Ingress, new_kind: networking.k8s.io/v1beta1, Kind=Ingress

Just wondering if it's possible to update the existing api gateway by just adding more path?
Look forward to hearing from you.

Regards,
Szelee

While looking at measures to reduce potential risk of cost in a DDOS, I noticed that we can't define any throttling settings, which would be very useful for this controller.

Seems like it would need to include AWS::ApiGateway::UsagePlan while building the template, to allow us to define ThrottleSettings.

We launched IRSA in September 2019 and it is now the official way to handle pod-level least privileges. Please move to IRSA as soon as possible.

When running make docker-build, assuming one does not go get the dependencies separately, the command fails with something similar to:

pkg/cloudformation/cloudformation.go:10:2: cannot find package "github.com/awslabs/goformation/cloudformation/resources" in any of:
	/usr/local/opt/go/libexec/src/github.com/awslabs/goformation/cloudformation/resources (from $GOROOT)
	/Users//golang/src/github.com/awslabs/goformation/cloudformation/resources (from $GOPATH)
	/Users//golang/src/github.com/awslabs/goformation/cloudformation/resources
	/Users//Development/amazon-apigateway-ingress-controller/src/github.com/awslabs/goformation/cloudformation/resources
	/Users//Development/amazon-apigateway-ingress-controller/vendor/src/github.com/awslabs/goformation/cloudformation/resources
../../golang/src/sigs.k8s.io/controller-runtime/pkg/webhook/alias.go:20:2: cannot find package "gomodules.xyz/jsonpatch/v2" in any of:
	/usr/local/opt/go/libexec/src/gomodules.xyz/jsonpatch/v2 (from $GOROOT)
	/Users//golang/src/gomodules.xyz/jsonpatch/v2 (from $GOPATH)
	/Users//golang/src/gomodules.xyz/jsonpatch/v2
	/Users//Development/amazon-apigateway-ingress-controller/src/gomodules.xyz/jsonpatch/v2
	/Users//Development/amazon-apigateway-ingress-controller/vendor/src/gomodules.xyz/jsonpatch/v2
make: *** [vet] Error 1

From what I can tell this is because vendor/ is now ignored in golang v1.11+ https://github.com/golang/go/wiki/GOPATH#use-a-single-gopath . It sounds like we need to adapt either the documentation or the automation to accommodate this.

Is there a way to add the nginx cors annotations using the apigateway ingress? I've tried adding the following annotations:

apigateway.ingress.kubernetes.io/enable-cors: "true"
apigateway.ingress.kubernetes.io/cors-allow-methods: "DELETE, PUT, GET, POST, OPTIONS"
apigateway.ingress.kubernetes.io/cors-allow-origin: "*"
apigateway.ingress.kubernetes.io/cors-allow-credentials: "true" 

And

nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-methods: "DELETE, PUT, GET, POST, OPTIONS"
nginx.ingress.kubernetes.io/cors-allow-origin: "*"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true" 

But neither result in the cors headers coming through.

Thanks,
Craig

Hi,
I have 2 NodeInstanceRole, how do I configure this on kube2iam-ingress-trust-policy.yml file. I try this and can not create Role.

"Principal": {
"AWS": "arn:aws:iam::xxx:role/worker-nodes-2-NodeInstanceRole-xxxxxxx"
"AWS": "arn:aws:iam::xxx:role/worker-nodes-NodeInstanceRole-xxxxxxx"
},

Thanks

What Do you expect to happen
Make a change to the spec, adding or removing a path, and have the apigateway updated to reflect that change.

What happens now
Make a change to the spec, adding or removing a path, it checks if the CFN is complete and finishes.

We could accomplish this by adding a hash of the spec, or spec and other relevant information, as a tag. Then we can force an update if that tag doesn't match.

When I deploy APIgateway ingress controller in cn-northwest-1 region. The stack can be created. However, it will become ROLLBACK_COMPLETE. The RESTAPI failed to create withe following event:

Since EDGE type is not supported in AWS China Region. Is there any other way to use this ingress controller? For example, is it supported to use REGIONAL type?

Hi, I want to use lambda functions to authorized instead of client arn. So could you guide me how to do this, and list of anotation.
Thank you

We are using API Gateway Ingress controller in our project and we have a requirement to change the default SecurityPolicy to TLS_1_2.
As I see at the moment the AWSApiGatewayDomainName resource does not have a SecurityPolicy flag.

In pkg/cloudformation/cloudformation.go - func buildCustomDomain()

&resources.AWSApiGatewayDomainName{
		CertificateArn: certificateArn,
		DomainName:     domainName,
		EndpointConfiguration: &resources.AWSApiGatewayDomainName_EndpointConfiguration{
			Types: []string{"EDGE"},
		},

Looking at the current library you use AWSApiGatewayDomainName struct does not even have a SecurityPolicy property, although it is supported in the AWS API :

type AWSApiGatewayDomainName struct {

	// CertificateArn AWS CloudFormation Property
	// Required: false
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-certificatearn
	CertificateArn string `json:"CertificateArn,omitempty"`

	// DomainName AWS CloudFormation Property
	// Required: true
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-domainname
	DomainName string `json:"DomainName,omitempty"`

	// EndpointConfiguration AWS CloudFormation Property
	// Required: false
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-endpointconfiguration
	EndpointConfiguration *AWSApiGatewayDomainName_EndpointConfiguration `json:"EndpointConfiguration,omitempty"`

	// RegionalCertificateArn AWS CloudFormation Property
	// Required: false
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-regionalcertificatearn
	RegionalCertificateArn string `json:"RegionalCertificateArn,omitempty"`

	// _deletionPolicy represents a CloudFormation DeletionPolicy
	_deletionPolicy policies.DeletionPolicy

	// _dependsOn stores the logical ID of the resources to be created before this resource
	_dependsOn []string

	// _metadata stores structured data associated with this resource
	_metadata map[string]interface{}
}

I think you may need to update your cloudfromation.go file to use the latest awslabs/goformation and add the ability to change all fields (not only the mandatory ones) at least in the resource - AWSApiGatewayDomainName

It currently supports a few more things that you seem to be missing :

{
  "Type" : "AWS::ApiGateway::DomainName",
  "Properties" : {
      "CertificateArn" : String,
      "DomainName" : String,
      "EndpointConfiguration" : EndpointConfiguration,
      "MutualTlsAuthentication" : MutualTlsAuthentication,
      "RegionalCertificateArn" : String,
      "SecurityPolicy" : String,
      "Tags" : [ Tag, ... ]
    }
}

P.S.
In addition to that I think you are using an outdated library - "github.com/awslabs/goformation/cloudformation/resources" that seems to have changed sometime ago to , as the apigatewayv2 latest library seems to be in - https://github.com/awslabs/goformation/tree/master/cloudformation/apigatewayv2 with a different directory structure.

Hi there

Is this project actively maintained? I've seen that the last commit to the master branch is about one year old?

Is this supported in another repo or what is the plan for this?

Thank you

I'm trying to integrate this api-gateway ingress controller with pods that are running on fargate. But i'm getting following error,

{"level":"info","ts":1613314030.3956022,"caller":"ingress/ingress_controller.go:609","msg":"fetching proxy service details"} {"level":"info","ts":1613314030.3956294,"caller":"ingress/ingress_controller.go:171","msg":"fetching worker nodes"} {"level":"info","ts":1613314030.3958447,"caller":"ingress/ingress_controller.go:191","msg":"getting vpcID, securityGroups, subnetIds, asgNames for worker nodes"} {"level":"error","ts":1613314030.4834905,"caller":"ingress/ingress_controller.go:631","msg":"unable to fetch networking info","error":"Error describing instances: InvalidInstanceID.Malformed: Invalid id: \"fargate-ip-10-83-25-10.ec2.internal\"\n\tstatus code: 400, request id: 4f99c311-ce0b-4113-89c5-e09cf31c3511","stacktrace":"github.com/awslabs/amazon-apigateway-ingress-controller/pkg/controller/ingress.(*ReconcileIngress).create\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/pkg/controller/ingress/ingress_controller.go:631\ngithub.com/awslabs/amazon-apigateway-ingress-controller/pkg/controller/ingress.(*ReconcileIngress).Reconcile\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/pkg/controller/ingress/ingress_controller.go:270\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:215\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:158\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:134\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait.Until\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88"} {"level":"error","ts":1613314030.4835908,"logger":"kubebuilder.controller","msg":"Reconciler error","controller":"ingress-controller","request":"dev7/api-gw-configservice","error":"Error describing instances: InvalidInstanceID.Malformed: Invalid id: \"fargate-ip-10-83-25-10.ec2.internal\"\n\tstatus code: 400, request id: 4f99c311-ce0b-4113-89c5-e09cf31c3511","stacktrace":"github.com/awslabs/amazon-apigateway-ingress-controller/vendor/github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/github.com/go-logr/zapr/zapr.go:128\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:217\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:158\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:134\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait.Until\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88"}

Any one can help me on this?

when I run "make docker-build", I get below error.
Could you please supply a solution?
Thanks a lot.

go generate ./pkg/... ./cmd/...
go fmt ./pkg/... ./cmd/...
go vet ./pkg/... ./cmd/...
go run vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go rbac
Error: unable to parse option "rbac": [missing argument "roleName" (at )]
Usage:
controller-gen [flags]

Examples:
# Generate RBAC manifests and crds for all types under apis/,
# outputting crds to /tmp/crds and everything else to stdout
controller-gen rbac:roleName= crd paths=./apis/... output:crd:dir=/tmp/crds output:stdout

    # Generate deepcopy/runtime.Object implementations for a particular file
    controller-gen object paths=./apis/v1beta1/some_types.go

    # Generate OpenAPI v3 schemas for API packages and merge them into existing CRD manifests
    controller-gen schemapatch:manifests=./manifests output:dir=./manifests paths=./pkg/apis/...

    # Run all the generators for a given project
    controller-gen paths=./apis/...

    # Explain the markers for generating CRDs, and their arguments
    controller-gen crd -ww

Flags:
-h, --detailed-help count print out more detailed help
(up to -hhh for the most detailed output, or -hhhh for json output)
--help print out usage and a summary of options
--version show version
-w, --which-markers count print out all markers available with the requested generators
(up to -www for the most detailed output, or -wwww for json output)

Options

generators

+webhook package generates (partial) {Mutating,Validating}WebhookConfiguration objects.
+schemapatch:manifests=[,maxDescLen=] package patches existing CRDs with new schemata.
+rbac:roleName= package generates ClusterRole objects.
+object[:headerFile=][,year=] package generates code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
+crd[:crdVersions=<[]string>][,maxDescLen=][,preserveUnknownFields=][,trivialVersions=] package generates CustomResourceDefinition objects.

generic

+paths=<[]string> package represents paths and go-style path patterns to use as package roots.

output rules (optionally as output::...)

+output:artifacts[:code=],config= package outputs artifacts to different locations, depending on whether they're package-associated or not.
+output:dir= package outputs each artifact to the given directory, regardless of if it's package-associated or not.
+output:none package skips outputting anything.
+output:stdout package outputs everything to standard-out, with no separation.

run controller-gen rbac -w to see all available markers, or controller-gen rbac -h for usage
exit status 1
make: *** [manifests] Error 1

I followed this blog (https://aws.amazon.com/blogs/containers/api-gateway-as-an-ingress-controller-for-eks/) to setup an eks cluster with managed nodes and api-gateway ingress controller.

Right after Step 6 in the blog, I was supposed to find api-reverse-proxy pods, but I cannot find them there.

In the blog it suggested to view the logs. Here is the error I found:

{"level":"error","ts":1605260574.0323148,"caller":"ingress/ingress_controller.go:281","msg":"error describing stack","error":"InvalidClientTokenId: The security token included in the request is invalid\n\tstatus code: 403, request id: 30ed34f6-d088-4ec6-b751-94098cf358b7","stacktrace":"github.com/awslabs/amazon-apigateway-ingress-controller/pkg/controller/ingress.(*ReconcileIngress).Reconcile\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/pkg/controller/ingress/ingress_controller.go:281\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:215\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:158\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:134\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait.Until\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88"}
{"level":"error","ts":1605260574.032469,"logger":"kubebuilder.controller","msg":"Reconciler error","controller":"ingress-controller","request":"default/api-95d8427d","error":"InvalidClientTokenId: The security token included in the request is invalid\n\tstatus code: 403, request id: 30ed34f6-d088-4ec6-b751-94098cf358b7","stacktrace":"github.com/awslabs/amazon-apigateway-ingress-controller/vendor/github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/github.com/go-logr/zapr/zapr.go:128\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:217\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:158\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:134\ngithub.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait.Until\n\t/go/src/github.com/awslabs/amazon-apigateway-ingress-controller/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88"}

It seems that there is something wrong with the security token.

Also I am supposed to find the corresponding api-gateway created, but I cannot find it.

Anyone can help?

What exactly does this controller do?

I would still need the edge optimisation, throttling, logging but not the authorisation.

It needs to be public

Would it be possible to manage the authentication at the API gateway level, leveraging the Cognito service and then forward the request to the application after an access control?

An alternative would be to configure this behaviour manually, and in the controller use an existing API gateway instance, instead of letting it create a new one.