AWS Lambda
Use K8sGateway to route traffic requests directly to an Amazon Web Services (AWS) Lambda function.
About
Serverless functions, such as Lambda functions, provide an alternative to traditional applications or services. The functions run on servers that you do not have to manage yourself, and you pay for only for the compute time you use.
However, you might want to invoke your serverless functions from other services or apps, such as the Kubernetes workloads that run in your cluster. By abstracting a Lambda as a type of destination in your K8sGateway environment, your workloads can send requests to the Lambda destination in the same way that you set up routing through K8sGateway to other types of destinations. K8sGateway does the work of assuming an AWS IAM role to invoke the actual Lambda function in your AWS account.
For more information, see the AWS Lambda documentation on configuring Lambda functions as targets.
Before you begin
-
Follow the Get started guide to install K8sGateway, set up a gateway resource, and deploy the httpbin sample app.
-
Get the external address of the gateway and save it in an environment variable.
export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system gloo-proxy-http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}") echo $INGRESS_GW_ADDRESS
kubectl port-forward deployment/gloo-proxy-http -n gloo-system 8080:8080
Create an AWS credentials secret
Create a Kubernetes secret that contains your AWS access key and secret key. K8sGateway uses this secret to connect to AWS Lambda for authentication and function invocation.
-
Get the access key, secret key, and session token for your AWS account. If your AWS account setup does not require a session token, you can remove the session token parameter from the Kubernetes secret. Note that your AWS credentials must have the appropriate permissions to interact with AWS Lambda.
-
Create a Kubernetes secret that contains the AWS access key and secret key.
glooctl create secret aws \ --name 'aws-creds' \ --namespace gloo-system \ --access-key ${AWS_ACCESS_KEY_ID} \ --secret-key ${AWS_SECRET_ACCESS_KEY} \ --session-token ${AWS_SESSION_TOKEN}
Create a Lambda function
Create an AWS Lambda function to test K8sGateway routing.
-
Log in to the AWS console and navigate to the Lambda page.
-
Click the Create Function button.
-
Name the function
echo
and click Create function. -
Replace the default contents of
index.mjs
with the following Node.js function, which returns a response body that contains exactly what was sent to the function in the request body.export const handler = async(event) => { const response = { statusCode: 200, body: `Response from AWS Lambda. Here's the request you just sent me: ${JSON.stringify(event)}` }; return response; };
-
Click Deploy.
Create an Upstream and HTTPRoute
Create K8sGateway Upstream
and HTTPRoute
resources to route requests to the Lambda function.
-
In your terminal, create an Upstream resource that references the Lambda secret. Update the region with your AWS account region, such as
us-east-1
.kubectl apply -f - <<EOF apiVersion: gloo.solo.io/v1 kind: Upstream metadata: name: lambda namespace: gloo-system spec: aws: region: <region> secretRef: name: aws-creds namespace: gloo-system lambdaFunctions: - lambdaFunctionName: echo logicalName: echo qualifier: $LATEST EOF
-
Create an HTTPRoute resource that references the
lambda
Upstream.kubectl apply -f - <<EOF apiVersion: gateway.networking.k8s.io/v1beta1 kind: HTTPRoute metadata: name: lambda namespace: gloo-system spec: parentRefs: - name: http namespace: gloo-system rules: - matches: - path: type: PathPrefix value: /echo backendRefs: - name: lambda namespace: gloo-system group: gloo.solo.io kind: Upstream filters: - type: ExtensionRef extensionRef: group: "gloo.solo.io" kind: Parameter name: echo EOF
-
Confirm that K8sGateway correctly routes requests to Lambda by sending a curl request to the
echo
function.curl $INGRESS_GW_ADDRESS:8080/echo -d '{"key1":"value1", "key2":"value2"}' -X POST
curl localhost:8080/echo -d '{"key1":"value1", "key2":"value2"}' -X POST
Example response:
{"statusCode":200,"body":"Response from AWS Lambda. Here's the request you just sent me: {\"key1\":\"value1\",\"key2\":\"value2\"}"}%
At this point, K8sGateway is routing directly to the echo
Lambda function!
Cleanup
You can remove the resources that you created in this guide.
-
Delete the
lambda
HTTPRoute andlambda
Upstream.kubectl delete HTTPRoute lambda -n gloo-system kubectl delete Upstream lambda -n gloo-system
-
Delete the
aws-creds
secret.kubectl delete secret aws-creds -n gloo-system
-
Use the AWS Lambda console to delete the
echo
test function.
Known limitations
- Currently, the only parameter that is supported for the
backendRefs.filters.extensionRef
field in the HTTPRoute resource is the name of the Lambda function. Additional parameters, such aswrapAsApiGateway
,unwrapAsApiGateway
, orinvocationStyle
, are not supported. - Authenticating with your AWS account by using IAM Roles for Service Accounts (IRSA) is currently unsupported.