AWS Lambda

Use K8sGateway to route traffic requests directly to an Amazon Web Services (AWS) Lambda function.

About

Serverless functions, such as Lambda functions, provide an alternative to traditional applications or services. The functions run on servers that you do not have to manage yourself, and you pay for only for the compute time you use.

However, you might want to invoke your serverless functions from other services or apps, such as the Kubernetes workloads that run in your cluster. By abstracting a Lambda as a type of destination in your K8sGateway environment, your workloads can send requests to the Lambda destination in the same way that you set up routing through K8sGateway to other types of destinations. K8sGateway does the work of assuming an AWS IAM role to invoke the actual Lambda function in your AWS account.

For more information, see the AWS Lambda documentation on configuring Lambda functions as targets.

Before you begin

1. Follow the Get started guide to install K8sGateway, set up a gateway resource, and deploy the httpbin sample app.

2. Get the external address of the gateway and save it in an environment variable.

   Cloud Provider LoadBalancerPort-forward for local testing

   export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system gloo-proxy-http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
   echo $INGRESS_GW_ADDRESS  

   kubectl port-forward deployment/gloo-proxy-http -n gloo-system 8080:8080

Create an AWS credentials secret

Create a Kubernetes secret that contains your AWS access key and secret key. K8sGateway uses this secret to connect to AWS Lambda for authentication and function invocation.

1. Get the access key, secret key, and session token for your AWS account. If your AWS account setup does not require a session token, you can remove the session token parameter from the Kubernetes secret. Note that your AWS credentials must have the appropriate permissions to interact with AWS Lambda.

2. Create a Kubernetes secret that contains the AWS access key and secret key.

   glooctl create secret aws \
       --name 'aws-creds' \
       --namespace gloo-system \
       --access-key ${AWS_ACCESS_KEY_ID} \
       --secret-key ${AWS_SECRET_ACCESS_KEY} \
       --session-token ${AWS_SESSION_TOKEN}

Create a Lambda function

Create an AWS Lambda function to test K8sGateway routing.

1. Log in to the AWS console and navigate to the Lambda page.

2. Click the Create Function button.

3. Name the function echo and click Create function.

4. Replace the default contents of index.mjs with the following Node.js function, which returns a response body that contains exactly what was sent to the function in the request body.

   export const handler = async(event) => {
       const response = {
           statusCode: 200,
           body: `Response from AWS Lambda. Here's the request you just sent me: ${JSON.stringify(event)}`
       };
       return response;
   };

5. Click Deploy.

Create an Upstream and HTTPRoute

Create K8sGateway Upstream and HTTPRoute resources to route requests to the Lambda function.

1. In your terminal, create an Upstream resource that references the Lambda secret. Update the region with your AWS account region, such as us-east-1.

   kubectl apply -f - <<EOF
   apiVersion: gloo.solo.io/v1
   kind: Upstream
   metadata:
     name: lambda
     namespace: gloo-system
   spec:
     aws:
       region: <region>
       secretRef:
         name: aws-creds
         namespace: gloo-system
       lambdaFunctions:
       - lambdaFunctionName: echo
         logicalName: echo
         qualifier: $LATEST
   EOF

2. Create an HTTPRoute resource that references the lambda Upstream.

   kubectl apply -f - <<EOF
   apiVersion: gateway.networking.k8s.io/v1beta1
   kind: HTTPRoute
   metadata:
     name: lambda
     namespace: gloo-system
   spec:
     parentRefs:
       - name: http
         namespace: gloo-system
     rules:
     - matches:
       - path:
           type: PathPrefix
           value: /echo
       backendRefs:
       - name: lambda
         namespace: gloo-system
         group: gloo.solo.io
         kind: Upstream
         filters:
           - type: ExtensionRef
             extensionRef:
               group: "gloo.solo.io"
               kind: Parameter
               name: echo
   EOF

3. Confirm that K8sGateway correctly routes requests to Lambda by sending a curl request to the echo function.

   Cloud Provider LoadBalancerPort-forward for local testing

   curl $INGRESS_GW_ADDRESS:8080/echo -d '{"key1":"value1", "key2":"value2"}' -X POST

   curl localhost:8080/echo -d '{"key1":"value1", "key2":"value2"}' -X POST

   Example response:

   {"statusCode":200,"body":"Response from AWS Lambda. Here's the request you just sent me: {\"key1\":\"value1\",\"key2\":\"value2\"}"}% 

At this point, K8sGateway is routing directly to the echo Lambda function!

Cleanup

You can remove the resources that you created in this guide.

1. Delete the lambda HTTPRoute and lambda Upstream.

   kubectl delete HTTPRoute lambda -n gloo-system
   kubectl delete Upstream lambda -n gloo-system

2. Delete the aws-creds secret.

   kubectl delete secret aws-creds -n gloo-system

3. Use the AWS Lambda console to delete the echo test function.

Known limitations

• Currently, the only parameter that is supported for the backendRefs.filters.extensionRef field in the HTTPRoute resource is the name of the Lambda function. Additional parameters, such as wrapAsApiGateway, unwrapAsApiGateway, or invocationStyle, are not supported.
• Authenticating with your AWS account by using IAM Roles for Service Accounts (IRSA) is currently unsupported.