This project is in the process of being donated to the CNCF and is not affiliated with the Kubernetes project.
Documentation
Traffic management
Destination types
Upstreams
AWS Lambda

AWS Lambda

Use K8sGateway to route traffic requests directly to an Amazon Web Services (AWS) Lambda function.

About

Serverless functions, such as Lambda functions, provide an alternative to traditional applications or services. The functions run on servers that you do not have to manage yourself, and you pay for only for the compute time you use.

However, you might want to invoke your serverless functions from other services or apps, such as the Kubernetes workloads that run in your cluster. By abstracting a Lambda as a type of destination in your K8sGateway environment, your workloads can send requests to the Lambda destination in the same way that you set up routing through K8sGateway to other types of destinations. K8sGateway does the work of assuming an AWS IAM role to invoke the actual Lambda function in your AWS account.

For more information, see the AWS Lambda documentation on configuring Lambda functions as targets.

Before you begin

  1. Follow the Get started guide to install K8sGateway, set up a gateway resource, and deploy the httpbin sample app.

  2. Get the external address of the gateway and save it in an environment variable. 

    export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system gloo-proxy-http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
echo $INGRESS_GW_ADDRESS  
    kubectl port-forward deployment/gloo-proxy-http -n gloo-system 8080:8080

Create an AWS credentials secret

Create a Kubernetes secret that contains your AWS access key and secret key. K8sGateway uses this secret to connect to AWS Lambda for authentication and function invocation.

  1. Get the access key, secret key, and session token for your AWS account. If your AWS account setup does not require a session token, you can remove the session token parameter from the Kubernetes secret. Note that your AWS credentials must have the appropriate permissions to interact with AWS Lambda.

  2. Create a Kubernetes secret that contains the AWS access key and secret key.

    glooctl create secret aws \
    --name 'aws-creds' \
    --namespace gloo-system \
    --access-key ${AWS_ACCESS_KEY_ID} \
    --secret-key ${AWS_SECRET_ACCESS_KEY} \
    --session-token ${AWS_SESSION_TOKEN}

Create a Lambda function

Create an AWS Lambda function to test K8sGateway routing.

  1. Log in to the AWS console and navigate to the Lambda page.

  2. Click the Create Function button.

  3. Name the function echo and click Create function.

  4. Replace the default contents of index.mjs with the following Node.js function, which returns a response body that contains exactly what was sent to the function in the request body.

    export const handler = async(event) => {
    const response = {
        statusCode: 200,
        body: `Response from AWS Lambda. Here's the request you just sent me: ${JSON.stringify(event)}`
    };
    return response;
};

  5. Click Deploy.

Create an Upstream and HTTPRoute

Create K8sGateway Upstream and HTTPRoute resources to route requests to the Lambda function.

  1. In your terminal, create an Upstream resource that references the Lambda secret. Update the region with your AWS account region, such as us-east-1.

    kubectl apply -f - <<EOF
apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  name: lambda
  namespace: gloo-system
spec:
  aws:
    region: <region>
    secretRef:
      name: aws-creds
      namespace: gloo-system
    lambdaFunctions:
    - lambdaFunctionName: echo
      logicalName: echo
      qualifier: $LATEST
EOF

  2. Create an HTTPRoute resource that references the lambda Upstream.

    kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: lambda
  namespace: gloo-system
spec:
  parentRefs:
    - name: http
      namespace: gloo-system
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /echo
    backendRefs:
    - name: lambda
      namespace: gloo-system
      group: gloo.solo.io
      kind: Upstream
      filters:
        - type: ExtensionRef
          extensionRef:
            group: "gloo.solo.io"
            kind: Parameter
            name: echo
EOF

  3. Confirm that K8sGateway correctly routes requests to Lambda by sending a curl request to the echo function.

    curl $INGRESS_GW_ADDRESS:8080/echo -d '{"key1":"value1", "key2":"value2"}' -X POST
    curl localhost:8080/echo -d '{"key1":"value1", "key2":"value2"}' -X POST

    Example response:

    {"statusCode":200,"body":"Response from AWS Lambda. Here's the request you just sent me: {\"key1\":\"value1\",\"key2\":\"value2\"}"}%

At this point, K8sGateway is routing directly to the echo Lambda function!

Cleanup

You can remove the resources that you created in this guide.

  1. Delete the lambda HTTPRoute and lambda Upstream.

    kubectl delete HTTPRoute lambda -n gloo-system
kubectl delete Upstream lambda -n gloo-system

  2. Delete the aws-creds secret.

    kubectl delete secret aws-creds -n gloo-system

  3. Use the AWS Lambda console to delete the echo test function.

Known limitations

  • Currently, the only parameter that is supported for the backendRefs.filters.extensionRef field in the HTTPRoute resource is the name of the Lambda function. Additional parameters, such as wrapAsApiGateway, unwrapAsApiGateway, or invocationStyle, are not supported.
  • Authenticating with your AWS account by using IAM Roles for Service Accounts (IRSA) is currently unsupported.
Kubernetes serviceHTTP/2