Kgateway is now an official CNCF sandbox project! 🎉
Documentation
Traffic management
Destination types
Backends
AWS Lambda

AWS Lambda

Use kgateway to route traffic requests directly to an Amazon Web Services (AWS) Lambda function.

About

Serverless functions, such as Lambda functions, provide an alternative to traditional applications or services. The functions run on servers that you do not have to manage yourself, and you pay for only for the compute time you use.

However, you might want to invoke your serverless functions from other services or apps, such as the Kubernetes workloads that run in your cluster. By abstracting a Lambda as a type of destination in your kgateway environment, your workloads can send requests to the Lambda destination in the same way that you set up routing through kgateway to other types of destinations. kgateway does the work of assuming an AWS IAM role to invoke the actual Lambda function in your AWS account.

For more information, see the AWS Lambda documentation on configuring Lambda functions as targets.

Before you begin

  1. Follow the Get started guide to install kgateway.

  2. Follow the Sample app guide to create an API gateway proxy with an HTTP listener and deploy the httpbin sample app.

  3. Get the external address of the gateway and save it in an environment variable. 

    export INGRESS_GW_ADDRESS=$(kubectl get svc -n kgateway-system http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
echo $INGRESS_GW_ADDRESS  
    kubectl port-forward deployment/http -n kgateway-system 8080:8080

Create an AWS credentials secret

Create a Kubernetes secret that contains your AWS access key and secret key. kgateway uses this secret to connect to AWS Lambda for authentication and function invocation.

  1. Get the access key, secret key, and session token for your AWS account. If your AWS account setup does not require a session token, you can remove the session token parameter from the Kubernetes secret. Note that your AWS credentials must have the appropriate permissions to interact with AWS Lambda.

  2. Create a Kubernetes secret that contains the AWS access key and secret key.

    glooctl create secret aws \
    --name 'aws-creds' \
    --namespace kgateway-system \
    --access-key ${AWS_ACCESS_KEY_ID} \
    --secret-key ${AWS_SECRET_ACCESS_KEY} \
    --session-token ${AWS_SESSION_TOKEN}

Create a Lambda function

Create an AWS Lambda function to test kgateway routing.

  1. Log in to the AWS console and navigate to the Lambda page.

  2. Click the Create Function button.

  3. Name the function echo and click Create function.

  4. Replace the default contents of index.mjs with the following Node.js function, which returns a response body that contains exactly what was sent to the function in the request body.

    export const handler = async(event) => {
    const response = {
        statusCode: 200,
        body: `Response from AWS Lambda. Here's the request you just sent me: ${JSON.stringify(event)}`
    };
    return response;
};

  5. Click Deploy.

Create a Backend and HTTPRoute

Create kgateway Backend and HTTPRoute resources to route requests to the Lambda function.

  1. In your terminal, create a Backend resource that references the Lambda secret. Update the region with your AWS account region, such as us-east-1.

    kubectl apply -f - <<EOF
apiVersion: gateway.kgateway.dev/v1alpha1
kind: Backend
metadata:
  name: lambda
  namespace: kgateway-system
spec:
  aws:
    region: <region>
    secretRef:
      name: aws-creds
      namespace: kgateway-system
    lambdaFunctions:
    - lambdaFunctionName: echo
      logicalName: echo
      qualifier: $LATEST
EOF

  2. Create an HTTPRoute resource that references the lambda Backend.

    kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: lambda
  namespace: kgateway-system
spec:
  parentRefs:
    - name: http
      namespace: kgateway-system
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /echo
    backendRefs:
    - name: lambda
      namespace: kgateway-system
      group: gateway.kgateway.dev
      kind: Backend
      filters:
        - type: ExtensionRef
          extensionRef:
            group: "gateway.kgateway.dev"
            kind: Parameter
            name: echo
EOF

  3. Confirm that kgateway correctly routes requests to Lambda by sending a curl request to the echo function.

    curl $INGRESS_GW_ADDRESS:8080/echo -d '{"key1":"value1", "key2":"value2"}' -X POST
    curl localhost:8080/echo -d '{"key1":"value1", "key2":"value2"}' -X POST

    Example response:

    {"statusCode":200,"body":"Response from AWS Lambda. Here's the request you just sent me: {\"key1\":\"value1\",\"key2\":\"value2\"}"}%

At this point, kgateway is routing directly to the echo Lambda function!

Cleanup

You can remove the resources that you created in this guide.

  1. Delete the lambda HTTPRoute and lambda Backend.

    kubectl delete HTTPRoute lambda -n kgateway-system
kubectl delete Backend lambda -n kgateway-system

  2. Delete the aws-creds secret.

    kubectl delete secret aws-creds -n kgateway-system

  3. Use the AWS Lambda console to delete the echo test function.

Known limitations

  • Currently, the only parameter that is supported for the backendRefs.filters.extensionRef field in the HTTPRoute resource is the name of the Lambda function. Additional parameters, such as wrapAsApiGateway, unwrapAsApiGateway, or invocationStyle, are not supported.
  • Authenticating with your AWS account by using IAM Roles for Service Accounts (IRSA) is currently unsupported.
Static