1

概述

集群中的服务该如何供集群外访问?K8S提供了ingress特性,而可实现ingress的软件有nginx、haproxy、traefix等,本文描述如何将API网关服务Kong作为ingress来暴露集群提供的服务。

Kong安装

注意:本文采用Helm方式安装,否则可用原始YAMLs文件方式安装,如:

# db is pgsql
% kubectl apply -f https://bit.ly/kong-ingress
# or
# db-less
% kubectl apply -f https://bit.ly/kong-ingress-dbless

可选。若主机无法访问gcr.io网站,需将charts下载到本地主机:

git clone https://github.com/helm/charts.git

创建namespace:

% kubectl create namespace kong

如下以db-less模式安装kong,并启用其k8s ingress control

# 若主机可访问gcr.io,则第一步骤可省略,此时执行:
% helm install stable/kong \
   --name kong
   --namespace kong \
   --set ingressController.enabled=true \
   --set postgresql.enabled=false \
   --set env.database=off
   
# 否则:
% cd charts/stable/kong
% mv requirements.yaml requirements.yaml.orig     # db-less模式安装,可将数据库依赖删掉
% helm install . \
   --name kong \
   --namespace kong \
   --set ingressController.enabled=true \
   --set postgresql.enabled=false \
   --set env.database=off

安装完成后检查。注意:默认helm安装采用NodePort方式暴露kong-proxy(代理)端口,故端口是随机生成的,如下所示,通过主机的30569可访问kong的80端口,通过32461端口可访问kong的443端口。

% oc get deploy
NAME        DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
kong-kong   1         1         1            1           1h

% oc get pod
NAME                         READY     STATUS    RESTARTS   AGE
kong-kong-695d4dd564-89skv   2/2       Running   3          1h

% oc get svc
NAME              TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
kong-kong-admin   NodePort   172.30.35.72   <none>        8444:32192/TCP               1h
kong-kong-proxy   NodePort   172.30.69.93   <none>        80:30569/TCP,443:32461/TCP   1h

# crd
% kubectl get crd|grep konghq
kongconsumers.configuration.konghq.com     2019-08-20T08:15:32Z
kongcredentials.configuration.konghq.com   2019-08-20T08:15:32Z
kongingresses.configuration.konghq.com     2019-08-20T08:15:32Z
kongplugins.configuration.konghq.com       2019-08-20T08:15:32Z

访问kong-proxy测试:

# 如下所示,选择任何一台Node节点的IP:<NodePort>访问测试:
% curl -i okd-m01.zyl.io:30569
HTTP/1.1 404 Not Found
Date: Tue, 27 Aug 2019 08:46:25 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 48
Server: kong/1.2.2

{"message":"no Route matched with those values"}

配置Ingress

创建测试用例:

% kubectl create namespace demo
% kubectl run echo --image=googlecontainer/echoserver:1.10
% kubectl expose deploy echo --port=8080 --target-port=8080

创建Ingress

% kubectl create -f - <<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: echo
  annotations:
    kubernetes.io/ingress.class: "kong"
spec:
  rules:
  - http:
      paths:
      - path: /echo
        backend:
          serviceName: echo
          servicePort: 8080
EOF

注意kubernetes.io/ingress.class可选,其指定Ingresskong解析,此关键字与kong部署配置的--ingress-class一致。

% oc get deploy kong-kong -o yaml|more
...
      spec:
        containers:
        - args:
          - /kong-ingress-controller
          - --publish-service=kong/kong-kong-proxy
          - --ingress-class=kong
          - --election-id=kong-ingress-controller-leader-kong
          - --kong-url=https://localhost:8444
...

检查Ingress并测试:

注意

  • 本例部署的kong有一个replicat,其pod当前运行在节点134.194.18.11上,故此处ADDRESS显示为此节点地址,但因将kong通过NodePort方式暴露端口,故实际上可通过任一节点访问;
  • PORTS此处永远显示为标准端口80,但上节通过NodePorts方式将kong代理暴露到集群外部,其端口映射关系为80:30569/TCP,443:32461/TCP
% kubectl get ing
NAME      HOSTS               ADDRESS         PORTS     AGE
echo      *                   134.194.18.11   80        3m

通过kong代理访问服务:

% curl http://134.194.18.11:30569/echo
...
Hostname: echo-56f4bd4f84-rx8wx

Pod Information:
        node name:      okd-c01.zyl.io
        pod name:       echo-56f4bd4f84-rx8wx
        pod namespace:  demo
        pod IP: 10.128.2.243
...

参考文档


我是读书人
114 声望136 粉丝

随意记录,想着啥,写啥