概述
集群中的服务该如何供集群外访问?K8S提供了ingress特性,而可实现ingress的软件有nginx、haproxy、traefix等,本文描述如何将API网关服务Kong作为ingress来暴露集群提供的服务。
Kong安装
注意:本文采用Helm方式安装,否则可用原始YAMLs文件方式安装,如:
# db is pgsql
% kubectl apply -f https://bit.ly/kong-ingress
# or
# db-less
% kubectl apply -f https://bit.ly/kong-ingress-dbless
可选。若主机无法访问gcr.io网站,需将charts下载到本地主机:
git clone https://github.com/helm/charts.git
创建namespace:
% kubectl create namespace kong
如下以db-less模式安装kong,并启用其k8s ingress control:
# 若主机可访问gcr.io,则第一步骤可省略,此时执行:
% helm install stable/kong \
--name kong
--namespace kong \
--set ingressController.enabled=true \
--set postgresql.enabled=false \
--set env.database=off
# 否则:
% cd charts/stable/kong
% mv requirements.yaml requirements.yaml.orig # db-less模式安装,可将数据库依赖删掉
% helm install . \
--name kong \
--namespace kong \
--set ingressController.enabled=true \
--set postgresql.enabled=false \
--set env.database=off
安装完成后检查。注意:默认helm安装采用NodePort方式暴露kong-proxy(代理)端口,故端口是随机生成的,如下所示,通过主机的30569可访问kong的80端口,通过32461端口可访问kong的443端口。
% oc get deploy
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
kong-kong 1 1 1 1 1h
% oc get pod
NAME READY STATUS RESTARTS AGE
kong-kong-695d4dd564-89skv 2/2 Running 3 1h
% oc get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kong-kong-admin NodePort 172.30.35.72 <none> 8444:32192/TCP 1h
kong-kong-proxy NodePort 172.30.69.93 <none> 80:30569/TCP,443:32461/TCP 1h
# crd
% kubectl get crd|grep konghq
kongconsumers.configuration.konghq.com 2019-08-20T08:15:32Z
kongcredentials.configuration.konghq.com 2019-08-20T08:15:32Z
kongingresses.configuration.konghq.com 2019-08-20T08:15:32Z
kongplugins.configuration.konghq.com 2019-08-20T08:15:32Z
访问kong-proxy测试:
# 如下所示,选择任何一台Node节点的IP:<NodePort>访问测试:
% curl -i okd-m01.zyl.io:30569
HTTP/1.1 404 Not Found
Date: Tue, 27 Aug 2019 08:46:25 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 48
Server: kong/1.2.2
{"message":"no Route matched with those values"}
配置Ingress
创建测试用例:
% kubectl create namespace demo
% kubectl run echo --image=googlecontainer/echoserver:1.10
% kubectl expose deploy echo --port=8080 --target-port=8080
创建Ingress:
% kubectl create -f - <<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: echo
annotations:
kubernetes.io/ingress.class: "kong"
spec:
rules:
- http:
paths:
- path: /echo
backend:
serviceName: echo
servicePort: 8080
EOF
注意:kubernetes.io/ingress.class可选,其指定Ingress由kong解析,此关键字与kong部署配置的--ingress-class一致。
% oc get deploy kong-kong -o yaml|more
...
spec:
containers:
- args:
- /kong-ingress-controller
- --publish-service=kong/kong-kong-proxy
- --ingress-class=kong
- --election-id=kong-ingress-controller-leader-kong
- --kong-url=https://localhost:8444
...
检查Ingress并测试:
注意:
- 本例部署的kong有一个replicat,其pod当前运行在节点134.194.18.11上,故此处ADDRESS显示为此节点地址,但因将kong通过NodePort方式暴露端口,故实际上可通过任一节点访问;
- PORTS此处永远显示为标准端口80,但上节通过NodePorts方式将kong代理暴露到集群外部,其端口映射关系为80:30569/TCP,443:32461/TCP。
% kubectl get ing
NAME HOSTS ADDRESS PORTS AGE
echo * 134.194.18.11 80 3m
通过kong代理访问服务:
% curl http://134.194.18.11:30569/echo
...
Hostname: echo-56f4bd4f84-rx8wx
Pod Information:
node name: okd-c01.zyl.io
pod name: echo-56f4bd4f84-rx8wx
pod namespace: demo
pod IP: 10.128.2.243
...
参考文档
- kubernetes-ingress-controller:https://github.com/Kong/kuber...;
- helm with kong:https://github.com/helm/chart...;
- kubernetes-ingress-controller文档:https://github.com/Kong/kuber...;
**粗体** _斜体_ [链接](http://example.com) `代码` - 列表 > 引用
。你还可以使用@
来通知其他用户。