導讀
Kourier 是一個基于Envoy實作的輕量級網關,是專門對于 Knative Serving 服務通路提供的一個網關實作。
特性
• 提供 Knative revisions 流量分發
• 支援 gRPC 服務.
• 支援逾時和重試.
• 支援TLS
• 支援外部認證授權.
Kourier 部署
我們支援兩種方式部署使用 Kourier:
• Kourier 社群部署:
0.19.0版本•
阿裡雲容器服務 Knative目前也已內建 Kourier 0.19.0 版本, 并且以 addon 元件形式提供支援。在容器服務托管版Kubernetes中, Kourier 已經作為了 Knative 的預設使用網關。
服務通路
這裡我們建立一個簡單的helloworld的服務進行通路測試。
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
name: helloworld-go
spec:
template:
spec:
containers:
- image: registry.cn-hangzhou.aliyuncs.com/knative-sample/helloworld-go:73fbdd56
env:
- name: TARGET
value: "Knative" 執行指令部署:
kubectl apply -f helloworld.yaml
kubectl get ksvc
NAME URL LATESTCREATED LATESTREADY READY REASON
helloworld-go http://helloworld-go.default.example.com helloworld-go-msq9q helloworld-go-msq9q True 擷取服務通路 IP:
richard@B-N3TEMD6P-1650 kourier % kubectl -n knative-serving get svc kourier
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kourier LoadBalancer 172.21.4.211 47.107.243.210 80:31711/TCP,443:31637/TCP 47h 測試通路:
curl -H "host: helloworld-go.default.example.com" http://47.107.243.210 -v
* Trying 47.107.243.210...
* TCP_NODELAY set
* Connected to 47.107.243.210 (47.107.243.210) port 80 (#0)
> GET / HTTP/1.1
> Host: helloworld-go.default.example.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< content-length: 15
< content-type: text/plain; charset=utf-8
< date: Fri, 15 Jan 2021 09:12:47 GMT
< x-envoy-upstream-service-time: 0
< server: envoy
<
Hello Knative!
* Connection #0 to host 47.107.243.210 left intact
* Closing connection 0 使用證書
Kouier 支援TLS,那麼實際如何使用呢?這裡也簡單介紹一下
建立證書:
openssl genrsa -out tls.key 4096
openssl req -subj "/CN=*.example.com/L=*.example.com" -sha256 -new -key tls.key -out tls.csr
echo subjectAltName = DNS:helloworld-go.default.example.com,DNS:helloworld-go.default.example.cn > extfile.cnf
openssl x509 -req -days 3650 -sha256 -in tls.csr -signkey tls.key -out tls.crt -extfile extfile.cnf 建立secret:
kubectl -n knative-serving create secret tls kourier-cert --key tls.key --cert tls.crt 配置證書:
修改命名空間 knative-serving中的deployment: kourier-control, 配置證書資訊:
• CERTS_SECRET_NAMESPACE: 證書 secret 所在的命名空間
• CERTS_SECRET_NAME:證書 secret 名稱
kubectl -n knative-serving edit deploy kourier-control
...
spec:
containers:
- env:
- name: CERTS_SECRET_NAMESPACE
value: knative-serving
- name: CERTS_SECRET_NAME
value: kourier-cert
... 儲存上述修改之後, kourier-control會重新啟動
kubectl -n knative-serving get po kourier-control-54888647cc-w6gqr
NAME READY STATUS RESTARTS AGE
kourier-control-54888647cc-w6gqr 1/1 Running 0 10s 驗證服務:
測試通路, 我們這裡通過證書通路網關:
curl -H "host: helloworld-go.default.example.com" -k --cert tls.crt --key tls.key https://47.107.243.210 -v
* Trying 47.107.243.210...
* TCP_NODELAY set
* Connected to 47.107.243.210 (47.107.243.210) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=*.example.com; L=*.example.com
* start date: Jan 15 02:37:00 2021 GMT
* expire date: Jan 13 02:37:00 2031 GMT
* issuer: CN=*.example.com; L=*.example.com
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: helloworld-go.default.example.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK ![TestLink導出用例轉換工具(XML2Excel)[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)