导读
Kourier 是一个基于Envoy实现的轻量级网关,是专门对于 Knative Serving 服务访问提供的一个网关实现。
特性
• 提供 Knative revisions 流量分发
• 支持 gRPC 服务.
• 支持超时和重试.
• 支持TLS
• 支持外部认证授权.
Kourier 部署
我们支持两种方式部署使用 Kourier:
• Kourier 社区部署:0.19.0版本
• 阿里云容器服务 Knative 目前也已集成 Kourier 0.19.0 版本, 并且以 addon 组件形式提供支持。在容器服务托管版Kubernetes中, Kourier 已经作为了 Knative 的默认使用网关。
服务访问
这里我们创建一个简单的helloworld的服务进行访问测试。
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
name: helloworld-go
spec:
template:
spec:
containers:
- image: registry.cn-hangzhou.aliyuncs.com/knative-sample/helloworld-go:73fbdd56
env:
- name: TARGET
value: "Knative"执行命令部署:
kubectl apply -f helloworld.yaml
kubectl get ksvc
NAME URL LATESTCREATED LATESTREADY READY REASON
helloworld-go http://helloworld-go.default.example.com helloworld-go-msq9q helloworld-go-msq9q True获取服务访问 IP:
richard@B-N3TEMD6P-1650 kourier % kubectl -n knative-serving get svc kourier
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kourier LoadBalancer 172.21.4.211 47.107.243.210 80:31711/TCP,443:31637/TCP 47h测试访问:
curl -H "host: helloworld-go.default.example.com" http://47.107.243.210 -v
* Trying 47.107.243.210...
* TCP_NODELAY set
* Connected to 47.107.243.210 (47.107.243.210) port 80 (#0)
> GET / HTTP/1.1
> Host: helloworld-go.default.example.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< content-length: 15
< content-type: text/plain; charset=utf-8
< date: Fri, 15 Jan 2021 09:12:47 GMT
< x-envoy-upstream-service-time: 0
< server: envoy
<
Hello Knative!
* Connection #0 to host 47.107.243.210 left intact
* Closing connection 0使用证书
Kouier 支持TLS,那么实际如何使用呢?这里也简单介绍一下
创建证书:
openssl genrsa -out tls.key 4096
openssl req -subj "/CN=*.example.com/L=*.example.com" -sha256 -new -key tls.key -out tls.csr
echo subjectAltName = DNS:helloworld-go.default.example.com,DNS:helloworld-go.default.example.cn > extfile.cnf
openssl x509 -req -days 3650 -sha256 -in tls.csr -signkey tls.key -out tls.crt -extfile extfile.cnf创建secret:
kubectl -n knative-serving create secret tls kourier-cert --key tls.key --cert tls.crt配置证书:
修改命名空间 knative-serving中的deployment: kourier-control, 配置证书信息:
• CERTS_SECRET_NAMESPACE: 证书 secret 所在的命名空间
• CERTS_SECRET_NAME:证书 secret 名称
kubectl -n knative-serving edit deploy kourier-control
...
spec:
containers:
- env:
- name: CERTS_SECRET_NAMESPACE
value: knative-serving
- name: CERTS_SECRET_NAME
value: kourier-cert
...保存上述修改之后, kourier-control会重新启动
kubectl -n knative-serving get po kourier-control-54888647cc-w6gqr
NAME READY STATUS RESTARTS AGE
kourier-control-54888647cc-w6gqr 1/1 Running 0 10s验证服务:
测试访问, 我们这里通过证书访问网关:
curl -H "host: helloworld-go.default.example.com" -k --cert tls.crt --key tls.key https://47.107.243.210 -v
* Trying 47.107.243.210...
* TCP_NODELAY set
* Connected to 47.107.243.210 (47.107.243.210) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=*.example.com; L=*.example.com
* start date: Jan 15 02:37:00 2021 GMT
* expire date: Jan 13 02:37:00 2031 GMT
* issuer: CN=*.example.com; L=*.example.com
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: helloworld-go.default.example.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
