Background:
The team will publish a set of applications, WS applications developed by SpringBoot. And then you have to go outside. Support WS WSS protocol. Jenkins finished writing the Pipeline publishing task. Remember that when there was no container in the past, the CLS hanging certificate of Tencent Cloud was used to map the CVM port. My current network environment looks like this: Kubernetes 1.20.5 to install Traefik in the Tencent cloud (of course, this environment is running on top of TKE1.20.6, it is all built according to the above example, except that I created a new namespace Traefik, The Traefik application is installed in this namespace! The reason for this is that there are too many PODs under TKE’s kebe-system! I have OCD.)
Deployment and analysis process:
1. About my app:
The application will be deployed at StatefulSet as follows:
cat <<EOF > xxx-gateway.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: xxx-gateway
spec:
serviceName: xxx-gateway
replicas: 1
selector:
matchLabels:
app: xxx-gateway
template:
metadata:
labels:
app: xxx-gateway
spec:
containers:
- name: xxx-gateway
image: ccr.ccs.tencentyun.com/xxx-master/xxx-gateway:202107151002
env:
- name: SPRING_PROFILES_ACTIVE
value: "official"
- name: SPRING_APPLICATION_JSON
valueFrom:
configMapKeyRef:
name: spring-config
key: dev-config.json
ports:
- containerPort: 8443
resources:
requests:
memory: "512M"
cpu: "500m"
limits:
memory: "512M"
cpu: "500m"
imagePullSecrets:
- name: tencent
---
apiVersion: v1
kind: Service
metadata:
name: xxx-gateway
labels:
app: xxx-gateway
spec:
ports:
- port: 8443
selector:
app: xxx-gateway
clusterIP: None
EOF
kubectl apply -f xxx-gateway.yaml -n official
Ingress YAML is a direct copy of another application to modify, as follows:
cat <<EOF > gateway-0-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: layaverse-gateway-0-http
namespace: official
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: xxx-gateway-0.xxx.com
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: xxx-gateway
port:
number: 8443
EOF
The deployment of ingress
kubectl apply -f gateway-0-ingress.yaml
View the status of the Ingress deployment
kubectl get ingress -n official
Then test WSS (WSS I use port 443 directly. The certificate mounts the SLB layer – that’s what I understand! Refer to my Traefik configuration for details), and here I would like to highlight the WSCAT tool. Anyway, we have a look at our back-end partners testing WS applications are all using online WS tools:
That’s it. Then I happened to see WSCAT installed:
sudo apt install npm
sudo npm install -g wscat
wscat -c wss://xxx-gateway-0.xxx.com:443/ws
Mm-hmm. It’s almost certain that the app is successful, right?
Of course, the above is just my smooth hypothesis! In fact, after the proxy, the WS service on the back end is still having various problems (at first I suspected it was Traefik’s problem), but it still can’t connect! I roughly changed the exposure mode of XXX – Gateway to NodePort and then mounted it to SLB layer (directly added SSL certificate in SCL). After testing, it was OK and used directly. Let the app run, and then figure out what to do with it.
2. About WS and HTTP:
Leaving all that aside, how does implementing my Traefik implement proxy WS?
The content in the figure is extracted from:https://blog.csdn.net/fmm_sunshine/article/details/77918477
3. Check whose pot it is
1. Build a simple WS application
Since the back-end code is confusing, I will find a simple WS service and test it with the Traefik proxy! Dockerhub search a nodejs websocket mirror: https://hub.docker.com/r/ksdn117/web-socket-test deployment:
cat <<EOF > web-socket-test.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: web-socket-test
spec:
serviceName: web-socket-test
replicas: 1
selector:
matchLabels:
app: web-socket-test
template:
metadata:
labels:
app: web-socket-test
spec:
containers:
- name: web-socket-test
image: ksdn117/web-socket-test
ports:
- containerPort: 8010
name: web
- containerPort: 8443
name: ssl
resources:
requests:
memory: "512M"
cpu: "500m"
limits:
memory: "512M"
cpu: "500m"
---
apiVersion: v1
kind: Service
metadata:
name: web-socket-test
labels:
app: web-socket-test
spec:
type: NodePort
ports:
- port: 8010
targetPort: 8010
protocol: TCP
name: web
- port: 8443
targetPort: 8443
name: ssl
protocol: TCP
selector:
app: web-socket-test
EOF
Note: I added type:NodePort to the configuration file here
kubectl apply -f web-socket-test.yaml
kubectl get pods
kubectl get svc
2. Internal WSCAT test whether the WS service is connected
First connect to Container Pod IP internally to test the service:
Wscat - connect the ws: / / 172.22.0.230:8010
kubectl logs -f web-socket-test-0
3. Traefik was applied and tested for external proxy WS
Traefik’s normal external exposure service can be used by Ingress and IngressRoute. I’ll try both:
1. Ingressroute way
cat <<EOF > web-socket-ingressroute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: web-socket-test-http
namespaces: default
spec:
entryPoints:
- web
routes:
- match: Host(`web-socket-test.xxx.com`)
kind: Rule
services:
- name: web-socket-test
port: 8010
EOF
kubectl apply -f web-socket-ingressroute.yaml
WSCAT connection test:
That’s no problem, right?
Delete the ingress
kubectl delete -f web-socket-ingressroute.yaml
2. Ingress
Here’s how Ingress works:
cat <<EOF > web-socket-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: web-socket-test
namespace: default
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: web-socket-test.layame.com
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: web-socket-test
port:
number: 8010
EOF
kubectl apply -f web-socket-ingress.yaml
wscat --connect wss://web-socket-test.xxx.com:443
Jump pot basically complete at least not my infrastructure should be a problem….. Have a backend partner test it out to see what went wrong. From my agent layer is no problem!
About others:
Of course, some blogs also need to add passHostHeader: true configuration
1. Ingressroute:
2. ingress
ingress:traefik.ingress.kubernetes.io/service.passhostheader: “true”
If you have a problem, try the above method!