如果我们专门需要有一组route处理暴露给内部的应用,就可以采用Route分区的功能,OpenShift 4.3中Route分区功能有所增强,支持基于命名空间的分区以及基于Route的Label进行分区。
下面我们具体来实践一下。
1.创建内部Router组
首先修改自己的node,做一些分组,比如infra,infra1
[root@clientvm 0 ~]# oc get nodes NAME STATUS ROLES AGE VERSION ip-10-0-138-140.us-east-2.compute.internal Ready master 14d v1.16.2 ip-10-0-141-38.us-east-2.compute.internal Ready infra,worker 14d v1.16.2 ip-10-0-144-175.us-east-2.compute.internal Ready master 14d v1.16.2 ip-10-0-152-254.us-east-2.compute.internal Ready infra1,worker 14d v1.16.2 ip-10-0-165-83.us-east-2.compute.internal Ready infra,worker 14d v1.16.2 ip-10-0-172-187.us-east-2.compute.internal Ready master 14d v1.16.2
OpenShift 4安装完成后有一个缺省的Ingress Controller,可以通过以下命令看到这个default router.
[root@clientvm 0 ~]# oc get ingresscontroller -n openshift-ingress-operator default -o yaml
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
creationTimestamp: "2020-02-17T14:05:36Z"
finalizers:
- ingresscontroller.operator.openshift.io/finalizer-ingresscontroller
generation: 2
name: default
namespace: openshift-ingress-operator
resourceVersion: "286852"
selfLink: /apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default
uid: 91cb30a9-518e-11ea-9402-02390bbc2fc6
spec:
nodePlacement:
nodeSelector:
matchLabels:
node-role.kubernetes.io/infra: ""
replicas: 2
status:
availableReplicas: 2
conditions:
- lastTransitionTime: "2020-02-17T14:05:36Z"
reason: Valid
status: "True"
type: Admitted
- lastTransitionTime: "2020-02-18T03:20:38Z"
status: "True"
type: Available
- lastTransitionTime: "2020-02-17T14:05:40Z"
message: The endpoint publishing strategy supports a managed load balancer
reason: WantedByEndpointPublishingStrategy
status: "True"
type: LoadBalancerManaged
- lastTransitionTime: "2020-02-17T14:05:43Z"
message: The LoadBalancer service is provisioned
reason: LoadBalancerProvisioned
status: "True"
type: LoadBalancerReady
- lastTransitionTime: "2020-02-17T14:05:40Z"
message: DNS management is supported and zones are specified in the cluster DNS
config.
reason: Normal
status: "True"
type: DNSManaged
- lastTransitionTime: "2020-02-17T14:05:47Z"
message: The record is provisioned in all reported zones.
reason: NoFailedZones
status: "True"
type: DNSReady
- lastTransitionTime: "2020-02-18T03:20:38Z"
status: "False"
type: Degraded
- lastTransitionTime: "2020-02-18T03:20:38Z"
message: The deployment has Available status condition set to True
reason: DeploymentAvailable
status: "False"
type: DeploymentDegraded
domain: apps.cluster-6277.sandbox140.opentlc.com
endpointPublishingStrategy:
loadBalancer:
scope: External
type: LoadBalancerService
observedGeneration: 2
selector: ingresscontroller.operator.openshift.io/deployment-ingresscontroller=default
tlsProfile:
ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
minTLSVersion: VersionTLS12
我们先建立一组内部的Router
[root@clientvm 0 ~]# cat router-internal.yaml
apiVersion: v1
items:
- apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: internal
namespace: openshift-ingress-operator
spec:
replicas: 1
domain: internalapps.cluster-6277.sandbox140.opentlc.com
endpointPublishingStrategy:
type: LoadBalancerService
nodePlacement:
nodeSelector:
matchLabels:
node-role.kubernetes.io/infra1: ""
routeSelector:
matchLabels:
type: internal
status: {}
kind: List
metadata:
resourceVersion: ""
selfLink: ""
oc create -f router-internal.yaml
建立完成后查看
[root@clientvm 0 ~]# oc get ingresscontroller -n openshift-ingress-operator NAME AGE default 14d internal 23m
[root@clientvm 0 ~]# oc get svc -n openshift-ingress NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE router-default LoadBalancer 172.30.147.15 a92dd1252518e11ea940202390bbc2fc-1093196650.us-east-2.elb.amazonaws.com 80:31681/TCP,443:31998/TCP 14d router-internal LoadBalancer 172.30.234.210 af3b1fc6df9f44e69b656426ba1497dc-1902918297.us-east-2.elb.amazonaws.com 80:31499/TCP,443:32125/TCP 23m router-internal-default ClusterIP 172.30.205.36 <none> 80/TCP,443/TCP,1936/TCP 14d router-internal-internal ClusterIP 172.30.187.205 <none> 80/TCP,443/TCP,1936/TCP 23m
值得注意的是,我们是在aws公有云环境中去建立的,所以暴露出来的是LoadBalancerService
如果我们是在自己内部云的环境中建立,应该不需要标黑的那段。
查看一下router信息
[root@clientvm 0 ~]# oc get pod -n openshift-ingress -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES router-default-6784d69459-db5rt 1/1 Running 0 14d 10.129.2.15 ip-10-0-141-38.us-east-2.compute.internal <none> <none> router-default-6784d69459-xrtgc 1/1 Running 0 14d 10.131.0.4 ip-10-0-165-83.us-east-2.compute.internal <none> <none> router-internal-6c896bb666-mckr4 1/1 Running 0 26m 10.128.2.82 ip-10-0-152-254.us-east-2.compute.internal <none> <none>
2.修改应用路由
注意标黑的host URL以及label上注明了type: internal
[root@clientvm 0 ~]# oc get route tomcat -oyaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
annotations:
openshift.io/host.generated: "true"
creationTimestamp: "2020-03-03T08:08:18Z"
labels:
app: tomcat
app.kubernetes.io/component: tomcat
app.kubernetes.io/instance: tomcat
app.kubernetes.io/name: ""
app.kubernetes.io/part-of: tomcat-app
app.openshift.io/runtime: ""
type: internal
name: tomcat
namespace: myproject
resourceVersion: "5811320"
selfLink: /apis/route.openshift.io/v1/namespaces/myproject/routes/tomcat
uid: a94f136b-3292-4d8d-981c-923bf5d8a3a0
spec:
host: tomcat-myproject.internalapps.cluster-6277.sandbox140.opentlc.com
port:
targetPort: 8080-tcp
to:
kind: Service
name: tomcat
weight: 100
wildcardPolicy: None
从describe信息来看,路由已经暴露在default和internal的路由上。
[root@clientvm 0 ~]# oc describe route tomcat
Name: tomcat
Namespace: myproject
Created: 22 minutes ago
Labels: app=tomcat
app.kubernetes.io/component=tomcat
app.kubernetes.io/instance=tomcat
app.kubernetes.io/name=
app.kubernetes.io/part-of=tomcat-app
app.openshift.io/runtime=
type=internal
Annotations: openshift.io/host.generated=true
Requested Host: tomcat-myproject.internalapps.cluster-6277.sandbox140.opentlc.com
exposed on router default (host apps.cluster-6277.sandbox140.opentlc.com) 22 minutes ago
exposed on router internal (host internalapps.cluster-6277.sandbox140.opentlc.com) 20 minutes ago
Path: <none>
TLS Termination: <none>
Insecure Policy: <none>
Endpoint Port: 8080-tcp
Service: tomcat
Weight: 100 (100%)
Endpoints: 10.128.2.76:8080
之所以暴露在default上,是因为在default router设置中并为设置RouteSelector,因此如果需要只暴露在internal的路由,就需要修改default,加入RouteSelector的Label标识,但这样带来的效果就是,以后每次建立route都需要指定label,从而选择具体把route挂载在一组特定的router上。
在公有云环境中,我们可以直接访问 http://tomcat-myproject.internalapps.cluster-6277.sandbox140.opentlc.com/
3.基于命名空间进行路由分区
以上是基于Route的Label进行路由分区,如果是基于命名空间分区的化,我们继续修改一下route-internal.yaml文件
[root@clientvm 0 ~]# cat router-internal.yaml
apiVersion: v1
items:
- apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: internal
namespace: openshift-ingress-operator
spec:
replicas: 1
domain: internalapps.cluster-6277.sandbox140.opentlc.com
endpointPublishingStrategy:
type: LoadBalancerService
namespaceSelector:
matchLabels:
environment: app
nodePlacement:
nodeSelector:
matchLabels:
node-role.kubernetes.io/infra1: ""
status: {}
kind: List
metadata:
resourceVersion: ""
selfLink: ""
然后我们把项目打上标签
oc label ns myproject environment=app
修改route tomcat,删掉label,删除再测试。
值得注意的是,如果路由分组既有namespaceSelector又有RouteSelector,那就说明需要两个条件都生效。