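What is gRPC
gRPC (gRPC Remote Procedure Call) is an open-source remote procedure call (RPC) framework developed by Google and released in 2015. It communicates over HTTP/2 and is intended to simplify service communication across networks and service calls across languages. The following are some key features and concepts of gRPC:
Requesting an SSL certificate
Create the CA certificate: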
# Generate the CA root private key: for security, generate a 4096-bit key and encrypt it with AES
openssl genrsa -aes256 -out kubesre-ca.key 4096
Enter PEM pass phrase: # password: 12345678
Verifying - Enter PEM pass phrase:
# Issue the CA root certificate with the CA root private key
openssl req -new -x509 -days 3650 -sha256 -extensions v3_ca -key kubesre-ca.key -out kubesre-ca.cer -subj "/C=CN/ST=shanghai/L=shanghai/O=kubesre/OU=kubesre/CN=*.kubesre.com"
Enter pass phrase for kubesre-ca.key: # password: 12345678
Generate the server certificate:
# Generate the server certificate private key
openssl genrsa -out kubesre-server.key 2048
# Generate the certificate signing request (CSR)
openssl req -new -key kubesre-server.key -out kubesre-server.csr -subj "/C=CN/ST=shanghai/L=shanghai/O=kubesre/OU=kubesre/CN=demo.kubesre.com"
# Sign the server certificate with the CA certificate
openssl x509 -req -days 3650 -sha256 -CA kubesre-ca.cer -CAkey kubesre-ca.key -in kubesre-server.csr -out kubesre-server.cer
Certificate request self-signature ok
subject=C = CN, ST = shanghai, L = shanghai, O = kubesre, OU = kubesre, CN = demo.kubesre.com
Enter pass phrase for kubesre-ca.key: # password: 12345678
ll
total 40
-rw-r--r--@ 1 chuanzhang staff 2.0K 8 13 15:24 kubesre-ca.cer
-rw-------@ 1 chuanzhang staff 3.4K 8 13 15:22 kubesre-ca.key
-rw-r--r--@ 1 chuanzhang staff 1.6K 8 13 15:31 kubesre-server.cer
-rw-r--r--@ 1 chuanzhang staff 1.0K 8 13 15:28 kubesre-server.csr
-rw-------@ 1 chuanzhang staff 1.7K 8 13 15:27 kubesre-server.key
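Configure the certificate:
After clicking OK, the created certificate is visible on the certificate management page:
Deploying the gRPC sample application
Deploy the sample version: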
cat demo.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grpc-service
spec:
  replicas: 1
  selector:
    matchLabels:
      run: grpc-service
  template:
    metadata:
      labels:
        run: grpc-service
    spec:
      containers:
      - image: registry.cn-shanghai.aliyuncs.com/kubesre01/grpc-server:latest
        imagePullPolicy: Always
        name: grpc-service
        ports:
        - containerPort: 50051
          protocol: TCP
      restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  name: grpc-service
spec:
  ports:
  - port: 50051
    protocol: TCP
    targetPort: 50051
  selector:
    run: grpc-service
# Create the resources
kubectl apply -f demo.yml
deployment.apps/grpc-service unchanged
service/grpc-service created
# Check the status
kubectl get pods,svc
NAME                                READY   STATUS    RESTARTS   AGE
pod/grpc-service-56f784fcb5-n72hd   1/1     Running   0          81s
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)     AGE
service/grpc-service   ClusterIP   10.96.239.197   <none>        50051/TCP   73s
service/kubernetes     ClusterIP   10.96.0.1       <none>        443/TCP     11d
# Output like the above means everything is ready
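Configuring Higress routing rules
Create the domain in domain management (it must be configured for the HTTPS protocol):
Create the route in route configuration:
Select the target service:
Add the annotation that enables the gRPC protocol: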
$ kubectl edit ingress -n higress-system demo
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    higress.io/destination: grpc-service.default.svc.cluster.local:50051
    higress.io/ignore-path-case: "false"
    # Select the gRPC protocol through an annotation
    nginx.ingress.kubernetes.io/backend-protocol: GRPC
  creationTimestamp: "2023-10-17T02:13:50Z"
  generation: 2
  labels:
    higress.io/domain_demo.kubesre.com: "true"
    higress.io/resource-definer: higress
  name: demo
  namespace: higress-system
  resourceVersion: "57816"
  uid: 5ee0a7eb-8e8f-4b8f-ba8a-8b538fb573ce
spec:
  ingressClassName: higress
  rules:
  - host: demo.kubesre.com
    http:
      paths:
      - backend:
          resource:
            apiGroup: networking.higress.io
            kind: McpBridge
            name: default
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - demo.kubesre.com
    secretName: kubesre-tls
Verification:
$ grpcurl -insecure -authority demo.kubesre.com 127.0.0.1:443 list
grpc.reflection.v1alpha.ServerReflection
helloworld.Greeter
# Output like this means verification succeeded: traffic was routed to the backend service!
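What is WebSocket
WebSocket is a computer communication protocol that provides a way to establish a persistent connection between a client and a server, allowing bidirectional real-time data transfer. Its main purpose is to address some limitations of HTTP, such as the request-response model and high latency. The following are some key features and uses of WebSocket:
WebSocket is commonly used to build real-time web applications such as online chat, collaboration tools, online games, stock market quotes, real-time monitoring and notification systems. It is very useful where real-time data transfer and immediate responses are required, because it reduces communication latency and gives a better user experience. WebSocket communication is built on top of TCP and usually uses port 80 (HTTP) or 443 (HTTPS) to transfer data.
Deploying the WebSocket sample application
Deploy the sample version: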
$ cat ws.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-ws
  labels:
    app: demo-ws
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-ws
  template:
    metadata:
      labels:
        app: demo-ws
    spec:
      containers:
      - name: demo-ws
        imagePullPolicy: Always
        image: registry.cn-shanghai.aliyuncs.com/kubesre01/demo-ws
        ports:
        - containerPort: 8090
---
apiVersion: v1
kind: Service
metadata:
  name: demo-ws-svc
spec:
  type: ClusterIP
  selector:
    app: demo-ws
  ports:
  - port: 8090
    targetPort: 8090
# Create the resources
$ kubectl apply -f ws.yml
deployment.apps/demo-ws created
service/demo-ws-svc created
# Check the status
$ kubectl get pod,svc
NAME                           READY   STATUS    RESTARTS   AGE
pod/demo-ws-79bd8fbdc7-hml6q   1/1     Running   0          2m2s
NAME                  TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
service/demo-ws-svc   ClusterIP   10.96.255.28   <none>        8080/TCP   2m2s
service/kubernetes    ClusterIP   10.96.0.1      <none>        443/TCP    82m
# Output like the above means everything is ready
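Configuring the Higress domain
Configuring Higress routing rules
Higress supports WebSocket by default with no extra configuration; the following annotations can be used for additional tuning: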
nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
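Create the route:
Verification: testing with the ApiPost tool succeeded; the WebSocket connection is established and messages can be sent and received successfully!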