无法通过Kubernetes ingress访问websocket

问题描述 投票:2回答:1

我已经在GCP上为Kubernetes Cluster部署了两个服务:

一个是Spring Cloud Api Gateway实现:

apiVersion: v1
kind: Service
metadata:
  name: api-gateway
spec:
  ports:
  - name: main
    port: 80
    targetPort: 8080
    protocol: TCP
  selector:
    app: api-gateway
    tier: web
  type: NodePort

另一个是后端聊天服务实现,它在/ws/路径上公开WebSocket。

apiVersion: v1
kind: Service
metadata:
 name: chat-api
spec:
  ports:
  - name: main
    port: 80
    targetPort: 8080
    protocol: TCP
  selector:
    app: chat
    tier: web
  type: NodePort

API网关通过Contour Ingress Controller暴露于互联网:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: api-gateway-ingress
  annotations:
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/cluster-issuer: "letsencrypt-prod"
    ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
  - secretName: api-gateway-tls
    hosts:
    - api.mydomain.com.br
  rules:
  - host: api.mydomain.com.br
    http:
      paths:
      - backend:
          serviceName: api-gateway
          servicePort: 80

网关将来自/chat/路径的传入呼叫路由到/ws/上的聊天服务:

@Bean
public RouteLocator routes(RouteLocatorBuilder builder) {
    return builder.routes()
            .route(r -> r.path("/chat/**")
                    .filters(f -> f.rewritePath("/chat/(?<segment>.*)", "/ws/(?<segment>.*)"))
                    .uri("ws://chat-api"))
            .build();
}

当我尝试通过网关连接到WebSocket时,我收到403错误:

error: Unexpected server response: 403

我甚至尝试使用http,https,ws和wss进行连接,但错误仍然存​​在。

有人有线索吗?

spring websocket kubernetes kubernetes-ingress
1个回答
3
投票

我使用Contour 0.5.0使用Ingress资源时遇到了同样的问题,但我设法通过使用IngressRoute将Contour升级到v0.6.0-beta.3来解决它(但要注意,它是测试版)。

您可以像这样添加IngressRoute资源(crd)(删除以前的入口资源):

#ingressroute.yaml
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: api-gateway-ingress
  namespace: default
spec:
  virtualhost:
    fqdn: api.mydomain.com.br
    tls:
      secretName: api-gateway-tls
  routes:
    - match: /
      services:
        - name: api-gateway
          port: 80
    - match: /chat
      enableWebsockets: true # Setting this to true enables websocket for all paths that match /chat
      services:
        - name: api-gateway
          port: 80

然后应用它

Websockets只能在/chat路径上获得授权。

有关Contour IngressRoute的更多详细信息,请参阅here

© www.soinside.com 2019 - 2024. All rights reserved.