我已经在GCP上为Kubernetes Cluster部署了两个服务:
一个是Spring Cloud Api Gateway实现:
apiVersion: v1
kind: Service
metadata:
name: api-gateway
spec:
ports:
- name: main
port: 80
targetPort: 8080
protocol: TCP
selector:
app: api-gateway
tier: web
type: NodePort
另一个是后端聊天服务实现,它在/ws/
路径上公开WebSocket。
apiVersion: v1
kind: Service
metadata:
name: chat-api
spec:
ports:
- name: main
port: 80
targetPort: 8080
protocol: TCP
selector:
app: chat
tier: web
type: NodePort
API网关通过Contour Ingress Controller暴露于互联网:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: api-gateway-ingress
annotations:
kubernetes.io/tls-acme: "true"
certmanager.k8s.io/cluster-issuer: "letsencrypt-prod"
ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
tls:
- secretName: api-gateway-tls
hosts:
- api.mydomain.com.br
rules:
- host: api.mydomain.com.br
http:
paths:
- backend:
serviceName: api-gateway
servicePort: 80
网关将来自/chat/
路径的传入呼叫路由到/ws/
上的聊天服务:
@Bean
public RouteLocator routes(RouteLocatorBuilder builder) {
return builder.routes()
.route(r -> r.path("/chat/**")
.filters(f -> f.rewritePath("/chat/(?<segment>.*)", "/ws/(?<segment>.*)"))
.uri("ws://chat-api"))
.build();
}
当我尝试通过网关连接到WebSocket时,我收到403错误:
error: Unexpected server response: 403
我甚至尝试使用http,https,ws和wss进行连接,但错误仍然存在。
有人有线索吗?
我使用Contour 0.5.0使用Ingress资源时遇到了同样的问题,但我设法通过使用IngressRoute将Contour升级到v0.6.0-beta.3来解决它(但要注意,它是测试版)。
您可以像这样添加IngressRoute资源(crd)(删除以前的入口资源):
#ingressroute.yaml
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
name: api-gateway-ingress
namespace: default
spec:
virtualhost:
fqdn: api.mydomain.com.br
tls:
secretName: api-gateway-tls
routes:
- match: /
services:
- name: api-gateway
port: 80
- match: /chat
enableWebsockets: true # Setting this to true enables websocket for all paths that match /chat
services:
- name: api-gateway
port: 80
然后应用它
Websockets只能在/chat
路径上获得授权。
有关Contour IngressRoute的更多详细信息,请参阅here。