Background
The Kubernetes Ingress API is designed with a separation of concerns, where the Ingress implementation provides an entry feature infrastructure managed by operations staff; it also allows application owners to control the routing of requests to the backend through rules.
The osm-edge supports multiple Ingress implementations to manage ingress traffic and provides the IngressBackend API to configure back-end services to receive access from trusted ingress points. This article focuses on the integration of osm-edge with FSM to manage ingress traffic.
Introduction to FSM
FSM is another open-source product from Flomesh for Kubernetes north-south traffic, gateway api contoller, and multi-cluster management. FSM uses Pipy, a programmable proxy at its core, and provides an Ingress controller, Gateway API controller, load balancer, cross-cluster service registration discovery, and more.
Integration with FSM
FSM is already integrated inside osm-edge and can be enabled during osm-edge installation; it can also be installed independently via helm for existing osm-edge mesh.
Prerequisites
- Kubernetes cluster, version 1.19.0 and higher
- Helm 3 CLI for standalone installation of FSM
Download the osm-edge CLI at
system=$(uname -s | tr [:upper:] [:lower:]) arch=$(dpkg --print-architecture) release=v1.1.1 curl -L https://github.com/flomesh-io/osm-edge/releases/download/${release}/osm-edge-${release}-${system}-${arch}.tar.gz | tar -vxzf - . /${system}-${arch}/osm version cp . /${system}-${arch}/osm /usr/local/bin/ Integrated installation
export osm_namespace=osm-system export osm_mesh_name=osm osm install --set fsm.enabled=true \ --mesh-name "$osm_mesh_name" \ --osm-namespace "$osm_namespace" Standalone installation
If osm-edge is installed without FSM enabled, you can use a standalone installation to install it.
helm repo add fsm https://charts.flomesh.io export fsm_namespace=osm-system helm install fsm fsm/fsm --namespace "$fsm_namespace" --create-namespace Verify that all pods are up and running properly.
kubectl get pods -n osm-system NAME READY STATUS RESTARTS AGE repo-8756f76fb-2f78g 1/1 Running 0 5m53s manager-866585bbd5-pbg7q 1/1 Running 0 5m53s osm-bootstrap-7c6689ff57-47ksk 1/1 Running 0 5m53s osm-controller-57888cfc7c-tnqxl 2/2 Running 0 5m52s osm-injector-5f77898899-45f65 1/1 Running 0 5m53s bootstrap-fd5894bcc-nr7hf 1/1 Running 0 5m53s cluster-connector-local-68c7584c8b-qf7xm 1/1 Running 0 2m43s ingress-pipy-6fb8c8b794-pgthl 1/1 Running 0 5m53s Configuration
In order to authorize clients by restricting access to backend traffic, we will configure IngressBackend so that only ingress traffic from the ingress-pipy-controller endpoint can be routed to the backend service. In order to discover the ingress-pipy-controller endpoint, we need the osm-edge controller and the corresponding namespace to monitor it. However, to ensure that the FSM functions properly, it cannot be injected with sidecar.
kubectl label namespace "$osm_namespace" openservicemesh.io/monitored-by="$osm_mesh_name" Save the external IP address and port of the entry gateway, which will be used later to test access to the backend application.
export ingress_host="$(kubectl -n "$osm_namespace" get service ingress-pipy-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}') " export ingress_port="$(kubectl -n "$osm_namespace" get service ingress-pipy-controller -o jsonpath='{.spec.ports[? (@.name=="http")].port}')" echo $ingress_host:$ingress_port Deploying the sample service
The next step is to deploy the sample httpbin service.
## Create namespace kubectl create ns httpbin kubectl create ns httpbin # Add the namespace to the grid osm namespace add httpbin # Deploy the application kubectl apply -f - <<EOF apiVersion: v1 kind: ServiceAccount metadata: name: httpbin namespace: httpbin --- apiVersion: v1 kind: Service metadata: name: httpbin namespace: httpbin labels: app: httpbin service: httpbin spec: ports: - name: http port: 14001 selector: app: httpbin --- apiVersion: apps/v1 kind: Deployment metadata: name: httpbin namespace: httpbin spec: replicas: 1 selector: matchLabels: app: httpbin template: metadata: labels: app: httpbin spec: serviceAccountName: httpbin containers: - image: kennethreitz/httpbin imagePullPolicy: IfNotPresent name: httpbin command: ["gunicorn", "-b", "0.0.0.0:14001", "httpbin:app", "-k", "gevent"] ports: - containerPort: 14001 EOF Verify that the pod and service are created and the application is running successfully.
kubectl get pods,services -n httpbin NAME READY STATUS RESTARTS AGE pod/httpbin-54cc8cf5d-7vclc 2/2 Running 0 14s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/httpbin ClusterIP 10.43.105.166 <none> 14001/TCP 14s Configure entry rules
Next we want to access the deployed httpbin service from outside the cluster and need to provide the ingress configuration rules.
kubectl apply -f - <<EOF apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: httpbin namespace: httpbin annotations: pipy.ingress.kubernetes.io/rewrite-target-from: /httpbin pipy.ingress.kubernetes.io/rewrite-target-to: /httpbin spec: ingressClassName: pipy rules: - host: httpbin.org http: paths: - path: /httpbin pathType: Prefix backend: service: name: httpbin port: number: 14001 EOF Accessing the httpbin service using the IP address and port recorded above will result in the following 502 Bad Gateway error response. This is because we have not set the ingress of the FSM as a trusted portal.
curl -sI http://"$ingress_host":"$ingress_port"/httpbin/get -H "Host: httpbin.org" HTTP/1.1 502 Bad Gateway content-length: 0 connection: keep-alive Execute the following command to set the FSM ingress as a trusted entry.
kubectl apply -f - <<EOF kind: IngressBackend apiVersion: policy.openservicemesh.io/v1alpha1 metadata: name: httpbin namespace: httpbin spec: backends: - name: httpbin port: number: 14001 # targetPort of httpbin service protocol: http sources: - kind: Service namespace: "$osm_namespace" name: ingress-pipy-controller EOF Try requesting the httpbin service again, and you will be able to access it successfully.
curl -sI http://"$ingress_host":"$ingress_port"/httpbin/get -H "Host: httpbin.org" HTTP/1.1 200 OK server: gunicorn/19.9.0 date: Thu, 18 Aug 2022 05:18:50 GMT content-type: application/json content-length: 241 access-control-allow-origin: * access-control-allow-credentials: true osm-stats-namespace: httpbin osm-stats-kind: Deployment osm-stats-name: httpbin osm-stats-pod: httpbin-54cc8cf5d-7vclc connection: keep-alive Summary
FSM Ingress exposes the application access points within the Kubernetes cluster for easy management of portal traffic. osm-edge's IngressBackend API provides an additional line of defense against accidental data leakage by exposing services within the mesh to the public.
Top comments (0)