Layer 7 Load Balancing (Ingress)

Layer 7 load balancing uses enhanced load balancers. Compared with layer 4 load balancing, it supports Uniform Resource Identifier (URI) configurations and distributes access traffic to the corresponding service based on the URI.

The access address consists of the IP address of the load balancer, access port, and defined URI, for example, 10.154.55.77:80/helloworld.

You can configure load balancers on public or private networks to implement layer 7 routing within a VPC.

Methods for Setting the Access Mode

You can set the access mode using either of the following two methods:

Creating an Application on the CCE Console

This section uses the ingress-test application as an example.

  1. Create an application. For details, see Creating a Stateless Application or Creating a Stateful Application.

    • If the Intra-VPC access mode has been set during application creation, go to 3.
    • If the access mode is not set during application creation, go to 2.

  2. (Optional) Set the access mode.

    1. In the navigation pane, choose Resource Management > Network.
    2. On the Services tab page, click Create Service. Select Intra-VPC access.
      • Service Name: Specify a service name. You can use the application name as the service name.
      • Cluster Name: Select the cluster for which you want to add a service.
      • Namespace: Select a namespace for which you want to add a service.
      • Application: Click Select Application, select the name of the application for which the intra-VPC access is to be configured, and click OK.
      • Access Type: Select Node IP address.
      • Port Configuration:
        • Protocol: Select a protocol used by the service.
        • Container Port: Specify a port on which the application listens. The Nginx application listens on port 80.
        • Access Port: Specify the port on the node's private IP address to which the container port is mapped. The port range is 30000–32767. This port is used when the application is accessed using the node's private IP address. You are advised to select Automatically generated.
          • Automatically generated: The system automatically assigns a port number.
          • Specified port: Specify a fixed node port. The port range is 30000–32767. Ensure that the port is unique in its cluster.
    3. Click Create Now. The Intra-VPC access mode is successfully set.

  3. Add an ingress service.

    1. In the navigation pane, choose Resource Management > Network.
    2. On the Ingresses tab page, click Create Ingress.
      • Ingress Name: Specify a name for the ingress, for example, ingress-demo.
      • Cluster Name: Select the cluster to which the ingress is to be added.
      • Namespace: Select the namespace to which the ingress is to be added.
      • Enhanced load balancer: You can select an existing load balancer or let the system automatically create one.

        Currently, only clusters of v1.11.3 support automatic creation of enhanced load balancers.

      • External Port: Port number that is open to the ELB service address. The port number can be freely selected.
      • Front-End Protocol: HTTP and HTTPS are supported. If HTTPS is selected, select a key certificate. The key certificate must be created in advance. The key type is IngressTLS. For details about how to create a key, see Creating a Secret.
        NOTE:

        Only clusters of v1.11.3 support the HTTPS protocol. Clusters of v1.9.2 do not support it.

      • Domain Name: Domain address that is actually accessed, which corresponds to the domain address of the ELB service. You need to purchase and record the domain name. This parameter is optional. If a domain name rule is configured, the domain name must be used for access. Otherwise, you can use the IP address of the load balancer for access.
      • Route Configuration:
        • Route Matching Rule: Prefix matching, exact matching, and regular expression matching.
          • Prefix match: If the mapping URL is /healthz, any URL that starts with this prefix can be accessed, for example, /healthz/v1 and /healthz/v2.
          • Exact match: Only the URL that is the same as the mapping URL can be accessed. For example, if the mapping URL is /healthz, only /healthz can be accessed.
          • Regular expression match: The mapping URL rule can be set, for example, /[A-Za-z0-9_.-]+/test. All URLs that comply with this rule can be accessed, for example, /abcA9/test and /v1-Ab/test.
        • Mapping URL: Access path to be registered, for example: /healthz.
        • Service Name: Select the service whose ingress is to be added. The service access type is Intra-VPC access. If no service exists, click Creating a Service to create one.
        • Container Port: Specify a port on which the container listens. For example, the defaultbackend application listens on port 8080 (container port).

  4. Click Create Now.

    After the creation is complete, you can view the created ingress in the ingress list.

  5. Access the /healthz interface of the application (for example, defaultbackend).

    1. Obtain the access address of the /healthz interface of the defaultbackend. The access address consists of the load balancer IP address, external port, and mapping URL. For example, 10.154.55.77:80/healthz.
      Figure 1 Obtaining the access address
    2. Enter the URL of the /healthz interface in the address box of the browser to access the application, as shown in Figure 2.
      Figure 2 Access the /healthz interface of the defaultbackend

Using kubectl for Ingress Access

This section uses an Nginx application as an example to describe how to implement ingress access using kubectl.

Prerequisites

You have configured the kubectl commands and connected an ECS to the cluster. For details, see Connecting to a Kubernetes Cluster Using kubectl.

  1. Log in to the ECS on which the kubectl commands have been configured. For details, see Logging In to a Linux ECS.
  2. Create the ingress-test-deployment.yaml, ingress-test-svc.yaml, ingress-test-ingress.yaml, and ingress-test-secret.yaml files.

    ingress-test-deployment.yaml, ingress-test-svc.yaml, ingress-test-ingress.yaml, and ingress-test-secret.yaml are user-defined names. You can choose any file names.

    NOTE:

    The key certificate ingress-test-secret.yaml is required only when HTTPS is selected.

    vi ingress-test-deployment.yaml

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: ingress-test
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: ingress-test
      strategy:
        type: RollingUpdate
      template:
        metadata:
          labels:
            app: ingress-test
        spec:
          containers:
            # Third-party public image. You can obtain the address by referring to the description or use your own image.
          - image: nginx  
            imagePullPolicy: Always
            name: nginx

    vi ingress-test-svc.yaml

    apiVersion: v1 
    kind: Service 
    metadata: 
      labels: 
        app: ingress-test 
      name: ingress-test 
    spec:
      ports: 
      - name: service0 
        port: 8080             # Access port of the virtual IP address of the cluster.
        protocol: TCP 
        targetPort: 8080       # Container port on which the application listens.
      # If multiple ports need to be set, fill in the following information in sequence:
      - name: service1 
        port: 8081 
        protocol: TCP 
        targetPort: 8081
      selector: 
        app: ingress-test 
      type: NodePort          # Uses the NodePort access type to connect to the load balancer.

    vi ingress-test-ingress.yaml

    apiVersion: extensions/v1beta1 
    kind: Ingress 
    metadata: 
      annotations: 
        kubernetes.io/elb.ip: 192.168.0.39        # Mandatory. Service address of an enhanced load balancer. The value can be the public IP address of a public network load balancer or the private IP address of a private network load balancer.
        kubernetes.io/elb.port: "80"              # Mandatory. External port registered with the ELB service address.
      name: ingress-test 
    spec:
      tls:                             # Optional. If the HTTPS protocol is used, this parameter is required.
      - secretName: test-secret        # Optional. This parameter is required when HTTPS is used. Set this parameter to the name of the created key certificate.
      rules: 
      - http: 
          paths: 
          - backend: 
              serviceName: ingress-test   # Name of the ingress-test-svc.yaml service.
              servicePort: 8080           # targetPort of the ingress-test-svc.yaml, that is, the container port.
            property:
              ingress.beta.kubernetes.io/url-match-mode: EQUAL_TO    # Route matching policy. The options are EQUAL_TO (exact matching), STARTS_WITH (prefix matching), and REGEX (regular expression matching).
            path: "/healthz"              # User-defined route.

    vi ingress-test-secret.yaml

    apiVersion: v1
    data:
      tls.crt: LS0tLS1CR******LS0tCg==
      tls.key: LS0t******S0tLS0K
    kind: Secret
    metadata:
      annotations:
        description: test for ingressTLS secrets
      name: test-secret
      namespace: default
    type: IngressTLS

  3. Create an application.

    kubectl create -f ingress-test-deployment.yaml

    If the following information is displayed, the application is being created.

    deployment "nginx" created

    kubectl get po

    If the following information is displayed, the application is created successfully.

    NAME                            READY     STATUS             RESTARTS   AGE
    ingress-test-1627801589-r64pk   1/1       Running            0          6s

  4. Create a secret.

    kubectl create -f ingress-test-secret.yaml

    If the following information is displayed, the secret is being created.

    secret "ingress-test-secret" created

    kubectl get secrets

    If the following information is displayed, the secret is created successfully.

    NAME                         TYPE                                  DATA      AGE
    dash-dashboard               Opaque                                0         7d
    dash-dashboard-token-f2nbk   kubernetes.io/service-account-token   3         7d
    default-secret               kubernetes.io/dockerconfigjson        1         8d
    default-token-wfn4l          kubernetes.io/service-account-token   3         8d
    paas.elb                     cfe/secure-opaque                     2         8d
    ingress-test-secret          IngressTLS                            2         13s

  5. Create a service.

    kubectl create -f ingress-test-svc.yaml

    If the following information is displayed, the service has been created.

    service "ingress-test" created

    kubectl get svc

    If the following information is displayed, the service has been created successfully.

    NAME            TYPE          CLUSTER-IP        EXTERNAL-IP   PORT(S)          AGE
    ingress-test    NodePort      10.247.189.207    <none>       8080:30532/TCP   5s
    kubernetes      ClusterIP     10.247.0.1        <none>        443/TCP          3d

    kubectl create -f ingress-test-ingress.yaml

    If the following information is displayed, the ingress service has been created.

    ingress "ingress-test" created

    kubectl get ingress

    If the following information is displayed, the ingress service is created successfully and the application is accessible.

    NAME             HOSTS     ADDRESS          PORTS   AGE
    ingress-test     *         10.154.76.63     80      10s

  6. Enter http://10.154.76.63/healthz in the address box of the browser.

    10.154.76.63 indicates the IP address of the enhanced load balancer.
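
The tls.crt and tls.key values in ingress-test-secret.yaml (step 2) are the base64-encoded PEM files. The following is an added example, not part of the CCE documentation, that renders that manifest from a certificate and key file and checks that the ingress references the secret by the same name. The function names and the script name make-secret.sh are hypothetical, and the PEM file names are placeholders.

```shell
#!/bin/sh
# Added example: render the IngressTLS Secret manifest from PEM files.

# pem_kind FILE: print "cert", "key" or "unknown" based on the first PEM header line.
pem_kind() {
  case "$(head -n 1 "$1" 2>/dev/null)" in
    "-----BEGIN CERTIFICATE-----")      echo cert ;;
    "-----BEGIN "*"PRIVATE KEY-----")   echo key ;;
    *)                                  echo unknown ;;
  esac
}

# b64_oneline FILE: base64 of FILE on one line (GNU base64 wraps at 76 columns).
b64_oneline() { base64 < "$1" | tr -d '\n'; }

# make_ingress_tls_secret NAME NAMESPACE CERT KEY OUT
# Refuses swapped or non-PEM inputs, then writes OUT readable by the owner only,
# because the manifest embeds the private key.
make_ingress_tls_secret() {
  name=$1 ns=$2 cert=$3 key=$4 out=$5
  [ "$(pem_kind "$cert")" = cert ] || { echo "error: $cert is not a PEM certificate" >&2; return 1; }
  [ "$(pem_kind "$key")" = key ] || { echo "error: $key is not a PEM private key" >&2; return 1; }
  rm -f "$out"
  ( umask 077
    cat > "$out" <<EOF
apiVersion: v1
data:
  tls.crt: $(b64_oneline "$cert")
  tls.key: $(b64_oneline "$key")
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: IngressTLS
EOF
  )
}

# ingress_uses_secret NAME INGRESS_YAML: succeed only if a secretName entry equals NAME,
# so a Secret created under a different name is caught before kubectl create.
ingress_uses_secret() {
  awk -v want="$1" '
    { i = ($1 == "-") ? 2 : 1 }
    $i == "secretName:" { v = $(i + 1); gsub(/"/, "", v); if (v == want) found = 1 }
    END { exit !found }' "$2"
}

# Usage (hypothetical script name):
#   sh make-secret.sh test-secret default tls.crt tls.key ingress-test-secret.yaml
if [ "$#" -eq 5 ]; then make_ingress_tls_secret "$@"; fi
```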