AI-Gateway Series: kgateway-09 HTTPS/HTTP Access Test

Configure the TLS certificate

cd ~/albert/gw/kgateway

# Create a directory for the certificates
mkdir -p example_certs

# Generate a self-signed root certificate (valid for 365 days)
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=any domain/CN=*' -keyout example_certs/root.key -out example_certs/root.crt

ls -l
-rw------- 1 hpcc hpcc  xxxx  root.key
-rw-r--r-- 1 hpcc hpcc  xxxx  root.crt

# Create gateway.cnf (the certificate request template)

cat <<'EOF' > example_certs/gateway.cnf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = *.example.com
O = any domain

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.example.com
DNS.2 = example.com
EOF

# Generate the server private key + CSR (certificate signing request)
openssl req -new -nodes -keyout example_certs/gateway.key -out example_certs/gateway.csr -config example_certs/gateway.cnf

# Sign the server certificate from the CSR with the root CA
# (line continuations added; the req_ext section supplies the subjectAltName)
openssl x509 -req -sha256 -days 365 \
  -CA example_certs/root.crt -CAkey example_certs/root.key -set_serial 0 \
  -in example_certs/gateway.csr -out example_certs/gateway.crt \
  -extfile example_certs/gateway.cnf -extensions req_ext

# Check
ll example_certs/
total 32
drwxrwxr-x 2 hpcc hpcc 4096 Nov 15 13:00 ./
drwxrwxr-x 5 hpcc hpcc 4096 Nov 15 12:43 ../
-rw-rw-r-- 1 hpcc hpcc  249 Nov 15 12:56 gateway.cnf
-rw-rw-r-- 1 hpcc hpcc 1082 Nov 15 13:00 gateway.crt
-rw-rw-r-- 1 hpcc hpcc 1001 Nov 15 13:00 gateway.csr
-rw------- 1 hpcc hpcc 1704 Nov 15 13:00 gateway.key
-rw-rw-r-- 1 hpcc hpcc 1147 Nov 15 12:45 root.crt
-rw------- 1 hpcc hpcc 1704 Nov 15 12:45 root.key


# Create a TLS Secret in the kgateway-system namespace. A Gateway API HTTPS listener (for example on port 443) must reference a Kubernetes Secret to load its certificate.
# (line continuations added; the paths point into example_certs/, where the files were generated above)
kubectl create secret tls httpbin-example-cert \
  --namespace kgateway-system \
  --cert=example_certs/gateway.crt \
  --key=example_certs/gateway.key

# Check
kubectl get secret httpbin-example-cert -n kgateway-system -o yaml

kubectl get secret httpbin-example-cert -n kgateway-system
NAME                   TYPE                DATA   AGE
httpbin-example-cert   kubernetes.io/tls   2      69s

Create the Gateway instance

cat << 'EOF' | kubectl apply -f -
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: https
  namespace: kgateway-system
spec:
  gatewayClassName: agentgateway
  listeners:
  - name: https
    protocol: HTTPS
    port: 8443
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: httpbin-example-cert
    allowedRoutes:
      namespaces:
        from: All
EOF


kubectl get gateway https -n kgateway-system

kubectl get pods -n kgateway-system -l gateway.networking.k8s.io/gateway-name=https

Configure the HTTPRoute for the HTTPS listener

cat << 'EOF' | kubectl apply -f -
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httpbin-https-route
  namespace: httpbin
spec:
  parentRefs:
  - name: https
    namespace: kgateway-system
  hostnames:
  - "www.example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: httpbin
      port: 8000
EOF

# Check the HTTP routes
kubectl get httproute -n httpbin
NAME                  HOSTNAMES             AGE
httpbin               ["www.example.com"]   99m
httpbin-https-route   ["www.example.com"]   13m


kubectl get gateway -n kgateway-system https -o yaml
status:
  conditions:
  - lastTransitionTime: "2025-11-15T05:22:23Z"
    message: ""
    observedGeneration: 1
    reason: Accepted
    status: "True"
    type: Accepted
  - lastTransitionTime: "2025-11-15T05:22:23Z"
    message: Successfully programmed Gateway
    observedGeneration: 1
    reason: Programmed
    status: "True"
    type: Programmed
  listeners:
  - attachedRoutes: 1
    conditions:
    - lastTransitionTime: "2025-11-15T05:22:23Z"
      message: No errors found
kubectl get httproute -n httpbin httpbin-https-route -o yaml | grep "Accepted"
      reason: Accepted
      type: Accepted

kubectl get deploy -n kgateway-system
NAME       READY   UP-TO-DATE   AVAILABLE   AGE
http       1/1     1            1           4h36m
https      1/1     1            1           105m
kgateway   1/1     1            1           5h33m
kubectl get gateway -A
NAMESPACE         NAME    CLASS          ADDRESS   PROGRAMMED   AGE
kgateway-system   http    agentgateway             True         4h37m
kgateway-system   https   agentgateway             True         106m

Test

# Set up port forwarding and verify locally with curl
kubectl -n kgateway-system port-forward pod/https-6f44cd5d54-kt85k 8443:8443
Forwarding from 127.0.0.1:8443 -> 8443
Forwarding from [::1]:8443 -> 8443


curl -k https://localhost:8443/headers -H "Host: www.example.com"
{
  "headers": {
    "Accept": [
      "*/*"
    ],
    "Host": [
      "www.example.com"
    ],
    "User-Agent": [
      "curl/7.68.0"
    ]
  }
}
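The `-k` flag above disables certificate verification, so this test proves only that the listener terminates TLS, not that the served certificate chains to root.crt or is valid for www.example.com. Without `-k` the same request would look like `curl --cacert example_certs/root.crt --resolve www.example.com:8443:127.0.0.1 https://www.example.com:8443/headers` (assumed invocation, not from the post). The Go program below is an added example, not code from the post or the kgateway project: it recreates the post's two-step PKI with the standard library (a self-signed root with CN=* / O=any domain, and a leaf carrying the SANs *.example.com and example.com signed by that root), then verifies the leaf the way a correctly configured client does. ECDSA P-256 keys, in-memory DER and the serial numbers are this example's own choices standing in for the RSA PEM files on disk.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Bundle holds the DER-encoded equivalents of the post's root.crt and gateway.crt.
type Bundle struct {
	RootDER []byte
	LeafDER []byte
}

// NewBundle mirrors the two openssl steps from the post: a self-signed root CA
// and a leaf with wildcard + apex SANs signed by it. Key type and serials are
// assumptions made for this example only.
func NewBundle() (*Bundle, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "*", Organization: []string{"any domain"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	rootCert, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "*.example.com", Organization: []string{"any domain"}},
		DNSNames:     []string{"*.example.com", "example.com"}, // same SANs as gateway.cnf
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, rootCert, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &Bundle{RootDER: rootDER, LeafDER: leafDER}, nil
}

// VerifyServerCert does what a client with --cacert does and what -k skips:
// it chains the leaf to the trusted root and checks host against the SANs.
func VerifyServerCert(b *Bundle, host string) error {
	root, err := x509.ParseCertificate(b.RootDER)
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(b.LeafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Trusted reports whether the served certificate is acceptable for host.
func Trusted(b *Bundle, host string) bool {
	return VerifyServerCert(b, host) == nil
}

func main() {
	b, err := NewBundle()
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"www.example.com", "example.com", "localhost", "a.b.example.com"} {
		fmt.Printf("%-16s trusted=%v\n", h, Trusted(b, h))
	}
}
```

Run it with `go run`. Note that `localhost` is rejected, which is exactly why the post's port-forward test needs either `-k` or `--resolve` to present the real hostname; `a.b.example.com` is also rejected because a wildcard SAN covers a single DNS label.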

Traffic path

curl -k https://localhost:8443/headers -H "Host: www.example.com"
       │
[local port 8443]
(port-forward)
       │
[port 8443 inside the Gateway Pod (HTTPS listener)]
       │  (TLS handshake and decryption using Secret httpbin-example-cert)
       │
[decrypted HTTP request: GET /headers, Host=www.example.com]
       │
       │  (per HTTPRoute: host=www.example.com → backendRefs: httpbin:8000)
       │
[Service httpbin:8000 (ClusterIP virtual port)]
       │  (Service: port 8000 → targetPort 8080)
       │
[port 8080 inside the httpbin Pod container]
       │
go-httpbin process handles the request and returns the response (JSON headers)
       │
[Gateway wraps the HTTP response back into TLS and returns it to curl]
