AI-Gateway Series_kgateway-10: WebSocket Access Test

Create the test application

# Build the WebSocket echo service

apiVersion: v1
kind: Namespace
metadata:
  name: wsdemo
---
apiVersion: v1
kind: Service
metadata:
  name: ws-echo
  namespace: wsdemo
spec:
  ports:
  - name: ws
    port: 8080
    targetPort: 8080
  selector:
    app: ws-echo
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ws-echo
  namespace: wsdemo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ws-echo
  template:
    metadata:
      labels:
        app: ws-echo
    spec:
      containers:
      - name: ws-echo
        image: 10.118.17.28:30002/kgateway/ws-echo:latest
        env:
        - name: PORT
          value: "8080"
        ports:
        - containerPort: 8080

 

# Create the test application: deploy the "backend business service" ws-echo into the cluster.
kubectl apply -f ws-echo.yaml

# Check that the test application is running normally
kubectl get pods -n wsdemo

 

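Configure the WebSocket route

💡 If Host = ws.example.com and the path starts with /ws, forward the traffic to ws-echo:8080 in wsdemo.

# Keep reusing the existing Gateway https (8443) and add one more hostname: ws.example.com
# Rule: traffic with the /ws prefix → forwarded to ws-echo:8080 in wsdemo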

kubectl apply -f- << 'EOF'
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: ws-echo-route
  namespace: wsdemo
spec:
  parentRefs:
    - name: https
      namespace: kgateway-system
  hostnames:
    - "ws.example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /ws
      backendRefs:
        - name: ws-echo
          port: 8080
EOF

# Check
kubectl get httproute -n wsdemo
NAME            HOSTNAMES            AGE
ws-echo-route   ["ws.example.com"]   41s

kubectl describe httproute ws-echo-route -n wsdemo

Status:
  Parents:
    Conditions:
      Last Transition Time:  2025-11-15T07:00:49Z
      Message:               
      Observed Generation:   1
      Reason:                Accepted
      Status:                True
      Type:                  Accepted
      Last Transition Time:  2025-11-15T07:00:49Z
      Message:               
      Observed Generation:   1
      Reason:                ResolvedRefs
      Status:                True
      Type:                  ResolvedRefs
      

Test

# Set up port forwarding and run the verification locally with curl
kubectl get pods -n kgateway-system -l gateway.networking.k8s.io/gateway-name=https
NAME                     READY   STATUS    RESTARTS   AGE
https-6f44cd5d54-kt85k   1/1     Running   0          116m


kubectl -n kgateway-system port-forward pod/https-6f44cd5d54-kt85k 8443:8443

# Test with curl

curl -vk https://localhost:8443/ws \
>   -H "Host: ws.example.com" \
>   -H "Connection: Upgrade" \
>   -H "Upgrade: websocket" \
>   -H "Sec-WebSocket-Version: 13" \
>   -H "Sec-WebSocket-Key: SGVsbG9XZWJTb2NrZXQ="

*   Trying 127.0.0.1:8443...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.example.com; O=any domain
*  start date: Nov 15 05:00:59 2025 GMT
*  expire date: Nov 15 05:00:59 2026 GMT
*  issuer: O=any domain; CN=*
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /ws HTTP/1.1
> Host: ws.example.com
> User-Agent: curl/7.68.0
> Accept: */*
> Connection: Upgrade
> Upgrade: websocket
> Sec-WebSocket-Version: 13
> Sec-WebSocket-Key: SGVsbG9XZWJTb2NrZXQ=
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):


# Test with wscat
npm install -g wscat

wscat -c wss://localhost:8443/ws -H "Host: ws.example.com"

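💡 1. Whether the HTTP → WebSocket upgrade succeeds (101, and the connection stays open). 2. Whether the bidirectional byte stream after the upgrade is forwarded transparently (what you send keeps being echoed back).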
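
The first check can be made mechanical. The following Python is an added example, not code from the original post: it validates a handshake response per RFC 6455 (status 101, the Upgrade and Connection headers, and a Sec-WebSocket-Accept derived from the key that was sent). The responses are constructed samples and the function names are hypothetical; the key must be base64 of a 16-byte nonce, which the key in the curl command above (14 bytes once decoded) is not, so a strict server may refuse it.

```python
import base64
import hashlib
import os

# GUID fixed by RFC 6455 for deriving Sec-WebSocket-Accept from the key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

def new_key():
    return base64.b64encode(os.urandom(16)).decode("ascii")  # 16-byte nonce

def key_is_valid(key):
    """RFC 6455 requires the key to decode to exactly 16 bytes."""
    try:
        return len(base64.b64decode(key, validate=True)) == 16
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def expected_accept(key):
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def check_upgrade(key, raw_response):
    """Return a list of problems; an empty list means a valid upgrade."""
    problems = []
    if not key_is_valid(key):
        problems.append("Sec-WebSocket-Key is not base64 of 16 bytes")
    lines = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "101":
        problems.append("status is not 101: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("upgrade", "").lower() != "websocket":
        problems.append("missing 'Upgrade: websocket'")
    if "upgrade" not in headers.get("connection", "").lower():
        problems.append("missing 'Connection: Upgrade'")
    if headers.get("sec-websocket-accept") != expected_accept(key):
        problems.append("Sec-WebSocket-Accept does not match the key")
    return problems

# Constructed sample data: the key/accept pair is the RFC 6455 example.
RFC_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
PAGE_KEY = "SGVsbG9XZWJTb2NrZXQ="  # key used in the curl command above
GOOD = ("HTTP/1.1 101 Switching Protocols\r\nupgrade: websocket\r\n"
        "connection: Upgrade\r\n"
        "sec-websocket-accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
NO_ROUTE = "HTTP/1.1 404 Not Found\r\ncontent-length: 0\r\n\r\n"
```

To retest with curl, a value from `new_key()` can replace the Sec-WebSocket-Key header, and the response headers curl prints can be passed to `check_upgrade` together with that key.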

Traffic path

wss://localhost:8443/ws   Host: ws.example.com
       │
       ▼
[Local machine 8443]
(port-forward)
       │
       ▼
[Port 8443 inside the Gateway Pod (HTTPS listener)]
       │  (TLS handshake & decryption using Secret httpbin-example-cert)
       │
       ▼
[After decryption it is an HTTP request: GET /ws, Host=ws.example.com
       + headers: Connection: Upgrade, Upgrade: websocket]
       │
       │  (Gateway / Envoy supports the WebSocket upgrade: 101 Switching Protocols)
       │
       ▼
[WebSocket tunnel established: frontend ↔ Gateway ↔ backend]
       │
       │  (per the HTTPRoute: host=ws.example.com + path=/ws → backendRefs: ws-echo:8080)
       ▼
[Service ws-echo:8080 (ClusterIP virtual port)]
       │  (Service: port 8080 → targetPort 8080)
       ▼
[Port 8080 inside the ws-echo Pod container (echo server process)]
       │
       ▼
Send a message in wscat:
"hello"
       │
       ├─→ sent to ws-echo as a WebSocket frame
       │
       └←─ ws-echo echoes the received content back unchanged

 

 

 
