An MSE Ingress is an Ingress service built on cloud-native gateways of Alibaba Cloud Microservices Engine (MSE). MSE Ingresses are compatible with NGINX Ingresses and NGINX Ingress annotations. MSE Ingresses support the canary release of multiple service versions, flexible service governance capabilities, and comprehensive security protection. You can use MSE Ingresses to meet the requirements for traffic governance on a large number of cloud-native distributed applications. This topic describes how to use MSE Ingresses to access applications in Container Service for Kubernetes (ACK) clusters.
Prerequisites
MSE is activated. You can go to the MSE console to activate MSE.
The MSE Ingress Controller component is installed in the ACK cluster. You can use one of the following methods to install the MSE Ingress Controller component:
When you create an ACK cluster, you can select MSE Ingress for Ingress in the Component Configurations step.
If an existing ACK cluster is available, you can install the MSE Ingress Controller component on the Add-ons page. For more information, see Install the MSE Ingress Controller component on the Add-ons page.
Note: The version of your cluster must be V1.16 or later. For more information about how to create a cluster, see Create an ACK dedicated cluster or Create an ACK managed cluster. For more information about how to upgrade a cluster, see Update the Kubernetes version of an ACK cluster.
Relevant permissions are granted to the MSE Ingress Controller component. For more information, see Grant permissions to MSE Ingress Controller in ACK or ACK Serverless clusters.
A kubectl client is connected to the ACK cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
Background information
In Kubernetes, you can define Ingress resources to manage internal services that are externally exposed. An Ingress is a collection of rules that allow access to services in a cluster. You can define Ingress resources in a destination Kubernetes cluster to configure routing rules. This way, different URLs can be used to access different services in the cluster.
An Ingress is a collection of traffic governance rules. Ingress controllers such as NGINX Ingress Controller are used to run Ingress resources. However, NGINX Ingress Controller cannot meet specific requirements of cloud-native applications. The requirements include complex traffic routing, support for multiple application-layer protocols, and Layer-7 traffic balancing. Application-layer protocols include Dubbo and Quick UDP Internet Connections (QUIC).
MSE Ingresses are next-generation gateways that are developed by Alibaba Cloud. MSE Ingresses offer the advantages of low costs, security protection, high integration, and high availability. For more information about MSE Ingresses and the working principle of MSE Ingresses, see Overview of MSE Ingress gateways.
Step 1: Configure an MSE cloud-native gateway by using an MseIngressConfig
An MseIngressConfig is a CustomResourceDefinition (CRD) that is provided by MSE Ingress Controller. MSE Ingress Controller uses an MseIngressConfig to manage the lifecycle and global configurations of an MSE cloud-native gateway.
One MseIngressConfig maps to one cloud-native gateway. If you need to use multiple cloud-native gateways, you must create multiple MseIngressConfigs.
If you delete an MseIngressConfig, the MSE cloud-native gateway that maps to the MseIngressConfig is also deleted, except in the reuse scenario.
Run the following command to create a gateway named mse-ingress. The gateway contains three replicas and uses the default configurations for the vSwitches, Server Load Balancer (SLB) instances, and security groups. Each replica is configured with 2 vCPUs and 4 GB of memory. For more information about MseIngressConfig, see the "Introduction to MseIngressConfigs" section in Configure an MseIngressConfig.
If no vSwitch is configured, the vSwitch of the Kubernetes node on which MSE Ingress Controller is scheduled is automatically selected. As a result, only one vSwitch is configured for the created MSE cloud-native gateway. We recommend that you manually configure two vSwitches for the MSE cloud-native gateway in the production environment.
If no SLB instance is configured, an Internet-facing SLB instance that uses the slb.s2.small specifications is automatically created for the MSE cloud-native gateway.
If no security group is configured, a basic security group is automatically created for the MSE cloud-native gateway.
cat << EOF | kubectl apply -f -
apiVersion: mse.alibabacloud.com/v1alpha1
kind: MseIngressConfig
metadata:
  name: test
spec:
  name: mse-ingress
  common:
    instance:
      spec: 2c4g
      replicas: 3
EOF
The following table describes the parameters in spec.
Parameter | Description | Required | Example |
spec.name | The name of the MSE cloud-native gateway that you want to create. | No | mse-ingress |
spec.common.instance.spec | The specifications of the MSE cloud-native gateway that you want to create. The default value is 4c8g. | No | 2c4g |
spec.common.instance.replicas | The number of replicas of the MSE cloud-native gateway that you want to create. The default value is 3. | No | 3 |
Step 2: Configure an IngressClass resource
For MSE Ingresses, you can configure IngressClass resources by using one of the following methods based on actual business scenarios.
Use Kubernetes IngressClass resources
You can use standard Kubernetes IngressClass resources to configure an IngressClass resource for an MSE Ingress. This method is suitable for scenarios where new services access an MSE Ingress.
Use MseIngressConfig resources
You can configure an IngressClass resource for an MSE Ingress by using Ingress-related configurations in an MseIngressConfig. This method is suitable for migration from an Ingress such as NGINX Ingress to MSE Ingress. IngressClass resources in a Kubernetes cluster must have unique names. During migration, both the NGINX Ingress and MSE Ingress must listen to the same IngressClass resource. Therefore, MSE Ingress allows you to configure an IngressClass resource by using MseIngressConfigs.
Use Kubernetes IngressClass resources
An IngressClass resource is the description of an Ingress controller. An IngressClass resource is used to declare the implementation of an Ingress controller in a Kubernetes cluster. The Ingress resources that are associated with the IngressClass resource are parsed by the Ingress controller. You must associate an MseIngressConfig with the Parameter field of the IngressClass resource to implement the traffic management rule that is specified in the parsed Ingress resource description. An MseIngressConfig maps to an MSE cloud-native gateway.
Run one of the following commands to create an IngressClass resource and, in spec.parameters, associate the resource with the MseIngressConfig created in Step 1: Configure an MSE cloud-native gateway by using an MseIngressConfig.
Clusters that run Kubernetes versions earlier than V1.19
cat << EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1beta1
kind: IngressClass
metadata:
  name: mse
spec:
  controller: mse.alibabacloud.com/ingress
  parameters:
    apiGroup: mse.alibabacloud.com
    kind: MseIngressConfig
    name: test
EOF
Clusters that run Kubernetes V1.19 or later
cat << EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: mse
spec:
  controller: mse.alibabacloud.com/ingress
  parameters:
    apiGroup: mse.alibabacloud.com
    kind: MseIngressConfig
    name: test
EOF
Use MseIngressConfig resources
This method is suitable for migration or scenarios where IngressClass resources cannot be created. You can configure an IngressClass resource for an MSE Ingress by using the Ingress-related configurations in an MseIngressConfig resource.
For example, you can modify the configuration of the MseIngressConfig resource created in Step 1 and set ingressClass to mse.
apiVersion: mse.alibabacloud.com/v1alpha1
kind: MseIngressConfig
metadata:
  name: test
spec:
  name: mse-ingress
  common:
    instance:
      spec: 2c4g
      replicas: 3
  ingress:
    local:
      ingressClass: mse
Parameter | Description |
ingress | The listener configuration of the Ingress. |
ingress.local | The Ingress listener configuration of the ACK cluster in which the cloud-native gateway is deployed. |
ingress.local.ingressClass | The name of the IngressClass resource. The cloud-native gateway listens to the Ingress resource that is associated with the specified IngressClass resource in the cluster. Valid values:
Note: The IngressClass resource that you use to associate with an MseIngressConfig resource takes precedence over the IngressClass resource that is specified by this parameter. |
Verify the result
Run the following command to query the status of the MseIngressConfig resource. If the MseIngressConfig resource is in the Listening state, the cloud-native gateway is created and is running. The cloud-native gateway automatically listens to Ingress resources that are associated with the IngressClass resource mse in the cluster.
kubectl get MseIngressConfig test
Expected output:
NAME STATUS AGE
test Listening 3m15s
The status of the MseIngressConfig resource changes in the following order: Pending > Running > Listening. Status description:
Pending: The cloud-native gateway is being created. The creation process takes about 3 minutes.
Running: The cloud-native gateway is created and is running.
Listening: The cloud-native gateway is running and listens to Ingress resources in the cluster.
Failed: The cloud-native gateway is invalid. You can view Message in the Status field to identify the cause.
Step 3: Use the MSE Ingress to access applications in the ACK cluster
Run the following command to deploy the backend service go-httpbin:
cat << EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: go-httpbin
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: go-httpbin
  template:
    metadata:
      labels:
        app: go-httpbin
        version: v1
    spec:
      containers:
        - image: specialyang/go-httpbin:v3
          args:
            - "--port=8090"
            - "--version=v1"
          imagePullPolicy: Always
          name: go-httpbin
          ports:
            - containerPort: 8090
---
apiVersion: v1
kind: Service
metadata:
  name: go-httpbin
  namespace: default
spec:
  ports:
    - port: 80
      targetPort: 8090
      protocol: TCP
  selector:
    app: go-httpbin
EOF
Run one of the following commands to create an Ingress resource. The /version routing rule of the domain name example.com in the code is used to expose the backend service go-httpbin.
Clusters that run Kubernetes versions earlier than V1.19
cat << EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress
  namespace: default
spec:
  ingressClassName: mse
  rules:
    - host: example.com
      http:
        paths:
          - path: /version
            backend:
              serviceName: go-httpbin
              servicePort: 80
EOF
Clusters that run Kubernetes V1.19 or later
cat << EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  namespace: default
spec:
  ingressClassName: mse
  rules:
    - host: example.com
      http:
        paths:
          - backend:
              service:
                name: go-httpbin
                port:
                  number: 80
            path: /version
            pathType: Prefix
EOF
View the IP address of the Ingress resource.
kubectl get ingress ingress
Expected output:
NAME      CLASS   HOSTS         ADDRESS        PORTS   AGE
ingress   mse     example.com   114.55.XX.XX   80      12m
Run the following command to perform an access test:
curl -H "host: example.com" 114.55.XX.XX/version
Expected output:
version:v1
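To review which hosts and paths a gateway publishes on its SLB address after Steps 2 and 3, the following added example (not Alibaba Cloud's code) resolves the IngressClass each gateway listens to and lists the matching Ingress routes. It reads the precedence note in Step 2 as "an IngressClass bound through spec.parameters overrides ingress.local.ingressClass". The `legacy` and `nginx` classes and the extra Ingress objects are constructed sample data. In a real cluster the three lists would be the `.items` arrays from `kubectl get ... -o json`.

```python
MSE_CONTROLLER = "mse.alibabacloud.com/ingress"

def gateway_classes(cfg, ingress_classes):
    """IngressClass names the gateway behind one MseIngressConfig listens to."""
    bound = sorted(
        ic["metadata"]["name"] for ic in ingress_classes
        if ic["spec"].get("controller") == MSE_CONTROLLER
        and (ic["spec"].get("parameters") or {}).get("kind") == "MseIngressConfig"
        and (ic["spec"].get("parameters") or {}).get("name") == cfg["metadata"]["name"])
    if bound:  # an IngressClass bound via spec.parameters takes precedence
        return bound
    local = cfg["spec"].get("ingress", {}).get("local", {}).get("ingressClass")
    return [local] if local else []  # other values of this field are not modelled

def exposed_routes(configs, ingress_classes, ingresses):
    """Map gateway name -> sorted (namespace/name, host, path) routes it serves."""
    report = {}
    for cfg in configs:
        classes = gateway_classes(cfg, ingress_classes)
        routes = []
        for ing in ingresses:
            if ing["spec"].get("ingressClassName") not in classes:
                continue
            ref = ing["metadata"]["namespace"] + "/" + ing["metadata"]["name"]
            for rule in ing["spec"].get("rules", []):
                for p in rule.get("http", {}).get("paths", []):
                    routes.append((ref, rule.get("host", "*"), p.get("path", "/")))
        report[cfg["spec"].get("name", cfg["metadata"]["name"])] = sorted(routes)
    return report

def _ingress(name, cls, host, path):  # builds a constructed sample Ingress object
    return {"metadata": {"name": name, "namespace": "default"},
            "spec": {"ingressClassName": cls,
                     "rules": [{"host": host, "http": {"paths": [{"path": path}]}}]}}

# Constructed sample: the page's objects, plus a "legacy" class and an nginx Ingress.
CONFIGS = [{"metadata": {"name": "test"},
            "spec": {"name": "mse-ingress",
                     "ingress": {"local": {"ingressClass": "legacy"}}}}]
CLASSES = [{"metadata": {"name": "mse"},
            "spec": {"controller": MSE_CONTROLLER,
                     "parameters": {"apiGroup": "mse.alibabacloud.com",
                                    "kind": "MseIngressConfig", "name": "test"}}}]
INGRESSES = [_ingress("ingress", "mse", "example.com", "/version"),
             _ingress("old", "legacy", "old.example.com", "/"),
             _ingress("other", "nginx", "nginx.example.com", "/")]

if __name__ == "__main__":
    for gw, routes in exposed_routes(CONFIGS, CLASSES, INGRESSES).items():
        print(gw, routes)
```

Run it before and after changing an IngressClass binding: any route that newly appears under a gateway becomes reachable through that gateway's SLB, which is Internet-facing when the defaults from Step 1 are used.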