Kubernetes ยท Networking ยท

[Kubernetes] 🌐 Exposing TCP/TLS services with Kong: LoadBalancer + SNI + Gateway API

Kubernetes์—์„œ RedisยทDB ๊ฐ™์€ ์ˆœ์ˆ˜ TCP ์„œ๋น„์Šค๋ฅผ ๋„๋ฉ”์ธ์œผ๋กœ ์™ธ๋ถ€ ๋…ธ์ถœํ•˜๋ ค๋ฉด, Kong์˜ stream ๋ฆฌ์Šค๋„ˆ + SNI๋ฅผ ์“ฐ๋ฉด ๋ฉ๋‹ˆ๋‹ค. ์ด ๊ธ€์—์„œ๋Š” LoadBalancer๋กœ ๋ฐ›์€ ํฌํŠธ ํ•˜๋‚˜(์˜ˆ: 9443)์—์„œ SNI(๋„๋ฉ”์ธ)๋กœ ์—ฌ๋Ÿฌ TCP/TLS ๋ฐฑ์—”๋“œ๋ฅผ ๋ถ„๋ฐฐํ•˜๋Š” ๊ตฌ์„ฑ์„, Helm values๋ถ€ํ„ฐ Gateway API(TLSRoute) ๋งค๋‹ˆํŽ˜์ŠคํŠธ, ๊ทธ๋ฆฌ๊ณ  ์—๋Ÿฌ ๋ฉ”์‹œ์ง€๊ฐ€ ๋ฐ”๋€Œ๋ฉฐ ์›์ธ์„ ์ขํ˜€๊ฐ€๋Š” ๋””๋ฒ„๊น… ๊ณผ์ •๊นŒ์ง€ ์‹ค๋ฌด ๊ด€์ ์œผ๋กœ ๋‹ค๋ฃน๋‹ˆ๋‹ค.

ํ•ต์‹ฌ ์•„์ด๋””์–ด ํ•œ ์ค„: “ํฌํŠธ ํ•˜๋‚˜๋กœ ๋‹ค ๋ฐ›๊ณ , SNI๋กœ ๋ฐฑ์—”๋“œ๋ฅผ ๊ฐ€๋ฅธ๋‹ค.” LB์— ๋…ธ์ถœ๋œ ํฌํŠธ๊ฐ€ ๋ช‡ ๊ฐœ๋ฟ์ด์–ด๋„ ๋ฐฑ์—”๋“œ๋Š” ์ˆ˜์‹ญ ๊ฐœ๊ฐ€ ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค.

1ํด๋ผ์ด์–ธํŠธ โ”€โ”€(TLS + SNI)โ”€โ”€โ–ถ LoadBalancer(์™ธ๋ถ€ IP) โ”€โ”€โ–ถ Kong(stream ๋ฆฌ์Šค๋„ˆ, ssl)
2                                                          โ””โ”€(SNI๋กœ ๋ถ„๋ฐฐ)โ”€โ–ถ redis-a / redis-b / db-1 ...

๐Ÿงญ ๋ฌด์—‡์„ ํ•˜๋ ค๋Š”๊ฐ€ #

๋ชฉํ‘œ๋Š” “HTTP๊ฐ€ ์•„๋‹Œ TCP ์„œ๋น„์Šค"๋ฅผ ๋„๋ฉ”์ธ ๊ธฐ๋ฐ˜์œผ๋กœ ์™ธ๋ถ€์— ์—ฌ๋Š” ๊ฒƒ์ž…๋‹ˆ๋‹ค. IngressยทHTTPRoute๋Š” HTTP(L7) ์ „์šฉ์ด๋ผ RedisยทPostgreSQL ๊ฐ™์€ raw TCP์—๋Š” ์“ธ ์ˆ˜ ์—†์Šต๋‹ˆ๋‹ค. ๋Œ€์‹  Kong์˜ stream(L4) ๋ฆฌ์Šค๋„ˆ์— TLS๋ฅผ ์–น๊ณ , TLS ClientHello์˜ SNI๋กœ ์–ด๋А ๋ฐฑ์—”๋“œ์ธ์ง€ ๊ฐ€๋ฆ…๋‹ˆ๋‹ค.

  • ์ž…๋ ฅ: ํด๋ผ์ด์–ธํŠธ๊ฐ€ redis-a.example.com:9443์œผ๋กœ TLS ์ ‘์†(SNI์— ๋„๋ฉ”์ธ ์‹ค๋ฆผ).
  • Kong: 9443 stream ๋ฆฌ์Šค๋„ˆ์—์„œ TLS๋ฅผ ์ฒ˜๋ฆฌํ•˜๊ณ , SNI๋ฅผ ๋ณด๊ณ  redis-a ์„œ๋น„์Šค๋กœ ์—ฐ๊ฒฐ.
  • ๊ฒฐ๊ณผ: LB ํฌํŠธ ํ•˜๋‚˜(9443)๋กœ ์—ฌ๋Ÿฌ ๋ฐฑ์—”๋“œ๋ฅผ ๋„๋ฉ”์ธ๋ณ„ ๋ถ„๋ฐฐ.

๐Ÿ’ก ์ „์ œ: ์™ธ๋ถ€ IP๋ฅผ ์ž๋™ ํ• ๋‹นํ•˜๋Š” LoadBalancer๊ฐ€ ์ด๋ฏธ ์ œ๊ณต๋˜๋Š” ํ™˜๊ฒฝ(ํด๋ผ์šฐ๋“œ LB, MetalLB ๋“ฑ). ์—†์œผ๋ฉด NodePort๋กœ๋„ ๋˜์ง€๋งŒ ์ด ๊ธ€์€ LoadBalancer ๊ธฐ์ค€์ž…๋‹ˆ๋‹ค.


๐Ÿ†š tls ๋ฆฌ์Šค๋„ˆ vs stream ๋ฆฌ์Šค๋„ˆ (๊ฐ€์žฅ ํ—ท๊ฐˆ๋ฆฌ๋Š” ์ง€์ ) #

Kong values์—์„œ proxy.tls์™€ proxy.stream์€ ์™„์ „ํžˆ ๋‹ค๋ฅธ ๊ณ„์ธต์ž…๋‹ˆ๋‹ค. ์ด๊ฑธ ํ˜ผ๋™ํ•˜๋ฉด raw TCP๋ฅผ HTTPS ๋ฆฌ์Šค๋„ˆ์— ๋ฌผ๋ฆฌ๋Š” ์‹ค์ˆ˜๋ฅผ ํ•ฉ๋‹ˆ๋‹ค.

๊ตฌ๋ถ„proxy.tlsproxy.stream
๊ณ„์ธตL7 (HTTP over TLS = HTTPS)L4 (raw TCP/UDP)
ํ•˜๋Š” ์ผTLS ํ•ด์ œ ํ›„ HTTP ์š”์ฒญ์„ ํ˜ธ์ŠคํŠธยท๊ฒฝ๋กœ๋กœ ๋ผ์šฐํŒ…HTTP๊ฐ€ ์•„๋‹Œ ๋ฐ”์ดํŠธ ์ŠคํŠธ๋ฆผ์„ ๊ทธ๋Œ€๋กœ ์ „๋‹ฌ
๋ผ์šฐํŒ… ๊ธฐ์ค€Host ํ—ค๋”ยท๊ฒฝ๋กœSNI(๋˜๋Š” ํฌํŠธ)
์šฉ๋„์›น API, ์›น์‚ฌ์ดํŠธRedisยทDBยทgRPC-raw ๋“ฑ TCP
Gateway API ๋ผ์šฐํŠธHTTPRouteTLSRoute / TCPRoute

RedisยทDB๋ฅผ ์™ธ๋ถ€๋กœ ๋‚ผ ๋•Œ ํ•„์š”ํ•œ ๊ฑด stream ์ชฝ์ž…๋‹ˆ๋‹ค. ๊ทธ๋ฆฌ๊ณ  stream ํฌํŠธ์— ssl์„ ์–น์–ด์•ผ SNI ๊ธฐ๋ฐ˜ TLS ์ŠคํŠธ๋ฆผ ๋ผ์šฐํŒ…์ด ๋ฉ๋‹ˆ๋‹ค.

HTTP(S) ์„œ๋น„์Šค๋ผ๋ฉด ์ด ๊ธ€์ด ์•„๋‹ˆ๋ผ Ingress โ†’ Gateway API HTTPRoute ์ „ํ™˜์ด๋‚˜ Gateway API HTTPโ†’HTTPS ๋ฆฌ๋‹ค์ด๋ ‰ํŠธ๋ฅผ ์ฐธ๊ณ ํ•˜์„ธ์š”.


๐Ÿ”€ Gateway API ๋ฒ„์ „: TCPRouteยทTLSRoute๋Š” ์ง€๊ธˆ ์–ด๋””์—? #

์ด ์˜์—ญ์€ ๋น ๋ฅด๊ฒŒ ๋ฐ”๋€๋‹ˆ๋‹ค. L4 ๋ผ์šฐํŠธ(TLSRouteยทTCPRouteยทUDPRoute)๋Š” ์˜ค๋žซ๋™์•ˆ experimental์ด์—ˆ๊ณ , ์ตœ๊ทผ์—์•ผ ๋‹จ๊ณ„์ ์œผ๋กœ GA๋กœ ์Šน๊ฒฉ๋์Šต๋‹ˆ๋‹ค.

๋ฆฌ์†Œ์ŠคStandard(GA) ์ฑ„๋„ ์Šน๊ฒฉ๋น„๊ณ 
TLSRouteGateway API v1.5 (2026-02)v1๋กœ ์•ˆ์ •ํ™”
TCPRoute / UDPRouteGateway API v1.6๊ทธ ์ „(v1.5 ํฌํ•จ)๊นŒ์ง„ experimental

โš ๏ธ ํ•ต์‹ฌ ํ•จ์ •: ์—…์ŠคํŠธ๋ฆผ ์ŠคํŽ™์ด GA์—ฌ๋„ Kong(KIC)์ด ๊ทธ ๋ฒ„์ „์„ ๋”ฐ๋ผ์™”๋Š”์ง€๊ฐ€ ๊ด€๊ฑด์ž…๋‹ˆ๋‹ค. ํ˜„์žฌ Kong Ingress Controller๋Š” TLSRouteยทTCPRouteยทUDPRoute๋ฅผ v1alpha2 API ๊ทธ๋ฃน + GatewayAlpha ํ”ผ์ฒ˜ ๊ฒŒ์ดํŠธ + experimental CRD๋กœ ๋‹ค๋ฃน๋‹ˆ๋‹ค. ์ฆ‰ ์ŠคํŽ™์ƒ Standard์—ฌ๋„ Kong์—์„œ๋Š” ์—ฌ์ „ํžˆ experimental ์ฑ„๋„์ด ํ•„์š”ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

์ง€๊ธˆ ๋‚ด ํด๋Ÿฌ์Šคํ„ฐ๋Š” ์–ด๋–ค ์ƒํƒœ์ธ๊ฐ€? (ํ™•์ธ ๋ช…๋ น) #

1# ์„ค์น˜๋œ Gateway API ๋ฒˆ๋“ค ๋ฒ„์ „
2kubectl get crd gateways.gateway.networking.k8s.io \
3  -o jsonpath='{.metadata.annotations.gateway\.networking\.k8s\.io/bundle-version}'
4
5# TLSRoute/TCPRoute CRD๊ฐ€ ์ œ๊ณตํ•˜๋Š” ๋ฒ„์ „ (v1์ด ๋ณด์ด๋ฉด GA๋ณธ, v1alpha2๋ฟ์ด๋ฉด experimental)
6kubectl get crd tlsroutes.gateway.networking.k8s.io -o jsonpath='{.spec.versions[*].name}'
7kubectl get crd tcproutes.gateway.networking.k8s.io -o jsonpath='{.spec.versions[*].name}'

experimental ๋ฆฌ์†Œ์Šค๋ฅผ ์“ฐ๋ ค๋ฉด experimental ๋ฒˆ๋“ค ์„ค์น˜ + ์ปจํŠธ๋กค๋Ÿฌ ํ”ผ์ฒ˜ ๊ฒŒ์ดํŠธ๊ฐ€ ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค.

# Install the experimental-channel CRDs (includes TCPRoute/UDPRoute/TLSRoute)
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.6.0/experimental-install.yaml

# KIC values excerpt: enable the GatewayAlpha feature gate on the controller
controller:
  ingressController:
    env:
      feature_gates: "GatewayAlpha=true"

โš ๏ธ ์—…๊ทธ๋ ˆ์ด๋“œ ์ฃผ์˜: v1.4 ์ดํ•˜์˜ experimental TLSRoute๊ฐ€ ์žˆ๋Š” ์ƒํƒœ์—์„œ v1.5 standard๋ฅผ ๋ฎ์–ด ์„ค์น˜ํ•˜๋ฉด, ๊ธฐ์กด ๋ฆฌ์†Œ์Šค๊ฐ€ v1alpha2๋กœ ์ €์žฅ๋ผ ๋ชป ์“ฐ๊ฒŒ ๋  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ๊ธฐ์กด ํด๋Ÿฌ์Šคํ„ฐ๋ฅผ ์˜ฌ๋ฆด ๋• ๋งˆ์ด๊ทธ๋ ˆ์ด์…˜ ๊ฒฝ๋กœ๋ฅผ ๋จผ์ € ํ™•์ธํ•˜์„ธ์š”.

Kong ์„ค์น˜ ์ž์ฒด๊ฐ€ ์ฒ˜์Œ์ด๋ผ๋ฉด Kong Ingress Controller ์„ค์น˜ (Gateway API)๋ฅผ ๋จผ์ € ๋ณด๊ณ  ์˜ค์„ธ์š”.


๐Ÿ› ๏ธ Kong ์„ค์น˜ (Helm): NodePort โ†’ LoadBalancer + stream ๋ฆฌ์Šค๋„ˆ #

LoadBalancer ํƒ€์ž…์œผ๋กœ ๋ฐ”๊พธ๊ณ , stream ๋ฆฌ์Šค๋„ˆ๋ฅผ ์ถ”๊ฐ€ํ•˜๊ณ , TLS ํฌํŠธ์— ssl์„ ์–น๋Š” ๊ฒƒ์ด ํ•ต์‹ฌ์ž…๋‹ˆ๋‹ค. ์˜ˆ์ „ NodePort ํ”์ (nodePort: 30054 ๋“ฑ)์€ ๊ฑท์–ด๋ƒ…๋‹ˆ๋‹ค.

# kong values.yaml excerpt
proxy:
  type: LoadBalancer          # NodePort → LoadBalancer (external IP assigned automatically)
  http:
    enabled: true
    servicePort: 80
    containerPort: 8000
  tls:                        # = HTTPS (L7) listener
    enabled: true
    servicePort: 443
    containerPort: 8443
  stream:                     # = raw TCP/TLS (L4) stream listeners
    - containerPort: 9000
      servicePort: 9000
      protocol: TCP           # plaintext TCP
    - containerPort: 9443
      servicePort: 9443
      protocol: TCP
      parameters:
        - "ssl"               # ★ makes this port a TLS listener → required for SNI routing

ํฌ์ธํŠธ๋ฅผ ์ •๋ฆฌํ•˜๋ฉด:

  • nodePort ์‚ญ์ œ โ†’ LoadBalancer๊ฐ€ ํฌํŠธ๋ฅผ ์ž๋™ ํ• ๋‹น. ํด๋ผ์ด์–ธํŠธ๋Š” LB์™ธ๋ถ€IP:9443์œผ๋กœ ์ ‘์†.
  • servicePort = ์™ธ๋ถ€ ์ ‘์† ํฌํŠธ. containerPort = Kong ํŒŒ๋“œ ๋‚ด๋ถ€ ํฌํŠธ.
  • parameters: ["ssl"] = ๊ทธ stream ํฌํŠธ๋ฅผ TLS๋กœ ์ฒ˜๋ฆฌ(SNI๋ฅผ ์ฝ์„ ์ˆ˜ ์žˆ๊ฒŒ ๋จ). ์ด๊ฒŒ ๋น ์ง€๋ฉด Kong์ด ๊ทธ ํฌํŠธ๋ฅผ ํ‰๋ฌธ TCP๋กœ ์ทจ๊ธ‰ํ•ด TLS ํด๋ผ์ด์–ธํŠธ์™€ ๋ฏธ์Šค๋งค์น˜๊ฐ€ ๋‚ฉ๋‹ˆ๋‹ค.

๐Ÿ’ก parameters์—๋Š” ssl ์™ธ์— proxy_protocol, reuseport, backlog=N ๋“ฑ๋„ ๋„ฃ์„ ์ˆ˜ ์žˆ๊ณ , Kong ๋‚ด๋ถ€์˜ KONG_STREAM_LISTEN์— ์ž๋™ ๋ฐ˜์˜๋ฉ๋‹ˆ๋‹ค. ํ™˜๊ฒฝ๋ณ€์ˆ˜๋ฅผ kubectl set env๋กœ ์ง์ ‘ ๋„ฃ์œผ๋ฉด ๋‹ค์Œ helm ๋ฐฐํฌ ๋•Œ ๋ฎ์—ฌ ์‚ฌ๋ผ์ง€๋ฏ€๋กœ, ๋ฐ˜๋“œ์‹œ values์˜ parameters๋ฅผ ์“ฐ์„ธ์š”.

๋ฐฐํฌ:

1helm upgrade --install kong kong/kong -n kong --create-namespace -f values.yaml

๐Ÿšช Gateway + TLSRoute๋กœ SNI ๋ถ„๋ฐฐ ๊ตฌ์„ฑ #

Gateway์— stream ๋ฆฌ์Šค๋„ˆ๋ฅผ ์„ ์–ธํ•˜๊ณ , TLSRoute๋กœ SNI(๋„๋ฉ”์ธ) โ†’ ๋ฐฑ์—”๋“œ๋ฅผ ๋งคํ•‘ํ•ฉ๋‹ˆ๋‹ค. ๋ฆฌ์Šค๋„ˆ ํ”„๋กœํ† ์ฝœ์€ TLS์ž…๋‹ˆ๋‹ค.

1๏ธโƒฃ GatewayClass & Gateway #

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: kong
  namespace: kong
spec:
  gatewayClassName: kong
  listeners:
    - name: stream9443           # ★ must line up with the Service port name (pitfall ②)
      port: 9443
      protocol: TLS
      hostname: "*.example.com"  # SNI wildcard
      tls:
        mode: Terminate          # Kong terminates TLS, then splits by SNI
        certificateRefs:
          - kind: Secret
            name: wildcard-example-com-tls
      allowedRoutes:
        kinds:
          - kind: TLSRoute
        namespaces:
          from: All

  • mode: Terminate: Kong decrypts (so it needs the certificate), picks the backend by SNI and forwards plaintext. The hop from Kong to the backend is then unencrypted inside the cluster.
  • mode: Passthrough: Kong does not decrypt; it only reads the SNI and passes the stream through unchanged (the backend handles TLS itself). Use this when the backend's own TLS must be kept.
  • Issuing and managing the certificate Secret with cert-manager is convenient.
  • allowedRoutes.namespaces.from: All lets a TLSRoute in any namespace attach to this listener and claim a hostname under *.example.com. In a shared cluster, restrict it to Same or a Selector so that only trusted namespaces can bind backends to the public port.

2๏ธโƒฃ TLSRoute (SNI โ†’ ๋ฐฑ์—”๋“œ) #

apiVersion: gateway.networking.k8s.io/v1alpha2   # Kong still uses v1alpha2 (check your version!)
kind: TLSRoute
metadata:
  name: redis-a
  namespace: kong
spec:
  parentRefs:
    - name: kong
      sectionName: stream9443     # matches the Gateway listener name above
  hostnames:
    - "redis-a.example.com"       # only traffic arriving with this SNI
  rules:
    - backendRefs:
        - name: redis-a           # target Service
          port: 6379

๋ฐฑ์—”๋“œ๋ฅผ ํ•˜๋‚˜ ๋” ๋Š˜๋ฆฌ๋ ค๋ฉด TLSRoute๋งŒ ์ถ”๊ฐ€ํ•˜๋ฉด ๋ฉ๋‹ˆ๋‹ค(๊ฐ™์€ ๋ฆฌ์Šค๋„ˆ์— redis-b.example.com โ†’ redis-b:6379). ํฌํŠธ๋Š” ๊ทธ๋Œ€๋กœ 9443 ํ•˜๋‚˜์ž…๋‹ˆ๋‹ค.

ํ‰๋ฌธ TCP(ํฌํŠธ๋ณ„ ๋ถ„๋ฐฐ, SNI ๋ถˆํ•„์š”)๋งŒ ํ•„์š”ํ•˜๋ฉด protocol: TCP ๋ฆฌ์Šค๋„ˆ + TCPRoute๋ฅผ ์”๋‹ˆ๋‹ค. ์ด๋• ๋„๋ฉ”์ธ์ด ์•„๋‹ˆ๋ผ ํฌํŠธ๋กœ๋งŒ ๊ตฌ๋ถ„๋ฉ๋‹ˆ๋‹ค.


โš ๏ธ ํ•ต์‹ฌ ํ•จ์ • 3๊ฐ€์ง€ (์ง์ ‘ ๊ฒช์€ ๊ฒƒ) #

โ‘  stream ๋ฆฌ์Šค๋„ˆ์— ssl์ด ์—†์œผ๋ฉด โ†’ TLS ๋ฏธ์Šค๋งค์น˜ #

ํด๋ผ์ด์–ธํŠธ๋Š” TLS๋กœ ์ ‘์†ํ•˜๋Š”๋ฐ Kong์ด ๊ทธ ํฌํŠธ๋ฅผ ํ‰๋ฌธ์œผ๋กœ ๋ฐ›์œผ๋ฉด, “๋ด‰ํˆฌ๋ฅผ ์—ฝ์„œ๋กœ ์ฝ์œผ๋ ค๋‹ค” ๊นจ์ง‘๋‹ˆ๋‹ค. ๋Œ€ํ‘œ ์ฆ์ƒ์€ ssl: packet length too long. โ†’ stream ๋ฆฌ์Šค๋„ˆ์— parameters: ["ssl"] ๋กœ ํ•ด๊ฒฐ.

โ‘ก Gateway ๋ฆฌ์Šค๋„ˆ ์ด๋ฆ„ โ†” Service ํฌํŠธ ์ด๋ฆ„ ๋ถˆ์ผ์น˜ #

  • Gateway listener ์ด๋ฆ„: stream9443
  • Helm์ด ๋งŒ๋“  Service ํฌํŠธ ์ด๋ฆ„: stream-9443

์ด ๋‘˜์ด ์–ด๊ธ‹๋‚˜๋ฉด Gateway๊ฐ€ ๋ฆฌ์Šค๋„ˆ๋ฅผ ์‹ค์ œ ํฌํŠธ์— ๋ชป ๋ฌถ์–ด ์—ฐ๊ฒฐ์ด ์„ฑ๋ฆฝํ•˜์ง€ ์•Š์Šต๋‹ˆ๋‹ค. ์ด๋ฆ„์„ ๋งž์ถฐ์•ผ ํ•ฉ๋‹ˆ๋‹ค(ํ•„์š” ์‹œ Service/Deployment๋ฅผ patchํ•ด ํฌํŠธ ์ด๋ฆ„ ์ •๋ ฌ).

1# Service์˜ ์‹ค์ œ ํฌํŠธ ์ด๋ฆ„ ํ™•์ธ
2kubectl get svc -n kong kong-kong-proxy -o jsonpath='{.spec.ports[*].name}'; echo

โ‘ข LoadBalancer IP ์ ‘์†์€ ๋ฐฉํ™”๋ฒฝ/๋ณด์•ˆ๊ทธ๋ฃน์„ ๋„˜์–ด์•ผ ํ•จ #

ํฌํŠธํฌ์›Œ๋”ฉ(Pod ์ง์ ‘)์€ ๋˜๋Š”๋ฐ LB IP๋กœ๋งŒ ์•ˆ ๋˜๋ฉด, ์‹ญ์ค‘ํŒ”๊ตฌ ๊ฒฝ๋กœ์ƒ์˜ ๋ฐฉํ™”๋ฒฝ์ž…๋‹ˆ๋‹ค. ํ•ด๋‹น ํฌํŠธ(9443)์˜ ์ธ๋ฐ”์šด๋“œ ํ—ˆ์šฉ์„ ํ™•์ธํ•˜์„ธ์š”. (์‹ค์ œ ์‚ฌ๋ก€์˜ ์ตœ์ข… ์›์ธ์ด ์ด๊ฒƒ์ด์—ˆ์Šต๋‹ˆ๋‹ค.)


๐Ÿ”Ž ๋””๋ฒ„๊น…: ์—๋Ÿฌ๊ฐ€ ๋ฐ”๋€Œ๋ฉด ํ•œ ๋‹จ๊ณ„ ์ „์ง„ํ•œ ๊ฒƒ #

์ด ๋ฌธ์ œ์˜ ํ•ต์‹ฌ ๊ตํ›ˆ์€ “์—๋Ÿฌ ๋ฉ”์‹œ์ง€๊ฐ€ ๋ฐ”๋€๋‹ค๋Š” ๊ฑด ํ•œ ํ™‰ ์•ž์œผ๋กœ ๊ฐ”๋‹ค๋Š” ์‹ ํ˜ธ” ๋ผ๋Š” ์ ์ž…๋‹ˆ๋‹ค. ์‹ค์ œ๋กœ ๊ฒช์€ ์ˆœ์„œ:

๋‹จ๊ณ„์ฆ์ƒ์˜๋ฏธ์กฐ์น˜
1ssl_connect: ... connection abort์—ฐ๊ฒฐ์ด ๋„๋‹ฌ์กฐ์ฐจ ๋ชป ํ•จ๋ฐฉํ™”๋ฒฝ/ํฌํŠธ ์ธ๋ฐ”์šด๋“œ ์—ด๊ธฐ
2ssl: packet length too long์—ฐ๊ฒฐ์€ ๋จ, ํ”„๋กœํ† ์ฝœ ๋ฏธ์Šค๋งค์น˜(ํ‰๋ฌธ vs TLS)stream parameters: ["ssl"]
3timeout์‘๋‹ต ์—†์Œ, ๋Œ€์ƒ/๊ฒฝ๋กœ ์–ด๊ธ‹๋‚จGatewayโ†”Service ํฌํŠธ ์ด๋ฆ„ ์ •๋ ฌ, ๋ฐฑ์—”๋“œ endpoints ํ™•์ธ
โœ…์—ฐ๊ฒฐ ์„ฑ๊ณตโ€”๋ฐฉํ™”๋ฒฝ + ssl + ํฌํŠธ ์ด๋ฆ„, ์…‹ ๋‹ค ๋งž์•„์•ผ

ํ™‰ ๋‹จ์œ„๋กœ ๊ฒฉ๋ฆฌํ•ด ์ขํžˆ๊ธฐ #

“์–ด๋А ํ™‰์—์„œ ๊นจ์กŒ๋‚˜"๋ฅผ ๊ฒฉ๋ฆฌ๋กœ ์ขํžˆ๋Š” ๊ฒƒ์ด ๊ฐ€์žฅ ๋น ๋ฆ…๋‹ˆ๋‹ค.

# (1) Is Kong itself healthy? Skip the LB and go straight to the Pod
kubectl port-forward -n kong <kong-pod> 9443:9443
openssl s_client -connect 127.0.0.1:9443 -servername redis-a.example.com
#  → works: Kong is fine and the problem is on the LB path

# (2) Plain TCP to the LB IP first (the stage before TLS)
nc -vz <LB_IP> 9443
#  → fails: firewall / port not exposed; works: the problem is at the TLS stage

# (3) TLS handshake with SNI against the LB IP
openssl s_client -connect <LB_IP>:9443 -servername redis-a.example.com

ํฌํŠธํฌ์›Œ๋”ฉ์€ ๋˜๋Š”๋ฐ LB๋งŒ ์•ˆ ๋˜๋ฉด, ๋ฌธ์ œ๋Š” ํ•ญ์ƒ LB โ†” Kong ์‚ฌ์ด(๋ฐฉํ™”๋ฒฝ / ํฌํŠธ ์ด๋ฆ„ / PROXY protocol)๋กœ ์ขํ˜€์ง‘๋‹ˆ๋‹ค.

๐Ÿ’ก ํด๋ผ์ด์–ธํŠธ๊ฐ€ SNI๋ฅผ ๋ชป ๋ณด๋‚ด๋Š” ๋„๊ตฌ๋ผ๋ฉด(์ผ๋ถ€ DB ํด๋ผ์ด์–ธํŠธ), ๋กœ์ปฌ์— stunnel ๋“ฑ์„ ๋‘๊ณ  SNI๋ฅผ ๋ถ€์—ฌํ•ด Kong์œผ๋กœ ๋ณด๋‚ผ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.


โœ… ๊ฒ€์ฆ ์ฒดํฌ๋ฆฌ์ŠคํŠธ #

1# ์™ธ๋ถ€ IPยทํฌํŠธ๊ฐ€ ์ œ๋Œ€๋กœ ๋…ธ์ถœ๋๋Š”์ง€ (EXTERNAL-IP ์‹ค์ œ ๊ฐ’, PORT(S)์— 9443)
2kubectl get svc -n kong
3
4# ๋ฐฑ์—”๋“œ Pod๊ฐ€ ์‹ค์ œ๋กœ ์žกํ˜€ ์žˆ๋Š”์ง€ (๋น„์–ด ์žˆ์œผ๋ฉด timeout์˜ ํ”ํ•œ ์›์ธ)
5kubectl get endpoints -n kong
6
7# ๋ฆฌ์Šค๋„ˆ ๋ฐ˜์˜๋๋Š”์ง€ (patch ํ›„ ๋กค์•„์›ƒ)
8kubectl rollout status deploy/kong-kong -n kong
  • proxy.type: LoadBalancer, nodePort ์ œ๊ฑฐ, servicePort ์ง€์ •
  • stream ๋ฆฌ์Šค๋„ˆ์— parameters: ["ssl"] (SNI์šฉ TLS)
  • Gateway ๋ฆฌ์Šค๋„ˆ ์ด๋ฆ„ โ†” Service ํฌํŠธ ์ด๋ฆ„ ์ผ์น˜
  • LB IP์˜ ํ•ด๋‹น ํฌํŠธ ๋ฐฉํ™”๋ฒฝ ์ธ๋ฐ”์šด๋“œ ํ—ˆ์šฉ
  • (ํด๋ผ์ด์–ธํŠธ๊ฐ€ SNI ๋ชป ๋ณด๋‚ด๋ฉด) stunnel ๋“ฑ์œผ๋กœ SNI ๋ถ€์—ฌ
  • Gateway API CRD ์ฑ„๋„/๋ฒ„์ „๊ณผ Kong ์ง€์› ๋ฒ„์ „(GatewayAlphaยทv1alpha2) ํ™•์ธ

๐Ÿ“ ๊ทœ๋ชจ๋ณ„ ๋ณ€ํ˜• #

๊ทœ๋ชจ์— ๋”ฐ๋ผ ๋‹ฌ๋ผ์ง€๋Š” ์ง€์ ๋งŒ ๋ชจ์œผ๋ฉด ๋‹ค์Œ๊ณผ ๊ฐ™์Šต๋‹ˆ๋‹ค. ๊ธฐ๋ณธ ์ „์ œ๋Š” LoadBalancer๊ฐ€ ์ œ๊ณต๋˜๋Š” ํ™˜๊ฒฝ์ž…๋‹ˆ๋‹ค.

๊ตฌ๋ถ„๋Œ€๊ทœ๋ชจ(๊ธฐ๋ณธ)์†Œ๊ทœ๋ชจ/๊ฐœ์ธ
์™ธ๋ถ€ ๋…ธ์ถœํด๋ผ์šฐ๋“œ LB / MetalLBNodePort๋กœ๋„ ๊ฐ€๋Šฅ
๋ฆฌ์Šค๋„ˆstream ํฌํŠธ ํ•˜๋‚˜ + SNI ๋‹ค์ค‘ ๋ฐฑ์—”๋“œํฌํŠธ ๋ช‡ ๊ฐœ๋ฉด TCPRoute ํฌํŠธ ๋ถ„๋ฐฐ๋„ ๋ฌด๋ฐฉ
์ธ์ฆ์„œcert-manager ์ž๋™ ๋ฐœ๊ธ‰ยท๊ฐฑ์‹ ์ˆ˜๋™ Secret๋„ ๊ฐ€๋Šฅ
Gateway APIexperimental ๊ด€๋ฆฌยท๋ฒ„์ „ ๊ณ ์ • ์šด์˜์ตœ์‹  ์‹คํ—˜ ์ฑ„๋„ ๊ทธ๋Œ€๋กœ

๐Ÿ’ก ์†Œ๊ทœ๋ชจ์—์„œ ๋ฐฑ์—”๋“œ๊ฐ€ 2~3๊ฐœ๋ฟ์ด๊ณ  ๋„๋ฉ”์ธ ๊ตฌ๋ถ„์ด ํ•„์š” ์—†์œผ๋ฉด, SNI ์—†์ด ํฌํŠธ๋ณ„ TCPRoute๊ฐ€ ๋” ๋‹จ์ˆœํ•ฉ๋‹ˆ๋‹ค. SNI ๋ถ„๋ฐฐ๋Š” “ํฌํŠธ๋Š” ์•„๋ผ๊ณ  ๋ฐฑ์—”๋“œ๋Š” ๋งŽ์ด"๊ฐ€ ํ•„์š”ํ•  ๋•Œ ๋น›๋‚ฉ๋‹ˆ๋‹ค.


๐Ÿค” ์–ธ์ œ ๋ฌด์—‡์„ ์“ฐ๋‚˜ #

“HTTP๋ƒ ์•„๋‹ˆ๋ƒ”, “๋„๋ฉ”์ธ์œผ๋กœ ๊ฐ€๋ฅด๋ƒ ํฌํŠธ๋กœ ๊ฐ€๋ฅด๋ƒ” ๋‘ ์ถ•์œผ๋กœ ๊ฒฐ์ •๋ฉ๋‹ˆ๋‹ค.

์ƒํ™ฉ์„ ํƒ
HTTP/HTTPS APIยท์›นHTTPRoute (์ด ๊ธ€ ์•„๋‹˜ โ†’ HTTPRoute ์ „ํ™˜ ๊ธ€)
TCP ์„œ๋น„์Šค๋ฅผ ๋„๋ฉ”์ธ๋ณ„๋กœ ํ•œ ํฌํŠธ์—์„œ ๋ถ„๋ฐฐstream(ssl) + TLSRoute + SNI (์ด ๊ธ€)
TCP ์„œ๋น„์Šค๋ฅผ ํฌํŠธ๋ณ„๋กœ ๋ถ„๋ฐฐ(๋„๋ฉ”์ธ ๋ถˆํ•„์š”)stream(TCP) + TCPRoute
๋ฐฑ์—”๋“œ TLS๋ฅผ ๊ทธ๋Œ€๋กœ ์œ ์ง€(์ข…๋‹จ๊ฐ„ ์•”ํ˜ธํ™”)TLSRoute Passthrough
Kong์ด TLS ์ข…๋ฃŒ ํ›„ ํ‰๋ฌธ ์ „๋‹ฌTLSRoute Terminate
gRPC์˜ L4/L7 ๋กœ๋“œ๋ฐธ๋Ÿฐ์‹ฑ์ด ๊ณ ๋ฏผgRPC L4/L7 ๋กœ๋“œ๋ฐธ๋Ÿฐ์‹ฑ ๊ธ€

โ“ ์ž์ฃผ ๋ฌป๋Š” ์งˆ๋ฌธ #

Q. Ingress๋กœ RedisยทDB๋ฅผ ์™ธ๋ถ€์— ๋ชป ์—ฌ๋‚˜์š”? IngressยทHTTPRoute๋Š” HTTP(L7) ์ „์šฉ์ด๋ผ raw TCP๋Š” ์•ˆ ๋ฉ๋‹ˆ๋‹ค. TCP๋Š” stream ๋ฆฌ์Šค๋„ˆ + TCPRoute/TLSRoute๋ฅผ ์จ์•ผ ํ•ฉ๋‹ˆ๋‹ค.

Q. packet length too long ์—๋Ÿฌ๋Š” ์™œ ๋‚˜๋‚˜์š”? ํด๋ผ์ด์–ธํŠธ๋Š” TLS์ธ๋ฐ Kong stream ํฌํŠธ๊ฐ€ ํ‰๋ฌธ(ssl ์—†์Œ)์ด๋ผ ์ƒ๊ธฐ๋Š” ํ”„๋กœํ† ์ฝœ ๋ฏธ์Šค๋งค์น˜์ž…๋‹ˆ๋‹ค. parameters: ["ssl"]์„ ์ถ”๊ฐ€ํ•˜์„ธ์š”.

Q. ํฌํŠธํฌ์›Œ๋”ฉ์€ ๋˜๋Š”๋ฐ LB IP๋กœ๋งŒ ์•ˆ ๋ฉ๋‹ˆ๋‹ค. ๋ฌธ์ œ๋Š” LBโ†”Kong ์‚ฌ์ด์ž…๋‹ˆ๋‹ค. ๋Œ€๊ฐœ ๋ฐฉํ™”๋ฒฝ/๋ณด์•ˆ๊ทธ๋ฃน ์ธ๋ฐ”์šด๋“œ(ํ•ด๋‹น ํฌํŠธ ๋ฏธ๊ฐœ๋ฐฉ)๋‚˜ ํฌํŠธ ์ด๋ฆ„ ๋ถˆ์ผ์น˜์ž…๋‹ˆ๋‹ค.

Q. ์™œ ํฌํŠธ ํ•˜๋‚˜(9443)์—์„œ ์—ฌ๋Ÿฌ ๋ฐฑ์—”๋“œ๊ฐ€ ๋˜๋‚˜์š”? TLS ClientHello์˜ SNI(๋„๋ฉ”์ธ) ๋กœ Kong์ด ๋ฐฑ์—”๋“œ๋ฅผ ๊ณ ๋ฅด๊ธฐ ๋•Œ๋ฌธ์ž…๋‹ˆ๋‹ค. ๋ฐฑ์—”๋“œ๋ฅผ ๋Š˜๋ ค๋„ LB ํฌํŠธ๋Š” ๊ทธ๋Œ€๋กœ์ž…๋‹ˆ๋‹ค.

Q. Terminate์™€ Passthrough ์ค‘ ๋ญ˜ ์“ฐ๋‚˜์š”? Kong์—์„œ TLS๋ฅผ ํ’€๊ณ  ํ‰๋ฌธ์œผ๋กœ ์ „๋‹ฌํ•˜๋ฉด Terminate, ๋ฐฑ์—”๋“œ๊นŒ์ง€ ์•”ํ˜ธํ™”๋ฅผ ์œ ์ง€ํ•˜๋ ค๋ฉด Passthrough์ž…๋‹ˆ๋‹ค.

Q. TLSRoute๋ฅผ applyํ–ˆ๋Š”๋ฐ ์ธ์‹์ด ์•ˆ ๋ฉ๋‹ˆ๋‹ค. Kong์€ ์•„์ง v1alpha2 + GatewayAlpha ํ”ผ์ฒ˜ ๊ฒŒ์ดํŠธ + experimental CRD๊ฐ€ ํ•„์š”ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. CRD ๋ฒ„์ „๊ณผ ์ปจํŠธ๋กค๋Ÿฌ ํ”ผ์ฒ˜ ๊ฒŒ์ดํŠธ๋ฅผ ํ™•์ธํ•˜์„ธ์š”.

Q. ํด๋ผ์ด์–ธํŠธ๊ฐ€ SNI๋ฅผ ๋ชป ๋ณด๋ƒ…๋‹ˆ๋‹ค. ๋กœ์ปฌ์— stunnel ๋“ฑ์„ ๋‘๊ณ  SNI๋ฅผ ๋ถ€์—ฌํ•ด Kong์œผ๋กœ ์ „๋‹ฌํ•˜๋ฉด ๋ฉ๋‹ˆ๋‹ค.


๐Ÿ“š ์ฐธ๊ณ  #