NGINX Plus - マイクロサービスの高可用性 / JapanContainerDays v18.12

Transcript

1. NGINX Plusͷ͝঺հ ϚΠΫϩαʔϏεͷߴՄ༻ੑ Ingress, αʔϏεϝογϡͷੈքʹ͓͚Δ ϩʔυόϥϯγϯά NGINX ςΫχΧϧ ιϦϡʔγϣϯζ ΞʔΩςΫτ

   ాล ໜ໵ @stanabe 2018/12/5

2. NGINXͷ͝঺հ NGINX Plus ϚΠΫϩαʔϏεͱαʔϏεϝογϡ΁ͷऔΓ૊Έ 1 2 3 ຊ೔ͷ಺༰ NGINX Ingress

   Controller 4 2

3. NGINXͷ͝঺հ 1

4. NGINXࣾ • ೥ʹઃཱɺ೥ʹNGINX 1MVTͷॳظϦϦʔε ೥044൛ॳظϦϦʔε • ສҎ্ͷ΢ΣϒαΠτ • ΤϯλʔϓϥΠζιϑτ΢ΣΞۀքͷϦʔμʔͷϕϯνϟʔΩϟϐλϧͷࢧԉ •

   αϯϑϥϯγείɺϩϯυϯɺίʔΫɺγϯΨϙʔϧɺγυχʔɺϞεΫϫɺ౦ژͷΦϑΟε • ࣾҎ্ͷސ٬ • ਓҎ্ͷैۀһ 4

5. NGINX Unit NGINX ͔Βͷ৽͍͠ಈతͳWebͱΞϓϦ έʔγϣϯɾαʔόʔɻΦʔϓϯιʔεɺ ෳ਺ͷݴޠͷαϙʔτɺ͓Αͼಈతͳ REST API ओಋͷߏ੒ɻ NGINX

   Plus ϩʔυόϥϯαʔɺWebαʔόʔɺίϯςϯ πΩϟογϡΛؚΉ།ҰͷΦʔϧΠϯϫϯι ϦϡʔγϣϯɻίετΛ࡟ݮ͠ͳ͕ΒɺΞʔ ΩςΫνϟΛ؆ૉԽ͠·͢ɻ ੡඼ NGINX Controller NGINX PlusͷͨΊͷूத؂ࢹ͓Αͼ؅ཧɻ ୯Ұͷඒ͍͠ΠϯλʔϑΣΠεΛ࢖༻ͯ͠ɺ Ծ૝ϩʔυόϥϯαʔΛల։͠·͢ɻ NGINX WAF Φʔϓϯιʔεͷ WebΞϓϦέʔγϣϯϑΝ ΠΞ΢Υʔϧ (WAF)SQL ΠϯδΣΫγϣϯɺ LFI
   RFI
   ͓ΑͼͦͷଞͷϨΠϠ7߈ܸΛ๷ ޚ͠·͢ɻ Powered by ModSecurity. 5

6. ݱࡏͷΞϓϦͷΠϯϑϥ͸ෳࡶ 6

7. NGINXʹΑΓ10ഒ؆ૉԽɾ 80%ίετ࡟ݮ 7

8. μΠφϛοΫ ΞϓϦέʔγϣϯ ήʔτ΢ΣΠ 8

9. NGINX ΞϓϦέʔγϣϯ ϓϥοτϑΥʔϜ ϨΨγʔͳϞϊϦγοΫ ΞϓϦ͔ΒϞμϯͳϚΠ ΫϩαʔϏε·Ͱ෯޿͘ ରԠ͠ɺσδλϧମݧΛ ։ൃఏڙ͢ΔͨΊͷςΫ ϊϩδʔεΠʔτ ϩʔυόϥϯαʔ

   API 
   αʔϏεϝογϡ 9

10. NGINX Plus 2

11. ߴੑೳͳΞϓϦέʔγϣϯͷ഑৴ • ৄࡉͰ๛෋ͳϝτϦοΫ • ڧྗͳෛՙ෼ࢄ • ϔϧενΣοΫ • αʔϏεϨδετϦͷ౷߹ •

    HTTP/HTTPS/H2/gRPC/TCP/UDP ΤϯλʔϓϥΠζαϙʔτ HTTP HTTPS HTTP/2 gRPC TCP UDP consul etcd 12

12. NGINX PlusͷμογϡϘʔυ 13 શମ αʔόʔͷঢ়گʢκʔϯʹ෼͚ͯදࣔʣ Ωϟογϡ ڞ༗ϝϞϦʔ NGINX Plusͷ Πϯελϯεຖͷ৘ใ

13. NGINX Plus: Upstreamͷಈతมߋ ϩʔυόϥϯεઌ (Upstream) ΛಈతʹมߋՄೳ μογϡϘʔυͷGUIͰ APIͰ

14. ϚΠΫϩαʔϏεͱ αʔϏεϝογϡ΁ͷऔΓ૊Έ 3

15. NGINX͸ɺ͞·͟·ͳϚΠΫϩ αʔϏεΞʔΩςΫνϟΛαϙʔτ 3. Fabric Model 2. Router Mesh Model 1.

    Proxy Model 17

16. Ҡߦεςοϓ 18

17. NGINX Unit 19 • μΠφϛοΫWebɾ ΞϓϦέʔγϣϯαʔόʔ ◦ γϯϓϧɾܰྔ ◦ ଟݴޠʹରԠ:

    Python, PHP, Go, Perl, Ruby, JavaScript (Node.js), Java(༧ఆ)
    ηοτΞοϓɾઃఆͳͲɺಉ༷ͷ؀ڥΛར༻Մೳ ◦ RESTful JSON APIͰͷಈతͳઃఆ ◦ Φʔϓϯιʔε ◦ NGINX PlusϢʔβʔ͸ αϙʔτར༻Մ ◦ NGINXΛαΠυΧʔʹ • Πϯετʔϧ ◦ DockerΠϝʔδɺLinuxύοέʔδɺ ιʔε͔ΒϏϧυ • ઃఆ ◦ APIͰ
    # curl -X PUT -d @/path/to/start.json --unix-socket /path/to/control.unit.sock http://localhost/config/ ◦ Dockerfileͷྫ
    FROM nginx/unit:1.3-php7.0 RUN mkdir /www COPY index.php /www/index.php COPY conf.json /var/lib/unit/conf.json CMD ["unitd", "--no-daemon", "--control", "unix:/var/run/control.unit.sock"]

18. ಈతͳϧʔςΟϯά: αʔϏεͷݕग़ • ͜Μͳͱ͖ʹඞཁ: ◦ ৽͍͠αʔϏε͕௥Ճ͞Εͨ ◦ طଘͷαʔϏεͷΠϯελϯε͕௥Ճ͞Εͨ • ϓϩΩγ͕ߏ੒͞ΕΔτϦΨʔ:

    ◦ Ansible Roles ◦ Consul templates ◦ DNS A, SRV Ϩίʔυ ◦ AWS Autoscaling άϧʔϓ ◦ Kubernetes (kube-dns) Ingress and Service-to- Service 20

19. DNSαʔϏεσΟεΧόϦ ༏ઌ౓ɾ΢ΣΠτ ϙʔτ൪߸ɾϗετ໊ NGINX಺ͷDNSΩϟογϡ༗ޮ࣌ؒ αʔόʔϦετΛDNSͰղܾ UpstreamΛࢀর 21 खಈͰDNSϨίʔυઃఆɺKubernetesͰ͸Headless Service

20. ࣍ͷεςοϓ: αʔϏεϝογϡͷΦʔέετϨʔγϣϯ • ෼ࢄαʔϏεؒͷ௨৴Λߴ଎ɺߴ৴ པɺ͓ΑͼηΩϡΞʹ͢Δωοτ ϫʔΫ૚ • සൟͳαʔϏεมߋʹରͯ͠΋ɺ ωοτϫʔΫ௨৴ͷ৴པੑΛ֬อ •

    αʔϏε͸ϝογϡΛҙࣝ͢Δඞཁ ͸ͳ͘ɺσʔλͱίϯτϩʔϧϓ Ϩʔϯͷ੍ޚΛ෼཭ αʔϏεϝογϡ ίϯτϩʔϧϓϨʔϯ ΦʔέετϨʔγϣϯ ϓϥοτϑΥʔϜͷ αʔϏεϝογϡ σʔλϓϨʔϯ 24

21. NGINX Controller: ϞχλϦϯά 25 ଟ਺ͷNGINX Plus͔Β౷ܭ৘ใΛू໿

22. NGINX Controller: ઃఆ 26 nginx.conf ͷ֬ೝ nginx.conf ͷมߋ ઃఆͷݕূ NGINXͷίϯτϩʔϧϓϨʔϯͱͯ͠

    ·ͣ͸API Gateway͔Β

23. NGINX Ingress Controller 4

24. NGINX Plus - Kubernetes Ingress Controller NGINX PlusΛೖΓޱͱͯ͠ KubernetesΞϓϦέʔγϣϯΛ࡞੒ :

    • ߴ౓ͳෛՙ෼ࢄͱSSL/TLS ऴ୺ • WebSocket ͱ HTTP/2 ͷαϙʔτ • ϦΫΤετ͕ΞϓϦέʔγϣϯʹసૹ͞ΕΔ લʹURI ॻ͖׵͑ • ಈతͳ࠶ߏ੒ • Session persistence • JWT authentication • Prometheusͷαϙʔτ • 24x7 αϙʔτ https://github.com/nginxinc/kubernetes-ingress 28

25. NGINX Ingress Controller 29 ػೳͳͲ kubernetes/ingress-nginx nginxinc/kubernetes-ingress with NGINX Plus

    ࡞ऀ Kubernetes ίϛϡχςΟ NGINX Inc ͱίϛϡχςΟ NGINX όʔδϣϯ αʔυύʔςΟϞδϡʔϧΛ ؚΉɺΧελϜNGINXϏϧυ NGINX Plus ঎༻αϙʔτ No ؚΉ ඪ४ Ingress Yes Yes Annotation Yes Yes ConfigMap Yes Yes TCP/UDP ֦ு Yes Yes JWT ݕূ No Yes ֦ுεςʔλε Yes, αʔυύʔςΟϞδϡʔϧ Yes Prometheus Yes Yes ಈతͳઃఆมߋ Yes (Lua֦ுܦ༝) Yes

26. GithubϨϙδτϦ 30 • https://github.com/nginxinc/kubernetes-ingress • Docker Πϝʔδ ◦ NGINX (OSS)

    ͷඪ४Πϝʔδ͋Γ or ΧελϚΠζͯ͠Ϗϧυ ◦ NGINX Plus ͸ূ໌ॻؚΉΠϝʔδΛϏϧυͯ͠ϓϥΠϕʔτϦϙδτϦ΁ ◦ Makefile͸Ϗϧυͯ͠Push·Ͱ • Πϯετʔϧ ◦ KubernetesͷϚχϑΣετɺ·ͨ͸HelmͰ (deployments σΟϨΫτϦ) ◦ ΧελϚΠζαϯϓϧ͸ example σΟϨΫτϦʹ͋Γ • υΩϡϝϯτ ◦ ΠϝʔδͷϏϧυํ๏ɾΧελϚΠζํ๏ ◦ Annotation, ConfigMapͷ࢖͍ํ ◦ ΧελϜAnnotationͷ࢖͍ํ

27. ઃఆͷରԠ upstream react-ui { server uin-demo:80; } upstream places {

    server psn-demo:80; } upstream weather { server wsn-demo:80; } server { listen 80 default_server; server_name "weather-demo.nginxps.com"; location /weather/ { proxy_pass http://weather/; } location /places/ { proxy_pass http://places/; } location / { proxy_pass http://react-ui; } } apiVersion: extensions/v1beta1 kind: Ingress metadata: name: weather-ingress namespace: demo spec: tls: - hosts: - weather-demo.nginxps.com secretName: cafe-secret rules: - host: weather-demo.nginxps.com http: paths: - path: /weather backend: serviceName: weather-service servicePort: 8080 - path: /places backend: serviceName: maps-service servicePort: 8080 - path: / backend: serviceName: poc-ui servicePort: 8080 31 NGINXͷconfϑΝΠϧ IngressͷYAMLϑΝΠϧ

28. Annotations apiVersion: extensions/v1beta1 kind: Ingress metadata: name: shapes-ingress annotations: kubernetes.io/ingress.class:

    "nginx" nginx.org/lb-method: "random" spec: rules: - host: shapes.example.com http: paths: - path: /circles backend: serviceName: circles servicePort: 80 - path: /triangles backend: serviceName: triangles servicePort: 80 33

29. Snippets apiVersion: extensions/v1beta1 kind: Ingress metadata: name: shapes-ingress annotations: kubernetes.io/ingress.class:

    "nginx" nginx.org/lb-method: "random" nginx.org/server-snippets: | location / { return 302 /circles; } spec: rules: - host: shapes.example.com http: paths: . . . 35

30. ΧελϜ Annotations apiVersion: extensions/v1beta1 kind: Ingress metadata: name: shapes-ingress annotations:

    kubernetes.io/ingress.class: "nginx" custom.nginx.org/rate-limiting: "on" custom.nginx.org/rate-limiting-rate: "5r/s" custom.nginx.org/rate-limiting-burst: "1" spec: rules: - host: ”shapes.example.com" http: paths: - path: /circles backend: serviceName: circles servicePort: 80 - path: /triangles backend: serviceName: triangles servicePort: 80 37

31. Configੜ੒ํ๏ ํ๏ ίϯςΫετ ؅ཧऀʹͱͬͯ Ϣʔβʔʹͱͬͯ ConfigMap main, http, server, location,

    upstream ؆୯ N/A Annotations server, location, upstream ؆୯ ؆୯ Snippets - ConfigMap main, http, server, location ΍΍೉͍͠ N/A Snippets - Annotations server, location ΍΍೉͍͠ ΍΍೉͍͠ Custom Template - nginx-plus.tmpl main, http ೉͍͠ N/A Custom Template - nginx-plus.ingress.tmpl http, server, location, upstream ೉͍͠ N/A Custom Annotations http, server, location, upstream ೉͍͠ ؆୯ 38

32. ϞχλϦϯά NGINX Plusͷ ϦΞϧλΠϜɾμογϡϘʔυ $ kubectl -n nginx-ingress port-forward <nginx-ingres—pod>

    8080:8080 39

33. ·ͱΊ • ࣗࣾͷWebγεςϜ͕ෳࡶʹͳΓ͍͗ͯ͢Δ ◦ → NGINX Plus! • ϩʔυόϥϯαʔͷϋʔυ΢ΣΞͷߋ৽࣌ظʹདྷ͍ͯΔ ◦

    → NGINX Plus! • KubernetesͷIngress Controller΍αʔϏεؒ௨৴Λݕূத ◦ → NGINX Plus! ϑϦʔτϥΠΞϧ͸ ͪ͜Β͔Β 40

34. Thank you! 41