不使用pvc的方式在K8S中部署apisix-gateway
簡介
因為公司項目準備重構,現在做技術儲備,之前公司項目使用的ocelot做網關,ocelot是.net平台下的一個網關,也是很不錯,但是在選型的時候需要考慮到性能問題,是以在這次重構中抛棄了ocelot,看了apisix和kong,kong也是一個很不錯的網關,不過因為對kong不太了解,剛好有朋友在用apisix是以就選了apisix來做新的網關,避免了重複掉到坑裡面。不單單是部署,後面還要使用apisix進行身份認證等一系列的插件都會使用,是以慢慢更新吧。
- 我的apisix使用etcd作為資料存儲伺服器,官方的使用pvc方式或者docker-compose的方式,對于新手不太友好,本篇是從etcd的安裝到apisix的打通都會涉及。
- apisix是服務端,用來進行網絡請求轉發。
- apisix-dashboard是他的控制台,用來進行可視化配置。
-
apisix介紹
apisix是基于 OpenResty + etcd 實作的雲原生、高性能、可擴充的微服務 API 網關。它是國人開源,目前已經進入 Apache 進行孵化。APISIX 通過插件機制,提供了動态負載平衡、身份驗證、限流限速等等功能,當然我們也可以自己開發插件進行拓展。
- 動态負載均衡:跨多個上遊服務的動态負載均衡,目前已支援 round-robin 輪詢和一緻性雜湊演算法。
- 身份驗證:支援 key-auth、JWT、basic-auth、wolf-rbac 等多種認證方式。
- 限流限速:可以基于速率、請求數、并發等次元限制。
-
1、部署etcd
etcd 是一個分布式鍵值對存儲,設計用來可靠而快速的儲存關鍵資料并提供通路。通過分布式鎖,leader選舉和寫屏障(write barriers)來實作可靠的分布式協作。etcd叢集是為高可用,持久性資料存儲和檢索而準備。
-
ubuntu部署etcd
-
ubuntu中部署etcd的兩種方式:
一種是去GitHub下載下傳二進制的安裝包,還有一種是apt-get install etcd,第二種方式我也嘗試過,可能是我軟體源的問題,版本有點老,是以我就換成了使用第一種方式,而且也比較推薦使用第一種方式。
- 我用的etcd下載下傳的版本是3.5.2,廢話不多說直接看步驟:
-
1.1、将etcd etcdctl etcdutl 二進制檔案拷貝到/usr/local/bin目錄下
/usr/local/bin -
1.2、建立一個etcd的etcd.conf.yml,将下面代碼拷貝進去,我這裡etcd就簡單的配置了一下,沒有做叢集,是以yml很簡單。
name: etcd-1 data-dir: /home/etcd/data listen-client-urls: http://0.0.0.0:2379 advertise-client-urls: http://0.0.0.0:2379 -
1.3、通過etcd --config-file etcd.conf.yml的路徑運作,如下圖就是成功了,也可以使用etcd manager用戶端來測試。
K8S中部署apisix(非ingress) 
K8S中部署apisix(非ingress) -
1.4、如果使用etcd直接啟動的話沒有辦法背景運作,是以我們需要在/etc/systemd/system目錄下建立一個etcd.service來進行背景運作。
[Unit] Description=ETCD Server Documentation=https://github.com/coreos/etcd After=network-online.target Wants=network-online.target [Service] User=root Group=root ExecStart= etcd --config-file /home/etcd/etcd.conf.yml [Install] WantedBy=multi-user.target -
1.5、建立好之後可以通過以下指令來确定運作狀态如下圖:
# 啟動 sudo systemctl start etcd.service # 檢視狀态 sudo systemctl status etcd.service # 開機自啟 sudo systemctl enable etcd.service K8S中部署apisix(非ingress) -
1.6、設定使用者名和密碼
# 設定版本為V3 export ETCDCTL_API=3 # 添加使用者 etcdctl user add root # 開啟認證 etcdctl auth enable
-
2、K8S部署apisix
apisix-gateway在部署的時候分為兩塊,分别是apisix和apisix-dashboard面闆,是以看起來比較繞,不過apisix在部署的時候使用的是yaml檔案覆寫的方式,是以我這裡是将yaml存儲到configmap中了,友善進行統一管理。我使用的k8s是Ubuntu出品的microk8s,用它的主要原因是因為配置簡單。
-
2.1部署apisix
2.1.1、建立apisix.conf.yaml,并存儲到configmap中,
apisix: node_listen: 9080 # APISIX listening port enable_ipv6: false allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow - 0.0.0.0/0 # We need to restrict ip access rules for security. 0.0.0.0/0 is for test. admin_key: - name: "admin" key: edd1c9f034335f136f87ad84b625c8f1 role: admin # admin: manage all configuration data # viewer: only can view configuration data - name: "viewer" key: 4054f7cf07e344346cd3f287985e76a2 role: viewer enable_control: true control: ip: "0.0.0.0" port: 9092 etcd: host: # supports defining multiple etcd host addresses for an etcd cluster - "http://192.168.31.170:2379" user: "root" # ignore etcd username if not enable etcd auth password: "root" # ignore etcd password if not enable etcd auth discovery: nacos: host: - "http://47.100.213.49:8848" prefix: "/nacos/v1/" fetch_interval: 30 # default 30 sec weight: 100 # default 100 timeout: connect: 2000 # default 2000 ms send: 2000 # default 2000 ms read: 5000 # default 5000 ms plugin_attr: prometheus: export_addr: ip: "0.0.0.0" port: 9091 plugins: - client-control - ext-plugin-pre-req - zipkin - request-id - fault-injection - serverless-pre-function - batch-requests - cors - ip-restriction - ua-restriction - referer-restriction - uri-blocker - request-validation - openid-connect - wolf-rbac - hmac-auth - basic-auth - jwt-auth - key-auth - consumer-restriction - authz-keycloak - proxy-mirror - proxy-cache - proxy-rewrite - api-breaker - limit-conn - limit-count - limit-req - gzip - server-info - traffic-split - redirect - response-rewrite - grpc-transcode - prometheus - echo - http-logger - sls-logger - tcp-logger - kafka-logger - syslog - udp-logger - serverless-post-function - ext-plugin-post-req stream_plugins: - ip-restriction - limit-conn - mqtt-proxy2.1.2、使用kubectl指令建立configmap
# 将config.yaml 存儲到k8s的configmap中 kubectl create configmap sukt-apisix-gateway-config --from-file=config.yaml=/home/sukt-platform/apisix/apisix-gateway-config.yaml -n sukt-platform2.1.3、建立apisix-deployment.yaml
apiVersion: apps/v1 kind: Deployment metadata: name: sukt-apisix-gateway namespace: sukt-platform spec: selector: matchLabels: app: sukt-apisix-gateway template: metadata: labels: app: sukt-apisix-gateway spec: containers: - name: sukt-apisix-gateway image: apache/apisix:2.10.3-alpine imagePullPolicy: IfNotPresent resources: limits: cpu: 500m memory: 1Gi requests: cpu: 250m memory: 256Mi securityContext: privileged: false terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /usr/local/apisix/conf/config.yaml name: config subPath: config.yaml ports: - containerPort: 9080 - containerPort: 9443 dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler securityContext: {} terminationGracePeriodSeconds: 30 volumes: - configMap: defaultMode: 420 name: sukt-apisix-gateway-config name: config2.1.4、建立apisix-service.yaml
apiVersion: v1 kind: Service metadata: name: sukt-apisix-gateway-nodetype labels: app: sukt-apisix-gateway-nodetype namespace: sukt-platform spec: type: NodePort selector: app: sukt-apisix-gateway ports: - port: 9080 name: transfer1 targetPort: 9080 nodePort: 30107 - port: 9443 name: transfer2 targetPort: 9443 nodePort: 30108 -
2、部署apisix-dashboard
2.2.1、建立apisix-dashboard-config.yaml,并存儲到configmap中,
# # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # conf: listen: host: 0.0.0.0 # `manager api` listening ip or host name port: 9000 # `manager api` listening port allow_list: # If we don't set any IP list, then any IP access is allowed by default. - 0.0.0.0/0 etcd: endpoints: # supports defining multiple etcd host addresses for an etcd cluster - "http://192.168.31.170:2379" # yamllint disable rule:comments-indentation # etcd basic auth info username: "root" # ignore etcd username if not enable etcd auth password: "root" # ignore etcd password if not enable etcd auth mtls: key_file: "" # Path of your self-signed client side key cert_file: "" # Path of your self-signed client side cert ca_file: "" # Path of your self-signed ca cert, the CA is used to sign callers' certificates # prefix: /apisix # apisix config's prefix in etcd, /apisix by default log: error_log: level: warn # supports levels, lower to higher: debug, info, warn, error, panic, fatal file_path: logs/error.log # supports relative path, absolute path, standard output # such as: logs/error.log, /tmp/logs/error.log, /dev/stdout, /dev/stderr access_log: file_path: logs/access.log # supports relative path, absolute path, standard output # such as: logs/access.log, /tmp/logs/access.log, /dev/stdout, /dev/stderr # log example: 2020-12-09T16:38:09.039+0800 INFO filter/logging.go:46 /apisix/admin/routes/r1 {"status": 401, "host": "127.0.0.1:9000", "query": "asdfsafd=adf&a=a", "requestId": "3d50ecb8-758c-46d1-af5b-cd9d1c820156", "latency": 0, "remoteIP": "127.0.0.1", "method": "PUT", "errs": []} authentication: secret: secret # secret for jwt token generation. # NOTE: Highly recommended to modify this value to protect `manager api`. # if it's default value, when `manager api` start, it will generate a random string to replace it. expire_time: 3600 # jwt token expire time, in second users: # yamllint enable rule:comments-indentation - username: admin # username and password for login `manager api` password: P@ssW0rd - username: user password: P@ssW0rd plugins: # plugin list (sorted in alphabetical order) - api-breaker - authz-keycloak - basic-auth - batch-requests - consumer-restriction - cors # - dubbo-proxy - echo # - error-log-logger # - example-plugin - fault-injection - grpc-transcode - hmac-auth - http-logger - ip-restriction - jwt-auth - kafka-logger - key-auth - limit-conn - limit-count - limit-req # - log-rotate # - node-status - openid-connect - prometheus - proxy-cache - proxy-mirror - proxy-rewrite - redirect - referer-restriction - request-id - request-validation - response-rewrite - serverless-post-function - serverless-pre-function # - skywalking - sls-logger - syslog - tcp-logger - udp-logger - uri-blocker - wolf-rbac - zipkin - server-info - traffic-split2.2.2、使用kubectl指令建立configmap
# 将config.yaml 存儲到k8s的configmap中 kubectl create configmap sukt-apisix-dashboard-config --from-file=config.yaml=/home/sukt-platform/apisix/apisix-dashboard-config.yaml -n sukt-platform2.2.3、建立apisix-dashboard-deployment.yaml
apiVersion: apps/v1 kind: Deployment metadata: name: sukt-apisix-dashboard namespace: sukt-platform spec: selector: matchLabels: app: sukt-apisix-dashboard template: metadata: labels: app: sukt-apisix-dashboard spec: nodeName: microk8sslave1 # 部署到指定的node節點 containers: - name: sukt-apisix-dashboard image: apache/apisix-dashboard:2.10.1-alpine imagePullPolicy: IfNotPresent resources: limits: cpu: 500m memory: 1Gi requests: cpu: 250m memory: 256Mi securityContext: privileged: false terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /usr/local/apisix-dashboard/conf/conf.yaml name: config subPath: config.yaml #這個位置對應的是comfigmap中的名字,不是 /usr/local/apisix-dashboard/conf/conf.yaml ports: - containerPort: 9000 dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler securityContext: {} terminationGracePeriodSeconds: 30 volumes: - configMap: defaultMode: 420 name: sukt-apisix-dashboard-config name: config2.2.4、建立apisix-dashboard-service.yaml
apiVersion: v1 kind: Service metadata: name: sukt-apisix-dashboard-nodetype labels: app: sukt-apisix-dashboard-nodetype namespace: sukt-platform spec: type: NodePort selector: app: sukt-apisix-dashboard ports: - port: 9000 name: transfer1 targetPort: 9000 nodePort: 30109 -
運作效果圖
可以通過dashboard面闆的系統資訊檢視apisix-gateway的運作資訊 K8S中部署apisix(非ingress) K8S中部署apisix(非ingress)
結語
apisix-gateway文章分為一個專題,本篇隻是講解了如何在k8s中安裝以及啟動,後面會講解如何進行轉發以及其他功能等。
學不完的技術,寫不完的代碼。QQ群:773595012
▼-----------------------------------------▼-----------------------------------------▼