Zer0e's Blog

[The Road to Architecture 8] Setting up and using apisix-ingress-controller

Word count: 1.6k | Reading time: 8 min
2024/07/23

Preface

apisix is a commonly used API gateway; at my previous company it generally served as a replacement for nginx and as the entry gateway.

APISIX Ingress Controller is an implementation of a Kubernetes Ingress controller that uses the apisix gateway as the Ingress controller.

Ingress is an API object that manages external access to the services in a cluster, typically over HTTP.

Ingress can provide load balancing, SSL termination and name-based virtual hosting.

Put simply, the client accesses the load balancer managed by the Ingress, and the load balancer forwards the request to the corresponding Service according to the routing rules.

Main part

Installation

The official site has installation instructions for k3s. We change NodePort to LoadBalancer:

```bash
helm repo add apisix https://charts.apiseven.com
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
# We use Apisix 3.0 in this example. If you're using Apisix v2.x, please set to v2
ADMIN_API_VERSION=v3
helm install apisix apisix/apisix \
  --set service.type=LoadBalancer \
  --set ingress-controller.enabled=true \
  --create-namespace \
  --namespace ingress-apisix \
  --set ingress-controller.config.apisix.serviceNamespace=ingress-apisix \
  --set ingress-controller.config.apisix.adminAPIVersion=$ADMIN_API_VERSION \
  --kubeconfig /etc/rancher/k3s/k3s.yaml
kubectl get service --namespace ingress-apisix
```

Look up the apisix address:

```bash
kubectl get svc -n ingress-apisix | grep gateway
apisix-gateway LoadBalancer 10.43.82.110 192.168.28.211 80:30202/TCP 7m2s
apisix-ingress-controller-apisix-gateway NodePort 10.43.82.209 <none> 80:31064/TCP,443:32717/TCP 7m2s
```

Make a request to see whether it responds:

```bash
[root@worker1 ~]# curl http://192.168.28.211/
{"error_msg":"404 Route Not Found"}
```

A 404 from apisix itself means the gateway is up.

Usage

First create an nginx Deployment as the upstream.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        resources:
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  type: ClusterIP
  ports:
  - name: http
    port: 80
  - name: https
    port: 443
  selector:
    app: nginx
```

Add a routing rule.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-route
spec:
  ingressClassName: apisix
  rules:
  - host: local.nginx
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
```

Note that we specified a host here, so you must either add a hosts entry or set the Host header on the request:

```bash
curl --location --request GET "http://192.168.28.211" -H "Host: local.nginx"
```

or:

```bash
# add a hosts entry
192.168.28.211 local.nginx
# then request
curl http://local.nginx
```

Now we can reach the backend service.

What we used here is of course the native Kubernetes Ingress resource. We can instead create the route with the CRDs that apisix provides.

The test-route created above has to be deleted first.

```yaml
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: test-route-1
spec:
  http:
  - name: rule1
    match:
      paths:
      - /*
    backends:
    - serviceName: nginx
      servicePort: 80
```

This works fine too, but the inconvenience is that the route does not show up under ingresses in the kubepi instance we set up, so where either would do I still recommend the native Ingress resource. ApisixRoute does, however, let us apply apisix plugins, and that is the key point.

Setting up the dashboard

Personally, without a dashboard, configuring apisix is not particularly efficient.

So we can set up a dashboard for configuring the other routes.

As for the dashboard, the official GitHub repo explicitly states that it does not get along very well with the apisix ingress controller:

Works with APISIX Ingress Controller

Currently, APISIX Ingress Controller automatically manipulates some APISIX resources, which is not very compatible with APISIX Dashboard. In addition, users should not modify resources labeled managed-by: apisix-ingress-controllers via APISIX Dashboard.

I first downloaded the dashboard's config file from GitHub and adapted it slightly, then created it as a ConfigMap. Note that allow_list is not configured here, which needs attention in production. With a username and password in place it is not too big a problem.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: apisix-dashboard-config-map
  namespace: ingress-apisix
data:
  conf.yaml: |
    conf:
      listen:
        port: 9000
      # allow_list:          # If we don't set any IP list, then any IP access is allowed by default.
      #   - 127.0.0.1        # The rules are checked in sequence until the first match is found.
      #   - ::1              # In this example, access is allowed only for IPv4 network 127.0.0.1, and for IPv6 network ::1.
      #                      # It also support CIDR like 192.168.1.0/24 and 2001:0db8::/32
      etcd:
        endpoints:           # supports defining multiple etcd host addresses for an etcd cluster
          - apisix-etcd-headless:2379
        # yamllint disable rule:comments-indentation
        # etcd basic auth info
        # username: "root"   # ignore etcd username if not enable etcd auth
        # password: "123456" # ignore etcd password if not enable etcd auth
        mtls:
          key_file: ""       # Path of your self-signed client side key
          cert_file: ""      # Path of your self-signed client side cert
          ca_file: ""        # Path of your self-signed ca cert, the CA is used to sign callers' certificates
        # prefix: /apisix    # apisix config's prefix in etcd, /apisix by default
      log:
        error_log:
          level: warn        # supports levels, lower to higher: debug, info, warn, error, panic, fatal
          file_path:
            logs/error.log   # supports relative path, absolute path, standard output
                             # such as: logs/error.log, /tmp/logs/error.log, /dev/stdout, /dev/stderr
                             # such as absolute path on Windows: winfile:///C:\error.log
        access_log:
          file_path:
            logs/access.log  # supports relative path, absolute path, standard output
      max_cpu: 0             # supports tweaking with the numbe
    authentication:
      secret:
        secret               # secret for jwt token generation.
                             # NOTE: Highly recommended to modify this value to protect `manager api`.
                             # if it's default value, when `manager api` start, it will generate a random string to replace it.
      expire_time: 3600      # jwt token expire time, in second
      users:                 # yamllint enable rule:comments-indentation
        - username: admin    # username and password for login `manager api`
          password: admin
        - username: user
          password: user
    oidc:
      enabled: false
      expire_time: 3600
      client_id: dashboard
      client_secret: dashboard
      auth_url: http://172.17.0.1:8080/auth/realms/master/protocol/openid-connect/auth
      token_url: http://172.17.0.1:8080/auth/realms/master/protocol/openid-connect/token
      user_info_url: http://172.17.0.1:8080/auth/realms/master/protocol/openid-connect/userinfo
      redirect_url: http://127.0.0.1:9000/apisix/admin/oidc/callback
      scope: openid
    plugins:
      - api-breaker
      - authz-casbin
      - authz-casdoor
      - authz-keycloak
      - aws-lambda
      - azure-functions
      - basic-auth
      # - batch-requests
      - clickhouse-logger
      - client-control
      - consumer-restriction
      - cors
      - csrf
      - datadog
      # - dubbo-proxy
      - echo
      - error-log-logger
      # - example-plugin
      - ext-plugin-post-req
      - ext-plugin-post-resp
      - ext-plugin-pre-req
      - fault-injection
      - file-logger
      - forward-auth
      - google-cloud-logging
      - grpc-transcode
      - grpc-web
      - gzip
      - hmac-auth
      - http-logger
      - ip-restriction
      - jwt-auth
      - kafka-logger
      - kafka-proxy
      - key-auth
      - ldap-auth
      - limit-conn
      - limit-count
      - limit-req
      - loggly
      # - log-rotate
      - mocking
      # - node-status
      - opa
      - openid-connect
      - opentelemetry
      - openwhisk
      - prometheus
      - proxy-cache
      - proxy-control
      - proxy-mirror
      - proxy-rewrite
      - public-api
      - real-ip
      - redirect
      - referer-restriction
      - request-id
      - request-validation
      - response-rewrite
      - rocketmq-logger
      - server-info
      - serverless-post-function
      - serverless-pre-function
      - skywalking
      - skywalking-logger
      - sls-logger
      - splunk-hec-logging
      - syslog
      - tcp-logger
      - traffic-split
      - ua-restriction
      - udp-logger
      - uri-blocker
      - wolf-rbac
      - zipkin
      - elasticsearch-logge
      - openfunction
      - tencent-cloud-cls
      - ai
      - cas-auth
```



Then create the Deployment and the Service.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apisix-dashboard
  namespace: ingress-apisix
  labels:
    app: apisix-dashboard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: apisix-dashboard
  template:
    metadata:
      labels:
        app: apisix-dashboard
    spec:
      containers:
      - name: apisix-dashboard
        image: apache/apisix-dashboard
        ports:
        - containerPort: 9000
        volumeMounts:
        - name: config
          mountPath: /usr/local/apisix-dashboard/conf/conf.yaml
          subPath: conf.yaml
      volumes:
      - configMap:
          name: apisix-dashboard-config-map
        name: config

---
apiVersion: v1
kind: Service
metadata:
  name: apisix-dashboard
spec:
  selector:
    app: apisix-dashboard
  type: LoadBalancer
  ports:
  - port: 9000
    targetPort: 9000
```
```bash
kubectl -n ingress-apisix apply -f apisix-dashboard-config.yaml
kubectl -n ingress-apisix apply -f apisix-dashboard.yaml
```

Once created, open ip:9000; the username and password are both admin, and you are in the dashboard. In the route list we can also see the route created earlier, and its labels do carry managed-by:apisix-ingress-controller.
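The conf.yaml above leaves allow_list commented out, keeps the upstream default JWT secret and the admin/admin login. As an added example (not from the original post), this small shell lint scans a dashboard conf.yaml for exactly those three settings; the two sample files are constructed here, and the CIDR, secret and passphrase in the hardened one are placeholders.

```shell
# Added example, not from the original post: lint the dashboard conf.yaml for
# no allow_list, the default JWT "secret", and any user whose password equals
# the username. Prints one finding per line and always exits 0.
check_dashboard_conf() {
  awk '
    { sub(/#.*/, ""); sub(/[ \t]+$/, ""); if ($0 == "") next }  # drop comments, blanks
    /^[ \t]*allow_list:/ { has_allow_list = 1 }
    /^[ \t]*secret:/ {  # value is either inline or on the next line
      if (NF >= 2) { if ($2 == "secret") default_secret = 1 } else want_secret = 1
      next
    }
    want_secret == 1 { if ($1 == "secret") default_secret = 1; want_secret = 0 }
    /^[ \t]*- username:/ { user = $3; next }
    /^[ \t]*password:/ { if ($2 == user) weak_pw[user] = 1 }
    END {
      if (!has_allow_list) print "allow_list not set: any client IP can reach the manager API"
      if (default_secret)  print "authentication.secret is still the default value \"secret\""
      for (u in weak_pw)   print "user " u " has a password equal to its username"
    }' "$1"
}

# Constructed sample: the relevant parts of the conf.yaml used in this post.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
conf:
  listen:
    port: 9000
  # allow_list:
  #   - 127.0.0.1
authentication:
  secret:
    secret             # secret for jwt token generation.
  users:
    - username: admin
      password: admin
EOF

# Constructed sample: the same file with those three points addressed.
HARDENED_CONF=$(mktemp)
cat >"$HARDENED_CONF" <<'EOF'
conf:
  allow_list:
    - 10.42.0.0/16     # placeholder: restrict to the cluster pod network
authentication:
  secret: 9f3b2c7e1d4a6b8f0c2e4d6a8b0c2e4f   # placeholder, generate your own
  users:
    - username: admin
      password: a-long-random-passphrase      # placeholder
EOF

check_dashboard_conf "$WEAK_CONF"        # three findings
check_dashboard_conf "$HARDENED_CONF"    # no output
```

Run it against the conf.yaml you are about to put in the ConfigMap; an empty result means none of the three weak settings is present.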

Summary

An apisix-ingress setup can serve both as an ingress and as an ordinary gateway, which is genuinely handy.

It is also fairly easy to set up: install with helm, then configure the dashboard and it is ready to use.

What I did not expect, though, is that the gateway runs with only one replica. Scaling it up should not cause any problems.

Original author: Zer0e

Original link: https://re0.top/2024/07/23/devops8/

Published: July 23rd 2024, 9:30:00 pm

Updated: July 23rd 2024, 4:24:12 pm

License: This article is licensed under the Creative Commons Attribution-NonCommercial 4.0 International License
