K8S中部署apisix(非ingress)
阅读原文时间:2023年07月09日阅读:5

不使用pvc的方式在K8S中部署apisix-gateway

因为公司项目准备重构,现在做技术储备,之前公司项目使用的ocelot做网关,ocelot是.net平台下的一个网关,也是很不错,但是在选型的时候需要考虑到性能问题,所以在这次重构中抛弃了ocelot,看了apisix和kong,kong也是一个很不错的网关,不过因为对kong不太了解,刚好有朋友在用apisix所以就选了apisix来做新的网关,避免了重复掉到坑里面。不单单是部署,后面还要使用apisix进行身份认证等一系列的插件都会使用,所以慢慢更新吧。

  • 我的apisix使用etcd作为数据存储服务器,官方的使用pvc方式或者docker-compose的方式,对于新手不太友好,本篇是从etcd的安装到apisix的打通都会涉及。

  • apisix是服务端,用来进行网络请求转发。

  • apisix-dashboard是他的控制面板,用来进行可视化配置。

    • apisix介绍

      apisix是基于 OpenResty + etcd 实现的云原生、高性能、可扩展的微服务 API 网关。它是国人开源,目前已经进入 Apache 进行孵化。APISIX 通过插件机制,提供了动态负载平衡、身份验证、限流限速等等功能,当然我们也可以自己开发插件进行拓展。

      • 动态负载均衡:跨多个上游服务的动态负载均衡,目前已支持 round-robin 轮询和一致性哈希算法。
      • 身份验证:支持 key-auth、JWT、basic-auth、wolf-rbac 等多种认证方式。
      • 限流限速:可以基于速率、请求数、并发等维度限制。

etcd 是一个分布式键值对存储,设计用来可靠而快速的保存关键数据并提供访问。通过分布式锁,leader选举和写屏障(write barriers)来实现可靠的分布式协作。etcd集群是为高可用,持久性数据存储和检索而准备。

  • ubuntu部署etcd

    • ubuntu中部署etcd的两种方式:

      一种是去GitHub下载二进制的安装包,还有一种是apt-get install etcd,第二种方式我也尝试过,可能是我软件源的问题,版本有点老,所以我就换成了使用第一种方式,而且也比较推荐使用第一种方式。

    • 我用的etcd下载的版本是3.5.2,废话不多说直接看步骤:

    • 1.1、将etcd etcdctl etcdutl 二进制文件拷贝到/usr/local/bin目录下

      /usr/local/bin
    • 1.2、创建一个etcd的etcd.conf.yml,将下面代码拷贝进去,我这里etcd就简单的配置了一下,没有做集群,所以yml很简单。

      name: etcd-1
      data-dir: /home/etcd/data
      listen-client-urls: http://0.0.0.0:2379
      advertise-client-urls: http://0.0.0.0:2379
    • 1.3、通过etcd --config-file etcd.conf.yml的路径运行,如下图就是成功了,也可以使用etcd manager客户端来测试。

    • 1.4、如果使用etcd直接启动的话没有办法后台运行,所以我们需要在/etc/systemd/system目录下创建一个etcd.service来进行后台运行。

      [Unit]
      Description=ETCD Server
      Documentation=https://github.com/coreos/etcd
      After=network-online.target
      Wants=network-online.target
      
      [Service]
      User=root
      Group=root
      ExecStart= etcd --config-file /home/etcd/etcd.conf.yml
      
      [Install]
      WantedBy=multi-user.target
    • 1.5、创建好之后可以通过以下命令来确定运行状态如下图:

      # 启动
      sudo systemctl start etcd.service
      # 查看状态
      sudo systemctl status etcd.service
      # 开机自启
      sudo systemctl enable etcd.service

    • 1.6、设置用户名和密码

      # 设置版本为V3
      export ETCDCTL_API=3
      # 添加用户
      etcdctl user add root
      # 开启认证
      etcdctl auth enable

apisix-gateway在部署的时候分为两块,分别是apisix和apisix-dashboard面板,所以看起来比较绕,不过apisix在部署的时候使用的是yaml文件覆盖的方式,所以我这里是将yaml存储到configmap中了,方便进行统一管理。我使用的k8s是Ubuntu出品的microk8s,用它的主要原因是因为配置简单。

  • 2.1部署apisix

    2.1.1、创建apisix.conf.yaml,并存储到configmap中,

    apisix:
    node_listen: 9080              # APISIX listening port
    enable_ipv6: false
    
    allow_admin:                  # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
        - 0.0.0.0/0              # We need to restrict ip access rules for security. 0.0.0.0/0 is for test.
    
    admin_key:
    - name: "admin"
        key: edd1c9f034335f136f87ad84b625c8f1
        role: admin                 # admin: manage all configuration data
                                    # viewer: only can view configuration data
    - name: "viewer"
        key: 4054f7cf07e344346cd3f287985e76a2
        role: viewer
    
    enable_control: true
    control:
        ip: "0.0.0.0"
        port: 9092
    
    etcd:
    host:          # supports defining multiple etcd host addresses for an etcd cluster
        - "http://192.168.31.170:2379"
    user: "root"    # ignore etcd username if not enable etcd auth
    password: "root"  # ignore etcd password if not enable etcd auth
    
    discovery:
    nacos:
        host:
        - "http://47.100.213.49:8848"
        prefix: "/nacos/v1/"
        fetch_interval: 30    # default 30 sec
        weight: 100           # default 100
        timeout:
        connect: 2000       # default 2000 ms
        send: 2000          # default 2000 ms
        read: 5000          # default 5000 ms
    
    plugin_attr:
    prometheus:
        export_addr:
        ip: "0.0.0.0"
        port: 9091
    
    plugins:
    - client-control
    - ext-plugin-pre-req
    - zipkin
    - request-id
    - fault-injection
    - serverless-pre-function
    - batch-requests
    - cors
    - ip-restriction
    - ua-restriction
    - referer-restriction
    - uri-blocker
    - request-validation
    - openid-connect
    - wolf-rbac
    - hmac-auth
    - basic-auth
    - jwt-auth
    - key-auth
    - consumer-restriction
    - authz-keycloak
    - proxy-mirror
    - proxy-cache
    - proxy-rewrite
    - api-breaker
    - limit-conn
    - limit-count
    - limit-req
    - gzip
    - server-info
    - traffic-split
    - redirect
    - response-rewrite
    - grpc-transcode
    - prometheus
    - echo
    - http-logger
    - sls-logger
    - tcp-logger
    - kafka-logger
    - syslog
    - udp-logger
    - serverless-post-function
    - ext-plugin-post-req
    
    stream_plugins:
    - ip-restriction
    - limit-conn
    - mqtt-proxy

    2.1.2、使用kubectl命令创建configmap

    # 将config.yaml 存储到k8s的configmap中
    kubectl create configmap sukt-apisix-gateway-config --from-file=config.yaml=/home/sukt-platform/apisix/apisix-gateway-config.yaml -n sukt-platform

    2.1.3、新建apisix-deployment.yaml

    apiVersion: apps/v1
    kind: Deployment
    metadata:
    name: sukt-apisix-gateway
    namespace: sukt-platform
    spec:
    selector:
        matchLabels:
        app: sukt-apisix-gateway
    template:
        metadata:
        labels:
            app: sukt-apisix-gateway
        spec:
        containers:
        - name: sukt-apisix-gateway
            image: apache/apisix:2.10.3-alpine
            imagePullPolicy: IfNotPresent
            resources:
            limits:
                cpu: 500m
                memory: 1Gi
            requests:
                cpu: 250m
                memory: 256Mi
            securityContext:
            privileged: false
            terminationMessagePath: /dev/termination-log
            terminationMessagePolicy: File
            volumeMounts:
            - mountPath: /usr/local/apisix/conf/config.yaml
            name: config
            subPath: config.yaml
            ports:
            - containerPort: 9080
            - containerPort: 9443
        dnsPolicy: ClusterFirst
        restartPolicy: Always
        schedulerName: default-scheduler
        securityContext: {}
        terminationGracePeriodSeconds: 30
        volumes:
            - configMap:
                defaultMode: 420
                name: sukt-apisix-gateway-config
            name: config

    2.1.4、新建apisix-service.yaml

    apiVersion: v1
    kind: Service
    metadata:
    name: sukt-apisix-gateway-nodetype
    labels:
        app: sukt-apisix-gateway-nodetype
    namespace: sukt-platform
    spec:
    type: NodePort
    selector:
        app: sukt-apisix-gateway
    ports:
    - port: 9080
        name: transfer1
        targetPort: 9080
        nodePort: 30107
    - port: 9443
        name: transfer2
        targetPort: 9443
        nodePort: 30108
  • 2、部署apisix-dashboard

    2.2.1、创建apisix-dashboard-config.yaml,并存储到configmap中,

    #
    # Licensed to the Apache Software Foundation (ASF) under one or more
    # contributor license agreements.  See the NOTICE file distributed with
    # this work for additional information regarding copyright ownership.
    # The ASF licenses this file to You under the Apache License, Version 2.0
    # (the "License"); you may not use this file except in compliance with
    # the License.  You may obtain a copy of the License at
    #
    #     http://www.apache.org/licenses/LICENSE-2.0
    #
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.
    #
    
    conf:
    listen:
        host: 0.0.0.0     # `manager api` listening ip or host name
        port: 9000          # `manager api` listening port
    allow_list:           # If we don't set any IP list, then any IP access is allowed by default.
        - 0.0.0.0/0
    etcd:
        endpoints:          # supports defining multiple etcd host addresses for an etcd cluster
        - "http://192.168.31.170:2379"
                            # yamllint disable rule:comments-indentation
                            # etcd basic auth info
        username: "root"    # ignore etcd username if not enable etcd auth
        password: "root"  # ignore etcd password if not enable etcd auth
        mtls:
        key_file: ""          # Path of your self-signed client side key
        cert_file: ""         # Path of your self-signed client side cert
        ca_file: ""           # Path of your self-signed ca cert, the CA is used to sign callers' certificates
        # prefix: /apisix     # apisix config's prefix in etcd, /apisix by default
    log:
        error_log:
        level: warn       # supports levels, lower to higher: debug, info, warn, error, panic, fatal
        file_path:
            logs/error.log  # supports relative path, absolute path, standard output
                            # such as: logs/error.log, /tmp/logs/error.log, /dev/stdout, /dev/stderr
        access_log:
        file_path:
            logs/access.log  # supports relative path, absolute path, standard output
                            # such as: logs/access.log, /tmp/logs/access.log, /dev/stdout, /dev/stderr
                            # log example: 2020-12-09T16:38:09.039+0800    INFO    filter/logging.go:46    /apisix/admin/routes/r1 {"status": 401, "host": "127.0.0.1:9000", "query": "asdfsafd=adf&a=a", "requestId": "3d50ecb8-758c-46d1-af5b-cd9d1c820156", "latency": 0, "remoteIP": "127.0.0.1", "method": "PUT", "errs": []}
    authentication:
    secret:
        secret              # secret for jwt token generation.
                            # NOTE: Highly recommended to modify this value to protect `manager api`.
                            # if it's default value, when `manager api` start, it will generate a random string to replace it.
    expire_time: 3600     # jwt token expire time, in second
    users:                # yamllint enable rule:comments-indentation
        - username: admin   # username and password for login `manager api`
        password: P@ssW0rd
        - username: user
        password: P@ssW0rd
    
    plugins:                          # plugin list (sorted in alphabetical order)
    - api-breaker
    - authz-keycloak
    - basic-auth
    - batch-requests
    - consumer-restriction
    - cors
    # - dubbo-proxy
    - echo
    # - error-log-logger
    # - example-plugin
    - fault-injection
    - grpc-transcode
    - hmac-auth
    - http-logger
    - ip-restriction
    - jwt-auth
    - kafka-logger
    - key-auth
    - limit-conn
    - limit-count
    - limit-req
    # - log-rotate
    # - node-status
    - openid-connect
    - prometheus
    - proxy-cache
    - proxy-mirror
    - proxy-rewrite
    - redirect
    - referer-restriction
    - request-id
    - request-validation
    - response-rewrite
    - serverless-post-function
    - serverless-pre-function
    # - skywalking
    - sls-logger
    - syslog
    - tcp-logger
    - udp-logger
    - uri-blocker
    - wolf-rbac
    - zipkin
    - server-info
    - traffic-split

    2.2.2、使用kubectl命令创建configmap

    # 将config.yaml 存储到k8s的configmap中
    kubectl create configmap sukt-apisix-dashboard-config --from-file=config.yaml=/home/sukt-platform/apisix/apisix-dashboard-config.yaml -n sukt-platform

    2.2.3、新建apisix-dashboard-deployment.yaml

    apiVersion: apps/v1
    kind: Deployment
    metadata:
    name: sukt-apisix-dashboard
    namespace: sukt-platform
    spec:
    selector:
        matchLabels:
        app: sukt-apisix-dashboard
    template:
        metadata:
        labels:
            app: sukt-apisix-dashboard
        spec:
        nodeName: microk8sslave1 # 部署到指定的node节点
        containers:
        - name: sukt-apisix-dashboard
            image: apache/apisix-dashboard:2.10.1-alpine
            imagePullPolicy: IfNotPresent
            resources:
            limits:
                cpu: 500m
                memory: 1Gi
            requests:
                cpu: 250m
                memory: 256Mi
            securityContext:
            privileged: false
            terminationMessagePath: /dev/termination-log
            terminationMessagePolicy: File
            volumeMounts:
            - mountPath: /usr/local/apisix-dashboard/conf/conf.yaml
            name: config
            subPath: config.yaml #这个位置对应的是comfigmap中的名字,不是 /usr/local/apisix-dashboard/conf/conf.yaml
            ports:
            - containerPort: 9000
        dnsPolicy: ClusterFirst
        restartPolicy: Always
        schedulerName: default-scheduler
        securityContext: {}
        terminationGracePeriodSeconds: 30
        volumes:
            - configMap:
                defaultMode: 420
                name: sukt-apisix-dashboard-config
            name: config

    2.2.4、新建apisix-dashboard-service.yaml

    apiVersion: v1
    kind: Service
    metadata:
    name: sukt-apisix-dashboard-nodetype
    labels:
        app: sukt-apisix-dashboard-nodetype
    namespace: sukt-platform
    spec:
    type: NodePort
    selector:
        app: sukt-apisix-dashboard
    ports:
    - port: 9000
        name: transfer1
        targetPort: 9000
        nodePort: 30109
  • 运行效果图

    可以通过dashboard面板的系统信息查看apisix-gateway的运行信息

apisix-gateway文章分为一个专题,本篇只是讲解了如何在k8s中安装以及启动,后面会讲解如何进行转发以及其他功能等。

手机扫一扫

移动阅读更方便

阿里云服务器
腾讯云服务器
七牛云服务器