apisix ingress controller使用指南

作者: 一瓶多先生 | 来源:发表于2022-08-31 14:52 被阅读0次

1.ingress.class示例

通过ingress.class方式暴露服务

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: apisix-dashboard
  annotations:
    kubernetes.io/ingress.class: apisix
spec:
  rules:
  - host: apisix-dashboard.example.com
    http:
      paths:
      - backend:
          serviceName: apisix-dashboard
          servicePort: 80
        path: /*
        pathType: Prefix

首先确定apifix-ingress-controller配置文件中ingress_class的值，默认为apisix

注意如果要匹配跟下面的所有路径，需要将path配置为/*, 也可以配置pathType: Prefix会创建/ /* 两个路径 其它的用法完全符合ingress的默认配置，annotation可配置参数参考官方文档

2.crd基础示例

2.1.ApisixRoute基本用法

先在集群中部署httpbin服务

kubectl run httpbin --image kennethreitz/httpbin --port 80
kubectl expose pod httpbin --port 80

创建httpbin-route.yaml文件，内容如下：

apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpserver-route
spec:
  http:
  - name: rule1
    match:
      hosts:
      - httpbin.example.com
      paths:
      - /*
    backends:
       - serviceName: httpbin
         servicePort: 80

可以使用两种路径类型prefix、exact,默认为exact，如果prefix需要，只需附加一个，例如，/id/匹配前缀为的所有路径/id/。

测试过程如下：

➜  ~ curl -H "Host: httpbin.example.com" http://internal/headers/ -v
*   Trying internal...
* TCP_NODELAY set
* Connected to internal (internal) port 80 (#0)
> GET / HTTP/1.1
> Host: httpbin.example.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8
< Content-Length: 9593
< Connection: keep-alive
< Date: Tue, 16 Aug 2022 09:07:36 GMT
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
< Server: APISIX/2.15.0

2.2.ApisixTls基本用法

ApisixTls主要用来维护https证书

需要先创建tls secret

kubectl -n kube-system create secret tls traefik-ui-tls-cert --key=tls.key --cert=tls.crt

创建httpbin-tls.yaml文件，内容如下：

apiVersion: apisix.apache.org/v2
kind: ApisixTls
metadata:
  name: wildcard.example.com-ApisixTls
spec:
  hosts:
  - "*.example.com"
  secret:
    name: wildcard.example.com-tls-secret
    namespace: ingress-apisix

通过该方式创建的ssl证书，对apisix全局服务都有效，apisix会根据请求域名动态选择

2.3.ApisixUpstream基本用法

ApisixUpstream 需要配置成和Kubernetes Service相同的名字，通过添加负载均衡、健康检查、重试、超时参数等使 Kubernetes Service 更加丰富。

如果不使用ApisixUpstream，则loadbalancer的类型为roundrobin

apiVersion: apisix.apache.org/v2
kind: ApisixUpstream
metadata:
  name: httpbin
spec:
  loadbalancer:
    type: ewma
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
spec:
  selector:
    app: httpbin
  ports:
  - name: http
    port: 80
    targetPort: 8080

其中loadbalancer支持如下四种类型

Round robin: 轮询，配置为type: roundrobin

Least loaded: 最小链接,配置为type: least_conn

Peak EWMA: 维护每个副本往返时间的移动平均值，按未完成请求的数量加权，并将流量分配到成本函数最小的副本。配置为type: ewma

chash: 一致性哈希配置为type: chash

3.ApisixRoute使用进阶

3.1.ApisixRoute配置多个域名和路径

apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpserver-route
spec:
  http:
  - name: rule1
    match:
      hosts:
      - local.example.com
      - local01.example.com
      paths:
      - /*
      - /api
    backends:
       - serviceName: httpbin
         servicePort: 80

3.2.路径`/api`特殊配制，路径`/`无特殊配制

apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpserver-route
spec:
  http:
  - name: httpserver-route
    match:
      hosts:
      - local.example.com
      paths:
      - /api*
    backends:
    - serviceName: httpbin
      servicePort: 8000
    plugins:
    - name: proxy-rewrite 
      enable: true
      config: 
        regex_uri: ["^/api(/|$)(.*)", "/$2"]
  - name: default-route
    match:
      hosts:
      - local.example.com
      paths:
      - /*
    backends:
    - serviceName: httpbin
      servicePort: 8000

apisix中会创建两个route，分别是httpserver-route 和 default-route

3.3.ApisixRoute添加插件

apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpbin-route
spec:
  http:
    - name: httpbin
      match:
        hosts:
        - local.httpbin.org
        paths:
          - /*
      backends:
      - serviceName: foo
        servicePort: 80
      plugins:
        - name: gzip
          enable: true

3.4.HTTP强跳HTTPS

apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpserver-route
spec:
  http:
  - name: httpserver-route
    match:
      hosts:
      - local.example.com
      paths:
      - /*
    backends:
    - serviceName: httpbin
      servicePort: 8000
    plugins:
    - name: redirect
      enable: true
      config: 
        http_to_https: true

3.5.域名跳转

local.example.com跳转到local01.example.com

apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpserver-route
spec:
  http:
  - name: httpserver-route
    match:
      hosts:
      - local.example.com
      paths:
      - /*
    backends:
    - serviceName: httpbin
      servicePort: 8000
    plugins:
    - name: redirect
      enable: true
      config: 
        uri: "https://local01.example.com$request_uri"

3.6.rewrite路径跳转

3.6.1./api/header 转/header

方法一：使用redirect插件，页面会发生302跳转

apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpserver-route
spec:
  http:
  - name: httpserver-route
    match:
      hosts:
      - local.example.com
      paths:
      - /*
    backends:
    - serviceName: httpbin
      servicePort: 8000
    plugins:
    - name: redirect
      enable: true
      config: 
        regex_uri: ["^/api(/|$)(.*)", "/$2"]

方法二：使用proxy-rewrite 插件，页面不会302跳转

apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpserver-route
spec:
  http:
  - name: httpserver-route
    match:
      hosts:
      - local.example.com
      paths:
      - /*
    backends:
    - serviceName: httpbin
      servicePort: 8000
    plugins:
    - name: proxy-rewrite 
      enable: true
      config: 
        regex_uri: ["^/api(/|$)(.*)", "/$2"]

3.6.2./header转/api/header

使用proxy-rewrite 插件，页面不会302跳转

apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpserver-route
spec:
  http:
  - name: httpserver-route
    match:
      hosts:
      - local.example.com
      paths:
      - /*
    backends:
    - serviceName: httpbin
      servicePort: 8000
    plugins:
    - name: proxy-rewrite 
      enable: true
      config: 
        uri: /api/$uri

3.7.基于用户名和密码的认证**

basix-auth插件需要与 Consumer 一起使用才能实现该功能。开启认证的apisixroute会自动匹配用户名

apiVersion: apisix.apache.org/v2
kind: ApisixConsumer
metadata:
  name: httpserver-basicauth
spec:
  authParameter:
    basicAuth:
      value:
        username: admin
        password: admin
---
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpserver-route
spec:
  http:
  - name: httpserver-route
    match:
      hosts:
      - local.example.com
      paths:
      - /*
    backends:
    - serviceName: httpbin
      servicePort: 8000
    authentication:
      enable: true 
      type: basicAuth

测试：

curl -i -uadmin:admin https://local.example.com/

3.8.基于apikey的认证

key-auth插件需要与 Consumer 一起使用才能实现该功能。开启认证的apisixroute会自动匹配key

apiVersion: apisix.apache.org/v2
kind: ApisixConsumer
metadata:
  name: httpserver-basicauth
spec:
  authParameter:
    keyAuth:
      value:
        key: admin
---
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpserver-route
spec:
  http:
  - name: httpserver-route
    match:
      hosts:
      - local.example.com
      paths:
      - /*
    backends:
    - serviceName: httpbin
      servicePort: 8000
    authentication:
      enable: true 
      type: keyAuth

测试:

curl -H 'apikey:admin' https://local.example.com/

3.9.限制站点的用户名和密码

通过3.6.基于用户名和密码的认证和3.7.基于apikey的说法，有没有办法用户名和密码只针对一个站点生效, 创建两个consumer，分别是admin01和宫秀德，只允许admin可以进行认证。

apiVersion: apisix.apache.org/v2
kind: ApisixConsumer
metadata:
  name: httpserver-basicauth-admin
spec:
  authParameter:
    basicAuth:
      value:
        username: admin
        password: admin
---
apiVersion: apisix.apache.org/v2
kind: ApisixConsumer
metadata:
  name: httpserver-basicauth-admin01
spec:
  authParameter:
    basicAuth:
      value:
        username: admin01
        password: admin01
---
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpserver-route
spec:
  http:
  - name: httpserver-route
    match:
      hosts:
      - local.example.com
      paths:
      - /*
    backends:
    - serviceName: httpbin
      servicePort: 8000
    plugins:
    - name: consumer-restriction
      enable: true
      config:
        whitelist: 
        - ingress_apisix_httpserver_basicauth_admin 
    authentication:
      enable: true 
      type: basicAuth

httpserver-basicauth-admin需要添加ingress-controller添加的默认前缀ingress_apisix，否则会报403，所以全名为ingress_apisix_httpserver_basicauth_admin

测试admin01访问

> curl -i -uadmin01:admin01 https://local.example.com/
HTTP/2 403
date: Tue, 30 Aug 2022 08:00:04 GMT
content-type: text/plain; charset=utf-8
server: APISIX/2.15.0

{"message":"The consumer_name is forbidden."}

测试admin访问

curl -i -uadmin:admin https://local.example.com/
HTTP/2 200
content-type: text/html; charset=utf-8
content-length: 615
date: Tue, 30 Aug 2022 07:55:55 GMT
last-modified: Wed, 25 May 2022 10:01:40 GMT
etag: "628dfe84-267"
accept-ranges: bytes
server: APISIX/2.15.0
.........

3.10.基于IP的白名单配置

ip-restriction插件实现该功能, 只允许10.10.50.207 10.0.0.0/16 访问站点

apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpserver-route
spec:
  http:
  - name: httpserver-route
    match:
      hosts:
      - local.example.com
      paths:
      - /*
    backends:
    - serviceName: httpbin
      servicePort: 8000
    plugins:
    - name: ip-restriction
      enable: true
      config:
        whitelist: 
        - 10.10.50.207
        - 10.0.0.0/16

白名单中地址测试正常打开页面

非白名单地址测试

> curl  https://local.example.com/
{"message":"Your IP address is not allowed"}

3.11.基于IP的黑名单限制

ip-restriction插件实现该功能, 不允许10.10.50.207 访问站点

apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpserver-route
spec:
  http:
  - name: httpserver-route
    match:
      hosts:
      - local.example.com
      paths:
      - /*
    backends:
    - serviceName: httpbin
      servicePort: 8000
    plugins:
    - name: ip-restriction
      enable: true
      config:
        blacklist: 
        - 10.10.50.207

测试

> curl  https://local.example.com/
{"message":"Your IP address is not allowed"}

3.12.添加自定义配置

4.灰度发布

4.1.准备环境

4.1.1.stable版本

# vim s1-stable.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: myapp-stable-service
  namespace: default
spec:
  ports:
  - port: 80
    targetPort: 80
    name: http-port
  selector:
    app: myapp
    version: stable
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-stable
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
      version: stable
  template:
    metadata:
      labels:
        app: myapp
        version: stable
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/public-registry-fzh/myapp:v1
        imagePullPolicy: IfNotPresent
        name: myapp-stable
        ports:
        - name: http-port
          containerPort: 80
        env:
        - name: APP_ENV
          value: stable

4.1.2.canary版本

# vim s2-canary.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: myapp-canary-service
  namespace: canary
spec:
  ports:
  - port: 80
    targetPort: 80
    name: http-port
  selector:
    app: myapp
    version: canary
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-canary
  namespace: canary
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
      version: canary
  template:
    metadata:
      labels:
        app: myapp
        version: canary
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/public-registry-fzh/myapp:v2
        imagePullPolicy: IfNotPresent
        name: myapp-canary
        ports:
        - name: http-port
          containerPort: 80
        env:
        - name: APP_ENV
          value: canary

4.2.基于weight分流

# vim s3-apisixroute-weight.yaml 
---
apiVersion: apisix.apache.org/v2beta3
kind: ApisixRoute
metadata:
  name: myapp-canary-apisixroute
  namespace: canary 
spec:
  http:
  - name: myapp-canary-rule
    match:
      hosts:
      - myapp.example.com
      paths:
      - /
    backends:
    - serviceName: myapp-stable-service
      servicePort: 80
      weight: 10
    - serviceName: myapp-canary-service
      servicePort: 80
      weight: 1

创建服务和路由等

➜  kubectl apply -f ./
service/myapp-stable-service unchanged
deployment.apps/myapp-stable unchanged
service/myapp-canary-service unchanged
deployment.apps/myapp-canary unchanged
apisixroute.apisix.apache.org/myapp-canary-apisixroute unchanged
➜  kubectl get pods -n canary
NAME                           READY   STATUS    RESTARTS   AGE
myapp-canary-9ff4c55f9-ndjrs   1/1     Running   0          15s
myapp-stable-5fdf6bd75-sq8df   1/1     Running   0          75s
➜  kubectl get apisixroute -n canary
NAME                       HOSTS                   URIS   AGE
myapp-canary-apisixroute   [myapp.example.com]   [/]    97s

测试weight灰度

Stable和 Canary 的比例约为10:1

  ~ for i in `seq 30`;do curl https://myapp.example.com;done
myapp:v1
myapp:v1
.......
myapp:v2
myapp:v1
myapp:v1
myapp:v2
myapp:v1
myapp:v1
myapp:v1
.......
myapp:v1
myapp:v1
myapp:v2
myapp:v1
myapp:v1
myapp:v2

4.3.基于优先级分流

# vim s4-priority.yaml
apiVersion: apisix.apache.org/v2beta3
kind: ApisixRoute
metadata:
  name: myapp-canary-apisixroute2
  namespace: canary
spec:
  http:
  - name: myapp-stable-rule2
    priority: 1
    match:
      hosts:
      - myapp.example.com
      paths:
      - /
    backends:
    - serviceName: myapp-stable-service
      servicePort: 80
  - name: myapp-canary-rule2
    priority: 2
    match:
      hosts:
      - myapp.example.com
      paths:
      - /
    backends:
    - serviceName: myapp-canary-service
      servicePort: 80

测试，流量会优先打入优先级高的pod

➜  ~ for i in `seq 30`;do curl https://myapp.example.com;done
myapp:v2
myapp:v2
........
myapp:v2
myapp:v2
myapp:v2
myapp:v2

4.4.基于header分流

# vim  canary-header.yaml 
---
apiVersion: apisix.apache.org/v2beta3
kind: ApisixRoute
metadata:
  name: myapp-canary-apisixroute3
  namespace: canary 
spec:
  http:
  - name: myapp-stable-rule3
    priority: 1
    match:
      hosts:
      - myapp.example.com
      paths:
      - /
    backends:
    - serviceName: myapp-stable-service
      servicePort: 80
  - name: myapp-canary-rule3
    priority: 2
    match:
      hosts:
      - myapp.example.com
      paths:
      - /
      exprs:
      - subject:
          scope: Header
          name: canary
        op: RegexMatch
        value: ".*myapp.*"
    backends:
    - serviceName: myapp-canary-service
      servicePort: 80

测试

➜  ~ curl https://myapp.example.com
myapp:v1
➜  ~ curl https://myapp.example.com
myapp:v1
➜  ~ curl https://myapp.example.com
myapp:v1
➜  ~ curl https://myapp.example.com -X GET -H "canary: 124myapp"
myapp:v2
➜  ~ curl https://myapp.example.com -X GET -H "canary: myapp"
myapp:v2
➜  ~ curl https://myapp.example.com -X GET -H "canary: xiamyapp"
myapp:v2
➜  ~ curl https://myapp.example.com -X GET -H "stable: xiamyapp"
myapp:v1
➜  ~ curl https://myapp.example.com -X GET -H "stable: myapp"
myapp:v1

4.5.基于参数的分流

# cat vars.yaml 
---
apiVersion: apisix.apache.org/v2beta3
kind: ApisixRoute
metadata:
  name: myapp-canary-apisixroute3
  namespace: canary 
spec:
  http:
  - name: myapp-stable-rule3
    priority: 1
    match:
      hosts:
      - myapp.example.com
      paths:
      - /
    backends:
    - serviceName: myapp-stable-service
      servicePort: 80
  - name: myapp-canary-rule3
    priority: 2
    match:
      hosts:
      - myapp.example.com
      paths:
      - /
      exprs:
      - subject:
          scope: Query
          name: id
        op: In
        set:
        - "12"
        - "23"
        - "45"
        - "67"
    backends:
    - serviceName: myapp-canary-service
      servicePort: 80

测试

➜  ~ curl https://myapp.example.com
myapp:v1
➜  ~ curl https://myapp.example.com
myapp:v1
➜  ~ curl https://myapp.example.com
myapp:v1
➜  ~ curl https://myapp.example.com
myapp:v1
➜  ~ curl https://myapp.example.com/\?id\=12
myapp:v2
➜  ~ curl https://myapp.example.com/\?id\=23
myapp:v2
➜  ~ curl https://myapp.example.com/\?id\=45
myapp:v2
➜  ~ curl https://myapp.example.com/\?id\=67
myapp:v2
➜  ~ curl https://myapp.example.com/\?id\=89
myapp:v1
➜  ~ curl https://myapp.example.com/\?id\=143
myapp:v1

4.6.基于cookie分流

apiVersion: apisix.apache.org/v2beta3
kind: ApisixRoute
metadata:
  name: myapp-canary-apisixroute
  namespace: default 
spec:
  http:
  - name: myapp-stable-rule3
    priority: 1
    match:
      hosts:
      - myapp.example.com
      paths:
      - /
    backends:
    - serviceName: myapp-stable-service
      servicePort: 80
  - name: myapp-canary-rule3
    priority: 2
    match:
      hosts:
      - myapp.example.com
      paths:
      - /
      exprs:
      - subject:
          scope: Cookie
          name: canary_v5
        op: Equal
        value: "always"
    backends:
    - serviceName: myapp-canary-service
      servicePort: 80

测试携带cookie：

➜  ~ curl --cookie "canary_v5=always" "http://myapp.example.com"
myapp:v2

测试不携带cookie

➜  ~ curl  "http://myapp.example.com"
myapp:v1

apisix ingress controller使用指南

1.ingress.class示例

通过ingress.class方式暴露服务

2.crd基础示例

2.1.ApisixRoute基本用法

2.2.ApisixTls基本用法

2.3.ApisixUpstream基本用法

3.ApisixRoute使用进阶

3.1.ApisixRoute配置多个域名和路径

3.2.路径`/api`特殊配制，路径`/`无特殊配制

3.3.ApisixRoute添加插件

3.4.HTTP强跳HTTPS

3.5.域名跳转

3.6.rewrite路径跳转

3.6.1./api/header 转/header

3.6.2./header转/api/header

3.7.基于用户名和密码的认证**

3.8.基于apikey的认证

3.9.限制站点的用户名和密码

3.10.基于IP的白名单配置

3.11.基于IP的黑名单限制

4.灰度发布

4.1.准备环境

4.1.1.stable版本

4.1.2.canary版本

4.2.基于weight分流

4.3.基于优先级分流

4.4.基于header分流

4.5.基于参数的分流

4.6.基于cookie分流

相关文章

网友评论

延伸阅读

深度阅读

栏目导航

热点阅读

apisix ingress controller使用指南

1.ingress.class示例

通过ingress.class方式暴露服务

2.crd基础示例

2.1.ApisixRoute基本用法

2.2.ApisixTls基本用法

2.3.ApisixUpstream基本用法

3.ApisixRoute使用进阶

3.1.ApisixRoute配置多个域名和路径

3.2.路径/api特殊配制，路径/无特殊配制

3.3.ApisixRoute添加插件

3.4.HTTP强跳HTTPS

3.5.域名跳转

3.6.rewrite路径跳转

3.6.1./api/header 转/header

3.6.2./header转/api/header

3.7.基于用户名和密码的认证**

3.8.基于apikey的认证

3.9.限制站点的用户名和密码

3.10.基于IP的白名单配置

3.11.基于IP的黑名单限制

4.灰度发布

4.1.准备环境

4.1.1.stable版本

4.1.2.canary版本

4.2.基于weight分流

4.3.基于优先级分流

4.4.基于header分流

4.5.基于参数的分流

4.6.基于cookie分流

相关文章

网友评论

延伸阅读

深度阅读

栏目导航

热点阅读

3.2.路径`/api`特殊配制，路径`/`无特殊配制