apisix

apisix

https://apisix.apache.org/zh/docs/apisix/getting-started/README/

apisix-config.yaml
./conf/apisix-config.yaml
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

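# Gateway (data-plane) listener and the Control API listener.
# The listing had lost its line breaks and nesting; the structure is restored here.
apisix:
  node_listen: 9080        # APISIX listening port
  enable_ipv6: false

  # The Control API gets its own listener, bound to every interface of the
  # container. Who can reach it is therefore decided by the network around
  # the container (published ports, firewall rules).
  # NOTE(review): this page sets no credential for the listener. Keep port
  # 9092 reachable only from hosts that need it; the compose file on this page
  # also publishes it to the host.
  enable_control: true
  control:
    ip: "0.0.0.0"
    port: 9092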
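# Admin API access control and the etcd configuration store.
# The listing had lost its line breaks and nesting; the structure is restored here.
deployment:
  admin:
    # Source addresses allowed to call the Admin API.
    # https://nginx.org/en/docs/http/ngx_http_access_module.html#allow
    # With admin_listen on 0.0.0.0, this list and admin_key are the only two
    # gates in front of the Admin API.
    allow_admin:
      - "127.0.0.0/24"     # We need to restrict ip access rules for security. 0.0.0.0/0 is for test.
    admin_listen:
      ip: "0.0.0.0"        # IP the Admin API listens on; "0.0.0.0" is the default when unset.
      port: 9180           # Port the Admin API listens on; must differ from node_listen.
    # NOTE(review): both key values below are the sample keys published with
    # APISIX itself, so they authenticate nobody. Replace them with freshly
    # generated random values before port 9180 is reachable by anything other
    # than the operator, and keep the real values out of version control.
    admin_key:
      - name: "admin"
        key: "edd1c9f034335f136f87ad84b625c8f1"
        role: admin        # admin: manage all configuration data
      - name: "viewer"
        key: "4054f7cf07e344346cd3f287985e76a2"
        role: viewer
  # etcd is reached over plain HTTP with no user or password configured here,
  # so the stored routes are protected only by network isolation of port 2379.
  etcd:
    host:                  # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
      - "http://etcd:2379" # multiple etcd address
    prefix: "/apisix"      # apisix configurations prefix
    timeout: 30            # 30 seconds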
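# Per-plugin attributes: the Prometheus exporter is served on its own listener.
# The listing had lost its line breaks and nesting; the structure is restored here.
plugin_attr:
  prometheus:
    # Bound to every interface of the container; no credential is configured
    # for it on this page.
    # NOTE(review): metrics presumably expose route and upstream names.
    # Restrict port 9091 to the scraper's address.
    export_addr:
      ip: "0.0.0.0"
      port: 9091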
apisix-dashboard.yaml
./conf/apisix-dashboard.yaml
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

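# yamllint disable rule:comments-indentation
# Manager API (dashboard backend) settings: listener, source-IP allow list,
# etcd connection, logging and CPU parallelism.
# The listing had lost its line breaks and nesting; the structure is restored here.
conf:
  listen:
    # host: 127.0.0.1     # the address on which the `Manager API` should listen.
                          # The default value is 0.0.0.0, if want to specify, please enable it.
                          # This value accepts IPv4, IPv6, and hostname.
    port: 9000            # The port on which the `Manager API` should listen.

  # The HTTPS listener is left disabled, so the dashboard login and the JWT it
  # issues travel over plain HTTP on port 9000 unless this section is enabled
  # or TLS is terminated in front of the dashboard.
  # ssl:
  #   host: 127.0.0.1     # the address on which the `Manager API` should listen for HTTPS.
                          # The default value is 0.0.0.0, if want to specify, please enable it.
  #   port: 9001          # The port on which the `Manager API` should listen for HTTPS.
  #   cert: "/tmp/cert/example.crt"  # Path of your SSL cert.
  #   key: "/tmp/cert/example.key"   # Path of your SSL key.

  # Source addresses allowed to reach the Manager API. If no list is set, any
  # IP access is allowed by default. The rules are checked in sequence until
  # the first match is found. CIDR such as 192.168.1.0/24 and 2001:0db8::/32
  # is also supported.
  # NOTE(review): 0.0.0.0/0 matches every IPv4 client, so this list does not
  # restrict IPv4 access. The original inline comment said only 127.0.0.1 and
  # ::1 were allowed, which no longer matches the first entry. Narrow it to
  # the operator's network before exposing port 9000.
  allow_list:
    - "0.0.0.0/0"
    - "::1"

  etcd:
    endpoints:            # supports defining multiple etcd host addresses for an etcd cluster
      - "etcd:2379"
    # yamllint disable rule:comments-indentation
    # etcd basic auth info
    # username: "root"    # ignore etcd username if not enable etcd auth
    # password: "123456"  # ignore etcd password if not enable etcd auth
    # Empty paths: no client certificate or CA is configured for etcd.
    mtls:
      key_file: ""        # Path of your self-signed client side key
      cert_file: ""       # Path of your self-signed client side cert
      ca_file: ""         # Path of your self-signed ca cert, the CA is used to sign callers' certificates
    # prefix: /apisix     # apisix config's prefix in etcd, /apisix by default

  log:
    error_log:
      level: warn         # supports levels, lower to higher: debug, info, warn, error, panic, fatal
      file_path: logs/error.log   # supports relative path, absolute path, standard output
                                  # such as: logs/error.log, /tmp/logs/error.log, /dev/stdout, /dev/stderr
                                  # such as absolute path on Windows: winfile:///C:\error.log
    access_log:
      file_path: logs/access.log  # supports relative path, absolute path, standard output
                                  # such as: logs/access.log, /tmp/logs/access.log, /dev/stdout, /dev/stderr
                                  # such as absolute path on Windows: winfile:///C:\access.log
                                  # log example: 2020-12-09T16:38:09.039+0800 INFO filter/logging.go:46 /apisix/admin/routes/r1 {"status": 401, "host": "127.0.0.1:9000", "query": "asdfsafd=adf&a=a", "requestId": "3d50ecb8-758c-46d1-af5b-cd9d1c820156", "latency": 0, "remoteIP": "127.0.0.1", "method": "PUT", "errs": []}

  # Number of OS threads used for parallelism. Default value: 0 [will use max
  # number of available cpu cores considering hyperthreading (if any)].
  # If the value is negative, it will not touch the existing parallelism profile.
  max_cpu: 0

  # security:
  #   access_control_allow_origin: "http://httpbin.org"
  #   access_control_allow_credentials: true          # support using custom cors configuration
  #   access_control_allow_headers: "Authorization"
  #   access_control-allow_methods: "*"
  #   x_frame_options: "deny"
  #   content_security_policy: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src xx.xx.xx.xx:3000"  # You can set frame-src to provide content for your grafana panel.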
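# Dashboard login: JWT signing secret, token lifetime and the local user list.
# The listing had lost its line breaks and nesting; the structure is restored here.
authentication:
  secret: secret          # secret for jwt token generation.
                          # NOTE: Highly recommended to modify this value to protect `manager api`.
                          # if it's default value, when `manager api` start, it will generate a random string to replace it.
  expire_time: 3600       # jwt token expire time, in second
  # NOTE(review): admin/admin and user/user are the sample accounts and are
  # trivially guessable. Set unique strong passwords before the dashboard port
  # is reachable by anyone else. Unlike `secret`, nothing on this page says
  # these are replaced automatically.
  users:                  # yamllint enable rule:comments-indentation
    - username: admin     # username and password for login `manager api`
      password: admin
    - username: user
      password: user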
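# OpenID Connect login for the dashboard. Disabled here, so the values below
# are unused until `enabled` is switched to true.
# The listing had lost its line breaks and nesting; the structure is restored here.
oidc:
  enabled: false
  expire_time: 3600
  client_id: dashboard
  # NOTE(review): sample value. If OIDC is enabled, use the secret issued by
  # the identity provider and keep it out of version control.
  client_secret: dashboard
  # The provider endpoints below use plain HTTP. If OIDC is enabled, the
  # authorization code and tokens would cross the network unencrypted, so use
  # https:// URLs outside a local test.
  auth_url: "http://172.17.0.1:8080/auth/realms/master/protocol/openid-connect/auth"
  token_url: "http://172.17.0.1:8080/auth/realms/master/protocol/openid-connect/token"
  user_info_url: "http://172.17.0.1:8080/auth/realms/master/protocol/openid-connect/userinfo"
  redirect_url: "http://127.0.0.1:9000/apisix/admin/oidc/callback"
  scope: openid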
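# Plugin names known to the dashboard. Entries that are commented out are disabled.
# NOTE(review): presumably this is the set of plugins the dashboard offers in its UI; confirm.
# The listing had lost its line breaks; one entry per line is restored here.
# serverless-pre-function and serverless-post-function take Lua code as plugin
# configuration, so whoever can write routes through the dashboard or the
# Admin API can run code inside the gateway. That makes the sample
# credentials shown on this page especially important to replace.
plugins:
  - api-breaker
  - authz-casbin
  - authz-casdoor
  - authz-keycloak
  - aws-lambda
  - azure-functions
  - basic-auth
  # - batch-requests
  - clickhouse-logger
  - client-control
  - consumer-restriction
  - cors
  - csrf
  - datadog
  # - dubbo-proxy
  - echo
  - error-log-logger
  # - example-plugin
  - ext-plugin-post-req
  - ext-plugin-post-resp
  - ext-plugin-pre-req
  - fault-injection
  - file-logger
  - forward-auth
  - google-cloud-logging
  - grpc-transcode
  - grpc-web
  - gzip
  - hmac-auth
  - http-logger
  - ip-restriction
  - jwt-auth
  - kafka-logger
  - kafka-proxy
  - key-auth
  - ldap-auth
  - limit-conn
  - limit-count
  - limit-req
  - loggly
  # - log-rotate
  - mocking
  # - node-status
  - opa
  - openid-connect
  - opentelemetry
  - openwhisk
  - prometheus
  - proxy-cache
  - proxy-control
  - proxy-mirror
  - proxy-rewrite
  - public-api
  - real-ip
  - redirect
  - referer-restriction
  - request-id
  - request-validation
  - response-rewrite
  - rocketmq-logger
  - server-info
  - serverless-post-function
  - serverless-pre-function
  - skywalking
  - skywalking-logger
  - sls-logger
  - splunk-hec-logging
  - syslog
  - tcp-logger
  - traffic-split
  - ua-restriction
  - udp-logger
  - uri-blocker
  - wolf-rbac
  - zipkin
  # NOTE(review): the next name looks truncated (the APISIX plugin is
  # `elasticsearch-logger`). It is kept as found; verify before relying on it.
  - elasticsearch-logge
  - openfunction
  - tencent-cloud-cls
  - ai
  - cas-auth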
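# Compose stack: etcd (configuration store), the APISIX gateway and the
# APISIX dashboard, all attached to one private bridge network.
#
# Changes from the listing as published:
#   * indentation restored (every line had been flattened to column 0);
#   * the `apisix` network is declared at top level; the services referenced
#     it but it was never defined;
#   * management ports (etcd, Admin API, Control API, Prometheus, dashboard)
#     are published on the host's loopback address only. The data-plane ports
#     9080/9443 stay on all interfaces. To expose a management port
#     deliberately, replace 127.0.0.1 with the specific host address that
#     should serve it.
version: '3.8'

services:
  etcd:
    image: bitnami/etcd:3.5.14
    container_name: etcd
    environment:
      # etcd accepts unauthenticated clients over plain HTTP on every
      # interface of the container. Anyone who can reach 2379 can read and
      # rewrite the gateway's routes, so the port must stay private.
      ALLOW_NONE_AUTHENTICATION: "yes"
      ETCD_ADVERTISE_CLIENT_URLS: "http://etcd:2379"
      ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379"
    ports:
      # apisix and dashboard reach etcd as etcd:2379 over the compose network;
      # the host mapping is only for local inspection.
      - "127.0.0.1:2379:2379/tcp"
    volumes:
      - /mnt/ssd/local-data/etcd:/bitnami/etcd
    networks:
      - apisix

  apisix:
    image: k8s.org/k8s/apisix:3.9.1
    container_name: apisix
    volumes:
      # Mounted read-only so the container cannot alter its own configuration.
      - ./conf/apisix-config.yaml:/usr/local/apisix/conf/config.yaml:ro
    depends_on:
      - etcd
    ports:
      - "127.0.0.1:9180:9180/tcp"   # Admin API (admin_listen.port)
      - "9080:9080/tcp"             # gateway HTTP traffic (node_listen)
      - "127.0.0.1:9091:9091/tcp"   # Prometheus exporter (export_addr.port)
      - "9443:9443/tcp"             # presumably the HTTPS listener; not set in the config shown, confirm
      - "127.0.0.1:9092:9092/tcp"   # Control API (control.port)
    networks:
      - apisix

  dashboard:
    image: k8s.org/k8s/apisix-dashboard:3.0.1-alpine
    container_name: apisix-dashboard
    volumes:
      - ./conf/apisix-dashboard.yaml:/usr/local/apisix-dashboard/conf/conf.yaml:ro
    depends_on:
      - etcd
      - apisix
    ports:
      # Plain-HTTP login page. The dashboard configuration on this page still
      # carries sample accounts, so keep it local until those are changed.
      - "127.0.0.1:9000:9000/tcp"
    networks:
      - apisix

networks:
  apisix:
    driver: bridge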

验证 APISIX 运行状态

❯ kubectl get   -n apisix  svc/apisix-gateway
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
apisix-gateway NodePort 10.100.233.160 <none> 80:31388/TCP 18m
❯ kubectl port-forward -n apisix svc/apisix-gateway 9080:80
Forwarding from 127.0.0.1:9080 -> 9080
Forwarding from [::1]:9080 -> 9080
Handling connection for 9080

❯ curl http://k8s01:31388/ --head | grep Server
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
Server: APISIX/3.9.1

❯ curl "http://127.0.0.1:9080" --head | grep Server
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
Server: APISIX/3.9.1

❯ kubectl debug -n apisix -it pod/apisix-77466dcc99-hpl8f  --image=k8s.org/cs/netshoot   -- bash
Defaulting debug container name to debugger-gqx4k.
If you don't see a command prompt, try pressing enter.
apisix-77466dcc99-hpl8f:~# curl http://httpbin.default/get
{
"args": {},
"headers": {
"Accept": "*/*",
"Host": "httpbin.default",
"User-Agent": "curl/8.0.1"
},
"origin": "121.21.82.4",
"url": "http://httpbin.default/get"
}
apisix-77466dcc99-hpl8f:~#

ApisixRoute

route
xxxx
# ApisixTls object: associates the certificate held in a Secret with the
# host names (SNIs) it should be served for.
apiVersion: apisix.apache.org/v2
kind: ApisixTls
metadata:
  name: httpbin
  namespace: config
spec:
  # Host names this certificate is presented for.
  hosts:
    - 'httpbin.local.org'
  # Secret that carries the certificate; here it lives in the same namespace
  # as this object.
  # NOTE(review): presumably a TLS-type Secret holding the certificate and its
  # private key; confirm, and limit who can read Secrets in `config`.
  secret:
    name: 'local.org-tls'
    namespace: config
---
# ApisixRoute object: the route that forwards requests to the backend.
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpbin
  namespace: config
spec:
  http:
    - name: httpbin
      # Every path under the host httpbin.local.org matches this rule.
      match:
        paths:
          - '/*'
        hosts:
          - 'httpbin.local.org'
      # NOTE(review): no namespace is given for the backend, so it is
      # presumably looked up in this route's namespace (`config`). The debug
      # transcript on this page reaches the service as httpbin.default, so
      # verify that a Service named httpbin exists in `config`.
      backends:
        - serviceName: httpbin
          servicePort: 80
  
❯ kubectl get -n config ApisixTls
NAME SNIS SECRET NAME SECRET NAMESPACE AGE
httpbin ["httpbin.local.org"] local.org-tls config 42m

故障

502 Bad Gateway

apisix@apisix-7d84b9c47f-6hn22:/usr/local/openresty/bin$ openresty -version
nginx version: openresty/1.25.3.1
