2024-07-15

APISIX ingress

ingress

doc https://apisix.apache.org/zh/docs/ingress-controller/deployments/kind/

helm https://github.com/apache/apisix-helm-chart

https://apisix.apache.org/zh/docs/ingress-controller/tutorials/the-hard-way/

config.yaml

config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: apisix-conf
  namespace: apisix
data:
  config.yaml: |-
    apisix:
      node_listen: 9080             # APISIX listening port
      enable_heartbeat: true
      enable_admin: true
      enable_admin_cors: true
      enable_debug: false
      enable_dev_mode: false          # when set to true, sets Nginx worker_processes to 1
      enable_reuseport: true          # when set to true, enables nginx SO_REUSEPORT switch
      enable_ipv6: true
      config_center: etcd             # use etcd to store configuration


      allow_admin:                  # see: http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
        - 0.0.0.0/0
      port_admin: 9180


      # default token used when calling the Admin API
      # it is recommended to modify this value in production
      # when disabled, Admin API won't require any authentication
      admin_key:
        # admin: full access to configuration data
        - name: "admin"
          key: edd1c9f034335f136f87ad84b625c8f1
          role: admin
        # viewer: can only view the configuration data
        - name: "viewer"
          key: 4054f7cf07e344346cd3f287985e76a2
          role: viewer
      # dns_resolver:
      #   - 127.0.0.1
      dns_resolver_valid: 30
      resolver_timeout: 5


    nginx_config:                     # template configuration to generate nginx.conf
      error_log: "/dev/stderr"
      error_log_level: "warn"         # warn, error
      worker_rlimit_nofile: 20480     # number of files a worker process can open. Should be larger than worker_connections
      event:
        worker_connections: 10620
      http:
        access_log: "/dev/stdout"
        keepalive_timeout: 60s         # timeout for which a keep-alive client connection will stay open on the server side
        client_header_timeout: 60s     # timeout for reading client request header, then 408 (Request Time-out) error is returned to the client
        client_body_timeout: 60s       # timeout for reading client request body, then 408 (Request Time-out) error is returned to the client
        send_timeout: 10s              # timeout for transmitting a response to the client, then the connection is closed
        underscores_in_headers: "on"   # enables the use of underscores in client request header fields
        real_ip_header: "X-Real-IP"    # see: http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
        real_ip_from:                  # see: http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
          - 127.0.0.1
          - 'unix:'


    etcd:
      host:
        - "http://etcd-headless.apisix.svc.cluster.local:2379"
      prefix: "/apisix"     # APISIX configurations prefix
      timeout: 30   # in seconds
    plugins:                          # list of APISIX Plugins
      - api-breaker
      - authz-keycloak
      - basic-auth
      - batch-requests
      - consumer-restriction
      - cors
      - echo
      - fault-injection
      - grpc-transcode
      - hmac-auth
      - http-logger
      - ip-restriction
      - jwt-auth
      - kafka-logger
      - key-auth
      - limit-conn
      - limit-count
      - limit-req
      - node-status
      - openid-connect
      - prometheus
      - proxy-cache
      - proxy-mirror
      - proxy-rewrite
      - redirect
      - referer-restriction
      - request-id
      - request-validation
      - response-rewrite
      - serverless-post-function
      - serverless-pre-function
      - sls-logger
      - syslog
      - tcp-logger
      - udp-logger
      - uri-blocker
      - wolf-rbac
      - zipkin
      - traffic-split
    stream_plugins:
      - mqtt-proxy

apisix-dep.yaml

apisix-dep.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apisix
  namespace: apisix
  labels:
    app.kubernetes.io/name: apisix
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: apisix
  template:
    metadata:
      labels:
        app.kubernetes.io/name: apisix
    spec:
      containers:
        - name: apisix
          image: "apache/apisix:2.15.0-alpine"
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 9080
              protocol: TCP
            - name: tls
              containerPort: 9443
              protocol: TCP
            - name: admin
              containerPort: 9180
              protocol: TCP
          readinessProbe:
            failureThreshold: 6
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 9080
            timeoutSeconds: 1
          lifecycle:
            preStop:
              exec:
                command:
                - /bin/sh
                - -c
                - "sleep 30"
          volumeMounts:
            - mountPath: /usr/local/apisix/conf/config.yaml
              name: apisix-config
              subPath: config.yaml
          resources: {}
      volumes:
        - configMap:
            name: apisix-conf
          name: apisix-config

installing-apisix-ingress-controller

https://apisix.apache.org/zh/docs/ingress-controller/tutorials/the-hard-way/#installing-apisix-ingress-controller

httpbin-route.yaml

httpserver-route
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpserver-route
spec:
  http:
  - name: httpbin
    match:
      hosts:
      - local.httpbin.org
      paths:
      - /*
    backends:
      - serviceName: httpbin
        servicePort: 80

❯ kubectl debug -n apisix -it pod/apisix-77466dcc99-hpl8f  --image=k8s.org/cs/netshoot   -- bash
Defaulting debug container name to debugger-gqx4k.
If you don't see a command prompt, try pressing enter.
apisix-77466dcc99-hpl8f:~# 
apisix-77466dcc99-hpl8f:~# curl "http://127.0.0.1:9080/get" -H "Host: local.httpbin.org"
{"error_msg":"404 Route Not Found"}
apisix-77466dcc99-hpl8f:~# 
apisix-77466dcc99-hpl8f:~# curl "http://127.0.0.1:9080/get" -H "Host: local.httpbin.org"
{
  "args": {}, 
  "headers": {
    "Accept": "*/*", 
    "Host": "local.httpbin.org", 
    "User-Agent": "curl/8.0.1", 
    "X-Forwarded-Host": "local.httpbin.org"
  }, 
  "origin": "127.0.0.1", 
  "url": "http://local.httpbin.org/get"
}
apisix-77466dcc99-hpl8f:~#

httpbin-tls-route.yaml

httpbin-tls-route
apiVersion: apisix.apache.org/v2
kind: ApisixTls
metadata:
  name: httpbin
  namespace: config
spec:
  hosts:
  - cs.ui.k8s.cn
  secret:
    name: ui.k8s.cn-tls
    namespace: config


# 定义 ApisixTls 对象
---
# 定义访问后端的路由
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpbin
  namespace: config
spec:
  http:
  - name: httpbin
    match:
      paths:
      - /*
      hosts:
      - cs.ui.k8s.cn
    backends:
    - serviceName: httpbin
      servicePort: 80

❯ kubectl port-forward -n apisix svc/apisix-gateway 9443:443
Forwarding from 127.0.0.1:9443 -> 9443
Forwarding from [::1]:9443 -> 9443
Handling connection for 9443
Handling connection for 9443

❯ curl https://cs.ui.k8s.cn:9443/json --resolve 'cs.ui.k8s.cn:9443:127.0.0.1' -sk

{
  "slideshow": {
    "author": "Yours Truly", 
    "date": "date of publication", 
    "slides": [
      {
        "title": "Wake up to WonderWidgets!", 
        "type": "all"
      }, 
      {
        "items": [
          "Why <em>WonderWidgets</em> are great", 
          "Who <em>buys</em> WonderWidgets"
        ], 
        "title": "Overview", 
        "type": "all"
      }
    ], 
    "title": "Sample Slide Show"
  }
}