Apache APISIX

1. Introduction to APISIX

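APISIX is a microservice API gateway that offers high performance and extensibility. It is built on nginx (OpenResty) and Lua and borrows its approach from Kong, replacing the relational database underneath Kong (Postgres) with etcd, a NoSQL store. This gives APISIX a large performance advantage over Kong: with plugins enabled, Apache APISIX is said to be 10 times faster than Kong, which makes it very attractive.
Compared with Kong, its source code is also simpler and easier to extend. On the other hand, it has been open source for a shorter time and its plugin set is less complete than Kong's; for example, it lacks plugins for canary (grayscale) releases. It has, however, entered incubation at the Apache Foundation and has an active community, so its prospects are good.
Compared with traditional API gateways, APISIX, like Kong, provides load balancing, logging, authentication, traffic control and other functions through plugins.
For more about APISIX, see the official site: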

https://apisix.apache.org/
https://apisix.apache.org/zh/docs/apisix/getting-started

This article focuses on the APISIX Admin API; other APISIX features are not covered here.

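2. Installing APISIX

APISIX can easily be installed on EKS, Kubernetes and similar platforms. Here I set it up with docker-compose, which is convenient for trying out the API later. For the installation steps, see: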
https://apisix.apache.org/zh/docs/apisix/getting-started

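After installation, the environment looks like this:

Figure: APISIX installed with docker-compose

As the figure shows, besides APISIX itself the setup also installs two demo services, web1 and web2, as well as Grafana and the APISIX dashboard.
Open the APISIX dashboard:
http://192.168.13.210:9000/routes/list
Figure: the APISIX dashboard UI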

In the APISIX dashboard we can configure or create routes, upstreams, services, plugins, consumers and other resources. Here I only cover managing these resources through the APISIX Admin API.

3. The official APISIX Admin API documentation

https://apisix.apache.org/zh/docs/apisix/admin-api

The official page linked above explains the APISIX Admin API in enough detail, so I will not repeat it here.

4. Using the APISIX Admin API in practice

4.1 Environment

ip port notes
192.168.13.210 9081 web1
192.168.13.210 9082 web2
192.168.13.220 9080 apisix admin api port

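4.2 A complete example

4.2.1 Adding an upstream

# In production, prefer POST so that the system generates the upstream_id automatically; this avoids overwriting an existing upstream_id with PUT.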
curl "http://127.0.0.1:9080/apisix/admin/upstreams" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X POST -d '
{
  "type": "roundrobin",
  "nodes": {
    "192.168.13.210:9082": 1
  },
  "scheme": "http",
  "name": "web2-upstream",
  "desc": "web2 upstream"
}'

4.2.2 Getting the upstream_id of the new upstream

[root@kafka-01 apache-apisix-sample]# curl http://127.0.0.1:9080/apisix/admin/upstreams -X GET -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1"
{"count":1,"node":{"nodes":[{"value":{"type":"roundrobin","hash_on":"vars","desc":"web2 upstream","scheme":"http","id":"00000000000000000065","create_time":1652780907,"update_time":1652780907,"nodes":{"192.168.13.210:9082":1},"pass_host":"pass","name":"web2-upstream"},"modifiedIndex":66,"createdIndex":66,"key":"\/apisix\/upstreams\/00000000000000000065"}],"dir":true,"key":"\/apisix\/upstreams"},"action":"get"}
The upstream_id is 00000000000000000065.

4.2.3 Adding a route

curl "http://127.0.0.1:9080/apisix/admin/routes" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X POST -d '
{
  "methods": ["GET"],
  "name": "web2-route",
  "host": "web2.com",
  "desc": "web2 route",
  "uri": "/*",
  "upstream_id": "00000000000000000065"
}'
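Explanation:
This route forwards every inbound request that satisfies all of the following rules to the upstream 192.168.13.210:9082:
    1. The HTTP method of the request is GET
    2. The request carries a Host header whose value is web2.com
    3. The request path matches /*, where * stands for any sub-path

4.2.4 Testing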

[root@kafka-01 apache-apisix-sample]# curl http://127.0.0.1:9080 -X GET -H "Host: web2.com"
hello web2
A result of hello web2 means success.

4.3 PATCH

The changes below build on the example from 4.2.

4.3.1 Adding a node to the upstream

curl "http://127.0.0.1:9080/apisix/admin/upstreams/00000000000000000065" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X PATCH -d '
{
  "nodes": {
    "192.168.13.210:9081": 1
  }
}'
Test:
curl http://127.0.0.1:9080 -X GET -H "Host: web2.com"
Result:
hello web1
hello web2
hello web1
hello web2

4.3.2 Changing a node in the upstream

# The weight of 192.168.13.210:9081 is changed to 2
curl "http://127.0.0.1:9080/apisix/admin/upstreams/00000000000000000065" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X PATCH -d '
{
  "nodes": {
    "192.168.13.210:9081": 2
  }
}'
Test:
curl http://127.0.0.1:9080 -X GET -H "Host: web2.com"
Result:
hello web1
hello web2
hello web1

4.3.3 Removing a node from the upstream

curl "http://127.0.0.1:9080/apisix/admin/upstreams/00000000000000000065" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X PATCH -d '
{
  "nodes": {
    "192.168.13.210:9081": null
  }
}'
Test:
curl http://127.0.0.1:9080 -X GET -H "Host: web2.com"
Result:
hello web2
hello web2
hello web2

4.3.4 Replacing the upstream's nodes

curl "http://127.0.0.1:9080/apisix/admin/upstreams/00000000000000000065/nodes" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X PATCH -d '
{
  "192.168.13.21:9081": 1
}'
Test:
curl http://127.0.0.1:9080 -X GET -H "Host: web2.com"
Result:
502
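
The four PATCH calls in 4.3.1 to 4.3.4 differ in how the request body is combined with the stored upstream. The Python sketch below is an added example, not code from the original post or from APISIX; it models the behaviour as this page shows it (merge on /upstreams/{id}, with null deleting a key, and wholesale replacement on /upstreams/{id}/nodes). The names merge_patch, replace_at and share are assumptions made for the illustration.

```python
import copy

def merge_patch(target, patch):
    """Model of PATCH /upstreams/{id}: patch keys overwrite, None (JSON null)
    deletes the key, nested objects are merged, everything else is kept."""
    result = copy.deepcopy(target)
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        elif isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = merge_patch(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result

def replace_at(target, path, value):
    """Model of PATCH /upstreams/{id}/{path}: the attribute at path is
    replaced as a whole; sibling attributes are kept."""
    result = copy.deepcopy(target)
    *parents, leaf = path.strip("/").split("/")
    node = result
    for part in parents:
        node = node[part]
    node[leaf] = copy.deepcopy(value)
    return result

def share(nodes):
    """Expected fraction of round-robin traffic per node, from the weights."""
    total = sum(nodes.values())
    return {addr: weight / total for addr, weight in nodes.items()}

# Upstream as created in 4.2.1 (addresses taken from the page).
UPSTREAM = {"type": "roundrobin", "scheme": "http",
            "nodes": {"192.168.13.210:9082": 1}}
WEB1 = "192.168.13.210:9081"

added = merge_patch(UPSTREAM, {"nodes": {WEB1: 1}})           # 4.3.1
reweighted = merge_patch(added, {"nodes": {WEB1: 2}})         # 4.3.2
removed = merge_patch(reweighted, {"nodes": {WEB1: None}})    # 4.3.3
replaced = replace_at(removed, "nodes", {"192.168.13.21:9081": 1})  # 4.3.4

if __name__ == "__main__":
    for step, u in (("4.3.1", added), ("4.3.2", reweighted),
                    ("4.3.3", removed), ("4.3.4", replaced)):
        print(step, u["nodes"], share(u["nodes"]))
```

After the 4.3.4 step the 192.168.13.210:9082 node from 4.2.1 is no longer part of the upstream, unlike after the merge-style calls in 4.3.1 to 4.3.3.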

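4.4 Service

Path: /apisix/admin/services/{id}
Description: A Service is an abstraction of a kind of API (it can also be thought of as an abstraction of a group of Routes). It usually corresponds one-to-one to an upstream service abstraction, and the relationship between Routes and a Service is usually N:1.
Figure: Service request methods

4.4.1 An example

4.4.1.1 Creating the upstream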

curl "http://127.0.0.1:9080/apisix/admin/upstreams" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X POST -d '
{
  "type": "roundrobin",
  "nodes": {
    "192.168.13.210:9081": 1
  },
  "scheme": "http",
  "name": "web1-service-upstream",
  "desc": "web1 service upstream"
}'

4.4.1.2 Creating the service

# upstream_id is that of the upstream created in 4.4.1.1
curl "http://127.0.0.1:9080/apisix/admin/services" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X POST -d '
{
  "name": "web1-service",
  "desc": "web1 service",
  "upstream_id": "00000000000000000075"
}'

4.4.1.3 Adding a group of two routes

# Route 1 (service_id is that of the service created in 4.4.1.2)
curl "http://127.0.0.1:9080/apisix/admin/routes" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X POST -d '
{
  "methods": ["GET"],
  "name": "web1-service-route-01",
  "host": "web1-service-route-01.com",
  "desc": "web1 service route 01",
  "uri": "/*",
  "service_id": "408127894154379971"
}'
# Route 2
curl "http://127.0.0.1:9080/apisix/admin/routes" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X POST -d '
{
  "methods": ["GET"],
  "name": "web1-service-route-02",
  "host": "web1-service-route-02.com",
  "desc": "web1 service route 02",
  "uri": "/*",
  "service_id": "408127894154379971"
}'

4.4.1.4 Verification

# Host: web1-service-route-01.com
[root@kafka-01 apache-apisix-sample]# curl http://127.0.0.1:9080 -X GET -H "Host: web1-service-route-01.com"
hello web1
# Host: web1-service-route-02.com
[root@kafka-01 apache-apisix-sample]# curl http://127.0.0.1:9080 -X GET -H "Host: web1-service-route-02.com"
hello web1

4.5 Authentication

4.5.1 key-auth

# Official documentation
https://apisix.apache.org/zh/docs/apisix/plugins/key-auth

4.5.1.1 Creating a consumer

curl "http://127.0.0.1:9080/apisix/admin/consumers" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X PUT -d '
{
  "username": "zhangsan",
  "plugins": {
    "key-auth": {
      "key": "key-for-zhangsan"
    }
  }
}'

4.5.1.2 Binding the consumer to a route

# In 4.2.3 we created a route named web2-route; here I bind the consumer zhangsan to that route.

Look up the route_id of web2-route:

curl http://127.0.0.1:9080/apisix/admin/routes -X GET -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1"
The route_id of web2-route is 00000000000000000067.

Bind the route:

curl "http://127.0.0.1:9080/apisix/admin/routes/00000000000000000067" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X PATCH -d '
{
  "plugins": {
    "key-auth": {}
  }
}'

4.5.1.3 Verification

[root@kafka-01 apache-apisix-sample]# curl http://127.0.0.1:9080 -X GET -H "Host: web2.com" -H "apikey: key-for-zhangsan"
hello web1

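4.5.2 jwt-auth

4.5.2.1 Overview

`jwt-auth` is an authentication plugin that works together with a `consumer`.
Add JWT Authentication to a `service` or `route`. The `consumer` then adds its key to a query string parameter, request header or `cookie` to authenticate its requests.
For more about JWT, see [JWT](https://jwt.io/).
The `jwt-auth` plugin can be integrated with HashiCorp Vault to store and fetch secrets, obtaining RSA key pairs from its encrypted KV engine. See the [example](https://apisix.apache.org/zh/docs/apisix/plugins/jwt-auth#enable-jwt-auth-with-vault-compatibility) to learn how it works.

4.5.2.2 Consumer-side attributes

Figure: consumer-side attributes

4.5.2.3 Route-side attributes

Figure: route-side attributes

4.5.2.4 Creating a consumer

In 4.4.1 we created a service, web1-service, and attached two routes to it: web1-service-route-01 and web1-service-route-02. I use this service as the example for configuring the jwt-auth authentication plugin.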
curl "http://127.0.0.1:9080/apisix/admin/consumers" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X PUT -d '
{
  "username": "jwt_auth_consumer",
  "desc": "jwt-auth consumer",
  "plugins": {
    "jwt-auth": {
      "algorithm": "HS256",
      "exp": 86400,
      "key": "jwt-auth-consumer-key",
      "secret": "jwt-auth-consumer-secret"
    }
  }
}'

4.5.2.5 Enabling jwt-auth on the service

# Look up the service_id of the service
curl http://127.0.0.1:9080/apisix/admin/services -X GET -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1"
The service_id of web1-service is 408127894154379971.
# Use PATCH to add the plugin to web1-service
curl "http://127.0.0.1:9080/apisix/admin/services/408127894154379971" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X PATCH -d '
{
  "plugins": {
    "jwt-auth": {}
  }
}'

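4.5.2.6 Exposing the sign endpoint

To access the API, a token must be generated first. The endpoint that generates the token has to be exposed through public-api:
https://apisix.apache.org/zh/docs/apisix/plugins/public-api/
# Expose the endpoint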
curl "http://127.0.0.1:9080/apisix/admin/routes/jas" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X PUT -d '
{
  "methods": ["GET", "POST"],
  "name": "public-api-route",
  "desc": "expose jwt-auth public api",
  "uri": "/apisix/plugin/jwt/sign",
  "plugins": {
    "public-api": {}
  }
}'

4.5.2.7 Generating a token

[root@kafka-01 apache-apisix-sample]# curl  http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=jwt-auth-consumer-key -i
HTTP/1.1 200 OK
Date: Wed, 18 May 2022 05:11:27 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.13.1

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NTI5MzcwODcsImtleSI6Imp3dC1hdXRoLWNvbnN1bWVyLWtleSJ9.nsiHJ7XZQLackjZQELAiyundsFZJzdhy1dFLpcQZ1d4

4.5.2.8 Verification

Without a token:

# web1-service-route-01.com
[root@kafka-01 apache-apisix-sample]# curl  http://127.0.0.1:9080/ -H "Host: web1-service-route-01.com" -i -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" 
Result:
HTTP/1.1 401 Unauthorized
Date: Wed, 18 May 2022 05:16:20 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.13.1

{"message":"Missing JWT token in request"}
# web1-service-route-02.com
[root@kafka-01 apache-apisix-sample]# curl  http://127.0.0.1:9080/ -H "Host: web1-service-route-02.com" -i -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1"
Result:
HTTP/1.1 401 Unauthorized
Date: Wed, 18 May 2022 05:16:14 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.13.1

{"message":"Missing JWT token in request"}

With a token:

# web1-service-route-01.com
[root@kafka-01 apache-apisix-sample]# curl http://127.0.0.1:9080/ -H "Host: web1-service-route-01.com" -i -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NTI5MzcwODcsImtleSI6Imp3dC1hdXRoLWNvbnN1bWVyLWtleSJ9.nsiHJ7XZQLackjZQELAiyundsFZJzdhy1dFLpcQZ1d4"
Result:
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 10
Connection: keep-alive
Date: Wed, 18 May 2022 05:12:42 GMT
Server: APISIX/2.13.1

hello web1
# web1-service-route-02.com
[root@kafka-01 apache-apisix-sample]# curl http://127.0.0.1:9080/ -H "Host: web1-service-route-02.com" -i -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NTI5MzcwODcsImtleSI6Imp3dC1hdXRoLWNvbnN1bWVyLWtleSJ9.nsiHJ7XZQLackjZQELAiyundsFZJzdhy1dFLpcQZ1d4"
Result:
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 10
Connection: keep-alive
Date: Wed, 18 May 2022 05:14:34 GMT
Server: APISIX/2.13.1

hello web1
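
The token returned in 4.5.2.7 is a compact HS256 JWT. The following Python code is an added example, not part of the original post or of APISIX: it decodes that token's header and claims, and shows the checks an HS256 verifier performs (pinned algorithm, constant-time signature comparison, exp) on a token constructed inside the example. The function names, the constructed token and its secret "s3cret" are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token):
    """Return (header, claims) of a compact JWT without checking the signature."""
    head, body, _sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body))

def hs256_mac(signing_input, secret):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims, secret):
    """Build an HS256 token; used only for the constructed round trip below."""
    parts = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in ({"typ": "JWT", "alg": "HS256"}, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url_encode(hs256_mac(signing_input, secret))

def verify_hs256(token, secret, now):
    """Return the claims if algorithm, signature and exp all check out."""
    try:
        signing_input, sig_b64 = token.rsplit(".", 1)
        header, claims = decode_unverified(token)
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm instead of trusting whatever the header announces.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(hs256_mac(signing_input, secret), signature):
        raise ValueError("bad signature")
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired")
    return claims

# Token printed in 4.5.2.7 (copied from the page).
PAGE_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
              "eyJleHAiOjE2NTI5MzcwODcsImtleSI6Imp3dC1hdXRoLWNvbnN1bWVyLWtleSJ9."
              "nsiHJ7XZQLackjZQELAiyundsFZJzdhy1dFLpcQZ1d4")

if __name__ == "__main__":
    print(decode_unverified(PAGE_TOKEN))
    demo = sign_hs256({"exp": 2000, "key": "jwt-auth-consumer-key"}, "s3cret")  # constructed
    print(verify_hs256(demo, "s3cret", now=1000))
```

The page's token carries the claims exp 1652937087 and key jwt-auth-consumer-key; that exp is exactly the 86400 seconds configured in 4.5.2.4 after the Date header of the sign response (Wed, 18 May 2022 05:11:27 GMT).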
