
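Configuration Examples

APISIX Ingress Controller supports both Ingress resources and Gateway API for traffic management in Kubernetes. While both are supported, Gateway API offers greater flexibility and extensibility. New users are advised to adopt Gateway API for future deployments.

In addition to these standard Kubernetes APIs, APISIX Ingress Controller also supports a set of CRDs (Custom Resource Definitions) designed specifically for APISIX-native functionality.

This document provides examples of common configurations, covering how and when to use these resources. You should adjust custom values such as namespaces, route URIs, and credentials to your environment.

Note

Currently, APISIX Ingress Controller and API7 Ingress Controller have no functional differences, although their release schedules may differ.

Configure the Control Plane Endpoint and Admin Key

To update, at runtime, the control plane endpoint and admin key used for the connection between APISIX Ingress Controller and the control plane: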

apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
metadata:
  namespace: ingress-apisix
  name: apisix-config
spec:
  provider:
    type: ControlPlane
    controlPlane:
      endpoints:
        - http://127.0.0.1:9180
      auth:
        type: AdminKey
        adminKey:
          value: replace-with-your-admin-key # replace with your admin key

Define the Ingress Controller and Gateway

Before applying further configuration, specify the Ingress Controller responsible for handling the resources:

apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: apisix
spec:
  controllerName: "apisix.apache.org/apisix-ingress-controller" # ❶
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  namespace: ingress-apisix
  name: apisix
spec:
  gatewayClassName: apisix
  listeners:
    - name: http
      protocol: HTTP
      port: 80
  infrastructure:
    parametersRef:
      group: apisix.apache.org # ❷
      kind: GatewayProxy # ❸
      name: apisix-config # ❹

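❶ If you run multiple distinct APISIX Ingress Controller instances in the same cluster (as opposed to a single instance with multiple replicas), customize the controller name. Each Ingress Controller instance must use a unique controllerName in its configuration file, and the corresponding GatewayClass should reference that value.

❷ The API group of the referenced resource.

❸ The kind of the referenced resource.

❹ The name of the referenced resource. It should match the metadata.name of the GatewayProxy resource.

Note

The port in a Gateway listener is required but ignored. This is due to a limitation of the data plane: it cannot open new ports dynamically. Because the Ingress Controller does not manage the data plane deployment, it cannot automatically update the configuration or restart the data plane to apply port changes.

Route to a Kubernetes Service

Create a route that proxies requests to a service on Kubernetes: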

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  namespace: ingress-apisix
  name: httpbin
spec:
  parentRefs:
    - name: apisix
  rules:
    - matches:
        - path:
            type: Exact
            value: /ip
      backendRefs:
        - name: httpbin
          port: 80

Route to an External Service

Create a route that proxies requests to a publicly hosted service:

apiVersion: v1
kind: Service
metadata:
  namespace: ingress-apisix
  name: httpbin-external-domain
spec:
  type: ExternalName
  externalName: httpbin.org
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  namespace: ingress-apisix
  name: get-ip
spec:
  parentRefs:
    - name: apisix
  rules:
    - matches:
        - path:
            type: Exact
            value: /ip
      backendRefs:
        - name: httpbin-external-domain
          port: 80

Configure Weighted Services

Create a route that proxies traffic to upstream services by weight:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  namespace: ingress-apisix
  name: httpbin
spec:
  parentRefs:
    - name: apisix
  rules:
    - matches:
        - path:
            type: Exact
            value: /ip
      backendRefs:
        - name: httpbin-1
          port: 80
          weight: 3
        - name: httpbin-2
          port: 80
          weight: 7

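The Ingress resource does not support this configuration.

Configure the Upstream

Configure upstream-related settings, including the load balancing algorithm, how the Host header is passed to the upstream, service timeouts, and more: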

apiVersion: apisix.apache.org/v1alpha1
kind: BackendTrafficPolicy
metadata:
  namespace: ingress-apisix
  name: httpbin
spec:
  targetRefs:
    - name: httpbin
      kind: Service
      group: ""
  timeout:
    send: 10s
    read: 10s
    connect: 10s
  scheme: http
  retries: 10
  loadbalancer:
    type: roundrobin
  passHost: rewrite
  upstreamHost: httpbin.example.com

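Detect the Upstream Protocol with appProtocol

The appProtocol field on a Service port tells APISIX how to communicate with the backend. APISIX automatically configures the upstream scheme based on this value. If it is not set, the default scheme is http.

APISIX Ingress Controller supports the following appProtocol values on Service ports:

| Value | Description |
| --- | --- |
| http | Sets the upstream scheme to http. |
| https | Sets the upstream scheme to https. |
| kubernetes.io/ws | Sets the upstream scheme to http and sets enable_websocket to true on the route. |
| kubernetes.io/wss | Sets the upstream scheme to https and sets enable_websocket to true on the route. |

The following is an example Service configuration that sets appProtocol values for the HTTP and HTTPS ports: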

apiVersion: v1
kind: Service
metadata:
  namespace: ingress-apisix
  name: httpbin
spec:
  selector:
    app: httpbin
  ports:
    - name: http
      port: 80
      targetPort: 80
      appProtocol: http
    - name: https
      port: 443
      targetPort: 443
      appProtocol: https

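You can then create a route that targets this Service port and let APISIX detect the upstream protocol automatically. With the following configuration, APISIX automatically sets the upstream scheme to https: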

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  namespace: ingress-apisix
  name: httpbin-route
spec:
  parentRefs:
    - name: apisix
  rules:
    - matches:
        - path:
            type: Exact
            value: /anything
      backendRefs:
        - name: httpbin
          port: 443

Configure Consumers and Credentials

Create a consumer and configure its authentication credentials directly on the consumer:

apiVersion: apisix.apache.org/v1alpha1
kind: Consumer
metadata:
  namespace: ingress-apisix
  name: alice
spec:
  gatewayRef:
    name: apisix
  credentials:
    - type: key-auth
      name: primary-key
      config:
        key: alice-primary-key # replace with your key

You can also use a Secret resource, in which the credential must be base64-encoded:

apiVersion: v1
kind: Secret
metadata:
  namespace: ingress-apisix
  name: key-auth-primary
data:
  key: YWxpY2UtcHJpbWFyeS1rZXk= # base64 encoding of alice-primary-key
---
apiVersion: apisix.apache.org/v1alpha1
kind: Consumer
metadata:
  namespace: ingress-apisix
  name: alice
spec:
  gatewayRef:
    name: apisix
  credentials:
    - type: key-auth
      name: key-auth-primary
      secretRef:
        name: key-auth-primary
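
As an added example (not part of the original page or the APISIX project), the shell functions below produce and check the base64 value for the Secret above; the function names are illustrative. Base64 is an encoding rather than encryption, and a trailing newline introduced by `echo` becomes part of the stored key, so the key a client sends would no longer match.

```shell
#!/bin/sh
# Added example: build and check the base64 value for the key-auth Secret.
# Function names are illustrative, not part of APISIX or kubectl.

# Encode a credential exactly as given. printf '%s' emits no trailing newline,
# unlike `echo`, whose newline would become part of the stored key.
encode_secret_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Succeed only if the value decodes and the decoded credential is non-empty
# and does not end in a newline or a space.
check_secret_value() {
  # The appended "x" keeps command substitution from stripping a trailing newline.
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null && printf x) || return 1
  decoded=${decoded%x}
  nl='
'
  case $decoded in
    ''|*"$nl"|*' ') return 1 ;;
  esac
  return 0
}

# Print a Secret manifest in the shape used on this page.
# Arguments: secret name, namespace, plaintext key.
render_key_auth_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  namespace: $2
  name: $1
data:
  key: $(encode_secret_value "$3")
EOF
}

render_key_auth_secret key-auth-primary ingress-apisix alice-primary-key

# Constructed sample: the value produced by `echo alice-primary-key | base64`.
check_secret_value "YWxpY2UtcHJpbWFyeS1rZXkK" \
  || echo "rejected: decoded key ends in a newline" >&2
```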

Configure Plugins on a Consumer

Configure plugins on a consumer, such as a rate-limiting plugin:

apiVersion: apisix.apache.org/v1alpha1
kind: Consumer
metadata:
  namespace: ingress-apisix
  name: alice
spec:
  gatewayRef:
    name: apisix
  credentials:
    - type: key-auth
      name: alice-key
      config:
        key: alice-key # replace with your key
  plugins:
    - name: limit-count
      config:
        count: 3
        time_window: 60
        key: remote_addr
        key_type: var
        policy: local
        rejected_code: 429
        rejected_msg: Too many requests
        show_limit_quota_header: true
        allow_degradation: false

Configure Route Priority and Matching Conditions

Configure the route priority and request matching conditions on the target route:

apiVersion: apisix.apache.org/v1alpha1
kind: HTTPRoutePolicy
metadata:
  namespace: ingress-apisix
  name: http-route-policy
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: httpbin
  priority: 10
  vars:
    - - http_x_test_name
      - ==
      - new_name
    - - arg_test
      - ==
      - test_name

Configure Plugins on a Route

Configure plugins on a route:

apiVersion: apisix.apache.org/v1alpha1
kind: PluginConfig
metadata:
  namespace: ingress-apisix
  name: auth-plugin-config
spec:
  plugins:
    - name: key-auth
      config:
        _meta:
          disable: false
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  namespace: ingress-apisix
  name: get-ip
spec:
  parentRefs:
    - name: apisix
  rules:
    - matches:
        - path:
            type: Exact
            value: /ip
      filters:
        - type: ExtensionRef
          extensionRef:
            group: apisix.apache.org
            kind: PluginConfig
            name: auth-plugin-config
      backendRefs:
        - name: httpbin
          port: 80

Configure Global Plugins

Configure global plugins:

apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
metadata:
  namespace: ingress-apisix
  name: apisix-config
spec:
  provider:
    type: ControlPlane
    controlPlane:
      # add your control plane connection configuration here
      # ...
  plugins:
    - name: clickhouse-logger
      config:
        endpoint_addr: http://clickhouse-clickhouse-installation.apisix.svc.cluster.local:8123
        user: quickstart-user # replace with your username
        password: quickstart-pass # replace with your password
        logtable: test
        database: quickstart_db

Configure Plugin Metadata

Configure plugin metadata:

apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
metadata:
  namespace: ingress-apisix
  name: apisix-config
spec:
  provider:
    type: ControlPlane
    controlPlane:
      # add your control plane connection configuration here
      # ...
  pluginMetadata:
    opentelemetry: {
      "trace_id_source": "x-request-id",
      "resource": {
        "service.name": "APISIX"
      },
      "collector": {
        "address": "simplest-collector:4318",
        "request_timeout": 3,
        "request_headers": {
          "Authorization": "token"
        }
      },
      "batch_span_processor": {
        "drop_on_queue_full": false,
        "max_queue_size": 1024,
        "batch_timeout": 2,
        "inactive_timeout": 1,
        "max_export_batch_size": 16
      },
      "set_ngx_var": true
    }

Configure a Plugin Config

Create a plugin config and reference it in a route:

apiVersion: apisix.apache.org/v1alpha1
kind: PluginConfig
metadata:
  namespace: ingress-apisix
  name: example-plugin-config
spec:
  plugins:
    - name: response-rewrite
      enable: true
      config:
        headers:
          X-Plugin-Config: "example-response-rewrite"
          X-Plugin-Test: "enabled"
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  namespace: ingress-apisix
  name: httpbin
spec:
  parentRefs:
    - name: apisix
  rules:
    - matches:
        - path:
            type: Exact
            value: /ip
      filters:
        - type: ExtensionRef
          extensionRef:
            group: apisix.apache.org
            kind: PluginConfig
            name: example-plugin-config
      backendRefs:
        - name: httpbin
          port: 80

Configure Gateway Access Information

These configurations allow Ingress Controller users to access the gateway.

Configure statusAddress

apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
metadata:
  namespace: ingress-apisix
  name: apisix-config
spec:
  provider:
    type: ControlPlane
    controlPlane:
      # add your control plane connection configuration here
      # ...
  statusAddress:
    - 10.24.87.13