This is an automated email from the ASF dual-hosted git repository.
membphis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-apisix.git
The following commit(s) were added to refs/heads/master by this push:
new f653c1b feature: add example .yaml resource files which support to
run Apache APISIX on kubernetes (#1218)
f653c1b is described below
commit f653c1b115a4a51195de33082439769c79f6fa58
Author: wonglend <[email protected]>
AuthorDate: Fri Apr 3 12:54:25 2020 +0800
feature: add example .yaml resource files which support to run Apache
APISIX on kubernetes (#1218)
---
kubernetes/README.md | 85 +++++++++++++++++++
kubernetes/apisix-gw-config-cm.yaml | 154 +++++++++++++++++++++++++++++++++
kubernetes/deployment.yaml | 165 ++++++++++++++++++++++++++++++++++++
kubernetes/service-aliyun-slb.yaml | 78 +++++++++++++++++
kubernetes/service.yaml | 41 +++++++++
5 files changed, 523 insertions(+)
diff --git a/kubernetes/README.md b/kubernetes/README.md
new file mode 100644
index 0000000..3d914e7
--- /dev/null
+++ b/kubernetes/README.md
@@ -0,0 +1,85 @@
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+### Usage
+
+#### Create configmap for apache incubator-apisix
+
+```
+$ kubectl apply -f apisix-gw-config-cm.yaml
+
+or
+
+$ kubectl create configmap apisix-gw-config.yaml
--from-file=../conf/config.yaml
+```
+
+##### Note: you should modify etcd addr in config file
`apisix-gw-config-cm.yaml` or `../conf/config.yaml` first
+
+```
+etcd:
+ host: # it's possible to define multiple etcd
hosts addresses of the same etcd cluster.
+ - "http://127.0.0.1:2379" # multiple etcd address
+```
+
+#### Create deployment for apache incubator-apisix
+
+```
+$ kubectl apply -f deployment.yaml
+```
+
+#### Create service for apache incubator-apisix
+
+```
+$ kubectl apply -f service.yaml
+```
+
+#### Create service for apache incubator-apisix (when using Aliyun SLB)
+
+```
+$ kubectl apply -f service-aliyun-slb.yaml
+```
+
+#### Scale apache incubator-apisix
+
+```
+$ kubectl scale deployment apisix-gw-deployment --replicas=4
+```
+
+#### Check running status
+
+```
+$ kubectl get cm | grep -i apisix
+apisix-gw-config.yaml 1 1d
+
+$ kubectl get pod | grep -i apisix
+apisix-gw-deployment-68df7c7578-5pvxb 1/1 Running 0 1d
+apisix-gw-deployment-68df7c7578-kn89l 1/1 Running 0 1d
+apisix-gw-deployment-68df7c7578-i830r 1/1 Running 0 1d
+apisix-gw-deployment-68df7c7578-32ow1 1/1 Running 0 1d
+
+$ kubectl get svc | grep -i apisix
+apisix-gw-svc LoadBalancer 172.19.33.28 10.253.0.11
80:31141/TCP,443:30931/TCP 1d
+
+```
+
+#### Clean up (dangerous)
+
+```
+kubectl delete -f .
+```
diff --git a/kubernetes/apisix-gw-config-cm.yaml
b/kubernetes/apisix-gw-config-cm.yaml
new file mode 100644
index 0000000..67833f0
--- /dev/null
+++ b/kubernetes/apisix-gw-config-cm.yaml
@@ -0,0 +1,154 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+apiVersion: v1
+data:
+ config.yaml: |
+ #
+ # Licensed to the Apache Software Foundation (ASF) under one or more
+ # contributor license agreements. See the NOTICE file distributed with
+ # this work for additional information regarding copyright ownership.
+ # The ASF licenses this file to You under the Apache License, Version 2.0
+ # (the "License"); you may not use this file except in compliance with
+ # the License. You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+ #
+ apisix:
+ node_listen: 9080 # APISIX listening port
+ enable_heartbeat: true
+ enable_admin: true
+ enable_admin_cors: true # Admin API support CORS response
headers.
+ enable_debug: false
+ enable_dev_mode: false # Sets nginx worker_processes to 1 if
set to true
+ enable_reuseport: true # Enable nginx SO_REUSEPORT switch if
set to true.
+ enable_ipv6: true
+ config_center: etcd # etcd: use etcd to store the config
value
+ # yaml: fetch the config value from
local yaml file `/your_path/conf/apisix.yaml`
+
+ #proxy_protocol: # Proxy Protocol configuration
+ # listen_http_port: 9181 # The port with proxy protocol for
http, it differs from node_listen and port_admin.
+ # This port can only receive http
request with proxy protocol, but node_listen & port_admin
+ # can only receive http request. If you
enable proxy protocol, you must use this port to
+ # receive http request with proxy
protocol
+ # listen_https_port: 9182 # The port with proxy protocol for https
+ # enable_tcp_pp: true # Enable the proxy protocol for tcp
proxy, it works for stream_proxy.tcp option
+ # enable_tcp_pp_to_upstream: true # Enables the proxy protocol to the
upstream server
+
+ # allow_admin: #
http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
+ # - 127.0.0.0/24 # If we don't set any IP list, then any
IP access is allowed by default.
+ # - "::/64"
+ # port_admin: 9180 # use a separate port
+
+ # Default token when use API to call for Admin API.
+ # *NOTE*: Highly recommended to modify this value to protect APISIX's
Admin API.
+ # Disabling this configuration item means that the Admin API does not
+ # require any authentication.
+ admin_key:
+ -
+ name: "admin"
+ key: edd1c9f034335f136f87ad84b625c8f1
+ role: admin # admin: manage all configuration data
+ # viewer: only can view configuration
data
+ -
+ name: "viewer"
+ key: 4054f7cf07e344346cd3f287985e76a2
+ role: viewer
+ router:
+ http: 'radixtree_uri' # radixtree_uri: match route by uri(base
on radixtree)
+ # radixtree_host_uri: match route by
host + uri(base on radixtree)
+ ssl: 'radixtree_sni' # radixtree_sni: match route by SNI(base
on radixtree)
+ # stream_proxy: # TCP/UDP proxy
+ # tcp: # TCP proxy port list
+ # - 9100
+ # - 9101
+ # udp: # UDP proxy port list
+ # - 9200
+ # - 9211
+ dns_resolver: # default DNS resolver, with disable
IPv6 and enable local DNS
+ - 114.114.114.114
+ - 223.5.5.5
+ - 1.1.1.1
+ - 8.8.8.8
+ dns_resolver_valid: 30 # valid time for dns result 30 seconds
+
+ ssl:
+ enable: true
+ enable_http2: true
+ listen_port: 9443
+ ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
+ ssl_ciphers:
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-
[...]
+
+ nginx_config: # config for render the template to
genarate nginx.conf
+ error_log: "logs/error.log"
+ error_log_level: "warn" # warn,error
+ worker_rlimit_nofile: 20480 # the number of files a worker process
can open, should be larger than worker_connections
+ event:
+ worker_connections: 10620
+ http:
+ access_log: "logs/access.log"
+ keepalive_timeout: 60s # timeout during which a keep-alive
client connection will stay open on the server side.
+ client_header_timeout: 60s # timeout for reading client request
header, then 408 (Request Time-out) error is returned to the client
+ client_body_timeout: 60s # timeout for reading client request
body, then 408 (Request Time-out) error is returned to the client
+ send_timeout: 10s # timeout for transmitting a response
to the client.then the connection is closed
+ underscores_in_headers: "on" # default enables the use of
underscores in client request header fields
+ real_ip_header: "X-Real-IP" #
http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
+ real_ip_from: #
http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
+ - 127.0.0.1
+ - 'unix:'
+
+ etcd:
+ host: "http://127.0.0.1:2379" # etcd address
+ prefix: "/apisix" # apisix configurations prefix
+ timeout: 3 # 3 seconds
+
+ plugins: # plugin list
+ - example-plugin
+ - limit-req
+ - limit-count
+ - limit-conn
+ - key-auth
+ - basic-auth
+ - prometheus
+ - node-status
+ - jwt-auth
+ - zipkin
+ - ip-restriction
+ - grpc-transcode
+ - serverless-pre-function
+ - serverless-post-function
+ - openid-connect
+ - proxy-rewrite
+ - redirect
+ - response-rewrite
+ - fault-injection
+ - udp-logger
+ - wolf-rbac
+
+ stream_plugins:
+ - mqtt-proxy
+
+kind: ConfigMap
+metadata:
+ name: apisix-gw-config.yaml
+ # namespace: default
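Review bot: The embedded `config.yaml` ships the Admin API switched on (`enable_admin: true`) with both `admin_key` values committed as fixed strings, while `allow_admin` and `port_admin` stay commented out, and the file's own comment states that with no IP list any IP is allowed. With no separate `port_admin`, the Admin API presumably answers on `node_listen` 9080, which is the port the Service manifests in this same commit publish. For an example that will be applied as-is, uncomment `allow_admin:` with `- 127.0.0.0/24` and `port_admin: 9180`, and replace each key with a labelled placeholder such as `key: <CHANGE_ME_PER_DEPLOYMENT>` plus a comment that it must be generated before applying. Since the keys are credentials, consider stating in a comment that this ConfigMap is readable by anyone with ConfigMap read access in the namespace. Separately, `ssl_protocols` still offers `TLSv1 TLSv1.1`; `ssl_protocols: "TLSv1.2 TLSv1.3"` is a safer default for a new example.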
diff --git a/kubernetes/deployment.yaml b/kubernetes/deployment.yaml
new file mode 100644
index 0000000..60d54b2
--- /dev/null
+++ b/kubernetes/deployment.yaml
@@ -0,0 +1,165 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+apiVersion: apps/v1beta2 # for versions before 1.8.0 use apps/v1beta1
+kind: Deployment
+metadata:
+ labels:
+ app: apisix-gw
+ name: apisix-gw-deployment
+ # namespace: default
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: apisix-gw
+ template:
+ metadata:
+ labels:
+ app: apisix-gw
+ spec:
+ # tolerations:
+ # - key: "group"
+ # operator: "Equal"
+ # value: "prod"
+ # effect: "NoSchedule"
+ # nodeSelector:
+ # env: prod
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - apisix-gw
+ topologyKey: kubernetes.io/hostname
+ weight: 100
+ initContainers:
+ - command:
+ - /bin/sh
+ - -c
+ - |
+ sysctl -w net.core.somaxconn=65535
+ sysctl -w net.ipv4.ip_local_port_range="1024 65535"
+ sysctl -w net.ipv4.tcp_max_syn_backlog=8192
+ sysctl -w fs.file-max=1048576
+ sysctl -w fs.inotify.max_user_instances=16384
+ sysctl -w fs.inotify.max_user_watches=524288
+ sysctl -w fs.inotify.max_queued_events=16384
+ image: busybox:latest
+ name: init-sysctl
+ resources: {}
+ securityContext:
+ privileged: true
+ procMount: Default
+ restartPolicy: Always
+
+ containers:
+ - env:
+ - name: TZ
+ value: "Asia/Shanghai"
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ image: 'apache/apisix:latest'
+ imagePullPolicy: IfNotPresent
+ name: apisix-gw-deployment
+ ports:
+ - containerPort: 9080
+ name: http
+ protocol: TCP
+ - containerPort: 9443
+ name: https
+ protocol: TCP
+ # livenessProbe:
+ # failureThreshold: 3
+ # httpGet:
+ # path: /healthz
+ # port: 10254
+ # scheme: HTTP
+ # initialDelaySeconds: 10
+ # periodSeconds: 10
+ # successThreshold: 1
+ # timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 6
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ tcpSocket:
+ port: 9080
+ timeoutSeconds: 1
+ lifecycle:
+ # For alpine based image
+ # https://k8s.imroc.io/troubleshooting/cases/dns-lookup-5s-delay
+ # postStart:
+ # exec:
+ # command:
+ # - /bin/sh
+ # - -c
+ # - "/bin/echo 'options single-request-reopen' >>
/etc/resolv.conf"
+ preStop:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - "sleep 30"
+ # cpu core(s), 1 == 1000m
+ resources:
+ limits:
+ cpu: '2'
+ requests:
+ cpu: '50m'
+
+ volumeMounts:
+ - mountPath: /usr/local/apisix/conf/config.yaml
+ name: apisix-config-yaml-configmap
+ subPath: config.yaml
+ - mountPath: /etc/localtime
+ name: localtime
+ readOnly: true
+ # - mountPath: /usr/local/apisix/conf/nginx.conf
+ # name: apisix-nginx-conf-configmap
+ # subPath: nginx.conf
+ # - mountPath: /usr/local/openresty/openssl/ssl/openssl.cnf
+ # name: apisix-openssl-cnf-configmap
+ # subPath: openssl.cnf
+
+ volumes:
+ - configMap:
+ name: apisix-gw-config.yaml
+ name: apisix-config-yaml-configmap
+ - hostPath:
+ path: /etc/localtime
+ type: File
+ name: localtime
+ # - configMap:
+ # name: apisix-gw-nginx.conf
+ # name: apisix-nginx-conf-configmap
+ # - configMap:
+ # name: apisix-gw-openssl.cnf.conf
+ # name: apisix-openssl-cnf-configmap
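Review bot: The `init-sysctl` init container runs with `privileged: true` from the floating tag `image: busybox:latest`, so whatever that tag resolves to at pull time executes with full host privileges on every node that schedules a replica. Pin both images to a fixed tag or digest, e.g. `image: busybox:<PINNED_TAG>` and `image: 'apache/apisix:<PINNED_TAG>'`; with `imagePullPolicy: IfNotPresent`, `latest` can also leave nodes running different builds. The `fs.file-max` and `fs.inotify.*` writes are, as far as I know, node-wide rather than per-pod, so a comment above the `sysctl -w` block such as `# NOTE: changes kernel settings for the whole node, not only this pod` would tell operators what they are accepting. The main container sets no `securityContext` at all; if the image supports it, `allowPrivilegeEscalation: false` is worth adding there.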
diff --git a/kubernetes/service-aliyun-slb.yaml
b/kubernetes/service-aliyun-slb.yaml
new file mode 100644
index 0000000..a28f150
--- /dev/null
+++ b/kubernetes/service-aliyun-slb.yaml
@@ -0,0 +1,78 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+#
https://help.aliyun.com/document_detail/94925.html?spm=5176.2020520152.0.0.44ca16ddon5iJF
+apiVersion: v1
+kind: Service
+metadata:
+ name: apisix-gw-lb
+ # namespace: default
+ annotations:
+ #
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-additional-resource-tags:
""
+ #
+ # service.beta.kubernetes.io/alibaba-cloud-loadbalancer-AddressType:
"intranet"
+ # service.beta.kubernetes.io/alibaba-cloud-loadbalancer-network-type: "vpc"
+
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners:
"true"
+ service.beta.kubernetes.io/alibaba-cloud-loadbalancer-persistence-timeout:
"1800"
+ service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id: "lb-xx"
+ #
+ # http
+ # service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: ''
+ # service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port:
'https:443'
+ # service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec:
"slb.s1.small"
+ # service.beta.kubernetes.io/alibaba-cloud-loadbalancer-forward-port
+ # http sticky-session
+ # service.beta.kubernetes.io/alibaba-cloud-loadbalancer-sticky-session:
"on"
+ #
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-sticky-session-type:
"insert"
+ # service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cookie-timeout:
"1800"
+ # service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port:
"http:80"
+ #
+ # health-check
+ service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-type:
"tcp"
+
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-connect-timeout:
"4"
+ service.beta.kubernetes.io/alibaba-cloud-loadbalancer-healthy-threshold:
"4"
+ service.beta.kubernetes.io/alibaba-cloud-loadbalancer-unhealthy-threshold:
"4"
+
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-interval: "6"
+ #
+ service.beta.kubernetes.io/alibaba-cloud-loadbalancer-scheduler: "wlc"
+ # ACL
+ # service.beta.kubernetes.io/alibaba-cloud-loadbalancer-acl-status: "on"
+ # service.beta.kubernetes.io/alibaba-cloud-loadbalancer-acl-id: "acl-xx"
+ # service.beta.kubernetes.io/alibaba-cloud-loadbalancer-acl-type: "white"
+ #
+
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-remove-unscheduled-backend:
"on"
+ labels:
+ app: apisix-gw
+spec:
+ selector:
+ app: apisix-gw
+ ports:
+ - protocol: TCP
+ port: 80
+ name: http
+ targetPort: 9080
+ - protocol: TCP
+ port: 443
+ name: https
+ targetPort: 9443
+ # - protocol: TCP
+ # port: 9180
+ # name: admin-port
+ # targetPort: 9180
+ type: LoadBalancer
+ externalTrafficPolicy: Local
+ # sessionAffinity: ClientIP
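Review bot: The annotations combine the placeholder `alibaba-cloud-loadbalancer-id: "lb-xx"` with `alibaba-cloud-loadbalancer-force-override-listeners: "true"`, which as I understand it lets the controller overwrite the listeners already configured on whichever existing SLB the id is changed to. A comment above these two lines would make that explicit, for example `# replace lb-xx with your own SLB id; force-override-listeners rewrites that SLB's existing listeners`. The ACL annotations (`acl-status`, `acl-id`, `acl-type`) are all commented out, so the example publishes ports 80 and 443 with no source restriction. Given that the ConfigMap in this commit leaves the Admin API enabled without a separate `port_admin`, it would help to say in a comment that an ACL or a dedicated admin port should be configured before exposing this Service.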
diff --git a/kubernetes/service.yaml b/kubernetes/service.yaml
new file mode 100644
index 0000000..c207660
--- /dev/null
+++ b/kubernetes/service.yaml
@@ -0,0 +1,41 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: apisix-gw-lb
+ # namespace: default
+spec:
+ ports:
+ - name: http
+ port: 9080
+ protocol: TCP
+ targetPort: 9080
+ - name: https
+ port: 9443
+ protocol: TCP
+ targetPort: 9443
+ # - name: admin-port
+ # port: 9180
+ # protocol: TCP
+ # targetPort: 9180
+ selector:
+ app: apisix-gw
+ type: NodePort
+ externalTrafficPolicy: Local
+ # sessionAffinity: None
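Review bot: This Service uses `name: apisix-gw-lb`, the same name as the one in `service-aliyun-slb.yaml`, so applying both files to the same namespace makes the second replace the first. The README's sample output shows `apisix-gw-svc`, which suggests the intended name here is `name: apisix-gw-svc`; that also avoids an `-lb` suffix on a `type: NodePort` Service. Note too that `port: 9080` is published on every node, and with the ConfigMap from this commit the Admin API appears to be reachable on that same port, so a comment pointing readers to `allow_admin` / `port_admin` before applying would be useful.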