从上图可以看出 APISIX Ingress 采用了数据面与控制面的分离架构,所以用户可以选择将数据面部署在 K8s 集群内部或外部。但 Ingress Nginx 是将控制面和数据面放在了同一个 Pod 中,如果 Pod 或控制面出现一点闪失,整个 Pod 就会挂掉,进而影响到业务流量。这种架构分离,给用户提供了比较方便的部署选择,同时在业务架构调整场景下,也方便进行相关数据的迁移与使用。
apiVersion:v1 kind:ConfigMap metadata: name:apisix namespace:apisix data: config.yaml:|- apisix: # node_listen: 9080 # APISIX listening port. node_listen: # APISIX listening ports. - 9080 # - port: 9081 # enable_http2: true # If not set, default to `false`. # - ip: 127.0.0.2 # If not set, default to `0.0.0.0` # port: 9082 # enable_http2: true enable_admin: true # Admin API enable_dev_mode: false # If true, set nginx `worker_processes` to 1. enable_reuseport: true # If true, enable nginx SO_REUSEPORT option. show_upstream_status_in_response_header: false # If true, include the upstream HTTP status code in # the response header `X-APISIX-Upstream-Status`. # If false, show `X-APISIX-Upstream-Status` only if # the upstream response code is 5xx. enable_ipv6: true enable_server_tokens:true# If true, show APISIX version in the `Server` response header. extra_lua_path:""# Extend lua_package_path to load third-party code. extra_lua_cpath:""# Extend lua_package_cpath to load third-party code. # lua_module_hook: "my_project.my_hook" # Hook module used to inject third-party code into APISIX.
proxy_cache:# Proxy Caching configuration cache_ttl:10s# The default caching time on disk if the upstream does not specify a caching time. zones: -name:disk_cache_one# Name of the cache. memory_size:50m# Size of the memory to store the cache index. disk_size:1G# Size of the disk to store the cache data. disk_path:/tmp/disk_cache_one# Path to the cache file for disk cache. cache_levels:1:2# Cache hierarchy levels of disk cache. # - name: disk_cache_two # memory_size: 50m # disk_size: 1G # disk_path: "/tmp/disk_cache_two" # cache_levels: "1:2" -name:memory_cache memory_size:50m
delete_uri_tail_slash:false# Delete the '/' at the end of the URI normalize_uri_like_servlet:false# If true, use the same path normalization rules as the Java # servlet specification. See https://github.com/jakartaee/servlet/blob/master/spec/src/main/asciidoc/servlet-spec-body.adoc#352-uri-path-canonicalization, which is used in Tomcat.
router: http:radixtree_host_uri# radixtree_host_uri: match route by host and URI # radixtree_uri: match route by URI # radixtree_uri_with_parameter: similar to radixtree_uri but match URI with parameters. See https://github.com/api7/lua-resty-radixtree/#parameters-in-path for more details. ssl:radixtree_sni# radixtree_sni: match route by SNI
# http is the default proxy mode. proxy_mode can be one of `http`, `stream`, or `http&stream` proxy_mode:http # stream_proxy: # TCP/UDP L4 proxy # only: true # Enable L4 proxy only without L7 proxy. # tcp: # - addr: 9100 # Set the TCP proxy listening ports. # tls: true # - addr: "127.0.0.1:9101" # udp: # Set the UDP proxy listening ports. # - 9200 # - "127.0.0.1:9201"
# dns_resolver: # If not set, read from `/etc/resolv.conf` # - 1.1.1.1 # - 8.8.8.8 # dns_resolver_valid: 30 # Override the default TTL of the DNS records. resolver_timeout:5# Set the time in seconds that the server will wait for a response from the # DNS resolver before timing out. enable_resolv_search_opt:true# If true, use search option in the resolv.conf file in DNS lookups.
ssl: enable:true listen:# APISIX listening port for HTTPS traffic. -port:9443 enable_http2:true # - ip: 127.0.0.3 # If not set, default to `0.0.0.0`. # port: 9445 # enable_http2: true ssl_trusted_certificate:/usr/local/apisix/ssl/ca.pem# 此处需要修改成连接etcd的ca证书位置,开启https连接必须配置 ssl_protocols:TLSv1.2TLSv1.3# TLS versions supported. ssl_ciphers:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl_session_tickets:false# If true, session tickets are used for SSL/TLS connections. # Disabled by default because it renders Perfect Forward Secrecy (FPS) # useless. See https://github.com/mozilla/server-side-tls/issues/135.
key_encrypt_salt:# This field is only used to encrypt the private key of SSL. -edd1c9f0985e76a2# Set the encryption key for AES-128-CBC. It should be a # hexadecimal string of length 16. # If not set, APISIX saves the original data into etcd. # CAUTION: If you would like to update the key, add the new key as the # first item in the array and keep the older keys below the newly added # key, so that data can be decrypted with the older keys and encrypted # with the new key. Removing the old keys directly can render the data # unrecoverable.
# fallback_sni: "my.default.domain" # Fallback SNI to be used if the client does not send SNI during # # the handshake.
enable_control:true# Control API # control: # ip: 127.0.0.1 # port: 9090
disable_sync_configuration_during_start:false# Safe exit. TO BE REMOVED.
data_encryption:# Encrypt fields specified in `encrypt_fields` in plugin schema. enable:false keyring:# Set the encryption key for AES-128-CBC. It should be a -qeddd145sfvddff3# hexadecimal string of length 16. # If not set, APISIX saves the original data into etcd. # CAUTION: If you would like to update the key, add the new key as the # first item in the array and keep the older keys below the newly added # key, so that data can be decrypted with the older keys and encrypted # with the new key. Removing the old keys directly can render the data # unrecoverable.
nginx_config:# Config for render the template to generate nginx.conf # user: root # Set the execution user of the worker process. This is only # effective if the master process runs with super-user privileges. error_log:logs/error.log# Location of the error log. error_log_level:warn# Logging level: info, debug, notice, warn, error, crit, alert, or emerg. worker_processes:auto# Automatically determine the optimal number of worker processes based # on the available system resources. # If you want use multiple cores in container, you can inject the number of # CPU cores as environment variable "APISIX_WORKER_PROCESSES". enable_cpu_affinity:false# Disable CPU affinity by default as worker_cpu_affinity affects the # behavior of APISIX in containers. For example, multiple instances could # be bound to one CPU core, which is not desirable. # If APISIX is deployed on a physical machine, CPU affinity can be enabled. worker_rlimit_nofile:20480# The number of files a worker process can open. # The value should be larger than worker_connections. worker_shutdown_timeout:240s# Timeout for a graceful shutdown of worker processes.
max_pending_timers:16384# The maximum number of pending timers that can be active at any given time. # Error "too many pending timers" indicates the threshold is reached. max_running_timers:4096# The maximum number of running timers that can be active at any given time. # Error "lua_max_running_timers are not enough" error indicates the # threshold is reached.
event: worker_connections:10620
# envs: # Get environment variables. # - TEST_ENV
meta: lua_shared_dict:# Nginx Lua shared memory zone. Size units are m or k. prometheus-metrics:15m
stream: enable_access_log:false# Enable stream proxy access logging. access_log:logs/access_stream.log# Location of the stream access log. access_log_format:"$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time"# Customize log format: http://nginx.org/en/docs/varindex.html access_log_format_escape:default# Escape default or json characters in variables. lua_shared_dict:# Nginx Lua shared memory zone. Size units are m or k. etcd-cluster-health-check-stream:10m lrucache-lock-stream:10m plugin-limit-conn-stream:10m worker-events-stream:10m tars-stream:1m
# Add other custom Nginx configurations. # Users are responsible for validating the custom configurations # to ensure they are not in conflict with APISIX configurations. main_configuration_snippet:| # Add custom Nginx main configuration to nginx.conf. # The configuration should be well indented! http_configuration_snippet:| # Add custom Nginx http configuration to nginx.conf. # The configuration should be well indented! http_server_configuration_snippet:| # Add custom Nginx http server configuration to nginx.conf. # The configuration should be well indented! http_server_location_configuration_snippet:| # Add custom Nginx http server location configuration to nginx.conf. # The configuration should be well indented! http_admin_configuration_snippet:| # Add custom Nginx admin server configuration to nginx.conf. # The configuration should be well indented! http_end_configuration_snippet:| # Add custom Nginx http end configuration to nginx.conf. # The configuration should be well indented! stream_configuration_snippet:| # Add custom Nginx stream configuration to nginx.conf. # The configuration should be well indented! http: enable_access_log:true# Enable HTTP proxy access logging. access_log:logs/access.log# Location of the access log. access_log_buffer:16384# buffer size of access log. access_log_format:"$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\"" # Customize log format: http://nginx.org/en/docs/varindex.html access_log_format_escape:default# Escape default or json characters in variables. keepalive_timeout:60s# Set the maximum time for which TCP connection keeps alive. client_header_timeout:60s# Set the maximum time waiting for client to send the entire HTTP # request header before closing the connection. client_body_timeout:60s# Set the maximum time waiting for client to send the request body. client_max_body_size:0# Set the maximum allowed size of the client request body. # Default to 0, unlimited. # Unlike Nginx, APISIX does not limit the body size by default. # If exceeded, the 413 (Request Entity Too Large) error is returned. send_timeout:10s# Set the maximum time for transmitting a response to the client before closing. underscores_in_headers:"on"# Allow HTTP request headers to contain underscores in their names. real_ip_header:X-Real-IP# https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header real_ip_recursive:"off"# http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive real_ip_from:# http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from -127.0.0.1 -172.17.120.1# 设置信任代理IP,在X-Forwarded-For 头部并提取真实客户端 IP 地址. -"unix:"
# custom_lua_shared_dict: # Custom Nginx Lua shared memory zone for nginx.conf. Size units are m or k. # ipc_shared_dict: 100m # Custom shared cache, format: `cache-key: cache-size`
proxy_ssl_server_name:true# Send the server name in the SNI extension when establishing an SSL/TLS # connection with the upstream server, allowing the upstream server to # select the appropriate SSL/TLS certificate and configuration based on # the requested server name.
upstream: keepalive:320# Set the maximum time of keep-alive connections to the upstream servers. # When the value is exceeded, the least recently used connection is closed. keepalive_requests:1000# Set the maximum number of requests that can be served through one # keep-alive connection. # After the maximum number of requests is made, the connection is closed. keepalive_timeout:60s# Set the maximum time for which TCP connection keeps alive. charset:utf-8# Add the charset to the "Content-Type" response header field. # See http://nginx.org/en/docs/http/ngx_http_charset_module.html#charset variables_hash_max_size:2048# Set the maximum size of the variables hash table.
lua_shared_dict:# Nginx Lua shared memory zone. Size units are m or k. internal-status:10m plugin-limit-req:10m plugin-limit-count:10m prometheus-metrics:10m plugin-limit-conn:10m upstream-healthcheck:10m worker-events:10m lrucache-lock:10m balancer-ewma:10m balancer-ewma-locks:10m balancer-ewma-last-touched-at:10m plugin-limit-count-redis-cluster-slot-lock:1m tracing_buffer:10m plugin-api-breaker:10m etcd-cluster-health-check:10m discovery:1m jwks:1m introspection:10m access-tokens:1m ext-plugin:1m tars:1m cas-auth:10m
# discovery: # Service Discovery # dns: # servers: # - "127.0.0.1:8600" # Replace with the address of your DNS server. # order: # Resolve DNS records this order. # - last # Try the latest successful type for a hostname. # - SRV # - A # - AAAA # - CNAME
graphql: max_size:1048576# Set the maximum size limitation of graphql in bytes. Default to 1MiB.
stream_plugins:# stream plugin list (sorted by priority) -ip-restriction# priority: 3000 -limit-conn# priority: 1003 -mqtt-proxy# priority: 1000 #- prometheus # priority: 500 -syslog# priority: 401 # <- recommend to use priority (0, 100) for your custom plugins
plugin_attr:# Plugin attributes log-rotate:# Plugin: log-rotate interval:3600# Set the log rotate interval in seconds. max_kept:168# Set the maximum number of log files to keep. If exceeded, historic logs are deleted. max_size:-1# Set the maximum size of log files in bytes before a rotation. # Skip size check if max_size is less than 0. enable_compression:false# Enable log file compression (gzip). skywalking:# Plugin: skywalking service_name:APISIX# Set the service name for SkyWalking reporter. service_instance_name:APISIXInstanceName# Set the service instance name for SkyWalking reporter. endpoint_addr:http://127.0.0.1:12800# Set the SkyWalking HTTP endpoint. report_interval:3# Set the reporting interval in second. opentelemetry:# Plugin: opentelemetry trace_id_source:x-request-id# Specify the source of the trace ID for OpenTelemetry traces. resource: service.name:APISIX# Set the service name for OpenTelemetry traces. collector: address:127.0.0.1:4318# Set the address of the OpenTelemetry collector to send traces to. request_timeout:3# Set the timeout for requests to the OpenTelemetry collector in seconds. request_headers:# Set the headers to include in requests to the OpenTelemetry collector. Authorization:token# Set the authorization header to include an access token. batch_span_processor: drop_on_queue_full:false# Drop spans when the export queue is full. max_queue_size:1024# Set the maximum size of the span export queue. batch_timeout:2# Set the timeout for span batches to wait in the export queue before # being sent. inactive_timeout:1# Set the timeout for spans to wait in the export queue before being sent, # if the queue is not full. max_export_batch_size:16# Set the maximum number of spans to include in each batch sent to the set_ngx_var:false# export opentelemetry variables to nginx variables # OpenTelemetry collector. prometheus:# Plugin: prometheus export_uri:/apisix/prometheus/metrics# Set the URI for the Prometheus metrics endpoint. metric_prefix:apisix_# Set the prefix for Prometheus metrics generated by APISIX. enable_export_server:true# Enable the Prometheus export server. export_addr:# Set the address for the Prometheus export server. ip:127.0.0.1# Set the IP. port:9091# Set the port. # metrics: # Create extra labels from nginx variables: https://nginx.org/en/docs/varindex.html # http_status: # extra_labels: # - upstream_addr: $upstream_addr # - status: $upstream_status # The label name does not need to be the same as the variable name. # http_latency: # extra_labels: # - upstream_addr: $upstream_addr # bandwidth: # extra_labels: # - upstream_addr: $upstream_addr # default_buckets: # - 10 # - 50 # - 100 # - 200 # - 500 server-info:# Plugin: server-info report_ttl:60# Set the TTL in seconds for server info in etcd. # Maximum: 86400. Minimum: 3. dubbo-proxy:# Plugin: dubbo-proxy upstream_multiplex_count:32# Set the maximum number of connections that can be multiplexed over # a single network connection between the Dubbo Proxy and the upstream # Dubbo services. proxy-mirror:# Plugin: proxy-mirror timeout:# Set the timeout for mirrored requests. connect:60s read:60s send:60s redirect:# Plugin: redirect https_port:443# Set the default port used to redirect HTTP to HTTPS. inspect:# Plugin: inspect delay:3# Set the delay in seconds for the frequency of checking the hooks file. hooks_file:"/usr/local/apisix/plugin_inspect_hooks.lua"# Set the path to the Lua file that defines # hooks. Only administrators should have # write access to this file for security.
deployment:# Deployment configurations role:traditional# Set deployment mode: traditional, control_plane, or data_plane. role_traditional: config_provider:etcd# Set the configuration center.
#role_data_plane: # Set data plane details if role is data_plane. # config_provider: etcd # Set the configuration center: etcd, xds, or yaml.
#role_control_plane: # Set control plane details if role is control_plane. # config_provider: etcd # Set the configuration center.
admin:# Admin API admin_key_required:true# Enable Admin API authentication by default for security. admin_key: - name:admin# admin: write access to configurations. key:edd1c9f034335f136f87ad84b625c8f1# Set API key for the admin of Admin API. role:admin - name:viewer# viewer: read-only to configurations. key:4054f7cf07e344346cd3f287985e76a2# Set API key for the viewer of Admin API. role:viewer
enable_admin_cors:true# Enable Admin API CORS response header `Access-Control-Allow-Origin`. allow_admin:# Limit Admin API access by IP addresses. -127.0.0.0/24# If not set, any IP address is allowed. -0.0.0.0/0 # - "::/64" admin_listen:# Set the Admin API listening addresses. ip:0.0.0.0# Set listening IP. port:9180# Set listening port. Beware of port conflict with node_listen.
# https_admin: true # Enable SSL for Admin API on IP and port specified in admin_listen. # Use admin_api_mtls.admin_ssl_cert and admin_api_mtls.admin_ssl_cert_key. # admin_api_mtls: # Set this if `https_admin` is true. # admin_ssl_cert: "" # Set path to SSL/TLS certificate. # admin_ssl_cert_key: "" # Set path to SSL/TLS key. # admin_ssl_ca_cert: "" # Set path to CA certificate used to sign client certificates.
admin_api_version:v3# Set the version of Admin API (latest: v3).
创建后 apisix-ingress-controller 会将上面的资源对象通过 admin api 映射成 APISIX 中的配置:
1 2 3 4
kubectl apply -f dashboard-ing.yml kubectl get apisixroutes.apisix.apache.org -A NAMESPACE NAME HOSTS URIS AGE apisix dashboard ["apisix.boysec.cn"] ["/*"] 3m30s
