Go microservices: the Kong API gateway


Purpose

With several microservice instances already running, each of them has to be exposed to clients somehow. Exposing every microservice on its own means configuring each one separately, which is tedious and hard to manage. An API gateway is the single entry point through which clients reach the internal microservices: every client request is matched and forwarded by the gateway. Beyond routing, the gateway layer can take on authentication and authorization, rate limiting and load balancing, so that each microservice can concentrate on its own business logic while the APIs become more available, maintainable and scalable.

Kong

Kong Gateway is a lightweight, fast, scalable and platform-independent cloud-native API gateway. It is built on OpenResty (Nginx plus LuaJIT) and keeps its configuration either in PostgreSQL or, in DB-less mode, in a declarative YAML/JSON file; in both cases the gateway is managed through its RESTful Admin API.

Services and routes

[diagram] The client sends a request to Kong Gateway, which matches it against the configured Routes, hands it to the matching Service, which forwards it to the backend, and the response travels back to the client. In Kong's model a Service is the gateway-side representation of one upstream API (its host, port and path), and a Route holds the matching rules (hosts, paths, methods) that decide which inbound requests belong to that Service; plugins can be attached to either.

Installation

Install with Docker Compose: docker-kong/compose at master · Kong/docker-kong (github.com)

Download the files, change into the directory and run one of the following. In DB-less mode the configuration comes from a declarative file and the Admin API is read-only, so the Konga-driven steps below need the PostgreSQL mode:

# DB-less mode (declarative configuration, no database)
make kong-dbless
# PostgreSQL-backed mode
make kong-postgres

After startup the following ports are mapped:

8000: proxy port; accepts client HTTP requests and forwards them to the backends
8443: proxy port for HTTPS
8001: Admin API over HTTP, through which an administrator configures services, routes, plugins and consumers
8444: Admin API over HTTPS

The Admin API has no authentication of its own: whoever can reach 8001 or 8444 can reconfigure the whole gateway. Keep both ports on a loopback or private interface; publishing them on 0.0.0.0, as the compose file below does, is acceptable only on an isolated lab machine.

Installing Konga

Konga is a third-party management UI for Kong. It shows all of Kong's current configuration and lets you view, monitor and set alerts on the state of Kong nodes. Because it can change the gateway configuration, it must be protected like the Admin API itself.

Add the following service to docker-compose.yml; the database settings must also be adjusted to match the db service.

  konga:
    image: pantsel/konga:latest
    container_name: konga
    networks:
      - kong-net
    environment:
      DB_ADAPTER: postgres
      DB_HOST: postgres
      DB_PORT: 5432
      DB_USER: kong
      DB_PASSWORD: kong   # must equal the contents of ./POSTGRES_PASSWORD that kong and db read
      DB_DATABASE: kong   # Konga creates its own tables inside Kong's database; a separate database keeps the two apart
      NODE_ENV: production
    ports:
      - "8888:1337"
    restart: on-failure
    depends_on:
      - db
      - kong
      - kong-migrations

[screenshot of the startup error] If the error above appears, change NODE_ENV: production to NODE_ENV: development. In production mode Konga expects its database tables to exist already (they are created with node ./bin/konga.js prepare); in development mode it creates them itself on startup.

Creating a Connection

A Connection in Konga is the address of a Kong Admin API. Inside the compose network that is http://kong:8001 (the kong service name and its Admin port).

Creating a Service

Give the Service a name and the backend's URL (or host, port and path); this is the upstream API that Kong will forward matching requests to.

Creating a Route

Open the Service page first, then add a Route to it with the paths (and optionally hosts and methods) that inbound requests must match.

Proxy access

HTTP: the proxy port is 8000. [screenshot] From here on I replaced 172.24.240.1 with buddyxiao.com (mapped in the hosts file; the kong container needs the same mapping, which is what the extra_hosts entry below provides). 172.24.240.1 and 172.27.0.1 are the host IPs my machine was assigned at different boots.

    extra_hosts:
      - "buddyxiao.com:172.27.0.1"

Adding plugins

For example, adding API key authentication with the key-auth plugin.

Create a Consumer

[screenshot] First add a consumer that will use the wheel service; from now on requests to that service must carry a key to be authenticated.

Add the plugin on the Route

[screenshot] Find the wheel route and add Key Auth.

[screenshot] Set the key name, that is the header or parameter name the key is sent in (apikey by default).

[screenshot] Requesting the route again without a key no longer gets a valid response: Kong answers 401 Unauthorized.

[screenshot] Send the key name and value with the request (the plugin was configured above to accept it in the URL query, a header or the body). Prefer the header: a key in the query string ends up in proxy access logs, browser history and Referer headers. Enabling hide_credentials on the plugin also strips the key before the request is forwarded to the backend.

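What the backend receives after key-auth succeeds is worth looking at from the other side: with hide_credentials on, Kong removes the key and adds X-Consumer-ID, X-Consumer-Username and, when an anonymous consumer is configured on the plugin, X-Anonymous-Consumer headers. The backend may rely on these only if the request actually came through Kong; anyone who can reach the backend's port directly can type the same headers by hand. The following Go service is an added example, not code from this post or from the Kong project: it accepts the consumer identity only from a trusted gateway network and refuses anonymous requests. The CIDR 172.18.0.0/16 and the listen port 8080 are assumptions (use the subnet Docker assigned to kong-net).

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
)

// Headers the key-auth plugin adds to the request it forwards upstream. Kong
// fills them from its own consumer lookup, but only a request that really came
// through Kong carries trustworthy values: anyone who can reach this service
// directly can type the same headers in by hand.
const (
	hdrConsumerID       = "X-Consumer-ID"
	hdrConsumerUsername = "X-Consumer-Username"
	hdrAnonymous        = "X-Anonymous-Consumer"
)

// Consumer is the identity a handler receives once the checks below have passed.
type Consumer struct{ ID, Username string }

// GatewayOnly runs next only for requests that arrived from a trusted gateway
// network and carry a non-anonymous consumer identity.
func GatewayOnly(trusted []*net.IPNet, next func(http.ResponseWriter, *http.Request, Consumer)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		ip := net.ParseIP(host)
		if err != nil || ip == nil || !inAny(trusted, ip) {
			// Direct access bypassed key-auth entirely, so the headers mean nothing.
			http.Error(w, "forbidden: not via gateway", http.StatusForbidden)
			return
		}
		c := Consumer{ID: r.Header.Get(hdrConsumerID), Username: r.Header.Get(hdrConsumerUsername)}
		if r.Header.Get(hdrAnonymous) == "true" || c.ID == "" {
			// Kong only forwards anonymous requests when the plugin is configured
			// with an anonymous consumer; this service does not serve them.
			http.Error(w, "unauthorized: no authenticated consumer", http.StatusUnauthorized)
			return
		}
		next(w, r, c)
	})
}

func inAny(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ParseCIDRs parses the networks Kong is allowed to connect from.
func ParseCIDRs(cidrs ...string) ([]*net.IPNet, error) {
	var out []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		out = append(out, n)
	}
	return out, nil
}

func main() {
	// Assumed: Kong reaches this service over the compose network 172.18.0.0/16
	// (illustrative; use the subnet Docker gave kong-net) and the service
	// listens on 8080, a port that is NOT published on the host.
	trusted, err := ParseCIDRs("172.18.0.0/16")
	if err != nil {
		log.Fatal(err)
	}
	http.Handle("/", GatewayOnly(trusted, func(w http.ResponseWriter, r *http.Request, c Consumer) {
		fmt.Fprintf(w, "hello %s (consumer id %s)\n", c.Username, c.ID)
	}))
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

A source-address check is only as good as the network path: if another proxy or a NAT sits between Kong and the service, replace it with mTLS (a Kong Service can present a client certificate through its client_certificate field) or a secret header injected by a Kong plugin, and keep the backend port unpublished on the host either way.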

Load balancing

Creating an Upstream

Open the Upstreams page and create an Upstream. Its name acts as a virtual hostname: a Service whose host is set to this name is balanced across the upstream's targets instead of being resolved through DNS.

Creating Targets

Click the upstream you created (named Default in the screenshot), then open Targets. Each target is the host:port of one backend instance plus a weight; Kong distributes requests across the targets in proportion to their weights (round-robin by default) and can health-check them to take failed instances out of rotation.
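The Konga steps above (creating a Service and a Route, enabling key-auth for a Consumer, and building an Upstream with Targets) manipulate the same objects that the Admin API on port 8001 exposes. The following Go program is an added example, not code from this post or from the Kong project: it provisions that whole chain through the Admin API, with the key accepted only from a header and hidden from the backend. The upstream name wheel-upstream, the path /wheel, the backend addresses 10.0.0.11:8080 and 10.0.0.12:8080, the consumer alice and the loopback Admin API address are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"net/url"
)

// KongAdmin talks to the Kong Admin API (port 8001 above), which has no
// authentication of its own: BaseURL must be a loopback or private address,
// because whoever can reach it can rewrite every service, route and plugin.
type KongAdmin struct{ BaseURL string }

// post sends a JSON body to an Admin API path and decodes the JSON reply;
// anything but 200/201 is an error (409 means the object already exists).
func (k KongAdmin) post(path string, body map[string]any) (map[string]any, error) {
	buf, _ := json.Marshal(body)
	resp, err := http.Post(k.BaseURL+path, "application/json", bytes.NewReader(buf))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {
		return nil, fmt.Errorf("POST %s: %s", path, resp.Status)
	}
	out := map[string]any{}
	return out, json.NewDecoder(resp.Body).Decode(&out)
}

// CreateUpstream registers a virtual hostname Kong balances over and adds each
// backend (host:port) as a target; equal weights give plain round-robin.
func (k KongAdmin) CreateUpstream(name string, targets []string) error {
	if _, err := k.post("/upstreams", map[string]any{"name": name}); err != nil {
		return err
	}
	for _, t := range targets {
		if _, err := k.post("/upstreams/"+url.PathEscape(name)+"/targets", map[string]any{"target": t, "weight": 100}); err != nil {
			return err
		}
	}
	return nil
}

// CreateRoute creates a service whose host is the upstream name (Kong resolves
// it to the targets, not via DNS), exposes it under paths, and returns the route
// id so a plugin can be scoped to exactly that route.
func (k KongAdmin) CreateRoute(service, upstream string, paths []string) (string, error) {
	if _, err := k.post("/services", map[string]any{"name": service, "protocol": "http", "host": upstream, "port": 80}); err != nil {
		return "", err
	}
	out, err := k.post("/services/"+url.PathEscape(service)+"/routes", map[string]any{"name": service + "-route", "paths": paths, "strip_path": true})
	return fmt.Sprint(out["id"]), err
}

// EnableKeyAuth attaches key-auth to one route. Only a header may carry the key:
// key_in_query is off so keys do not end up in access logs and browser history,
// and hide_credentials strips the key before the upstream sees it.
func (k KongAdmin) EnableKeyAuth(routeID string) error {
	_, err := k.post("/routes/"+url.PathEscape(routeID)+"/plugins", map[string]any{
		"name": "key-auth",
		"config": map[string]any{"key_names": []string{"apikey"}, "key_in_header": true,
			"key_in_query": false, "key_in_body": false, "hide_credentials": true},
	})
	return err
}

// CreateConsumerKey creates a consumer and one key-auth credential for it. With
// an empty key Kong generates a random one; the stored key is returned either way.
func (k KongAdmin) CreateConsumerKey(username, key string) (string, error) {
	cred := map[string]any{}
	if key != "" {
		cred["key"] = key
	}
	if _, err := k.post("/consumers", map[string]any{"username": username}); err != nil {
		return "", err
	}
	out, err := k.post("/consumers/"+url.PathEscape(username)+"/key-auth", cred)
	return fmt.Sprint(out["key"]), err
}

func main() {
	// Assumed setup: Admin API on loopback, two copies of the "wheel" backend; every name and address is illustrative.
	k := KongAdmin{BaseURL: "http://127.0.0.1:8001"}
	must(k.CreateUpstream("wheel-upstream", []string{"10.0.0.11:8080", "10.0.0.12:8080"}))
	id, err := k.CreateRoute("wheel", "wheel-upstream", []string{"/wheel"})
	must(err)
	must(k.EnableKeyAuth(id))
	key, err := k.CreateConsumerKey("alice", "")
	must(err)
	fmt.Println("apikey for alice:", key)
}

func must(err error) {
	if err != nil {
		log.Fatal(err)
	}
}
```

Run it against a database-backed Kong; the Admin API of a DB-less node rejects writes, and re-running it yields 409 errors for objects that already exist. The client is pointed at loopback on purpose: the same calls against a Kong that publishes 8001 on 0.0.0.0 would work for anyone on the network, which is the reason to keep that port private.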

Configuration file

version: '3.9'

x-kong-config:
  &kong-env
  KONG_DATABASE: ${KONG_DATABASE:-off}
  KONG_PG_DATABASE: kong
  KONG_PG_HOST: db
  KONG_PG_USER: kong
  KONG_PG_PASSWORD_FILE: /run/secrets/kong_postgres_password

volumes:
  kong_data: {}
  kong_prefix_vol:
    driver_opts:
      type: tmpfs
      device: tmpfs
  kong_tmp_vol:
    driver_opts:
      type: tmpfs
      device: tmpfs

networks:
  kong-net:
    external: false

services:
  kong-migrations:
    image: "${KONG_DOCKER_TAG:-kong:latest}"
    command: kong migrations bootstrap
    profiles: [ "database" ]
    depends_on:
      - db
    environment:
      <<: *kong-env
    secrets:
      - kong_postgres_password
    networks:
      - kong-net
    restart: on-failure

  kong-migrations-up:
    image: "${KONG_DOCKER_TAG:-kong:latest}"
    command: kong migrations up && kong migrations finish
    profiles: [ "database" ]
    depends_on:
      - db
    environment:
      <<: *kong-env
    secrets:
      - kong_postgres_password
    networks:
      - kong-net
    restart: on-failure

  kong:
    image: "${KONG_DOCKER_TAG:-kong:latest}"
    user: root   # the upstream docker-kong file runs Kong as the unprivileged "kong" user; root only works around bind-mount permissions on ./config and gives a compromised Kong process root inside the container
    extra_hosts:
      - "buddyxiao.com:172.27.0.1"
    environment:
      <<: *kong-env
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ERROR_LOG: /dev/stderr
      KONG_PROXY_LISTEN: "0.0.0.0:8000"
      KONG_ADMIN_LISTEN: "0.0.0.0:8001,0.0.0.0:8444 ssl"
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_PREFIX: ${KONG_PREFIX:-/var/run/kong}
      KONG_DECLARATIVE_CONFIG: "/opt/kong/kong.yaml"
    secrets:
      - kong_postgres_password
    networks:
      - kong-net
    ports:
      # The following two environment variables default to an insecure value (0.0.0.0)
      # according to the CIS Security test.
      # - "${KONG_INBOUND_PROXY_LISTEN:-0.0.0.0}:8000:8000/tcp"
      # - "${KONG_INBOUND_SSL_PROXY_LISTEN:-0.0.0.0}:8443:8443/tcp"
      # Making them mandatory but undefined, like so would be backwards-breaking:
      # - "${KONG_INBOUND_PROXY_LISTEN?Missing inbound proxy host}:8000:8000/tcp"
      # - "${KONG_INBOUND_SSL_PROXY_LISTEN?Missing inbound proxy ssl host}:8443:8443/tcp"
      # Alternative is deactivating check 5.13 in the security bench, if we consider Kong's own config to be enough security here

      - "8000:8000/tcp"
      # 8001/8444 are the unauthenticated Admin API: outside a lab publish them as "127.0.0.1:8001:8001/tcp" or not at all
      - "8001:8001/tcp"
      - "8444:8444/tcp"
      - "8443:8443/tcp"
    healthcheck:
      test: [ "CMD", "kong", "health" ]
      interval: 10s
      timeout: 10s
      retries: 10
    restart: on-failure:5
    read_only: true
    volumes:
      - kong_prefix_vol:${KONG_PREFIX:-/var/run/kong}
      - kong_tmp_vol:/tmp
      - ./config:/opt/kong
    security_opt:
      - no-new-privileges

  konga:
    image: pantsel/konga:latest
    container_name: konga
    networks:
      - kong-net
    environment:
      DB_ADAPTER: postgres
      DB_HOST: postgres
      DB_PORT: 5432
      DB_USER: kong
      DB_PASSWORD: kong   # must equal the contents of ./POSTGRES_PASSWORD that kong and db read
      DB_DATABASE: kong   # Konga creates its own tables inside Kong's database; a separate database keeps the two apart
      NODE_ENV: development
    ports:
      - "8888:1337"
    restart: on-failure
    depends_on:
      - db
      - kong
      - kong-migrations

  db:
    image: postgres:9.5
    hostname: postgres
    profiles: [ "database" ]
    environment:
      POSTGRES_DB: kong
      POSTGRES_USER: kong
      POSTGRES_PASSWORD_FILE: /run/secrets/kong_postgres_password
    secrets:
      - kong_postgres_password
    healthcheck:
      test: [ "CMD", "pg_isready", "-U", "kong" ]
      interval: 30s
      timeout: 30s
      retries: 3
    restart: on-failure
    stdin_open: true
    tty: true
    ports:
      - 5432:5432   # publishes PostgreSQL on every host interface; only kong and konga on kong-net need it, so drop this or bind it to 127.0.0.1
    networks:
      - kong-net
    volumes:
      - kong_data:/var/lib/postgresql/data

secrets:
  kong_postgres_password:
    file: ./POSTGRES_PASSWORD

Related links

Kong Gateway - v3.2.x | Kong Docs (konghq.com)

docker-kong/compose at master · Kong/docker-kong (github.com)

Kong gateway: using the Konga management UI - Tencent Cloud Developer Community (tencent.com)

pantsel/konga: More than just another GUI to Kong Admin API (github.com)

qianyugang/kong-docs-cn: Chinese translation of the latest Kong microservice API gateway documentation (github.com)