1 Background and purpose
The author's team works on a monolithic Spring Boot application. A recent requirement was that the project had to expose a large number of interfaces to external consumers, and we wanted a gateway, a visual gateway management page and monitoring, so that the externally exposed interfaces could be controlled dynamically. After comparing an internal in-house gateway, ShenYu and APISIX, we chose the Apache APISIX + Dashboard + Prometheus + Grafana stack, because APISIX offers good visual management, is easy to understand and has complete documentation.
This series will cover setting up a local test environment, syncing gateway logs to Elasticsearch, customizing Grafana log monitoring, production deployment and more. This article only shows the most basic process: building a local test environment for learning.
2 Environment
All local test components are deployed as Docker images. The author's machine runs Windows and has little memory to spare, so instead of setting up a virtual machine, Docker Desktop is used for deployment. Docker on Windows has its own pitfalls, so if you have a Linux environment available it is strongly recommended to deploy there. Linux deployments can follow the approach in this article as well; only minor changes to the commands (volume mounts and so on) are needed.
3 Setup process
Note: Docker Desktop does not support host network mode by default. If you want to deploy using the host network, update to the latest version and enable it in the Docker Desktop settings. (The author does not recommend enabling host mode; it can cause some strange problems.)
3.1 Create the docker network and pull the images
Note: most mirror sites in China are no longer usable, so a proxy is required. If you use Docker Desktop this is not an issue, because it will not even start without one. If you need these images, you can contact the author, who can share them.
- Create the network

```shell
docker network create mynetwork --driver=bridge --subnet=172.19.0.0/24 --gateway=172.19.0.1
```

- Pull the images

```shell
docker pull bitnami/etcd:3.5.7
docker pull apache/apisix:3.9.0-debian
docker pull apache/apisix-dashboard
docker pull prom/prometheus
docker pull grafana/grafana
```
3.2 Set up Apache APISIX + Dashboard
- Start etcd

```shell
docker run -d --name etcd-single --network=mynetwork -p2379:2379 -p2380:2380 --ip 172.19.0.2 \
  -e ALLOW_NONE_AUTHENTICATION=yes \
  -e ETCD_ADVERTISE_CLIENT_URLS=http://127.0.0.1:2379,http://172.19.0.2:2379 \
  bitnami/etcd:3.5.7
```

- Start APISIX

(1) Create config.yaml

```yaml
apisix:
  enable_control: true
  control:
    ip: "0.0.0.0"
    port: 9092
deployment:
  role: traditional
  role_traditional:
    config_provider: etcd
  etcd:
    host:
      - "http://172.19.0.2:2379"
  admin:
    admin_key_required: false
    allow_admin:
      - 0.0.0.0/0
plugin_attr:
  prometheus:
    export_addr:
      ip: 172.19.0.3
      port: 9091
```

Note that deployment.etcd.host must be changed to the address of your etcd instance. The endpoint from which Prometheus scrapes metrics is bound to 172.19.0.3:9091 through the plugin_attr.prometheus.export_addr settings.

(2) Start APISIX

```shell
docker run -d --name apisix-single --network=mynetwork \
  -p9080:9080 -p9180:9180 -p9443:9443/tcp -p9443:9443/udp -p9092:9092 -p9100:9100 -p9091:9091 \
  --ip 172.19.0.3 \
  -v <your-mount-path>/config.yaml:/usr/local/apisix/conf/config.yaml \
  apache/apisix:3.9.0-debian
```
- Start the Dashboard

(1) Create config.yml

```yaml
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# yamllint disable rule:comments-indentation
conf:
  listen:
    host: 172.19.0.4     # the address on which the `Manager API` should listen.
                         # The default value is 0.0.0.0, if want to specify, please enable it.
                         # This value accepts IPv4, IPv6, and hostname.
    port: 9000           # The port on which the `Manager API` should listen.

  # ssl:
  #   host: 127.0.0.1    # the address on which the `Manager API` should listen for HTTPS.
  #                      # The default value is 0.0.0.0, if want to specify, please enable it.
  #   port: 9001         # The port on which the `Manager API` should listen for HTTPS.
  #   cert: "/tmp/cert/example.crt" # Path of your SSL cert.
  #   key:  "/tmp/cert/example.key" # Path of your SSL key.

  etcd:
    endpoints:           # supports defining multiple etcd host addresses for an etcd cluster
      - 172.19.0.2:2379
                         # yamllint disable rule:comments-indentation
                         # etcd basic auth info
    # username: "root"   # ignore etcd username if not enable etcd auth
    # password: "123456" # ignore etcd password if not enable etcd auth
    mtls:
      key_file: ""       # Path of your self-signed client side key
      cert_file: ""      # Path of your self-signed client side cert
      ca_file: ""        # Path of your self-signed ca cert, the CA is used to sign callers' certificates
    # prefix: /apisix    # apisix config's prefix in etcd, /apisix by default
  log:
    error_log:
      level: warn        # supports levels, lower to higher: debug, info, warn, error, panic, fatal
      file_path:
        logs/error.log   # supports relative path, absolute path, standard output
                         # such as: logs/error.log, /tmp/logs/error.log, /dev/stdout, /dev/stderr
                         # such as absolute path on Windows: winfile:///C:\error.log
    access_log:
      file_path:
        logs/access.log  # supports relative path, absolute path, standard output
                         # such as: logs/access.log, /tmp/logs/access.log, /dev/stdout, /dev/stderr
                         # such as absolute path on Windows: winfile:///C:\access.log
                         # log example: 2020-12-09T16:38:09.039+0800    INFO    filter/logging.go:46    /apisix/admin/routes/r1    {"status": 401, "host": "127.0.0.1:9000", "query": "asdfsafd=adf&a=a", "requestId": "3d50ecb8-758c-46d1-af5b-cd9d1c820156", "latency": 0, "remoteIP": "127.0.0.1", "method": "PUT", "errs": []}
  max_cpu: 0             # supports tweaking with the number of OS threads are going to be used for parallelism. Default value: 0 [will use max number of available cpu cores considering hyperthreading (if any)]. If the value is negative, is will not touch the existing parallelism profile.
  # security:
  #   access_control_allow_origin: "http://httpbin.org"
  #   access_control_allow_credentials: true          # support using custom cors configration
  #   access_control_allow_headers: "Authorization"
  #   access_control-allow_methods: "*"
  #   x_frame_options: "deny"
  #   content_security_policy: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src xx.xx.xx.xx:3000"  # You can set frame-src to provide content for your grafana panel.

authentication:
  secret:
    secret                # secret for jwt token generation.
                          # NOTE: Highly recommended to modify this value to protect `manager api`.
                          # if it's default value, when `manager api` start, it will generate a random string to replace it.
  expire_time: 3600       # jwt token expire time, in second
  users:                  # yamllint enable rule:comments-indentation
    - username: admin     # username and password for login `manager api`
      password: admin
    - username: user
      password: user

oidc:
  enabled: false
  expire_time: 3600
  client_id: dashboard
  client_secret: dashboard
  auth_url: http://172.17.0.1:8080/auth/realms/master/protocol/openid-connect/auth
  token_url: http://172.17.0.1:8080/auth/realms/master/protocol/openid-connect/token
  user_info_url: http://172.17.0.1:8080/auth/realms/master/protocol/openid-connect/userinfo
  redirect_url: http://127.0.0.1:9000/apisix/admin/oidc/callback
  scope: openid

plugins:
  - api-breaker
  - authz-casbin
  - authz-casdoor
  - authz-keycloak
  - aws-lambda
  - azure-functions
  - basic-auth
  # - batch-requests
  - clickhouse-logger
  - client-control
  - consumer-restriction
  - cors
  - csrf
  - datadog
  # - dubbo-proxy
  - echo
  - error-log-logger
  # - example-plugin
  - ext-plugin-post-req
  - ext-plugin-post-resp
  - ext-plugin-pre-req
  - fault-injection
  - file-logger
  - forward-auth
  - google-cloud-logging
  - grpc-transcode
  - grpc-web
  - gzip
  - hmac-auth
  - http-logger
  - ip-restriction
  - jwt-auth
  - kafka-logger
  - kafka-proxy
  - key-auth
  - ldap-auth
  - limit-conn
  - limit-count
  - limit-req
  - loggly
  # - log-rotate
  - mocking
  # - node-status
  - opa
  - openid-connect
  - opentelemetry
  - openwhisk
  - prometheus
  - proxy-cache
  - proxy-control
  - proxy-mirror
  - proxy-rewrite
  - public-api
  - real-ip
  - redirect
  - referer-restriction
  - request-id
  - request-validation
  - response-rewrite
  - rocketmq-logger
  - server-info
  - serverless-post-function
  - serverless-pre-function
  - skywalking
  - skywalking-logger
  - sls-logger
  - splunk-hec-logging
  - syslog
  - tcp-logger
  - traffic-split
  - ua-restriction
  - udp-logger
  - uri-blocker
  - wolf-rbac
  - zipkin
  - elasticsearch-logger
  - openfunction
  - tencent-cloud-cls
  - ai
  - cas-auth
```

(2) Start the Dashboard

```shell
docker run -d --name dashboard \
  --network=mynetwork \
  --ip 172.19.0.4 \
  -p 9000:9000 \
  -v <CONFIG_FILE>:/usr/local/apisix-dashboard/conf/conf.yaml \
  apache/apisix-dashboard
```

(3) Configure the Prometheus plugin
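The two configuration files above are fine for a throwaway lab, but they also disable most of the protections the stack ships with: config.yaml turns off the Admin API key and allows any source address, the docker run publishes that Admin API (port 9180) and etcd (port 2379, started with ALLOW_NONE_AUTHENTICATION=yes) on the host, and conf.yaml keeps the default JWT secret and admin/admin login. The following lint is an added example (not part of the original post or of the APISIX project) that flags those settings and shows the values a hardened copy would carry. The two dictionaries are the configs from this post transcribed by hand (constructed input); with real files you would `yaml.safe_load` them and pass the result in. The placeholder admin key and the `hardened_apisix` helper are the example's own, not APISIX defaults.

```python
"""Lint the APISIX config.yaml and apisix-dashboard conf.yaml values built above."""
from copy import deepcopy
import ipaddress

# APISIX config.yaml from the post (deployment-mode layout of APISIX 3.x), hand-transcribed
APISIX_CFG = {
    "apisix": {"enable_control": True, "control": {"ip": "0.0.0.0", "port": 9092}},
    "deployment": {
        "role": "traditional",
        "role_traditional": {"config_provider": "etcd"},
        "etcd": {"host": ["http://172.19.0.2:2379"]},
        "admin": {"admin_key_required": False, "allow_admin": ["0.0.0.0/0"]},
    },
    "plugin_attr": {"prometheus": {"export_addr": {"ip": "172.19.0.3", "port": 9091}}},
}

# apisix-dashboard conf.yaml from the post, reduced to the keys the lint inspects
DASHBOARD_CFG = {
    "conf": {
        "listen": {"host": "172.19.0.4", "port": 9000},
        "etcd": {"endpoints": ["172.19.0.2:2379"],
                 "mtls": {"key_file": "", "cert_file": "", "ca_file": ""}},
    },
    "authentication": {
        "secret": "secret",
        "expire_time": 3600,
        "users": [{"username": "admin", "password": "admin"},
                  {"username": "user", "password": "user"}],
    },
}


def lint_apisix(cfg):
    """Findings for an APISIX config.yaml; an empty list means nothing to report."""
    findings = []
    deployment = cfg.get("deployment", {})
    admin = deployment.get("admin", {})
    # admin_key_required: false disables the X-API-KEY check on the Admin API (port 9180,
    # which the docker run above publishes on the host).
    if admin.get("admin_key_required") is False:
        findings.append("admin: admin_key_required is false")
    for cidr in admin.get("allow_admin", []):
        # a /24 or smaller is a plausible allow-list; anything wider is effectively open
        if ipaddress.ip_network(cidr, strict=False).num_addresses > 256:
            findings.append(f"admin: allow_admin range {cidr} is too wide")
    apisix = cfg.get("apisix", {})
    if apisix.get("enable_control") and apisix.get("control", {}).get("ip") == "0.0.0.0":
        findings.append("control API: listening on 0.0.0.0, not loopback")
    for host in deployment.get("etcd", {}).get("host", []):
        if host.startswith("http://"):
            findings.append(f"etcd: plaintext endpoint {host}")
    return findings


def lint_dashboard(cfg):
    """Findings for an apisix-dashboard conf.yaml."""
    findings = []
    auth = cfg.get("authentication", {})
    if auth.get("secret") in ("secret", "", None):
        findings.append("dashboard: JWT secret not set explicitly")
    for user in auth.get("users", []):
        if user.get("password") == user.get("username"):
            findings.append(f"dashboard: password equals username for {user['username']}")
    etcd = cfg.get("conf", {}).get("etcd", {})
    if not etcd.get("username") and not etcd.get("mtls", {}).get("cert_file"):
        findings.append("dashboard: etcd connection uses neither basic auth nor mTLS")
    return findings


def hardened_apisix(cfg):
    """Copy of cfg with the admin/control settings even a lab should keep."""
    out = deepcopy(cfg)
    admin = out["deployment"]["admin"]
    admin["admin_key_required"] = True
    # placeholder key (this example's own); generate a random one for a real deployment
    admin["admin_key"] = [{"name": "admin", "key": "<REPLACE-WITH-RANDOM-KEY>", "role": "admin"}]
    admin["allow_admin"] = ["127.0.0.0/24", "172.19.0.0/24"]   # loopback plus the docker subnet
    out["apisix"]["control"]["ip"] = "127.0.0.1"
    return out


def lint_stack(apisix_cfg, dashboard_cfg):
    """Run both lints and group the findings by component."""
    return {"apisix": lint_apisix(apisix_cfg), "dashboard": lint_dashboard(dashboard_cfg)}


if __name__ == "__main__":
    for component, items in lint_stack(APISIX_CFG, DASHBOARD_CFG).items():
        print(component, *items, sep="\n  ")
    print("after hardening:", lint_apisix(hardened_apisix(APISIX_CFG)))
```

Running it against the post's values reports four findings for each component; after `hardened_apisix` only the plaintext etcd endpoint remains, which is acceptable inside a private docker bridge but not once the containers are reachable from elsewhere.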
- Log in at http://127.0.0.1:9000/ with username admin and password admin.
- Enable the prometheus plugin.
- Open http://127.0.0.1:9091/apisix/prometheus/metrics to check that the configuration worked.

These are the metrics that APISIX exposes for Prometheus to scrape.
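What comes back from that URL is the Prometheus text exposition format. As an added example (not from the original post or the APISIX project), here is a small parser for it together with two checks that are useful once the scrape is working: a per-route 5xx ratio computed from the apisix_http_status counters, and a check on apisix_etcd_reachable. SAMPLE is a constructed scrape in the shape of the APISIX prometheus plugin's output; the metric names are the plugin's, the label values and counts are made up for the example.

```python
"""Parse /apisix/prometheus/metrics output and derive per-route error ratios."""
import re
from collections import defaultdict

# Constructed sample in the shape of APISIX's prometheus plugin output.
SAMPLE = """\
# HELP apisix_http_status HTTP status codes per service in APISIX
# TYPE apisix_http_status counter
apisix_http_status{code="200",route="1",matched_uri="/hello",matched_host="",service="",consumer="",node="127.0.0.1"} 12
apisix_http_status{code="500",route="1",matched_uri="/hello",matched_host="",service="",consumer="",node="127.0.0.1"} 3
apisix_http_status{code="200",route="2",matched_uri="/api/v1,beta",matched_host="a\\"b",service="",consumer="",node="127.0.0.1"} 5
apisix_http_status{code="404",route="2",matched_uri="/api/v1,beta",matched_host="",service="",consumer="",node="127.0.0.1"} 1
apisix_http_status{code="404",route="",matched_uri="",matched_host="",service="",consumer="",node=""} 7
# HELP apisix_bandwidth Total bandwidth in bytes consumed per service in APISIX
# TYPE apisix_bandwidth counter
apisix_bandwidth{type="egress",route="1",service="",consumer="",node="127.0.0.1"} 4096
# TYPE apisix_http_latency histogram
apisix_http_latency_bucket{type="request",route="1",service="",consumer="",node="127.0.0.1",le="+Inf"} 15
# HELP apisix_etcd_reachable Config server etcd reachable from APISIX, 0 is unreachable
# TYPE apisix_etcd_reachable gauge
apisix_etcd_reachable 1
# TYPE apisix_nginx_http_current_connections gauge
apisix_nginx_http_current_connections{state="active"} 1
"""

# metric_name{labels} value [timestamp]
SAMPLE_RE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{(.*)\})?\s+(\S+)(?:\s+-?\d+)?$")
# name="value" pairs; the value may contain commas, braces and escaped quotes
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def _unescape(value):
    """Undo the three escapes the exposition format allows inside label values."""
    return value.replace('\\"', '"').replace("\\n", "\n").replace("\\\\", "\\")


def parse_exposition(text):
    """Return a list of (metric_name, labels_dict, float_value) samples."""
    samples = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # HELP/TYPE lines and blanks carry no samples
            continue
        match = SAMPLE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable exposition line: {raw!r}")
        name, label_blob, value = match.groups()
        labels = {k: _unescape(v) for k, v in LABEL_RE.findall(label_blob or "")}
        samples.append((name, labels, float(value)))  # float() accepts NaN, +Inf, -Inf
    return samples


def route_error_ratio(samples):
    """Per route: (requests, 5xx responses, 5xx ratio) from the apisix_http_status counters."""
    totals, errors = defaultdict(float), defaultdict(float)
    for name, labels, value in samples:
        if name != "apisix_http_status":
            continue
        route = labels.get("route") or "<no-route>"   # requests that matched no route
        totals[route] += value
        if labels.get("code", "").startswith("5"):
            errors[route] += value
    return {r: (int(totals[r]), int(errors[r]), round(errors[r] / totals[r], 3)) for r in totals}


def etcd_reachable(samples):
    """APISIX reports 1 when it can reach its etcd config store."""
    return any(n == "apisix_etcd_reachable" and v == 1.0 for n, _, v in samples)


if __name__ == "__main__":
    parsed = parse_exposition(SAMPLE)
    print(f"{len(parsed)} samples, etcd reachable: {etcd_reachable(parsed)}")
    for route, (total, err, ratio) in route_error_ratio(parsed).items():
        print(f"route {route}: {total} requests, {err} 5xx ({ratio:.1%})")
```

The same ratio is what a Grafana panel over Prometheus computes with `rate()` over time; doing it once by hand on a raw scrape is a quick way to confirm that the route labels and status codes you expect are actually being exported before building dashboards on them.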
3.3 Set up Prometheus + Grafana
- Start Prometheus

(1) Create prometheus.yml

```yaml
global:
  # scrape interval
  scrape_interval: 45s
  # rule evaluation interval
  evaluation_interval: 45s
# alerting rules; relative paths are resolved against the directory holding prometheus.yml,
# so an absolute path is used here to match the /prometheus/rules mount below
rule_files:
  # match every .rules file in the given directory
  - /prometheus/rules/*.rules
# scrape configuration
scrape_configs:
  # prometheus itself
  - job_name: 'prometheus'
    static_configs:
      # prometheus ships with an exporter for itself, so no extra exporter is needed for this job
      - targets: ['localhost:9090']
  # apisix scrape job
  - job_name: 'apisix'
    scrape_interval: 10s
    metrics_path: '/apisix/prometheus/metrics'
    static_configs:
      - targets: ['172.19.0.3:9091']
```

(2) Start Prometheus

```shell
docker run --name prometheus -d \
  --network=mynetwork \
  --ip 172.19.0.5 \
  -p 9090:9090 \
  -v <mount-path>:/prometheus/data \
  -v <path-to-prometheus.yml>:/prometheus/config/prometheus.yml \
  -v <mount-path>:/prometheus/rules \
  prom/prometheus --config.file=/prometheus/config/prometheus.yml --web.enable-lifecycle
```
- Start Grafana

(1) Start Grafana

```shell
docker run -d \
  -p 3000:3000 \
  --name=grafana \
  --network=mynetwork \
  --ip 172.19.0.6 \
  -v <mount-path>:/var/lib/grafana \
  -v <mount-path>:/var/lib/grafana/plugins \
  -v <mount-path>:/etc/grafana \
  -e "GF_SECURITY_ADMIN_PASSWORD=admin" \
  -e "GF_INSTALL_PLUGINS=grafana-clock-panel,grafana-simple-json-datasource,grafana-piechart-panel" \
  grafana/grafana
```

(2) Configure the Prometheus data source

(3) Import the official APISIX dashboard

Here is the address of the APISIX dashboard on the Grafana website: grafana.com/grafana/das…
Grafana needs internet access for this. If that is not possible, open the official address above and download the JSON definition directly; if you need the JSON and cannot download it yourself, you can contact the author.
If everything is configured correctly, monitoring data should appear here.
You can create a route in the Apache APISIX Dashboard to try out the monitoring. This article will not go into that; a later article will cover it in detail.
3.4 Embedding Grafana in the Apache APISIX Dashboard
- Copy the Grafana panel link
- Modify the Grafana configuration

Find the grafana.ini file mapped out of the container and make the following changes.

Enable anonymous access:

```ini
[auth.anonymous]
enabled = true
```

Allow access through an iframe (allow_embedding lives in the [security] section):

```ini
[security]
allow_embedding = true
```

Restart the grafana container.

- Modify the APISIX Dashboard configuration

Edit the conf.yaml mapped out of the apisix-dashboard container and add the following configuration. Replace 192.168.145.103 with the IP address of the host running Grafana.

```yaml
conf:
  security:
    content_security_policy: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 192.168.145.103:3000"
```

Do not paste this in verbatim; it must fit the YAML layout (the security block goes under the conf key that already exists in the file).
Restart the APISIX Dashboard container.
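Two things are worth knowing about this step. Enabling `[auth.anonymous]` means anyone who can reach port 3000 can view the dashboards of Grafana's anonymous organization without logging in, so the Grafana container should only be reachable from where the embedding is needed. And the `frame-src` directive is what actually decides whether the browser will load the Grafana iframe: browsers consult frame-src, fall back to child-src, then default-src, so the default `default-src 'self'` alone blocks a Grafana running on a different port. The following checker is an added example (not from the original post or the apisix-dashboard project) that parses a policy string like the one above and answers whether a given Grafana URL would be allowed to load inside the dashboard page. The dashboard origin and Grafana panel URL it uses are constructed from this post's addresses; the matcher covers the source forms that appear in the post ('self', 'none', '*', host[:port] and *.host wildcards) and does not handle scheme-only sources or path matching.

```python
"""Check a Content-Security-Policy frame-src against the Grafana origin."""
from urllib.parse import urlsplit

# Values from the post above; origin and panel path are constructed for the example.
DASHBOARD_ORIGIN = "http://192.168.145.103:9000"
GRAFANA_URL = "http://192.168.145.103:3000/d/apisix?orgId=1&kiosk"
TEMPLATE_POLICY = ("default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
                   "style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src xx.xx.xx.xx:3000")
POLICY = TEMPLATE_POLICY.replace("xx.xx.xx.xx:3000", "192.168.145.103:3000")


def parse_csp(policy):
    """Split 'a b c; d e' into {'a': ['b', 'c'], 'd': ['e']}; a repeated directive is ignored."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts and parts[0].lower() not in directives:
            directives[parts[0].lower()] = parts[1:]
    return directives


def _host_matches(source, host, port):
    """Match a host-source such as 192.168.145.103:3000, *.example.com or * against host/port."""
    src = source.lower()
    if src == "*":
        return True
    src_host, _, src_port = src.partition(":")
    if src_host.startswith("*."):
        host_ok = host.endswith(src_host[1:])      # any subdomain, not the bare domain
    else:
        host_ok = host == src_host
    # no port in the source means only the scheme's default port matches
    port_ok = src_port == port or src_port == "*" or (src_port == "" and port in ("", "80", "443"))
    return host_ok and port_ok


def frame_allowed(policy, frame_url, page_origin):
    """True if a page served from page_origin may embed frame_url under this policy."""
    directives = parse_csp(policy)
    sources = next((directives[d] for d in ("frame-src", "child-src", "default-src")
                    if d in directives), ["*"])    # no applicable directive: not restricted
    if "'none'" in sources:
        return False
    frame, page = urlsplit(frame_url), urlsplit(page_origin)
    host, port = (frame.hostname or "").lower(), str(frame.port or "")
    for source in sources:
        if source == "'self'":
            if (frame.scheme, frame.hostname, frame.port) == (page.scheme, page.hostname, page.port):
                return True
        elif not source.startswith("'") and _host_matches(source, host, port):
            return True
    return False


def with_frame_src(policy, grafana_origin):
    """Return the policy with frame-src set to exactly one Grafana origin."""
    directives = parse_csp(policy)
    directives["frame-src"] = [grafana_origin]
    return "; ".join(" ".join([name, *srcs]) for name, srcs in directives.items())


if __name__ == "__main__":
    print("template policy allows Grafana:", frame_allowed(TEMPLATE_POLICY, GRAFANA_URL, DASHBOARD_ORIGIN))
    print("post's policy allows Grafana:  ", frame_allowed(POLICY, GRAFANA_URL, DASHBOARD_ORIGIN))
    print("default-src 'self' only:       ", frame_allowed("default-src 'self'", GRAFANA_URL, DASHBOARD_ORIGIN))
    print(with_frame_src(TEMPLATE_POLICY, "192.168.145.103:3000"))
```

Keep frame-src pinned to the single Grafana host and port as the post does; widening it to `*` would let the dashboard page embed any site, which defeats the purpose of the policy.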
- Configure the Grafana panel in the APISIX Dashboard

The final result looks as follows:
That concludes this article.