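Ambassador Edge Stack (AES) is a high-performance Ingress Controller and API Gateway built on Envoy Proxy. AES exposes Envoy's capabilities through Custom Resource Definitions (CRDs) and integrates rate limiting, authentication, load balancing, and observability. This topic describes how to use AES to manage Kubernetes (K8s) Ingress resources.
Prerequisites
Install and deploy AES
ACK does not support deploying AES by default; you can deploy it yourself as needed. The following uses the YAML method as an example to show how to install and deploy AES. For other installation methods, see the official AES documentation.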
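The deploy step applies aes.yaml straight from a URL, and that manifest creates cluster-scoped RBAC objects. The script below is an added example, not part of the original page or the AES project: it checks a downloaded manifest against a digest recorded at review time and lists the ClusterRole and ClusterRoleBinding objects it would create. The function names and the sample manifest are constructed for illustration.

```shell
# Added example: inspect a manifest file before running `kubectl apply -f` on it.

# Print "Kind/name" per object in a multi-document YAML file. Assumes a
# top-level `kind:` and a two-space-indented `name:` under `metadata:`.
list_objects() {
  awk '
    function emit() { if (kind != "") print kind "/" name; kind = name = ""; in_meta = 0 }
    /^---/       { emit(); next }
    /^kind:/     { kind = $2; in_meta = 0; next }
    /^metadata:/ { in_meta = 1; next }
    /^[^ #]/     { in_meta = 0; next }
    in_meta && /^  name:/ && name == "" { name = $2 }
    END          { emit() }
  ' "$1"
}

# Cluster-scoped RBAC objects: these grant rights across all namespaces.
cluster_rbac() { list_objects "$1" | grep -E '^(ClusterRole|ClusterRoleBinding)/' || true; }

# verify_pin FILE SHA256: succeed only if FILE matches the reviewed digest.
verify_pin() { [ "$(sha256sum "$1" | awk '{print $1}')" = "$2" ]; }

# preflight FILE SHA256: refuse a changed file, else list RBAC to review.
preflight() {
  verify_pin "$1" "$2" || { echo "digest mismatch: $1" >&2; return 1; }
  cluster_rbac "$1"
}

# Constructed sample standing in for a downloaded aes.yaml (not the real file).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ambassador
  namespace: ambassador
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ambassador
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ambassador
EOF
preflight "$SAMPLE" "$(sha256sum "$SAMPLE" | awk '{print $1}')"
```

In practice, save the manifest to a local file first, run `preflight` on it with the digest recorded when the file was reviewed, and apply the local copy rather than the URL.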
Run the following commands to deploy AES.
kubectl apply -f https://www.getambassador.io/yaml/aes-crds.yaml && \
kubectl wait --for condition=established --timeout=90s crd -lproduct=aes && \
kubectl apply -f https://www.getambassador.io/yaml/aes.yaml && \
kubectl -n ambassador wait --for condition=available --timeout=90s deploy -lproduct=aes
Output like the following indicates that the deployment succeeded.
customresourcedefinition.apiextensions.k8s.io/authservices.getambassador.io created
customresourcedefinition.apiextensions.k8s.io/consulresolvers.getambassador.io created
customresourcedefinition.apiextensions.k8s.io/hosts.getambassador.io created
customresourcedefinition.apiextensions.k8s.io/kubernetesendpointresolvers.getambassador.io created
customresourcedefinition.apiextensions.k8s.io/kubernetesserviceresolvers.getambassador.io created
customresourcedefinition.apiextensions.k8s.io/logservices.getambassador.io created
customresourcedefinition.apiextensions.k8s.io/mappings.getambassador.io created
customresourcedefinition.apiextensions.k8s.io/modules.getambassador.io created
customresourcedefinition.apiextensions.k8s.io/ratelimitservices.getambassador.io created
customresourcedefinition.apiextensions.k8s.io/tcpmappings.getambassador.io created
customresourcedefinition.apiextensions.k8s.io/tlscontexts.getambassador.io created
customresourcedefinition.apiextensions.k8s.io/tracingservices.getambassador.io created
customresourcedefinition.apiextensions.k8s.io/filterpolicies.getambassador.io created
customresourcedefinition.apiextensions.k8s.io/filters.getambassador.io created
customresourcedefinition.apiextensions.k8s.io/ratelimits.getambassador.io created
customresourcedefinition.apiextensions.k8s.io/projectcontrollers.getambassador.io created
customresourcedefinition.apiextensions.k8s.io/projects.getambassador.io created
customresourcedefinition.apiextensions.k8s.io/projectrevisions.getambassador.io created
customresourcedefinition.apiextensions.k8s.io/authservices.getambassador.io condition met
customresourcedefinition.apiextensions.k8s.io/consulresolvers.getambassador.io condition met
customresourcedefinition.apiextensions.k8s.io/filterpolicies.getambassador.io condition met
customresourcedefinition.apiextensions.k8s.io/filters.getambassador.io condition met
customresourcedefinition.apiextensions.k8s.io/hosts.getambassador.io condition met
customresourcedefinition.apiextensions.k8s.io/kubernetesendpointresolvers.getambassador.io condition met
customresourcedefinition.apiextensions.k8s.io/kubernetesserviceresolvers.getambassador.io condition met
customresourcedefinition.apiextensions.k8s.io/logservices.getambassador.io condition met
customresourcedefinition.apiextensions.k8s.io/mappings.getambassador.io condition met
customresourcedefinition.apiextensions.k8s.io/modules.getambassador.io condition met
customresourcedefinition.apiextensions.k8s.io/projectcontrollers.getambassador.io condition met
customresourcedefinition.apiextensions.k8s.io/projectrevisions.getambassador.io condition met
customresourcedefinition.apiextensions.k8s.io/projects.getambassador.io condition met
customresourcedefinition.apiextensions.k8s.io/ratelimits.getambassador.io condition met
customresourcedefinition.apiextensions.k8s.io/ratelimitservices.getambassador.io condition met
customresourcedefinition.apiextensions.k8s.io/tcpmappings.getambassador.io condition met
customresourcedefinition.apiextensions.k8s.io/tlscontexts.getambassador.io condition met
customresourcedefinition.apiextensions.k8s.io/tracingservices.getambassador.io condition met
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
namespace/ambassador configured
serviceaccount/ambassador created
clusterrole.rbac.authorization.k8s.io/ambassador created
clusterrolebinding.rbac.authorization.k8s.io/ambassador created
clusterrole.rbac.authorization.k8s.io/ambassador-projects created
clusterrolebinding.rbac.authorization.k8s.io/ambassador-projects created
service/ambassador-redis created
deployment.apps/ambassador-redis created
ratelimitservice.getambassador.io/ambassador-edge-stack-ratelimit created
authservice.getambassador.io/ambassador-edge-stack-auth created
secret/ambassador-edge-stack created
mapping.getambassador.io/ambassador-devportal created
mapping.getambassador.io/ambassador-devportal-api created
service/ambassador created
service/ambassador-admin created
deployment.apps/ambassador created
deployment.extensions/ambassador condition met
deployment.extensions/ambassador-redis condition met
Test the Ingress Controller functionality with AES
To test the Ingress Controller functionality of AES, you need to deploy a test Deployment.
- Run the following command to create the Deployment configuration.
cat <<-EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: quote
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: quote
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: quote
spec:
  replicas: 1
  selector:
    matchLabels:
      app: quote
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: quote
    spec:
      containers:
      - name: backend
        image: quay.io/datawire/quote:0.3.0
        ports:
        - name: http
          containerPort: 8080
EOF
- Run the following command to create the Ingress configuration.
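cat <<-EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: ambassador
  name: test-ingress
spec:
  rules:
  - http:
      paths:
      - path: /backend/
        backend:
          service:
            name: quote
            port:
              number: 80
        pathType: ImplementationSpecific
EOF
AES provides more functionality through CRDs. For example, the following Mapping CRD configuration is exactly equivalent to the Ingress configuration above. For more information, see the official documentation.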
cat > quote-backend.yaml <<-EOF
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: backend
spec:
  prefix: /backend/
  service: quote
EOF
- Run the following command to obtain the IP address.
kubectl get -n ambassador service ambassador -o "go-template={{range .status.loadBalancer.ingress}}{{or .ip .hostname}}{{end}}"
- Run the following command to test the Ingress Controller functionality of AES.
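# Replace AMBASSADOR_IP with the IP address obtained above.
# -k makes curl skip TLS certificate verification.
curl -k https://{{AMBASSADOR_IP}}/backend/
Output similar to the following indicates success.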
{
  "server": "icky-grapefruit-xar5if66",
  "quote": "A small mercy is nothing at all?",
  "time": "2020-07-17T09:00:57.646315605Z"
}