Setting Up the API-Gateway Kong on DiDi Cloud: A Practical Walkthrough

1. What is an API-Gateway? What is Kong?

An API-Gateway is an important component in a microservice architecture. It usually forms the entry point for all microservices and carries a number of responsibilities; its more common functions are:

  • Routing: routing is the most important function of an API-Gateway. Based on the characteristics of a request, the gateway can direct traffic to different services, to different versions of a service, or to different units of the same service.
  • Protocol translation: basic protocol translation can be done at the API-Gateway layer, for example a simple HTTPS-to-HTTP conversion.
  • Data aggregation: collecting the responses of the different services behind the API-Gateway and returning them as a single response.
  • Authentication: different services often share common logic, such as authorization checks. Since the API-Gateway sits in front of every microservice, such checks can be implemented at the gateway, for example Cookie- or Token-based authentication.
  • Rate limiting: traffic control per request or per service.
  • Circuit breaking: returning a unified error response when a backend service fails or is being throttled.

There are many API-Gateway solutions; the common ones include TyK, Kong, Netflix Zuul, api-umbrella and others. Kong is the subject of this article.

Kong is an API gateway that forwards API traffic between clients and (micro)services and is extended through plugins. Kong has two main components:

  • Kong Server: an Nginx-based server that receives the API requests.
  • PostgreSQL: stores the operational data.

The Kong service can be scaled horizontally by adding more Kong Server machines, with a load balancer in front distributing requests across them.

One of Kong's standout features is that its functionality can be extended with plugins, which are executed during the request/response lifecycle. Plugins are written in Lua, and Kong also provides the following base functionality: HTTP basic authentication, key authentication, CORS (Cross-origin Resource Sharing), TCP, UDP, file logging, rate limiting, routing and monitoring.

Kong is a Lua application running inside Nginx, implemented via lua-nginx-module. Kong is packaged and distributed together with OpenResty, which already includes lua-nginx-module. OpenResty is not a fork of Nginx but a set of modules that extend its functionality.

The Kong deployment process is described below.

2. Environment preparation

  • OS: CentOS 7.4
  • VM: 2 CPUs, 4 GB RAM, 40 GB local SSD storage

The VM above was purchased on DiDi Cloud via this link.

After the purchase, log in to the server with the command below and switch to the root account with sudo -i:

✗ ssh dc2-user@116.85.13.208
The authenticity of host '116.85.13.208 (116.85.13.208)' can't be established.
ECDSA key fingerprint is SHA256:wXuuSeD9X/Zh4r5AXlkippP021oJKJnuDzShfK4vIRA.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '116.85.13.208' (ECDSA) to the list of known hosts.
dc2-user@116.85.13.208's password:
[dc2-user@10-254-108-83 ~]$ sudo -i
[root@10-254-108-83 ~]#

All of the following steps are carried out in this session; following them in order should produce the same result.

3. Kong deployment

Deploying Kong requires deploying the following three components:

  • Installing and configuring PostgreSQL
  • Installing Kong Server
  • Installing Kong Dashboard

3.1 Installing and configuring PostgreSQL

3.1.1 Installation

Use the commands below to install postgresql-10:

# yum install https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-7-x86_64/pgdg-centos10-10-2.noarch.rpm
已加载插件:fastestmirror
pgdg-centos10-10-2.noarch.rpm
...
...
完毕!
# yum install postgresql10
已加载插件:fastestmirror
...
...
完毕!
# yum install postgresql10-server
已加载插件:fastestmirror
pgdg-centos10-10-2.noarch.rpm
...
...
完毕!
# sudo /usr/pgsql-10/bin/postgresql-10-setup initdb
Initializing database ... OK

# systemctl enable postgresql-10
Created symlink from /etc/systemd/system/multi-user.target.wants/postgresql-10.service to /usr/lib/systemd/system/postgresql-10.service.
# systemctl start postgresql-10

This completes the postgresql-10 installation; the configuration process follows.

3.1.2 Configuration

Configure the PostgreSQL database and create the database objects Kong needs. First, change the database's network access configuration:

# vim /var/lib/pgsql/10/data/postgresql.conf

Change the corresponding entry in the file to the following:

listen_addresses = '*'

Then edit the following file:

# vim /var/lib/pgsql/10/data/pg_hba.conf

Likewise, change the corresponding entry in this file to the following:

host    all             all             127.0.0.1/32            trust

Then restart the service with the following command:

# systemctl restart postgresql-10

After the restart the configuration above should take effect. Next, create the database objects for Kong:

# su - postgres
-bash-4.2$ psql
psql (10.6)
Type "help" for help.

postgres=# CREATE USER kong; CREATE DATABASE kong OWNER kong;
CREATE ROLE
CREATE DATABASE
postgres=# \q
-bash-4.2$ exit
logout
#

At this point the installation and configuration of postgresql-10 is complete and the database objects for Kong are in place. You can run a simple test with the following command:

[root@10-254-54-92 ~]# psql -h 127.0.0.1 -p 5432 -U kong -W kong
用户 kong 的口令:
psql (10.6)
输入 "help" 来获取帮助信息.

kong=>

If the configuration succeeded, the output will match the above. Next, install Kong Server.

3.2 Installing Kong Server

First, fetch the Kong package with the command below:

# wget https://bintray.com/kong/kong-community-edition-rpm/download_file?file_path=centos/7/kong-community-edition-1.0.0.el7.noarch.rpm -O kong-community-edition-1.0.0.el7.noarch.rpm

Then install it with the following commands:

# yum install kong-community-edition-1.0.0.el7.noarch.rpm
# export PATH=$PATH:/usr/local/bin/
# kong migrations up
# kong start

After the commands above, Kong should be installed successfully; you can test it with the following command:

# curl -i http://localhost:8001/
HTTP/1.1 200 OK
Date: Mon, 24 Dec 2018 12:15:59 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.14.1
Content-Length: 5591

{"plugins":{"enabled_in_cluster":[],"available_on_server":{"response-transformer":true,"oauth2":true,"acl":true,"correlation-id":true,"pre-function":true,"jwt":true,"cors":true,"ip-restriction":true,"basic-auth":true,"key-auth":true,"rate-limiting":true,"request-transformer":true,"http-log":true,"file-log":true,"hmac-auth":true,"ldap-auth":true,"datadog":true,"tcp-log":true,"zipkin":true,"post-function":true,"request-size-limiting":true,"bot-detection":true,"syslog":true,"loggly":true,"azure-functions":true,"udp-log":true,"response-ratelimiting":true,"aws-lambda":true,"statsd":true,"prometheus":true,"request-termination":true}},"tagline":"Welcome to kong","configuration":{"plugins":["bundled"],"admin_ssl_enabled":true,"lua_ssl_verify_depth":1,"trusted_ips":{},"prefix":"\/usr\/local\/kong","loaded_plugins":{"response-transformer":true,"request-termination":true,"prometheus":true,"ip-restriction":true,"pre-function":true,"jwt":true,"cors":true,"statsd":true,"basic-auth":true,"key-auth":true,"ldap-auth":true,"aws-lambda":true,"http-log":true,"response-ratelimiting":true,"hmac-auth":true,"request-size-limiting":true,"datadog":true,"tcp-log":true,"zipkin":true,"post-function":true,"bot-detection":true,"acl":true,"loggly":true,"syslog":true,"azure-functions":true,"udp-log":true,"file-log":true,"request-transformer":true,"correlation-id":true,"rate-limiting":true,"oauth2":true},"cassandra_username":"kong","admin_ssl_cert_csr_default":"\/usr\/local\/kong\/ssl\/admin-kong-default.csr","ssl_cert_key":"\/usr\/local\/kong\/ssl\/kong-default.key","admin_ssl_cert_key":"\/usr\/local\/kong\/ssl\/admin-kong-default.key","dns_resolver":{},"pg_user":"kong","mem_cache_size":"128m","cassandra_data_centers":["dc1:2","dc2:3"],"nginx_admin_directives":{},"custom_plugins":{},"pg_host":"127.0.0.1","nginx_acc_logs":"\/usr\/local\/kong\/logs\/access.log","proxy_listen":["0.0.0.0:8000","0.0.0.0:8443 
ssl"],"client_ssl_cert_default":"\/usr\/local\/kong\/ssl\/kong-default.crt","ssl_cert_key_default":"\/usr\/local\/kong\/ssl\/kong-default.key","dns_no_sync":false,"db_update_propagation":0,"nginx_err_logs":"\/usr\/local\/kong\/logs\/error.log","cassandra_port":9042,"dns_order":["LAST","SRV","A","CNAME"],"dns_error_ttl":1,"headers":["server_tokens","latency_tokens"],"dns_stale_ttl":4,"nginx_optimizations":true,"database":"postgres","pg_database":"kong","nginx_worker_processes":"auto","lua_package_cpath":"","admin_acc_logs":"\/usr\/local\/kong\/logs\/admin_access.log","lua_package_path":".\/?.lua;.\/?\/init.lua;","nginx_pid":"\/usr\/local\/kong\/pids\/nginx.pid","upstream_keepalive":60,"cassandra_contact_points":["127.0.0.1"],"client_ssl_cert_csr_default":"\/usr\/local\/kong\/ssl\/kong-default.csr","proxy_listeners":[{"ssl":false,"ip":"0.0.0.0","proxy_protocol":false,"port":8000,"http2":false,"listener":"0.0.0.0:8000"},{"ssl":true,"ip":"0.0.0.0","proxy_protocol":false,"port":8443,"http2":false,"listener":"0.0.0.0:8443 
ssl"}],"proxy_ssl_enabled":true,"admin_access_log":"logs\/admin_access.log","ssl_ciphers":"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256","enabled_headers":{"latency_tokens":true,"X-Kong-Proxy-Latency":true,"Via":true,"server_tokens":true,"Server":true,"X-Kong-Upstream-Latency":true,"X-Kong-Upstream-Status":false},"cassandra_ssl":false,"ssl_cert_csr_default":"\/usr\/local\/kong\/ssl\/kong-default.csr","db_resurrect_ttl":30,"client_max_body_size":"0","cassandra_consistency":"ONE","db_cache_ttl":0,"admin_error_log":"logs\/error.log","pg_ssl_verify":false,"dns_not_found_ttl":30,"pg_ssl":false,"client_ssl":false,"db_update_frequency":5,"cassandra_repl_strategy":"SimpleStrategy","nginx_kong_conf":"\/usr\/local\/kong\/nginx-kong.conf","cassandra_repl_factor":1,"nginx_http_directives":[{"value":"prometheus_metrics 5m","name":"lua_shared_dict"}],"error_default_type":"text\/plain","kong_env":"\/usr\/local\/kong\/.kong_env","real_ip_header":"X-Real-IP","dns_hostsfile":"\/etc\/hosts","admin_listeners":[{"ssl":false,"ip":"127.0.0.1","proxy_protocol":false,"port":8001,"http2":false,"listener":"127.0.0.1:8001"},{"ssl":true,"ip":"127.0.0.1","proxy_protocol":false,"port":8444,"http2":false,"listener":"127.0.0.1:8444 
ssl"}],"admin_ssl_cert":"\/usr\/local\/kong\/ssl\/admin-kong-default.crt","ssl_cert":"\/usr\/local\/kong\/ssl\/kong-default.crt","proxy_access_log":"logs\/access.log","admin_ssl_cert_key_default":"\/usr\/local\/kong\/ssl\/admin-kong-default.key","cassandra_ssl_verify":false,"cassandra_lb_policy":"RoundRobin","ssl_cipher_suite":"modern","real_ip_recursive":"off","proxy_error_log":"logs\/error.log","client_ssl_cert_key_default":"\/usr\/local\/kong\/ssl\/kong-default.key","nginx_daemon":"on","anonymous_reports":true,"cassandra_timeout":5000,"nginx_proxy_directives":{},"pg_port":5432,"log_level":"notice","client_body_buffer_size":"8k","cassandra_schema_consensus_timeout":10000,"lua_socket_pool_size":30,"admin_ssl_cert_default":"\/usr\/local\/kong\/ssl\/admin-kong-default.crt","cassandra_keyspace":"kong","ssl_cert_default":"\/usr\/local\/kong\/ssl\/kong-default.crt","nginx_conf":"\/usr\/local\/kong\/nginx.conf","admin_listen":["127.0.0.1:8001","127.0.0.1:8444 ssl"]},"version":"0.14.1","node_id":"df033a39-c624-493d-b4d1-5bc1e0b7fa92","lua_version":"LuaJIT 2.1.0-beta3","prng_seeds":{"pid: 2160":135374124217,"pid: 2159":163100902462},"timers":{"pending":5,"running":0},"hostname":"10-254-108-83"}

This completes the Kong installation. Next, install Kong Dashboard.

3.3 Installing Kong Dashboard

Kong Dashboard makes it convenient to configure Kong. The installation process is as follows:

# curl --silent --location https://rpm.nodesource.com/setup_10.x | sudo bash -
...
...
     sudo yum install yarn

# yum install -y nodejs
已加载插件:fastestmirror
...
...
完毕!
# npm install -g kong-dashboard
/usr/bin/kong-dashboard -> /usr/lib/node_modules/kong-dashboard/bin/kong-dashboard.js
+ [email protected]
added 186 packages from 115 contributors in 32.932s

# kong-dashboard start --kong-url http://127.0.0.1:8001
Connecting to Kong on http://127.0.0.1:8001 ...
Connected to Kong on http://127.0.0.1:8001.
Kong version is 0.14.1
Starting Kong Dashboard on port 8080
Kong Dashboard has started on port 8080

From the output above, Kong Dashboard serves on port 8080 and can be accessed in a browser at IP:8080.

Before accessing it, however, note that DiDi Cloud's default security group does not open port 8080, so you first need to go to the corresponding DC2 cloud server in the DiDi Cloud console and add two security group rules allowing access to port 8080.

DiDi Cloud binds a default security group to every cloud server, so here we simply edit that security group; the result is as follows:

[screenshot]

After adding the security group configuration above, you can open IP:8080 in a browser to access Kong Dashboard; the result is as follows:

[screenshot]

Kong Dashboard supports managing Services and Routes; its features are not covered in detail here. It is recommended to follow this tutorial to complete the setup and then explore it yourself.

This completes the entire installation process.
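The script below is an added example, not part of the original post. It verifies the two configuration points of this walkthrough that carry the most risk: that the admin API tested in section 3.2 stays bound to loopback (it has no authentication of its own), and that the only pg_hba.conf "trust" rule added in section 3.1.2 is the loopback one, since listen_addresses was opened to '*'. The admin URL and pg_hba.conf path are assumed defaults taken from the tutorial's own values.

```python
"""Post-install sanity checks for the Kong + PostgreSQL setup described above."""
import json
import urllib.request

# Hypothetical defaults taken from the tutorial's own values.
ADMIN_URL = "http://127.0.0.1:8001/"
HBA_PATH = "/var/lib/pgsql/10/data/pg_hba.conf"
LOOPBACK_IPS = {"127.0.0.1", "::1"}
LOOPBACK_CIDRS = {"127.0.0.1/32", "::1/128"}


def exposed_admin_listeners(config):
    """Admin listeners (ip:port) that are not bound to loopback.

    `config` is the parsed JSON that `curl http://localhost:8001/` returns.
    The admin API has no authentication of its own, so any bind other than
    127.0.0.1 hands gateway control to whoever can reach the port."""
    listeners = config["configuration"]["admin_listeners"]
    return [l["listener"] for l in listeners if l["ip"] not in LOOPBACK_IPS]


def risky_trust_rules(hba_text):
    """pg_hba.conf host rules that grant 'trust' to a non-loopback address.

    The tutorial sets listen_addresses = '*' and trusts only 127.0.0.1/32;
    a wider trust rule would let remote clients log in as any role
    (including 'kong') without a password."""
    risky = []
    for line in hba_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("host") or fields[-1] != "trust":
            continue  # comments, blank lines, 'local' rules, password-based rules
        address = " ".join(fields[3:-1])  # CIDR, or 'ip netmask' as two fields
        if address not in LOOPBACK_CIDRS:
            risky.append(line.strip())
    return risky


def check_live(admin_url=ADMIN_URL, hba_path=HBA_PATH):
    """Query the running Kong node and the local pg_hba.conf; return findings."""
    with urllib.request.urlopen(admin_url, timeout=5) as resp:
        config = json.load(resp)
    with open(hba_path) as fh:
        hba_text = fh.read()
    return {"kong_version": config["version"],
            "database": config["configuration"]["database"],
            "exposed_admin": exposed_admin_listeners(config),
            "risky_trust": risky_trust_rules(hba_text)}


if __name__ == "__main__":
    print(json.dumps(check_live(), indent=2))
```

Run it as root on the Kong host after `kong start`; an empty `exposed_admin` and `risky_trust` list means the node matches the setup described in this article.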


Reposted from blog.csdn.net/java060515/article/details/85261126