# Kubernetes API Gateway Configuration and API Management: Building a Unified API Entry Point

## 1. API Gateway Overview

An API gateway is a core component of a microservice architecture. It manages all API requests at a single entry point and provides routing, authentication, rate limiting, monitoring and similar functions.

### 1.1 API Gateway Architecture

```
┌─────────────────────────────────────────────────────────────────┐
│                          API Gateway                            │
│   ┌──────────┐   ┌──────────┐   ┌──────────┐   ┌──────────┐     │
│   │  Router  │ → │   Auth   │ → │   Rate   │ → │ Monitor  │     │
│   │          │   │          │   │  Limit   │   │          │     │
│   └──────────┘   └──────────┘   └──────────┘   └──────────┘     │
└───────────────────────────────┬─────────────────────────────────┘
                                │
              ┌─────────────────┼─────────────────┐
              ▼                 ▼                 ▼
      ┌───────────────┐ ┌───────────────┐ ┌───────────────┐
      │   Service A   │ │   Service B   │ │   Service C   │
      │   /api/users  │ │  /api/orders  │ │ /api/products │
      └───────────────┘ └───────────────┘ └───────────────┘
```

### 1.2 API Gateway Functions

| Function | Description |
|---|---|
| Routing | Forward requests to the corresponding backend service |
| Authentication | OAuth2 and JWT authentication |
| Rate limiting | Limit the request rate |
| Monitoring | Request logs and metrics |
| Circuit breaking | Protection against backend service failures |

## 2. Kong API Gateway Configuration

### 2.1 Kong Deployment

```yaml
apiVersion: v1
kind: Service
metadata:
  name: kong-proxy
spec:
  type: LoadBalancer
  ports:
  - name: proxy
    port: 80
    targetPort: 8000
  - name: proxy-ssl
    port: 443
    targetPort: 8443
  selector:
    app: kong
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kong
spec:
  replicas: 3
  selector:
    matchLabels:
      app: kong
  template:
    metadata:
      labels:
        app: kong            # required: the pod labels must match spec.selector
    spec:
      containers:
      - name: kong
        image: kong:latest   # pin an explicit version in production
        env:
        - name: KONG_DATABASE
          value: postgres
        - name: KONG_PG_HOST
          value: kong-db
        - name: KONG_PG_DATABASE
          value: kong
        - name: KONG_PROXY_LISTEN
          value: "0.0.0.0:8000, 0.0.0.0:8443 ssl"   # 8443 is published by the Service, so listen on it with TLS
        - name: KONG_ADMIN_LISTEN
          value: 0.0.0.0:8001   # the Admin API has no built-in authentication; it is deliberately absent from kong-proxy
        ports:
        - containerPort: 8000
        - containerPort: 8001
        - containerPort: 8443
```

### 2.2 Kong Service Configuration

```yaml
apiVersion: configuration.konghq.com/v1
kind: KongService
metadata:
  name: user-service
spec:
  protocol: http
  host: user-service.default.svc.cluster.local
  port: 8080
```

### 2.3 Kong Route Configuration

```yaml
apiVersion: configuration.konghq.com/v1
kind: KongRoute
metadata:
  name: user-route
spec:
  routes:
  - paths:
    - /api/users
    strip_path: true
    protocols:
    - http
    - https
```

Note that the `configuration.konghq.com/v1` CRDs installed by the Kong Ingress Controller do not include KongService or KongRoute; with the ingress controller, the equivalent of the two objects above is a Kubernetes Service plus an Ingress (or Gateway API HTTPRoute) carrying Kong annotations such as `konghq.com/strip-path`.

## 3. APISIX API Gateway Configuration

### 3.1 APISIX Deployment

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apisix
spec:
  replicas: 3
  selector:
    matchLabels:
      app: apisix
  template:
    metadata:
      labels:
        app: apisix          # required: the pod labels must match spec.selector
    spec:
      containers:
      - name: apisix
        image: apache/apisix:latest   # pin an explicit version in production
        ports:
        - containerPort: 9080
        - containerPort: 9443
        env:
        - name: APISIX_ADMIN_API_KEY
          value: admin       # placeholder only; the key APISIX enforces is admin_key in config.yaml, use a long random value
        volumeMounts:
        - name: config
          mountPath: /usr/local/apisix/conf
      volumes:
      - name: config
        configMap:
          name: apisix-config
```

### 3.2 APISIX Configuration

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: apisix-config
data:
  config.yaml: |
    apisix:
      node_listen: 9080
      enable_admin: true
      admin_listen:          # admin_listen takes an ip/port map
        ip: 0.0.0.0
        port: 9180
    etcd:
      host:
        - http://etcd:2379
      prefix: /apisix
```

### 3.3 APISIX Route Configuration

```yaml
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: user-route
spec:
  http:
  - name: user-service
    match:
      paths:
      - /api/users/*
    backends:
    - serviceName: user-service
      servicePort: 8080
```

## 4. Authentication and Authorization Configuration

### 4.1 JWT Authentication Configuration

```yaml
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: user-consumer
# username and credentials are top-level fields of KongConsumer, not under spec
username: user123
credentials:
- user-jwt                   # name of the Secret holding the credential
```

### 4.2 JWT Credential Configuration

The KongCredential CRD was removed in Kong Ingress Controller 2.0; credentials are now plain Secrets labelled with their type:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: user-jwt
  labels:
    konghq.com/credential: jwt
stringData:
  algorithm: HS256
  key: user123               # matched against the token's iss claim
  secret: my-secret-key      # placeholder; use a long random value and keep it out of version control
```

### 4.3 OAuth2 Configuration

```yaml
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: oauth2-plugin
plugin: oauth2               # KongPlugin requires the plugin name
config:
  token_expiration: 7200
  enable_authorization_code: true
  enable_client_credentials: true
  enable_implicit_grant: false
  enable_password_grant: true   # the password grant is legacy under the OAuth 2.0 Security BCP; enable only if required
```

## 5. Rate Limiting and Circuit Breaking Configuration

### 5.1 Rate Limiting Configuration

```yaml
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rate-limit-plugin
plugin: rate-limiting
config:
  minute: 1000
  hour: 10000
  policy: local              # counters live in each Kong node; with 3 replicas the effective limit is about 3x
```

### 5.2 Circuit Breaker Configuration

```yaml
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: circuit-breaker-plugin
plugin: circuit-breaker      # assumed name: Kong ships no bundled circuit-breaker plugin, so these fields belong to a custom or third-party plugin
config:
  break_duration: 30
  max_failure_ratio: 0.5
  max_breaker_timeout: 60
```

## 6. API Monitoring Configuration

### 6.1 Access Log Configuration

```yaml
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: logging-plugin
plugin: http-log
config:
  http_endpoint: http://logging-service:8080/logs
  method: POST
  timeout: 10000
```

### 6.2 Metrics Configuration

```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: api-gateway-monitor
spec:
  selector:
    matchLabels:
      app: kong
  endpoints:
  - port: admin              # assumes a Service labelled app: kong that names the Admin API port "admin"; kong-proxy above exposes only the proxy ports
    interval: 30s
    path: /metrics           # served by the Admin API once the prometheus plugin is enabled
```

## 7. API Version Management

### 7.1 Version Route Configuration

```yaml
apiVersion: configuration.konghq.com/v1
kind: KongRoute
metadata:
  name: user-route-v1
spec:
  routes:
  - paths:
    - /api/v1/users
    strip_path: true
    protocols:
    - http
    - https
```

### 7.2 Blue-Green Deployment Configuration

```yaml
apiVersion: configuration.konghq.com/v1
kind: KongRoute
metadata:
  name: user-route-canary
spec:
  routes:
  - paths:
    - /api/users
    strip_path: true
    headers:
      x-canary:
      - "true"               # quoted so YAML keeps it a string rather than a boolean
    protocols:
    - http
    - https
```

## 8. Summary

API gateway configuration in practice covers:

- Gateway selection: choose Kong or APISIX according to requirements
- Route configuration: configure API paths and backend services
- Authentication and authorization: configure JWT, OAuth2 and other authentication methods
- Rate limiting and circuit breaking: protect backend services
- Monitoring and logging: collect request metrics and logs
- Version management: support API version control

Choose the API gateway that fits the team's needs and build a complete security and monitoring setup around it.
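As an added example that is not part of the original article or of Kong's code, the following Python shows how a JWT is checked against the credential from section 4.2: the token's `iss` claim selects the consumer credential by `key`, and that credential's `secret` verifies the HS256 signature. The credential store is a constructed dictionary using the article's placeholder secret, and `issue_token` stands in for the client.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed credential store mirroring the section 4.2 Secret (placeholder secret).
CREDENTIALS = {"user123": {"algorithm": "HS256", "secret": "my-secret-key"}}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: str, exp: int, secret: str) -> str:
    """Mint the token a client holding `secret` would present; `iss` carries the credential key."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"iss": key, "exp": exp}).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the consumer key when the token is valid, otherwise None (the gateway answers 401)."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    cred = CREDENTIALS.get(payload.get("iss")) if isinstance(payload, dict) else None
    # Unknown consumer, or the header alg is not the one bound to the credential
    # (this is what rejects alg=none or an RS256 token presented against an HS256 key).
    if cred is None or not isinstance(header, dict) or header.get("alg") != cred["algorithm"]:
        return None
    expected = hmac.new(cred["secret"].encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # signature does not match the consumer's secret
    exp = payload.get("exp")
    if exp is not None and (not isinstance(exp, int) or exp <= now):
        return None  # expired or malformed exp
    return payload["iss"]
```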
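Added example (not Kong's code): a fixed-window counter modelled on the rate-limiting plugin's `policy: local` from section 5.1, showing why per-node counters behind the 3-replica Deployment from section 2.1 admit up to three times the configured 1000 requests per minute. The client name and the round-robin distribution across nodes are assumptions.

```python
from collections import defaultdict
from typing import Dict, Tuple

LIMITS = {"minute": 1000, "hour": 10000}     # config from section 5.1
WINDOW_SECONDS = {"minute": 60, "hour": 3600}


class LocalRateLimiter:
    """One Kong node's view under policy: local. Fixed-window counters kept in
    the node's own memory, keyed by (client, window name, window start)."""

    def __init__(self, limits: Dict[str, int] = LIMITS) -> None:
        self.limits = limits
        self.counters: Dict[Tuple[str, str, int], int] = defaultdict(int)

    def allow(self, client: str, now: int) -> bool:
        # Every configured window (minute and hour) must have room for this request.
        keys = {w: (client, w, now - now % WINDOW_SECONDS[w]) for w in self.limits}
        if any(self.counters[k] >= self.limits[w] for w, k in keys.items()):
            return False                      # this node answers 429
        for k in keys.values():
            self.counters[k] += 1
        return True


def admitted_through_cluster(replicas: int, requests: int, now: int = 0) -> int:
    """Spray `requests` from one client round-robin over `replicas` independent
    nodes, as a LoadBalancer Service would, and count how many get through."""
    nodes = [LocalRateLimiter() for _ in range(replicas)]
    return sum(nodes[i % replicas].allow("client-a", now) for i in range(requests))
```

With `policy: redis` (or `cluster` on a database-backed deployment) the counters are shared, so the configured limit holds across all replicas.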