In practical applications, an API gateway can protect internal services and provide unified authentication management, traffic limiting, and monitoring capabilities, so developers only need to focus on the business logic of the internal services. This article introduces how to publish a Knative service externally through Alibaba Cloud API Gateway combined with an Intranet SLB, so as to build a production-level Knative service.
About Alibaba Cloud API Gateway
Alibaba Cloud API Gateway provides complete API hosting services that help users open their capabilities, services and data to partners in the form of APIs. APIs can also be published to the API market for more developers to purchase and use.
- Provides multiple methods to protect API security and reduce API opening risks, including attack defense, replay defense, request encryption, identity authentication, permission management, and traffic control
- Provides lifecycle management of API definition, test, release and offline, and generates SDKs and API documentation to improve the efficiency of API management and iteration
- Provides convenient monitoring, alarm, analysis, API market and other operation and maintenance tools to reduce the cost of API operation and maintenance
Release services based on Alibaba Cloud API Gateway
Bind the Istio gateway to the Intranet SLB
Create an Intranet SLB and bind it to the Istio gateway application. You can create the Intranet SLB using YAML:
```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alicloud-loadbalancer-address-type: "intranet"
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
  name: istio-ingressgateway-intranet
  namespace: istio-system
spec:
  externalTrafficPolicy: Cluster
  ports:
  - name: status-port
    port: 15020
    protocol: TCP
    targetPort: 15020
  - name: http2
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  - name: tls
    port: 15443
    protocol: TCP
    targetPort: 15443
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  sessionAffinity: None
  type: LoadBalancer
```
After creation, log in to the Alibaba Cloud Container Service console, open the Routing and Workload menu, and select the istio-system namespace. You can view the information about the created Intranet SLB:
The Intranet SLB address is 192.168.0.23
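The API gateway's authentication and traffic control only protect the Knative service if every SLB in front of the Istio gateway is intranet-only. The following check is an added example, not part of the original article: it audits the JSON output of `kubectl get svc -n istio-system -o json` for gateway Services that lack the intranet annotation. The sample input is constructed, the second and third Service names are hypothetical, and the check assumes that an SLB without this annotation is not intranet-only.

```python
import json

# Annotation key used in the Service manifest above.
ADDRESS_TYPE = "service.beta.kubernetes.io/alicloud-loadbalancer-address-type"
GATEWAY_SELECTOR = {"istio": "ingressgateway"}

def _svc(name, svc_type, annotations=None):
    """Build one constructed Service object for the sample below."""
    return {
        "metadata": {"name": name, "namespace": "istio-system",
                     "annotations": annotations or {}},
        "spec": {"type": svc_type,
                 "selector": {"app": "istio-ingressgateway", "istio": "ingressgateway"},
                 "ports": [{"name": "http2", "port": 80}, {"name": "https", "port": 443}]},
    }

# Constructed sample standing in for `kubectl get svc -n istio-system -o json`.
SAMPLE_SVC_LIST = json.dumps({"items": [
    _svc("istio-ingressgateway-intranet", "LoadBalancer", {ADDRESS_TYPE: "intranet"}),
    _svc("istio-ingressgateway", "LoadBalancer"),        # hypothetical: no annotation
    _svc("istio-ingressgateway-internal", "ClusterIP"),  # hypothetical: no SLB at all
]})

def audit_gateway_services(svc_list_json, selector=GATEWAY_SELECTOR):
    """Return LoadBalancer Services fronting the Istio gateway that are not intranet-only."""
    findings = []
    for svc in json.loads(svc_list_json).get("items", []):
        meta, spec = svc.get("metadata", {}), svc.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue  # only LoadBalancer Services are given an SLB
        pod_selector = spec.get("selector") or {}
        if any(pod_selector.get(k) != v for k, v in selector.items()):
            continue  # does not target the ingress gateway pods
        address_type = (meta.get("annotations") or {}).get(ADDRESS_TYPE)
        if address_type != "intranet":
            findings.append({
                "service": f"{meta.get('namespace')}/{meta.get('name')}",
                "address_type": address_type or "unset",
                "ports": [p.get("port") for p in spec.get("ports", [])],
            })
    return findings

if __name__ == "__main__":
    for f in audit_gateway_services(SAMPLE_SVC_LIST):
        print(f"NOT intranet-only: {f['service']} ({f['address_type']}), ports {f['ports']}")
```

Any Service it reports gives callers a path to the Knative route that does not pass through the API gateway.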
Create the Knative service
Log in to the Alibaba Cloud Container Service console and create the Knative service.
Here we create the HelloWorld service as shown:
Verify that the service is accessible:
```
[root@iZbp1c1wa320d487jdm78aZ ~]# curl -H "Host:helloworld.default.example.com" http://192.168.0.23
Hello World!
```
Configuring the API Gateway
Next comes the main part, how to configure the API gateway to access the Knative Service.
Create a group
Since an API must belong to a group, we create a group first. Log in to the Alibaba Cloud API Gateway console and choose Open API -> Group Management:
Click Create Group and select a shared instance (VPC).
After the creation, you need to enable a public domain name in the group details so that the service can be accessed from the public network. You can either (1) enable the public network second-level domain name for testing, or (2) set an independent domain name.
Here, we enable the public network second-level domain name for test access, as shown in the figure after enabling:
Creating VPC Authorization
Since we are accessing services in the Kubernetes cluster's VPC, we need to create a VPC authorization. Choose Open API -> VPC Authorization:
Click Create Authorization and set the VPC ID and the Intranet SLB instance ID. Here we create a VPC authorization named knative-test.
Create an application
Create an application for Alibaba Cloud APP identity authentication. This authentication method requires the requester to pass APP identity authentication when calling the API. Here we create an application named knative.
Create API
Log in to the Alibaba Cloud API Gateway console, choose Open API -> API List, and select Create API. For details about creating an API, see: Create API.
Next, fill in [Basic information] and select the security authentication type: Alibaba Cloud APP. For AppCode authentication, you can select the option that allows AppCode authentication (Header & Query). For details about AppCode authentication, see: Call the API using simple authentication (AppCode)
Click Next to define the API request. The protocol can be HTTP or HTTPS, and the request path can be set to /.
Click Next to define the API backend service. We set the backend service type to VPC and set the VPC authorization name.
Set the constant parameters: backend parameter name: Host, parameter value: helloworld.default.example.com, parameter position: Header.
Click Next to complete the creation.
Publish the API
Once created, the API can be published directly.
Choose Online and click “Publish”.
Validate the API
After publishing, we can see the current API in the API List with the status Online (running).
Before calling the API for testing, we need to authorize the application for the API. Enter the API details and select [Authorization Information].
Click “Add Authorization” and select the knative application created above.
Next, we verify the API. Click “Debug API” and then “Send request” in the API details. You can see the test result information:
At this point, we have released the Knative service through Alibaba Cloud API Gateway.
Summary
After the above introduction, you should have a preliminary understanding of how to release a Knative service through Alibaba Cloud API Gateway. In actual production, requirements for Serverless services such as access security, flow control, and monitoring, operation and maintenance are essential, and Alibaba Cloud API Gateway provides exactly these safeguards for Knative services. The following can be configured for API services through Alibaba Cloud API Gateway:
- Flow control
- Access authentication
- Log monitoring
- API lifecycle management: test, release, roll-out
It is through these capabilities that Alibaba Cloud API Gateway provides production-level services to Knative. Interested readers are welcome to get in touch and discuss.