Author | Yuan Yi, senior development engineer, Ali Cloud Intelligence business group

In practical applications, an API gateway provides unified authentication management, traffic limiting, and monitoring for internal services, so developers only need to pay attention to the business logic of those services. In this article, the author Yuan Yi introduces how to publish a Knative service externally through the Ali Cloud API gateway and an intranet SLB, so as to build a production-level Knative service.

About Ali Cloud API gateway

Ali Cloud API gateway provides complete API hosting services that help users open their capabilities, services and data to partners in the form of APIs. APIs can also be published to the API market for more developers to purchase and use.

  • Provides multiple methods to protect API security and reduce the risks of opening APIs, including attack defense, replay defense, request encryption, identity authentication, permission management, and traffic control
  • Provides lifecycle management of API definition, test, release and offline, and generates SDKs and API documentation to improve the efficiency of API management and iteration
  • Provides convenient monitoring, alarm, analysis, API market and other operation and maintenance tools to reduce the cost of API operation and maintenance

Release services based on Ali Cloud API gateway

Bind the Istio gateway to the Intranet SLB

Create an intranet SLB and bind it to the Istio gateway application. You can create the intranet SLB with the following YAML:

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alicloud-loadbalancer-address-type: "intranet"
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
  name: istio-ingressgateway-intranet
  namespace: istio-system
spec:
  externalTrafficPolicy: Cluster
  ports:
  - name: status-port
    port: 15020
    protocol: TCP
    targetPort: 15020
  - name: http2
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  - name: tls
    port: 15443
    protocol: TCP
    targetPort: 15443
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  sessionAffinity: None
  type: LoadBalancer

After the creation, you can log in to the Ali Cloud Container Service console, enter the “Routing and Workload” menu, select the istio-system namespace, and view the created intranet SLB information:

The Intranet SLB address is 192.168.0.23
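API gateway authentication only protects the service if the Istio ingress gateway is not also reachable through some other SLB. The following check is an added example, not part of the original article: it reads data shaped like `kubectl get svc -n istio-system -o json` and flags LoadBalancer Services that select the gateway pods but do not carry the intranet annotation from the manifest above. The sample data is constructed, and the gateway pod labels are assumed to match the selector in that manifest.

```python
import json

ADDR_TYPE = "service.beta.kubernetes.io/alicloud-loadbalancer-address-type"
# Assumption: ingress gateway pod labels, taken from the selector in the manifest above.
GATEWAY_POD_LABELS = {"app": "istio-ingressgateway", "istio": "ingressgateway"}

# Constructed sample shaped like `kubectl get svc -n istio-system -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "istio-ingressgateway"},
   "spec": {"type": "LoadBalancer",
            "selector": {"app": "istio-ingressgateway", "istio": "ingressgateway"},
            "ports": [{"port": 80}, {"port": 443}]}},
  {"metadata": {"name": "istio-ingressgateway-intranet",
                "annotations": {"service.beta.kubernetes.io/alicloud-loadbalancer-address-type": "intranet"}},
   "spec": {"type": "LoadBalancer",
            "selector": {"app": "istio-ingressgateway", "istio": "ingressgateway"},
            "ports": [{"port": 15020}, {"port": 80}, {"port": 443}, {"port": 15443}]}},
  {"metadata": {"name": "istio-pilot"},
   "spec": {"type": "ClusterIP", "selector": {"istio": "pilot"},
            "ports": [{"port": 15010}]}}
]}
""")

def fronts_gateway(svc):
    """True if the Service selector would match the ingress gateway pods."""
    selector = svc.get("spec", {}).get("selector") or {}
    return bool(selector) and all(
        GATEWAY_POD_LABELS.get(k) == v for k, v in selector.items())

def audit(svc_list):
    """Return (name, address_type, ports) for gateway SLBs not marked intranet."""
    findings = []
    for svc in svc_list.get("items", []):
        spec, meta = svc.get("spec", {}), svc.get("metadata", {})
        if spec.get("type") != "LoadBalancer" or not fronts_gateway(svc):
            continue
        addr_type = (meta.get("annotations") or {}).get(ADDR_TYPE)
        if addr_type != "intranet":  # missing or any other value: flag for review
            findings.append((meta.get("name"), addr_type,
                             [p.get("port") for p in spec.get("ports", [])]))
    return findings

if __name__ == "__main__":
    for name, addr_type, ports in audit(SAMPLE):
        print(f"{name}: address-type={addr_type!r}, ports={ports}: not an intranet SLB, review")
```

Any Service it reports is a path to the Knative service that does not pass through the API gateway's authentication and traffic control.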

Create the Knative service

Log in to the Ali Cloud Container Service console to create the Knative service. Here we create the HelloWorld service as shown:

Verify that the service is accessible:

[root@iZbp1c1wa320d487jdm78aZ ~]# curl -H "Host:helloworld.default.example.com" http://192.168.0.23
Hello World!

Configuring the API Gateway

Next comes the main part: how to configure the API gateway to access the Knative service.

Create a group

Since every API must belong to a group, we create a group first. Log in to the Ali Cloud API Gateway console, open API-> Group Management:

Click Create Group and select a shared instance.

After the creation, you need to enable a public domain name in the group details so that the service can be accessed from the public network. You can either enable the public secondary domain name (1 in the figure) or set an independent domain name (2 in the figure).

Here, we enable the public secondary domain name for test access. The figure shows the result after enabling:

Creating VPC Authorization

Since we are accessing services inside the K8s VPC, we need to create a VPC authorization. Choose Open API->VPC Authorization:

Click Create Authorization and set the VPC Id and the intranet SLB instance Id. Here we create the knative-test VPC authorization.

Create an application

Create an application for Ali Cloud APP authentication. This authentication requires the requester to authenticate as the APP when calling the API. Here we create the Knative application.

Create API

Log in to the Ali Cloud API Gateway console, open API->API list, and select create API. For details about creating an API, see creating an API.

Next, fill in [Basic Information]. For security authentication, choose Ali Cloud APP. For the AppCode authentication option, choose: AppCode authentication (Header & Query) is allowed. For details about the AppCode authentication method, see: Using simple authentication (AppCode) to invoke APIs.

Click Next to define the API request. The protocol can be HTTP or HTTPS. The request path can be set to /.

Click Next to define the API backend service. We set the backend service type to VPC and set the VPC authorization name.

Set the constant parameters: backend parameter name Host, parameter value helloworld.default.example.com, parameter position Header.

Click Next to complete the creation.

Publish the API

Once created, you can publish directly.

Select online and click publish.

Validate the API

After publishing, we can see the current API in the API list: online (running).

Before calling the API for testing, we need to authorize an application for the API. Go to the API details and select “Authorization Information”.

Click “Add Authorization”. Here we select the Knative application created above for authorization.

Next, we verify the API. Click “Debug API” and then “Send request” in the API details. You can see the test result information:

At this point, we have published the Knative service through the Ali Cloud API gateway.

Summary

After the above introduction, you should have a preliminary understanding of how to publish a Knative service through the Ali Cloud API gateway. In actual production, our requirements for a Serverless service, such as access security, flow control, and monitoring and operations, are not small, and the Ali Cloud API gateway provides exactly these protective capabilities for the Knative service. The following can be configured for API services through the Ali Cloud API gateway:

  • Flow control
  • Access authentication
  • Log monitoring
  • API lifecycle management: test, release, roll-out

It is through these capabilities that the Ali Cloud API gateway provides production-level services to Knative. Interested readers are welcome to get in touch and discuss.

The author: Yi Luzhou


This article is original content of the cloud habitat community and shall not be reproduced without permission.