Run Ingress APISIX on Amazon EKS
@Chao Zhang, Apache APISIX Committer from Shenzhen Zhiliu Technology Co.
Source:
This post is based on Install Ingress APISIX on Amazon EKS.
Amazon Elastic Kubernetes Service (Amazon EKS) gives you the flexibility to start, run, and scale Kubernetes applications in the AWS cloud or on-premises. This article explains how to run Ingress APISIX on it.
Ingress APISIX brings good features (traffic splitting, multiple protocols, authentication and etc) of Apache APISIX to Kubernetes, with a well-designed Controller component to drive it, which helps users to achieve complex demands for the north-south traffic.
#
PrerequisitesBefore you go ahead, make sure you have an available EKS cluster on Amazon AWS. If you don't have one, please create it according to the guide.
You shall have kubectl tool in your own environment, set the context to your EKS cluster by running:
aws eks update-kubeconfig --name <your eks cluster name> --region <your region>
After the Kubernetes cluster is ready, creating the namespace ingress-apisix, all subsequent resources will be created at this namespace.
kubectl create namespace ingress-apisix
We use Helm to deploy all components in Ingress APISIX (Apache APISIX and apisix-ingress-controller), so please also install Helm according to its installation guide. The helm charts for Apache APISIX and apisix-ingress-controller are in apache/apisix-helm-chart and apache/apisix-ingress-controller, clone them to get the charts.
#
Install Apache APISIXApache APISIX as the proxy plane of apisix-ingress-controller, should be deployed in advance.
cd /path/to/apisix-helm-charthelm repo add bitnami https://charts.bitnami.com/bitnamihelm dependency update ./chart/apisixhelm install apisix ./chart/apisix \ --set gateway.type=LoadBalancer \ --set allow.ipList="{0.0.0.0/0}" \ --namespace ingress-apisixkubectl get service --namespace ingress-apisix
The above commands created two Kubernetes Service resources, one is apisix-gateway
, which processes the real traffic; another is apisix-admin
, which acts as the control plane to process all the configuration changes. Here we created the apisix-gateway
as a LoadBalancer
type Service, which resorts the AWS Network Balancer to expose it to the Internet. You can find the load balancer hostname by the following command:
kubectl get service apisix-gateway \--namespace ingress-apisix \-o jsonpath='{.status.loadBalancer.ingress[].hostname}'
Another thing should be concerned that the allow.ipList
field should be customized according to the EKS CIDR Ranges in your EKS cluster, so that the apisix-ingress-controller can be authorized by Apache APISIX (for the resources pushing).
See values.yaml to learn all the configuration items if you have other requirements.
#
Install apisix-ingress-controllerAfter Apache APISIX is deployed successfully, now it's time to install the controller component.
cd /path/to/apisix-ingress-controller# install base resources, e.g. ServiceAccount.helm install ingress-apisix-base -n ingress-apisix ./charts/base# install apisix-ingress-controllerhelm install ingress-apisix ./charts/ingress-apisix \ --set ingressController.image.tag=dev \ --set ingressController.config.apisix.baseURL=http://apisix-admin:9180/apisix/admin \ --set ingressController.config.apisix.adminKey={YOUR ADMIN KEY} \ --namespace ingress-apisix
The ingress-apisix-base chart installed some basic dependencies for apisix-ingress-controller, such as ServiceAccount, its exclusive CRDs and etc.
The ingress-apisix chart guides us how to install the controller itself, you can change the image tag to the desired release version, also the value of ingressController.config.apisix.adminKey
in above mentioned commands should be filled according to your practical usage (and be sure the admin key is same as the on in Apache APISIX deployment). See values.yaml to learn all the configuration items if you have other requirements.
Now try to open your EKS console, choosing your cluster and clicking the Workloads tag, you shall see all pods of Apache APISIX, etcd and apisix-ingress-controller are ready.
#
TestNow we have deployed all components in Ingress APISIX, it's important to check whether it runs well. We will deploy a httpbin service and ask Apache APISIX to route all requests with Host "local.httpbin.org"
to it.
The first step we should do is created the httpbin workload and expose it.
kubectl run httpbin --image kennethreitz/httpbin --port 80kubectl expose pod httpbin --port 80
In order to let Apache APISIX routes requests correctly, we need create an ApisixRoute resource to drive it.
# ar-httpbin.yamlapiVersion: apisix.apache.org/v1kind: ApisixRoutemetadata: name: httpserver-routespec: rules: - host: local.httpbin.org http: paths: - backend: serviceName: httpbin servicePort: 80 path: /*
The above ApisixRoute resource asks Apache APISIX to route requests which Host header is "local.httpbin.org"
to the httpbin backend (the one we just created).
Now try to apply it, note the service and the ApisixRoute resource should be put in the same namespace., crossing namespaces is not allowed in apisix-ingress-controller.
kubectl apply -f ar-httpbin.yaml
Test it by a simple curl call from a place where the Apache APISIX service is reachable.
$ curl http://{apisix-gateway-ip}:{apisix-gateway-port}/headers -s -H 'Host: local.httpbin.org'
{ "headers": { "Accept": "*/*", "Host": "httpbin.org", "User-Agent": "curl/7.64.1", "X-Amzn-Trace-Id": "Root=1-5ffc3273-2928e0844e19c9810d1bbd8a" }}
If the Service type is ClusterIP,
you have to login to a pod in the EKS cluster, then accessing Apache APISIX with its ClusterIP
or Service FQDN. If it was exposed (no matter NodePort
or LoadBalancer
), just accessing its outside reachable endpoint.