In practice, an API gateway shields internal services from direct exposure and provides unified authentication, rate limiting and monitoring, so developers only need to concentrate on the business logic of the services behind it. This article shows how to expose a Knative service to the public network through Alibaba Cloud API Gateway combined with an intranet SLB (Server Load Balancer), turning it into a production-grade Knative service.

About Alibaba Cloud API Gateway

Alibaba Cloud API Gateway is a fully managed API hosting service. It lets you open your capabilities, services and data to partners in the form of APIs, and also lets you publish APIs to the API marketplace where other developers can purchase and use them.

  • Protects APIs in several ways to reduce the risk of opening them up: attack defense, replay defense, request encryption, identity authentication, permission management and traffic control
  • Manages the full API lifecycle (definition, test, publish, take offline) and generates SDKs and API documentation, making API management and iteration more efficient
  • Provides monitoring, alerting, analytics, the API marketplace and other operations tools that lower the cost of running APIs

Publishing services through Alibaba Cloud API Gateway

Bind the Istio gateway to an intranet SLB

Create an intranet SLB and bind it to the Istio ingress gateway. On Alibaba Cloud Container Service, a Service of type LoadBalancer carrying the annotation service.beta.kubernetes.io/alicloud-loadbalancer-address-type: "intranet" is provisioned as an SLB with a VPC-private address only. That is the point of this step: the Istio gateway gets no public IP, and the only path in from the Internet will be the API gateway, which is authorized into the VPC later on. The intranet SLB can be created with the following YAML:

apiVersion: v1
kind: Service
metadata:
  annotations:
    # "intranet" gives the SLB a VPC-private address; without it the
    # cloud controller would allocate a public SLB and expose the gateway.
    service.beta.kubernetes.io/alicloud-loadbalancer-address-type: "intranet"
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
  name: istio-ingressgateway-intranet
  namespace: istio-system
spec:
  externalTrafficPolicy: Cluster
  ports:
  - name: status-port
    port: 15020
    protocol: TCP
    targetPort: 15020
  - name: http2
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  - name: tls
    port: 15443
    protocol: TCP
    targetPort: 15443
  # Same selector as the stock istio-ingressgateway Service, so the SLB
  # fronts the existing gateway pods rather than a second deployment.
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  sessionAffinity: None
  type: LoadBalancer

After creation, log in to the Alibaba Cloud Container Service console, open the Routing and Workload menu, select the istio-system namespace and view the intranet SLB that was created:

In this example the intranet SLB address is 192.168.0.23.

Create the Knative service

Log in to the Alibaba Cloud Container Service console and create the Knative service.

Here we create the HelloWorld service:

Verify from a machine inside the VPC that the service answers through the intranet SLB. The Host header is required because the Istio ingress gateway routes by host name, not by IP:

[root@iZbp1c1wa320d487jdm78aZ ~]# curl -H "Host: helloworld.default.example.com" http://192.168.0.23
Hello World!

Configuring the API Gateway

Now the main part: configuring the API gateway so that it can reach the Knative service.

Create a group

Every API belongs to a group, so create the group first. Log in to the Alibaba Cloud API Gateway console and open Open API -> Group Management:

Click Create Group and select a shared instance (VPC).

After creation, the group needs a public domain name before it can be reached from the Internet. In the group details you can either (1) enable the public second-level domain name, which is intended for testing, or (2) bind an independent domain name of your own, which is what a production deployment should use.

Here we enable the public second-level domain name for test access; after enabling it the group details look like this:

Create a VPC authorization

Because the backend lives inside the Kubernetes cluster's VPC and the SLB has no public address, the gateway needs a VPC authorization to reach it. Choose Open API -> VPC Authorization:

Click Create Authorization and fill in the VPC ID and the instance ID of the intranet SLB created above. Here the authorization is named knative-test. This authorization is what lets the gateway, and only the gateway, connect to the otherwise unreachable SLB.

Create an application

Create an application for Alibaba Cloud APP authentication. With this authentication type the caller must present the application's credentials on every API call (either a signature computed with the application's AppKey/AppSecret, or its AppCode). Here we create an application named knative.

Create the API

In the Alibaba Cloud API Gateway console open Open API -> API List and click Create API. For details, see the Create API documentation.

Fill in the basic information and set Security Authentication to Alibaba Cloud APP. Optionally allow AppCode authentication (Header & Query), which lets callers send just the AppCode instead of signing the request. For details, see Call an API using simple authentication (AppCode). Note the trade-off: an AppCode is a bearer credential, so anyone who obtains it can call the API, whereas signature authentication never transmits the AppSecret itself and also carries a timestamp and nonce that the gateway uses for replay defense.

Click Next to define the API request. The protocol can be HTTP or HTTPS; prefer HTTPS, since an AppCode sent in a header or query string over plain HTTP is exposed in transit. The request path is set to /.

Click Next to define the backend service. Set the backend service type to VPC and select the VPC authorization created above (knative-test).

Under Constant Parameters add one entry: backend parameter name Host, parameter value helloworld.default.example.com, parameter position Header. The Istio ingress gateway behind the SLB routes on the Host header alone, so without this constant the request would reach the SLB but no Knative route would match it.

Click Next to complete the creation.

Publish the API

Once created, the API can be published directly.

Select the Online stage and click Publish.

Validate the API

After publishing, the API appears in the API list with status Online (running).

Before calling the API, authorize the application for it: open the API details and select Authorization Information.

Click Add Authorization and select the knative application created above.

Finally, verify the API: click Debug API in the API details and then Send Request. The test result is shown:
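To make the security behaviour of the authentication chosen above concrete, here is an added example that is not part of the original article and not Alibaba Cloud's own code. It implements the client side of the Alibaba Cloud APP signature scheme (X-Ca-Key, X-Ca-Nonce, X-Ca-Timestamp, X-Ca-Signature-Headers and a Base64 HmacSHA256 signature over the documented string-to-sign), plus a mock of the checks the gateway performs before forwarding a request into the VPC: known and authorized AppKey, timestamp within an allowed window, unused nonce, and matching signature. The AppKey/AppSecret values are constructed, the mock verifier and its 15-minute skew window are illustrative assumptions, and the AppCode helper shows the header form of simple authentication for comparison.

```python
"""Added example: Alibaba Cloud APP signature authentication, client and mock gateway.

Assumptions (not from the article): APP_KEY/APP_SECRET are made-up credentials for the
"knative" application; MockGateway is an illustrative stand-in for the real gateway's
checks, with an assumed 15-minute timestamp window.
"""
import base64
import hashlib
import hmac
import time
import uuid
from email.utils import formatdate

APP_KEY = "203999999"                                 # constructed
APP_SECRET = "0c3a2f1d6b7e4a5c8d9e0f1a2b3c4d5e"       # constructed

# X-Ca-* headers that are included in the signature (listed in X-Ca-Signature-Headers).
SIGNED_HEADERS = ("X-Ca-Key", "X-Ca-Nonce", "X-Ca-Signature-Method", "X-Ca-Timestamp")


def build_string_to_sign(method, path, headers, params):
    """Canonical request, per the documented layout:
    METHOD\\nAccept\\nContent-MD5\\nContent-Type\\nDate\\n<sorted X-Ca-* key:value lines><path?sorted params>
    """
    ca_headers = "".join(
        f"{k}:{headers[k]}\n"
        for k in sorted(headers["X-Ca-Signature-Headers"].split(","))
    )
    url = path
    if params:
        url += "?" + "&".join(f"{k}={v}" if v != "" else k for k, v in sorted(params.items()))
    fixed = [method.upper(), headers.get("Accept", ""), headers.get("Content-MD5", ""),
             headers.get("Content-Type", ""), headers.get("Date", "")]
    return "\n".join(fixed) + "\n" + ca_headers + url


def hmac_sha256_b64(secret, message):
    digest = hmac.new(secret.encode(), message.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, path, params=None, body=b"", app_key=APP_KEY,
                 app_secret=APP_SECRET, now_ms=None, nonce=None):
    """Client side: produce the headers for one request. The secret never leaves the client."""
    params = params or {}
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json; charset=utf-8",
        "Date": formatdate(now_ms / 1000, usegmt=True),
        "X-Ca-Key": app_key,
        "X-Ca-Nonce": nonce or str(uuid.uuid4()),     # fresh per request: replay defense
        "X-Ca-Signature-Method": "HmacSHA256",
        "X-Ca-Timestamp": str(now_ms),                # milliseconds: bounds the replay window
        "X-Ca-Signature-Headers": ",".join(SIGNED_HEADERS),
    }
    if body:
        headers["Content-MD5"] = base64.b64encode(hashlib.md5(body).digest()).decode()
    headers["X-Ca-Signature"] = hmac_sha256_b64(
        app_secret, build_string_to_sign(method, path, headers, params))
    return headers


def appcode_headers(app_code):
    """Simple authentication: a bearer credential, so only ever send it over HTTPS."""
    return {"Authorization": f"APPCODE {app_code}"}


class MockGateway:
    """Illustrative verifier (assumption, not the real gateway's code)."""
    MAX_SKEW_MS = 15 * 60 * 1000   # assumed window

    def __init__(self, apps):
        self.apps = apps            # app_key -> app_secret for applications authorized on the API
        self.seen_nonces = set()    # nonces already accepted within the window

    def verify(self, method, path, headers, params=None, now_ms=None):
        now_ms = int(time.time() * 1000) if now_ms is None else now_ms
        secret = self.apps.get(headers.get("X-Ca-Key"))
        if secret is None:
            return 403, "unknown or unauthorized AppKey"
        ts = headers.get("X-Ca-Timestamp", "")
        if not ts.isdigit() or abs(now_ms - int(ts)) > self.MAX_SKEW_MS:
            return 403, "timestamp outside allowed window"
        nonce = headers.get("X-Ca-Nonce", "")
        if not nonce or nonce in self.seen_nonces:
            return 403, "replayed nonce"
        expected = hmac_sha256_b64(secret, build_string_to_sign(method, path, headers, params or {}))
        if not hmac.compare_digest(expected, headers.get("X-Ca-Signature", "")):
            return 403, "signature mismatch"
        self.seen_nonces.add(nonce)
        return 200, "forward to VPC backend with constant Host header"


if __name__ == "__main__":
    gw = MockGateway({APP_KEY: APP_SECRET})
    h = sign_request("GET", "/", {"name": "knative"})
    print(gw.verify("GET", "/", h, {"name": "knative"}))   # accepted once
    print(gw.verify("GET", "/", h, {"name": "knative"}))   # same headers again: replayed nonce
```

The mock makes the article's "replay defense" claim visible: resending a captured, validly signed request fails on the nonce check, a delayed copy fails on the timestamp check, and any change to the path or query invalidates the signature because they are part of the string-to-sign. With AppCode authentication none of this applies, which is why the real gateway's documentation treats it as the simpler but weaker option.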

At this point the Knative service has been published through Alibaba Cloud API Gateway.

Summary

The walkthrough above should give you an initial understanding of how to publish a Knative service through Alibaba Cloud API Gateway. In production, the requirements placed on a serverless service, such as access security, flow control, and monitoring and operations, are anything but minimal, and Alibaba Cloud API Gateway is well suited to providing exactly these safeguards for Knative services. Through the gateway an API service can be configured with:

  • Flow control
  • Access authentication
  • Logging and monitoring
  • API lifecycle management: test, publish, take offline

These capabilities are what let Alibaba Cloud API Gateway turn a Knative service into a production-grade service. Readers who are interested are welcome to get in touch.

Author: Yuan Yi

The original link

This article is original content from the Alibaba Cloud Yunqi Community and may not be reproduced without permission.