跳到主要内容

emissary-ingress

  • emissary-ingress/emissary
    • Apache-2.0, Go+Python
    • API Gateway + Layer 7 LB + Kubernetes Ingress
    • Envoy Proxy
    • 之前为 Ambassador API Gateway
    • 支持 Kubernetest Ingress 和 Gateway API
    • 很多 CDR 供自定义服务
  • 参考
    • vs. Others
    • vs. Ambassador Edge Stack
      • Edge Stack 的核心 - 作为了 CNCF 孵化项目
  • 功能
    • 路由 - Ingress, Gateway API
    • 安全 - AuthService, RateLimitService
    • 监控 - TracingService
      • tracing
    • 统计 - statd, /metrics
    • 集成 - Knative, Istio, Linkerd2, Consul

CDR

  • getambassador.io/v3alpha1
  • Host - 可访问入口 Hostname
  • Listener - 定义监听方式
  • Mapping - HTTP 映射到 Host
  • TCPMappings
  • Module - 系统纬度配置
  • 服务发现
    • KubernetesServiceResolver
    • KubernetesEndpointResolver
    • ConsulResolver
  • 插件
    • AuthService - 只能定义一个
      • Ambassador 内使用 External, Filter
    • LogService
    • RateLimitService
    • TracingService
      • lightstep, zipkin, datadog
apiVersion: getambassador.io/v3alpha1
kind: Host
metadata:
name: minimal-host
spec:
# 支持 *.example.com, host.example.*
hostname: host.example.com
# 选择 Mapping
mappingSelector:
matchLabels:
examplehost: host
acmeProvider:
authority: none
email: [email protected]
tlsSecret:
name: tls-cert
requestPolicy:
insecure:
# Redirect, Route, Reject
# 默认 HTTP 会跳转 HTTPS
action: Redirect
additionalPort: 8080
---
apiVersion: getambassador.io/v3alpha1
kind: TLSContext
metadata:
name: upstream-context
spec:
hosts: []
secret: upstream-certs
# self-signed
# secret: self-signed-cert
min_tls_version: v1.3
sni: some-sni-hostname
---
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
name: mapping-with-label-match
labels:
examplehost: host
spec:
# 可以配置 hostname 选择 Host
hostname: '*.example.com'
prefix: /httpbin/
service: http://httpbin.org
host_rewrite: httpbin.org
tls: upstream-context

---
apiVersion: getambassador.io/v3alpha1
kind: Listener
metadata:
name: example-listener
spec:
port: 8080
protocol: HTTPS # HTTP, HTTPS, HTTPPROXY, HTTPSPROXY, TCP
protocolStack: [HTTP, TCP]
securityModel: XFP # XFP (for X-Forwarded-Proto), SECURE, INSECURE
statsPrefix: example-listener # default depends on protocol
l7Depth: 0
hostBinding:
namespace:
from: SELF # SELF, ALL
selector: ... # Kubernetes label selector

---
apiVersion: getambassador.io/v3alpha1
kind: AuthService
metadata:
name: authentication
spec:
ambassador_id: ['ambassador-1']
auth_service: 'example-auth.authentication:3000'
tls: true
proto: http
timeout_ms: 5000
include_body:
max_bytes: 4096
allow_partial: true
status_on_error:
code: 403
failure_mode_allow: false

# proto: grpc only
protocol_version: v2

# proto: http only
path_prefix: '/path'
allowed_request_headers:
- 'x-example-header'
allowed_authorization_headers:
- 'x-qotm-session'
add_auth_headers:
x-added-auth: auth-added
add_linkerd_headers: false

Module

apiVersion: getambassador.io/v3alpha1
kind: Module
metadata:
name: ambassador
spec:
config:
grpc_stats:
upstream_stats: true
services:
- name: <package>.<service>
method_names: [<method>]