Ambassador Series 11: Installing Ambassador Edge Stack 1.1.0 with Helm

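Ambassador 1.1.0 has been released. The biggest change is that the former Ambassador and Ambassador Pro have been split into three editions: Ambassador API Gateway, Ambassador Edge Stack Community and Ambassador Edge Stack Enterprise. Ambassador API Gateway corresponds to the 0.x Ambassador, and Ambassador Edge Stack corresponds to the 0.x Ambassador Pro. Ambassador Edge Stack Community is the trial edition of the enterprise product, and Ambassador Edge Stack Enterprise is the full enterprise edition.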

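Judging by Ambassador's documentation and deployment methods, the focus has shifted to Ambassador Edge Stack: the default deployment is now Ambassador Edge Stack Community, mainly to promote the enterprise edition. The feature list for each edition follows.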
Editions
The following describes the Helm deployment of Ambassador Edge Stack Community. Add the Helm repository.

helm repo add datawire https://www.getambassador.io

helm search repo ambassador
NAME                    CHART VERSION   APP VERSION     DESCRIPTION
aliyuncs/ambassador     4.4.7           0.85.0          A Helm chart for Datawire Ambassador
datawire/ambassador     6.1.1           1.1.0           A Helm chart for Datawire Ambassador
stable/ambassador       5.3.0           0.86.1          A Helm chart for Datawire Ambassador

First create the ambassador namespace.

kubectl create namespace ambassador

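Install Ambassador Edge Stack, changing the Admin and Proxy services to NodePort so that they can be reached from outside the Kubernetes cluster. Ignore the informational message: manifest_sorter.go:175: info: skipping unknown hook: "crd-install".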

helm install ambassador --namespace ambassador datawire/ambassador \
  --set adminService.type=NodePort \
  --set service.type=NodePort
manifest_sorter.go:175: info: skipping unknown hook: "crd-install"
manifest_sorter.go:175: info: skipping unknown hook: "crd-install"
manifest_sorter.go:175: info: skipping unknown hook: "crd-install"
manifest_sorter.go:175: info: skipping unknown hook: "crd-install"
manifest_sorter.go:175: info: skipping unknown hook: "crd-install"
manifest_sorter.go:175: info: skipping unknown hook: "crd-install"
manifest_sorter.go:175: info: skipping unknown hook: "crd-install"
manifest_sorter.go:175: info: skipping unknown hook: "crd-install"
manifest_sorter.go:175: info: skipping unknown hook: "crd-install"
manifest_sorter.go:175: info: skipping unknown hook: "crd-install"
manifest_sorter.go:175: info: skipping unknown hook: "crd-install"
manifest_sorter.go:175: info: skipping unknown hook: "crd-install"
manifest_sorter.go:175: info: skipping unknown hook: "crd-install"
manifest_sorter.go:175: info: skipping unknown hook: "crd-install"
manifest_sorter.go:175: info: skipping unknown hook: "crd-install"
NAME: ambassador
LAST DEPLOYED: Sat Feb  8 06:01:35 2020
NAMESPACE: ambassador
STATUS: deployed
REVISION: 1
NOTES:
-------------------------------------------------------------------------------
Congratulations! You have successfully installed The Ambassador Edge Stack!
-------------------------------------------------------------------------------
NOTE: You are currently running The Ambassador Edge Stack in EVALUATION MODE.

Request a free community license key at https://SERVICE_IP/edge_stack_admin/#dashboard
to unlock all the features of The Ambassador Edge Stack and update the value of
licenseKey.value in your values.yaml file.
-------------------------------------------------------------------------------
WARNING:

With your installation of the Ambassador Edge Stack, you have created a:

- AuthService named ambassador-auth

- RateLimitService named ambassador-ratelimit

in the ambassador namespace.

Please ensure there is not another of these resources configured in your cluster.
If there is, please either remove the old resource or run

helm upgrade ambassador -n ambassador --set authService.create=false --set RateLimit.create=false

For help, visit our Slack at https://d6e.co/slack or view the documentation online at https://www.getambassador.io.

Check the CRDs that were created.

kubectl get crds
NAME                                           CREATED AT
authservices.getambassador.io                  2020-02-07T22:01:30Z
consulresolvers.getambassador.io               2020-02-07T22:01:30Z
filterpolicies.getambassador.io                2020-02-07T22:01:31Z
filters.getambassador.io                       2020-02-07T22:01:30Z
hosts.getambassador.io                         2020-02-07T22:01:31Z
kubernetesendpointresolvers.getambassador.io   2020-02-07T22:01:31Z
kubernetesserviceresolvers.getambassador.io    2020-02-07T22:01:31Z
logservices.getambassador.io                   2020-02-07T22:01:31Z
mappings.getambassador.io                      2020-02-07T22:01:31Z
modules.getambassador.io                       2020-02-07T22:01:31Z
ratelimits.getambassador.io                    2020-02-07T22:01:31Z
ratelimitservices.getambassador.io             2020-02-07T22:01:31Z
tcpmappings.getambassador.io                   2020-02-07T22:01:32Z
tlscontexts.getambassador.io                   2020-02-07T22:01:32Z
tracingservices.getambassador.io               2020-02-07T22:01:32Z

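Look at the Ambassador resources. An ambassador-redis has been added: Ambassador relies on Redis to temporarily store authentication credentials, rate-limit information and similar data, so a Redis service is built in. The Ambassador image has also changed to aes:1.1.0; AES is short for Ambassador Edge Stack.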

kubectl get all -nambassador -o wide
NAME                                    READY   STATUS    RESTARTS   AGE   IP           NODE        NOMINATED NODE   READINESS GATES
pod/ambassador-86bbd7456d-2k8q2         1/1     Running   2          12m   10.244.1.2   k8s-node1   <none>           <none>
pod/ambassador-86bbd7456d-4xj5n         1/1     Running   0          12m   10.244.1.4   k8s-node1   <none>           <none>
pod/ambassador-86bbd7456d-sjds6         1/1     Running   2          12m   10.244.2.4   k8s-node2   <none>           <none>
pod/ambassador-redis-8556cbb4c6-pj596   1/1     Running   0          12m   10.244.1.3   k8s-node1   <none>           <none>

NAME                       TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE   SELECTOR
service/ambassador         NodePort    10.1.106.113   <none>        80:35643/TCP,443:17699/TCP   12m   app.kubernetes.io/instance=ambassador,app.kubernetes.io/name=ambassador
service/ambassador-admin   NodePort    10.1.245.71    <none>        8877:30549/TCP               12m   app.kubernetes.io/instance=ambassador,app.kubernetes.io/name=ambassador
service/ambassador-redis   ClusterIP   10.1.1.37      <none>        6379/TCP                     12m   app.kubernetes.io/instance=ambassador,app.kubernetes.io/name=ambassador-redis

NAME                               READY   UP-TO-DATE   AVAILABLE   AGE   CONTAINERS   IMAGES                       SELECTOR
deployment.apps/ambassador         3/3     3            3           12m   ambassador   quay.io/datawire/aes:1.1.0   app.kubernetes.io/instance=ambassador,app.kubernetes.io/name=ambassador
deployment.apps/ambassador-redis   1/1     1            1           12m   redis        redis:5.0.1                  app.kubernetes.io/instance=ambassador,app.kubernetes.io/name=ambassador-redis

NAME                                          DESIRED   CURRENT   READY   AGE   CONTAINERS   IMAGES                       SELECTOR
replicaset.apps/ambassador-86bbd7456d         3         3         3       12m   ambassador   quay.io/datawire/aes:1.1.0   app.kubernetes.io/instance=ambassador,app.kubernetes.io/name=ambassador,pod-template-hash=86bbd7456d
replicaset.apps/ambassador-redis-8556cbb4c6   1         1         1       12m   redis        redis:5.0.1                  app.kubernetes.io/instance=ambassador,app.kubernetes.io/name=ambassador-redis,pod-template-hash=8556cbb4c6
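
Because the install above switched both the proxy and the admin service to NodePort, it is worth listing exactly which ports are now reachable on every node. The following is an added example, not part of the original post: the function name nodeport_exposure and the variable SAMPLE_SVC are hypothetical, and the sample rows are the service lines from the listing above with the SELECTOR column dropped.

```shell
#!/bin/sh
# Added example (not from the original post): list every Service port that is
# reachable from outside the cluster through a NodePort.
# SAMPLE_SVC reproduces the service rows of the listing above (SELECTOR column
# dropped). Against a live cluster, pipe in: kubectl get svc -n ambassador
SAMPLE_SVC='NAME                       TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
service/ambassador         NodePort    10.1.106.113   <none>        80:35643/TCP,443:17699/TCP   12m
service/ambassador-admin   NodePort    10.1.245.71    <none>        8877:30549/TCP               12m
service/ambassador-redis   ClusterIP   10.1.1.37      <none>        6379/TCP                     12m'

# Reads `kubectl get svc` text on stdin and prints one line per exposed port:
#   <service> <service-port> <node-port> <note>
nodeport_exposure() {
  awk '
    NR == 1 { next }                      # skip the header row
    $2 != "NodePort" { next }             # ClusterIP services stay cluster-internal
    {
      name = $1
      sub(/^service\//, "", name)         # "kubectl get all" prefixes the kind
      n = split($5, ports, ",")
      for (i = 1; i <= n; i++) {
        split(ports[i], p, "[:/]")        # 8877:30549/TCP -> 8877, 30549, TCP
        # 8877 is the ambassador-admin service port in the listing above
        note = (p[1] == "8877") ? "admin/diagnostics" : "proxy"
        print name, p[1], p[2], note
      }
    }'
}

printf '%s\n' "$SAMPLE_SVC" | nodeport_exposure
```

Each output line is a port that any host able to reach a node IP can connect to; the admin/diagnostics line is the one to restrict first (firewall rule, or leaving adminService at its default type) outside a lab.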

Open a browser and access the proxy ports; both http and https lead to the Edge Policy Console.

http://192.168.1.55:35643/
https://192.168.1.55:17699/

Edge Policy Console

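Clicking the blue link in the figure above shows a prompt that opening the Edge Policy Console requires installing edgectl. Click to download the Linux edgectl and upload it to the Master node.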

https://192.168.1.55:17699/edge_stack/admin/#dashboard
https://metriton.datawire.io/downloads/linux/edgectl

Edge Policy Console

Move edgectl into the shell PATH (here, the /usr/local/bin directory), make it executable, and log in to the Edge Policy Console.

mv edgectl /usr/local/bin/
chmod a+x /usr/local/bin/edgectl

edgectl login --namespace=ambassador 192.168.1.55:17699
Connecting to the Ambassador Edge Stack admin UI in this cluster...
Unexpected error while trying to open your browser.
Visit the following URL to access the Ambassador Edge Stack admin UI:
     https://192.168.1.55:17699/edge_stack/admin/#eyJhbGciOiJQUzUxMiIsInR5cCIXXXXXXXXX.eyJsb2dpbl90b2tlblXXXXXXXXXXXjoidjEiLCJleHAiOjE1ODExMTY2NjYsImlhdCI6MTU4MTExNDg2NiwibmJmIjXXXXXXXXXXXXXXXXX.WcvB8HZtq2MehbMxXYc3pXTvGMzN6r0crXXXXXXXXXXXXXXXXAZ3I5VmrCeNGzq1e9ROWNyqhQFkwHoHTbNF8__vOMJOqHGUrgZROTPa2QFdy9xhS9f40owhHRoppglj6oqZae1aW9IqMF-s8f-nkjwjOw34-EpjuZ4wEJYjkQUN2G6_YwDo8IKPeM1qCKo6NJwmXBY5qCa3E8cupy-BI1fIE36ENc_rKxeM6H-sU_GfLQ35CLGf-gAKXXXXXXQRvW4it9NB2_zeJ9pQje-2NnYRfKfh_GEVDpfPVPFJbJxrx0LLmImrT1x7qlIKh0RGAgXXXXXXXXXXXXXXXXXXXXXXXXXXX
Error: browse: exec: "xdg-open": executable file not found in $PATH

Open a browser and visit the link given above; this actually opens the Edge Policy Console.

https://192.168.1.55:17699/edge_stack/admin/#eyJhbGciOiJQUzUxMiIsInR5cCIXXXXXXXXX.eyJsb2dpbl90b2tlblXXXXXXXXXXXjoidjEiLCJleHAiOjE1ODExMTY2NjYsImlhdCI6MTU4MTExNDg2NiwibmJmIjXXXXXXXXXXXXXXXXX.WcvB8HZtq2MehbMxXYc3pXTvGMzN6r0crXXXXXXXXXXXXXXXXAZ3I5VmrCeNGzq1e9ROWNyqhQFkwHoHTbNF8__vOMJOqHGUrgZROTPa2QFdy9xhS9f40owhHRoppglj6oqZae1aW9IqMF-s8f-nkjwjOw34-EpjuZ4wEJYjkQUN2G6_YwDo8IKPeM1qCKo6NJwmXBY5qCa3E8cupy-BI1fIE36ENc_rKxeM6H-sU_GfLQ35CLGf-gAKXXXXXXQRvW4it9NB2_zeJ9pQje-2NnYRfKfh_GEVDpfPVPFJbJxrx0LLmImrT1x7qlIKh0RGAgXXXXXXXXXXXXXXXXXXXXXXXXXXX

Edge Policy Console

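The License area in the figure above shows that the installation is currently in evaluation mode. Click "Get a free Community license." to obtain an Ambassador Edge Stack Community license: enter an e-mail address and click the Sign up button, and a message says the Ambassador Edge Stack Community license has been sent to that mailbox. Check the mailbox for the license key, then register it on the master node.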

edgectl license -n ambassador eyJhbGciOiJQUzUxMiIsXXXXXXXXXXXXXX.eyJsaWNlbnNlX2tleV92ZXJzaW9uIjoidjIiLCJjdXN0b21lcl9pZCI6InR3aW5nYW9Ac2luYS5jbiIsImN1c3RvbWVyX2VtYWlsIjoidHdpbmdhb0BzaW5hLmNuIiwiZW5hYmxlZF9mZWF0dXJlcyI6WyIiLCJmaWx0ZXIiLCJyYXRlbGltaXQiLCJ0cmFmZmlXXXXXXXXXXXXXGFsIl0sImVuZm9yY2VkX2xpbWl0cyI6W3sibCI6ImRldnBvcnRhbC1zZXJ2aWNlcyIsInYiOjV9LHsibCI6InJhdGVsaW1pdC1zZXJ2aWNlIiwidiI6NX0seyJsIjoiYXV0aGZpbHRlci1zZXJ2aWNlIiwidiI6NX1dLCJtZXRhZGF0YSI6e30sImV4cCI6MTYxMjUzMDk4NCwiaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.TKBPqYGitumz5iSbFQq8EN9KN_BAqCJs9x03K6W3WBJxUx4fpXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXDvAUtL__7PYfTS-17Jq0ZJygOAC8hGtrOz8iCw--oFkAhpZ14mvc0-CpZEn0DgKAHel0WQY7nYGQ6aEh2GYQG80rf3KBSxZwbp-sawBANArwvCvWw1W_5tSpBy3FBG33J0IIb2rS9lAuFr0ZvVdocJr5vIKb1KQAH3Ww9sxLKfFdFOLN_5fUIsFiAOYiPuo0hpQp1BbIllxCYrKAMigXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
secret/ambassador-edge-stack configured
Please wait a minute or two for your license to be refreshed in your running Ambassador Edge Stack.

After about a minute, the License notice on the Edge Policy Console Dashboard page disappears automatically.

Next, we try creating a Kubernetes Service and an Ambassador Mapping.

vi echo-service.yaml
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: echo
  name: echo
spec:
  ports:
  - name: http
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    app: echo
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: echo
  name: echo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: echo
  template:
    metadata:
      labels:
        app: echo
    spec:
      containers:
      - name: echo
        image: e2eteam/echoserver:2.2
        ports:
        - containerPort: 8080
        env:
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: POD_IP
            valueFrom:
              fieldRef:
                fieldPath: status.podIP

vi echo-mapping.yaml
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: echo-mapping
spec:
  prefix: /foo
  service: echo:8080

kubectl apply -f echo-service.yaml
kubectl apply -f echo-mapping.yaml

Access it over https; Ambassador proxies the request to the echo service.

curl -i https://192.168.1.55:17699/foo -k
HTTP/1.1 200 OK
date: Fri, 07 Feb 2020 23:02:02 GMT
content-type: text/plain
server: envoy
x-envoy-upstream-service-time: 5
transfer-encoding: chunked


Hostname: echo-75cf96d976-q8vhj

Pod Information:
        node name:      k8s-node2
        pod name:       echo-75cf96d976-q8vhj
        pod namespace:  default
        pod IP: 10.244.2.5

Server values:
        server_version=nginx: 1.14.2 - lua: 10015

Request Information:
        client_address=10.244.2.4
        method=GET
        real path=/
        query=
        request_version=1.1
        request_scheme=http
        request_uri=http://192.168.1.55:8080/

Request Headers:
        accept=*/*
        content-length=0
        host=192.168.1.55:17699
        user-agent=curl/7.29.0
        x-envoy-expected-rq-timeout-ms=3000
        x-envoy-internal=true
        x-envoy-original-path=/foo
        x-forwarded-for=10.244.0.0
        x-forwarded-proto=https
        x-request-id=49720520-2d85-4747-86e5-3206d460273d

Request Body:
        -no body in request-

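Accessing it over http returns a redirect to https. HTTPS redirection appears to be configured by default, but because our https port is not the default 443, the redirected URL cannot be reached.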

curl -i http://192.168.1.55:35643/foo
HTTP/1.1 301 Moved Permanently
location: https://192.168.1.55:35643/foo
date: Fri, 07 Feb 2020 23:03:33 GMT
server: envoy
content-length: 0
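
The mismatch described above (the Location header keeps the HTTP NodePort 35643 while TLS is exposed on 17699) can be caught by a smoke test. The following is an added example, not part of the original post: the function names redirect_port and check_redirect and the variable SAMPLE_RESPONSE are hypothetical, the sample is the curl output above, and IPv6 literal hosts are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an HTTP->HTTPS
# redirect points at the port where TLS is actually exposed.
# SAMPLE_RESPONSE is the `curl -i` output shown above.
SAMPLE_RESPONSE='HTTP/1.1 301 Moved Permanently
location: https://192.168.1.55:35643/foo
date: Fri, 07 Feb 2020 23:03:33 GMT
server: envoy
content-length: 0'

# Reads response headers on stdin and prints the port of the Location URL
# (443 or 80 when the URL has no explicit port); prints nothing if the
# response carries no Location header.
redirect_port() {
  tr -d '\r' | awk '
    tolower($1) == "location:" {
      url = $2
      scheme = url; sub(/:.*/, "", scheme)
      rest = url; sub(/^[a-z]+:\/\//, "", rest); sub(/\/.*/, "", rest)  # host[:port]
      if (rest ~ /:[0-9]+$/) { sub(/.*:/, "", rest); print rest } else { print (scheme == "https" ? 443 : 80) }
      exit
    }'
}

# check_redirect HTTPS_PORT: 0 = redirect lands on HTTPS_PORT, 1 = mismatch,
# 2 = response is not a redirect.
check_redirect() {
  got=$(redirect_port)
  if [ -z "$got" ]; then echo "no redirect in response"; return 2; fi
  if [ "$got" = "$1" ]; then echo "ok: redirect targets port $got"; return 0; fi
  echo "mismatch: redirect targets port $got, TLS is exposed on $1"
  return 1
}

# Live use: curl -si http://192.168.1.55:35643/foo | check_redirect 17699
printf '%s\n' "$SAMPLE_RESPONSE" | check_redirect 17699 || true
```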

The admin port can also be accessed.

http://192.168.1.55:30549/ambassador/v0/diag/

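Ambassador series articles

Ambassador Series 01: Introduction, Installation and Usage

Ambassador Series 02: Module

Ambassador Series 03: Service Configuration and Service Discovery

Ambassador Series 04: Service Configuration with Mapping

Ambassador Series 05: Load Balancing

Ambassador Series 06: Canary Releases, Circuit Breakers, CORS and Traffic Mirroring

Ambassador Series 07: TCP Mapping with TCPMapping

Ambassador Series 08: TLS Configuration: HTTPS Redirection and TLS Termination

Ambassador Series 09: AuthService Authentication Service

Ambassador Series 10: RateLimitService Rate-Limiting Service

Ambassador Series 11: Installing Ambassador Edge Stack 1.1.0 with Helm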
