Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/03/20 06:37:52 UTC

[GitHub] [apisix] tokers commented on a change in pull request #6663: feat: improve kubernetes discovery

tokers commented on a change in pull request #6663:
URL: https://github.com/apache/apisix/pull/6663#discussion_r830566826



##########
File path: docs/en/latest/discovery/kubernetes.md
##########
@@ -0,0 +1,169 @@
+---
+title: Kubernetes
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+## Summary
+
+The kubernetes service discovery plugin list&watch real-time changes of kubernetes cluster v1.endpoints, \
+then store its value into ngx.shared.kubernetes.\
+Discovery plugin also provides a query interface in accordance with the _APISIX Discovery specification_
+
+## Configuration
+
+A detailed configuration for the kubernetes service discovery plugin is as follows:
+
+```yaml
+discovery:
+  kubernetes:
+    service:
+      # apiserver schema, options [http, https]
+      schema: https #default https
+
+      # apiserver host, options [ipv4, ipv6, domain, environment variable]
+      host: ${KUBERNETES_SERVICE_HOST} #default ${KUBERNETES_SERVICE_HOST}
+
+      # apiserver port, options [port number, environment variable]
+      port: ${KUBERNETES_SERVICE_PORT}  #default ${KUBERNETES_SERVICE_PORT}
+
+    client:
+      # serviceaccount token or token_file
+      token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+
+      #token: |-
+       # eyJhbGciOiJSUzI1NiIsImtpZCI6Ikx5ME1DNWdnbmhQNkZCNlZYMXBsT3pYU3BBS2swYzBPSkN3ZnBESGpkUEEif
+       # 6Ikx5ME1DNWdnbmhQNkZCNlZYMXBsT3pYU3BBS2swYzBPSkN3ZnBESGpkUEEifeyJhbGciOiJSUzI1NiIsImtpZCI
+
+    # kubernetes discovery plugin support use namespace_selector
+    # you can use one of [equal, not_equal, match, not_match] filter namespace
+    namespace_selector:
+      # only save endpoints with namespace equal default
+      equal: default
+
+      # only save endpoints with namespace not equal default
+      #not_equal: default
+
+      # only save endpoints with namespace match one of [default, ^my-[a-z]+$]
+      #match:
+       #- default
+       #- ^my-[a-z]+$
+
+      # only save endpoints with namespace not match one of [default, ^my-[a-z]+$ ]
+      #not_match:
+       #- default
+       #- ^my-[a-z]+$
+
+    # kubernetes discovery plugin support use label_selector
+    # for the expression of label_selector, please refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+    label_selector: |-
+      first="a",second="b"
+```
+
+If the kubernetes service discovery plugin runs inside a pod, you can use minimal configuration:
+
+```yaml
+discovery:
+  kubernetes: { }
+```
+
+If the kubernetes service discovery plugin runs outside a pod, you need to create or select a specified _ServiceAccount_,
+get its token value, then use following configuration:
+
+```yaml
+discovery:
+  kubernetes:
+    service:
+      schema: https
+      host: # enter apiserver host value here
+      port: # enter apiServer port value here
+    client:
+      token: # enter serviceaccount token value here
+      #token_file: # enter file path here
+```
+
+## Interface
+
+the kubernetes service discovery plugin provides a query interface in accordance with the _APISIX Discovery specification_
+
+**function:** \
+ nodes(service_name)
+
+**description:** \
+  nodes() function attempts to look up the ngx.shared.kubernetes for nodes corresponding to service_name, \
+  service_name should match pattern: _[namespace]/[name]:[portName]_
+
+  + namespace: The namespace where the kubernetes endpoint is located
+
+  + name: The name of the kubernetes endpoint
+
+  + portName: The portName of the kubernetes endpoint, if there is no portName, use targetPort, port instead
+
+**return value:** \
+  if the kubernetes endpoint value is as follows:
+
+  ```yaml
+  apiVersion: v1
+  kind: Endpoints
+  metadata:
+    name: plat-dev
+    namespace: default
+  subsets:
+    - addresses:
+        - ip: "10.5.10.109"
+        - ip: "10.5.10.110"
+      ports:
+        - port: 3306
+  ```
+
+  a nodes("default/plat-dev:3306") call will get follow result:
+
+  ```
+   {
+       {
+           host="10.5.10.109",
+           port= 3306,
+           weight= 100,
+       },
+       {
+           host="10.5.10.110",
+           port= 3306,
+           weight= 100,
+       },
+   }
+  ```
+
+## Q&A
+
+> Q: Why only support configuration token to access _Kubernetes ApiServer_ \
+> A: Usually, we will use three ways to complete the authentication of _Kubernetes ApiServer_:
+>
+>+ mTLS
+>+ token
+>+ basic authentication
+>
+> Because lua-resty-http does not currently support mTLS, and basic authentication is not recommended,\
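Review bot: The commented-out `#token: |-` sample under `client:` is a base64 string that looks like a real JWT header; replace it with an obvious placeholder such as `<serviceaccount-token>` so nobody copies a realistic-looking credential into `config.yaml`, and say next to `token_file` that reading the token from the mounted file is preferred over inlining a secret into the configuration. The "runs outside a pod" section should also state what the chosen _ServiceAccount_ needs: the plugin only does list and watch on `v1.endpoints`, so a Role/ClusterRole granting `list` and `watch` on `endpoints` is sufficient, and a token for an account with broader rights should not be used. Minor: `nodes(service_name)` always returns `weight= 100` in the example, but nothing says where the weight comes from or whether it is configurable; one sentence would settle that.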

Review comment:
       I think lua-resty-http has the capability to support mTLS, see https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L279-L287, we already support mTLS in the communication with ETCD.

##########
File path: docs/en/latest/discovery/kubernetes.md
##########
@@ -0,0 +1,169 @@
+---
+title: Kubernetes
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+## Summary
+
+The kubernetes service discovery plugin list&watch real-time changes of kubernetes cluster v1.endpoints, \
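Review bot: The Summary says the values are stored in `ngx.shared.kubernetes` but never states that this shared dict must exist in the nginx configuration (the companion change in `apisix/discovery/kubernetes/init.lua` raises an error when it is missing). Add a sentence naming the required `lua_shared_dict kubernetes` declaration and the APISIX version that ships it, so an operator with a custom `nginx.conf` template knows why the discovery module fails to load.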

Review comment:
       ```suggestion
   The [Kubernetes](https://kubernetes.io/) service discovery plugin list & watch real-time changes of [Endpoints](https://kubernetes.io/docs/concepts/services-networking/service/) resources in Kubernetes cluster, \
   ```

##########
File path: docs/en/latest/discovery/kubernetes.md
##########
@@ -0,0 +1,169 @@
+---
+title: Kubernetes
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+## Summary
+
+The kubernetes service discovery plugin list&watch real-time changes of kubernetes cluster v1.endpoints, \
+then store its value into ngx.shared.kubernetes.\
+Discovery plugin also provides a query interface in accordance with the _APISIX Discovery specification_
+
+## Configuration
+
+A detailed configuration for the kubernetes service discovery plugin is as follows:
+
+```yaml
+discovery:
+  kubernetes:
+    service:
+      # apiserver schema, options [http, https]
+      schema: https #default https
+
+      # apiserver host, options [ipv4, ipv6, domain, environment variable]
+      host: ${KUBERNETES_SERVICE_HOST} #default ${KUBERNETES_SERVICE_HOST}
+
+      # apiserver port, options [port number, environment variable]
+      port: ${KUBERNETES_SERVICE_PORT}  #default ${KUBERNETES_SERVICE_PORT}
+
+    client:
+      # serviceaccount token or token_file
+      token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+
+      #token: |-
+       # eyJhbGciOiJSUzI1NiIsImtpZCI6Ikx5ME1DNWdnbmhQNkZCNlZYMXBsT3pYU3BBS2swYzBPSkN3ZnBESGpkUEEif
+       # 6Ikx5ME1DNWdnbmhQNkZCNlZYMXBsT3pYU3BBS2swYzBPSkN3ZnBESGpkUEEifeyJhbGciOiJSUzI1NiIsImtpZCI
+
+    # kubernetes discovery plugin support use namespace_selector
+    # you can use one of [equal, not_equal, match, not_match] filter namespace
+    namespace_selector:
+      # only save endpoints with namespace equal default
+      equal: default
+
+      # only save endpoints with namespace not equal default
+      #not_equal: default
+
+      # only save endpoints with namespace match one of [default, ^my-[a-z]+$]
+      #match:
+       #- default
+       #- ^my-[a-z]+$
+
+      # only save endpoints with namespace not match one of [default, ^my-[a-z]+$ ]
+      #not_match:
+       #- default
+       #- ^my-[a-z]+$
+
+    # kubernetes discovery plugin support use label_selector
+    # for the expression of label_selector, please refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+    label_selector: |-
+      first="a",second="b"
+```
+
+If the kubernetes service discovery plugin runs inside a pod, you can use minimal configuration:
+
+```yaml
+discovery:
+  kubernetes: { }
+```
+
+If the kubernetes service discovery plugin runs outside a pod, you need to create or select a specified _ServiceAccount_,
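Review bot: The minimal in-pod configuration `kubernetes: { }` works only because the defaults (`${KUBERNETES_SERVICE_HOST}`, `${KUBERNETES_SERVICE_PORT}` and `token_file: /var/run/secrets/kubernetes.io/serviceaccount/token`) are populated by Kubernetes; state that the APISIX pod must have its ServiceAccount token mounted (`automountServiceAccountToken` not disabled), otherwise `token_file` does not exist and the plugin cannot authenticate. The `namespace_selector` block should also say what happens when it is omitted entirely (presumably endpoints from all namespaces are stored), since the detailed example leaves `equal: default` active and a reader cannot tell whether that is the default or just an illustration.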

Review comment:
       I suggest giving the way to fetch the token value. For instance, if the token in the SA was specified in a Secret `default-token-abc`, then we can:
   
   ```shell
   kubectl get secrets default-token-abc  -o jsonpath={.data.token} | base64 -d
   ```

##########
File path: apisix/discovery/kubernetes/init.lua
##########
@@ -30,7 +30,11 @@ local util = require("apisix.cli.util")
 local local_conf = require("apisix.core.config_local").local_conf()
 local informer_factory = require("apisix.discovery.kubernetes.informer_factory")
 
-local endpoint_dict
+local endpoint_dict = ngx.shared.kubernetes
+if not endpoint_dict then
+    error("failed to get nginx shared dict: kubernetes, please check your APISIX version")
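Review bot: Since this `error()` runs at require time and aborts loading the whole discovery module, the message should tell the operator what to add rather than only "check your APISIX version": naming the missing directive (`lua_shared_dict kubernetes <size>;`) and where it is expected to live covers the case of a custom nginx.conf template on a current APISIX, which the version hint would send down the wrong path.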

Review comment:
       ```suggestion
       error("failed to get lua_shared_dict: kubernetes, please check your APISIX version")
   ```



