Skip to content

Latest commit

 

History

History
142 lines (88 loc) · 7.7 KB

design.md

File metadata and controls

142 lines (88 loc) · 7.7 KB

ingress-controller

Apache APISIX ingress for Kubernetes.

Modules

Architecture

1.Ingress-types

  • defines the CRD(CustomResourceDefinition) needed by Apache APISIX

  • currently supports ApisixRoute/ApisixService/ApisixUpstream,and other service and route level plugins;

  • can be packaged as a stand-alone binary, keep in sync with the ingress definition;

  • CRD design

2.Types

  • define interface objects to match concepts from Apache APISIX like route, service, upstream, and plugin;

  • can be a packaged as a stand-alone binary, need to match with compatible Apache APISIX version;

  • add new types to this module to support new features;

3.Seven

  • contains main application logic;

  • Sync the k8s cluster states to Apache APISIX, based on Apisix-types object;

4.Ingress-controller

  • driver process for ingress controller; watches k8s apiserver;

  • match and covert Apisix-ingress-types to Apisix-types before handing the control over to the above module seven;

CRD design

Currently apisix-ingress-controller CRDs consist of 3 parts: ApisixRoute/ApisixService/ApisixUpstream. The design follows the following ideas.

  1. The most important part of the gateway is the route part, which is used to define the distribution rules of the gateway traffics.
  2. In order to facilitate understanding and configuration, the design structure of ApisixRoute is basically similar to Kubernetes Ingress.
  3. In the design of annotation, the structure of Kubernetes Ingress is used for reference, but the internal implementation is based on the plug-in of Apache APISIX.
  4. Both ApisixRoute and ApisixService can be bound to plug-ins, which is consistent with Apache APISIX.
  5. In the simplest case, you only need to define ApisixRoute, and the Ingress controller will automatically add ApisixService and ApisixUpstream.
  6. ApisixService, like Apache APISIX service, is a grouping of routes, which can simplify the configuration complexity of the same plug-in.
  7. ApisixUpstream can define some details on Apache APISIX upstream, such as load balancing/health check, etc.

Monitoring CRDs

apisix-ingress-controller is responsible for interacting with the Kubernetes Apiserver, applying for accessible resource permissions (RBAC), monitoring changes, and implementing object conversion within the Ingress controller, comparing the changes, and then synchronizing to Apache APISIX.

Timing diagram

flow

Conversion structure

apisix-ingress-controller provides external configuration methods for CRDs. It is aimed at operators such as daily operation and maintenance, who often need to process a large number of routes in batches, hoping to handle all related services in the same configuration file, and at the same time have convenient and understandable management capabilities. Apache APISIX is designed from the perspective of the gateway, and all routes are independent. This leads to obvious differences in the data structure between the two. One focuses on batch definition, while the other is discrete implementation.

Taking into account the usage habits of different groups of people, the data structure of CRDs draws on the data structure of Kubernetes Ingress, and is basically the same in shape.

A simple comparison is as follows, they have different definitions:

strut-compare

They are a many-to-many relationship.Therefore, apisix-ingress-controller has to do some conversion of CRDs to adapt to different gateways.

Cascade update

At present, we have defined multiple CRDs, and these CRDs are responsible for the definition of their respective fields. ApisixRoute/ ApisixService / ApisixUpstream correspond to objects such as route/ service / upstream in Apache APISIX. As the strong binding relationship between APISIX objects, when modifying and deleting batch data structures such as CRDs, you have to consider the impact of cascading between objects.

So, in apisix-ingress-controller, a broadcast notification mechanism is designed through channel, that is, the definition of any object must be notified to other objects related to it and trigger the corresponding behavior.

hierarchical

In a typical scenario, there is a many-to-many relationship between ApisixRoute and ApisixService, and a one-to-one relationship between ApisixService and ApisixUpstream.

  • When the ApisixService changes, it needs to be notified upwards to the ApisixRoute, and also needs to be notified downwards to the corresponding ApisixUpstream.
  • When one of the http-route in ApisixRoute changes, the relevant ApisixService and ApisixUpstream need to be notified.

This is particularly prominent in modify and delete.

We can initiate discussions in this area and propose a more reasonable design plan

Diff rules

The seven module internally saves memory data structures, which is currently very similar to the Apache Apisix resource object. When the Kubernetes resource object is newly changed, seven will compare the memory objects and update incrementally according to the result of the comparison.

The current comparison rule is based on the grouping of route / service / upstream resource objects, compare them separately, and make corresponding broadcast notifications after finding the differences.

diff-flow

Service Discovery

According to the namespace name port defined in the ApisixUpstream resource object, apisix-ingress-controller will register the endpoints node information in the running state to the nodes in Apache APISIX Upstream. And according to Kubernetes Endpoint status is synchronized in real time.

Based on service discovery, Apache APISIX Ingress can directly access backend Pod nodes. Bypassing Kubernetes Service, it is possible to implement customized load balancing strategies.

Annotation implementation

Unlike the implementation of Kubernetes Nginx Ingress, the implementation of Annotation by apisix-ingress-controller is based on the plug-in mechanism of Apache APISIX.

For example, the settings of the black and white list can be configured through the k8s.apisix.apache.org/whitelist-source-range annotation in the ApisixRoute resource object.

apiVersion: apisix.apache.org/v1
kind: ApisixRoute
metadata:
  annotations:
    k8s.apisix.apache.org/whitelist-source-range: 1.2.3.4,2.2.0.0/16
  name: httpserver-route
spec:
    ...

The black and white list here is implemented by the ip-restriction plugin.

There will be more annotation implementations in the future to facilitate the definition of some common configurations, such as CORS.

If you have some annotation needs, welcome to issue to discuss, let’s discuss how to implement it.