Kong Gateway
The platform uses Kong version 3.0.2.
Kong Overview
Kong is an open-source API gateway built on OpenResty + Lua.
Kong or Kong API Gateway is a cloud-native, platform-agnostic, scalable API Gateway distinguished for its high performance and extensibility via plugins. By providing functionality for proxying, routing, load balancing, health checking, authentication (and more), Kong serves as the central layer for orchestrating microservices or conventional API traffic with ease. Kong runs natively on Kubernetes thanks to its official Kubernetes Ingress Controller.
Source code: https://github.com/kong/kong
Documentation: https://docs.konghq.com/gateway/latest/
The platform runs two Kong instances, named kong and kong2. Every platform service (application) starts kong; the routes registered on it are the APIs of that service only. Only the portal service starts kong2; the routes registered on it are the APIs of all services, and this gateway acts as the routing gateway for the services under a tenant.
Kong Gateway Modes
Two modes
- Database mode
  - Supported databases: postgres, cassandra, sqlite3, mysql, kingbase8 (only postgres and cassandra come from open-source Kong; the others are platform additions, see below)
  - Gateway objects (services, routes, plugins, ...) can be changed at runtime through the Admin API
- DB-less (off) mode
  - The route configuration is kept in a declarative YAML file
  - Gateway objects are read-only; they cannot be changed at runtime through the Admin API
  - The gateway exposes a config endpoint (POST /config on the Admin API) that accepts a new YAML file and replaces all objects at once
Route Selection Rules
Kong has three router modes (router_flavor): traditional, traditional_compat and expressions; the latter two were introduced in 3.0. The platform uses traditional mode, with one change to the traditional routing policy: routes do not support prefix matching, only exact matching (illustrated in the example below).
Open-source Kong routing policy: the route is selected by matching the request path against the paths declared on each route; the longer the matching route path, the higher its priority. The official description:
For each incoming request, Kong Gateway must determine which service gets to handle it based on the routes that are defined. With release 3.0, Kong Gateway introduced a new router that can be running in two modes, the traditional_compat mode, which is configured like prior releases, and the expressions mode which uses a new configuration scheme. It is recommended that new deployments use the expressions router as it is more powerful and expressive. The default mode of the router is traditional_compat and the following sections describe how it operates. traditional_compat mode is designed to behave like the router in versions before Kong Gateway 3.x. For a description of the expressions mode, see How to Configure Routes using Expressions. In general, the router orders all defined routes by their priority and uses the highest priority matching route to handle a request. If there are multiple matching routes with the same priority, it is not defined which of the matching routes will be used and Kong Gateway will use either of them according to how its internal data structures are organized. If a route contains prefix or regular expression paths, the priority of the route will be calculated separately for each of the paths and requests will be routed accordingly. In traditional_compat mode, the priority of a route is determined as follows, by the order of descending significance:
- Priority points
- Wildcard hosts
- Header count
- Regular expressions and prefix paths (for prefix paths, the longer path ranks higher)
For example, suppose the gateway has the following three routes:
route1: /
route2: /aa
route3: /aaaa
- Request /aa
  - Open-source Kong matches route2
  - The platform matches route2
- Request /aaa
  - Open-source Kong matches route2 (the longest route path that is a prefix of the request path)
  - The platform matches route1; if route1 is not registered, no route matches
- Request /aaaa
  - Open-source Kong matches route3
  - The platform matches route3
- Request /aaaaa
  - Open-source Kong matches route3
  - The platform matches route1; if route1 is not registered, no route matches
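To make the two policies concrete, here is a small Lua model of them, written for this page as an added illustration; it is not Kong's router code and not the platform's modification. `match_prefix` follows the open-source traditional router, where a route path matches any request path that starts with it and the longest match wins; `match_exact` follows the platform's policy as described above, where only an identical path matches and the `/` route, when registered, is the fallback. The route table and request paths are the ones from the example.

```lua
-- Added example: a model of the two matching policies, not Kong's router.
local routes = { "/", "/aa", "/aaaa" }   -- route1, route2, route3 from the example

-- Open-source traditional router (prefix matching): every route whose path is
-- a prefix of the request path matches, and the longest such path wins.
local function match_prefix(path, route_paths)
  local best
  for _, p in ipairs(route_paths) do
    if path:sub(1, #p) == p and (best == nil or #p > #best) then
      best = p
    end
  end
  return best
end

-- Platform policy (exact matching): only a route whose path equals the request
-- path matches; the "/" route, if one is registered, catches everything else.
local function match_exact(path, route_paths)
  local root
  for _, p in ipairs(route_paths) do
    if p == path then
      return p
    elseif p == "/" then
      root = p
    end
  end
  return root
end

local requests = { "/aa", "/aaa", "/aaaa", "/aaaaa" }

print(string.format("%-8s %-14s %-14s", "request", "open-source", "platform"))
for _, r in ipairs(requests) do
  print(string.format("%-8s %-14s %-14s",
    r,
    match_prefix(r, routes) or "(no route)",
    match_exact(r, routes) or "(no route)"))
end

-- Without route1 ("/") the platform has no fallback: /aaa and /aaaaa match nothing,
-- while the open-source router still routes them to the longest prefix.
local without_root = { "/aa", "/aaaa" }
print("-- same requests, route1 removed --")
for _, r in ipairs({ "/aaa", "/aaaaa" }) do
  print(string.format("%-8s %-14s %-14s",
    r,
    match_prefix(r, without_root) or "(no route)",
    match_exact(r, without_root) or "(no route)"))
end
```

Run it with any Lua 5.1+ or LuaJIT interpreter; it uses only the standard library, and the order of entries in the route table does not affect the result. The practical consequence for plugins: with prefix matching, the plugins attached to route2 (for example authentication) also govern `/aaa`; with the platform's exact matching, `/aaa` runs under route1's plugins or is rejected outright, so every API a client is expected to call must be registered with its full path.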
Plugin Principles and Rules
Kong Gateway is a Lua application designed to load and execute modules, which we commonly refer to as plugins. Plugins provide advanced functionality and extend the use of the Kong Gateway, allowing you to add more features to your implementation.
Phases in which a plugin runs:
- init_worker
  - runs once when each Nginx worker process starts (not per request)
- rewrite
  - rewrite the incoming request
- access
  - before the request is proxied to the upstream
- header_filter
  - process the response headers
- body_filter
  - process the response body
- log
  - after the request has completed
A plugin can run additional logic in any of these phases.
Plugin Scope
In open-source Kong a plugin can be applied to Consumers, Consumer groups, Services or Routes, or be configured as a global plugin (it then runs on every request to any route). In the platform, plugins are only applied to Routes; the other scopes are not supported yet.
Plugin Execution Order
Several different plugins can be attached to one object. For example, the routes of each service registered on the portal's Kong2 gateway carry the following plugins:
- cors
- authentication
- authorize
- micro-service-router-helper
When such a route is called, these four plugins run one after another in that order. The order is fixed when a plugin is written: every plugin has a PRIORITY attribute, and within each phase Kong runs the plugin with the larger PRIORITY value first (so cors, which runs first above, has the highest PRIORITY of the four; the bundled open-source cors plugin, for instance, has PRIORITY 2000). Note that a larger number runs earlier, not later. Because plugins can also be configured globally, when the same plugin is configured both on a route and globally, only the route-level instance runs and the global one is ignored.
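The following handler shows where PRIORITY and the phases listed above fit together in a Kong 3.x plugin. It is an added example written for this page, not one of the platform's plugins: the plugin name `request-audit`, its PRIORITY of 900, the header names and the `config.require_header` / `config.tag` fields are assumptions. It uses only Kong PDK functions that exist in 3.x. The file would live at `kong/plugins/request-audit/handler.lua`, and Kong also requires a `schema.lua` next to it declaring the two config fields (not shown).

```lua
-- kong/plugins/request-audit/handler.lua
-- Added example for this page, not one of the platform's plugins. The plugin
-- name, PRIORITY and config fields (require_header, tag) are assumptions; the
-- schema.lua that declares them is not shown.
local kong = kong

local RequestAudit = {
  VERSION  = "0.1.0",
  -- Kong runs the plugin with the larger PRIORITY first in each phase. With 900
  -- this handler runs after the bundled cors plugin (PRIORITY 2000) and after any
  -- authentication plugin with a higher value, so by the time its access handler
  -- runs, an unauthenticated request has already been rejected upstream of it.
  PRIORITY = 900,
}

-- init_worker: once per Nginx worker at startup, not per request.
function RequestAudit:init_worker()
  kong.log.info("request-audit worker initialised")
end

-- rewrite: before the router has run, so the route is not known yet. Kong only
-- invokes this handler for plugins configured globally; a route-scoped
-- instance (the only scope the platform supports) never reaches it.
function RequestAudit:rewrite(conf)
  kong.log.debug("rewrite phase: route not yet known")
end

-- access: after routing, before the request is proxied upstream. Returning a
-- response here short-circuits the request: no later plugin's access handler
-- and no upstream call happens.
function RequestAudit:access(conf)
  if conf.require_header then
    local value = kong.request.get_header(conf.require_header)
    if not value or value == "" then
      return kong.response.exit(400, { message = "missing " .. conf.require_header })
    end
  end
  -- Header that the upstream service will see.
  kong.service.request.set_header("X-Audit-Tag", conf.tag or "none")
  -- kong.ctx.plugin is private to this plugin for the current request.
  kong.ctx.plugin.started_at = ngx.now()
end

-- header_filter: the upstream response headers have arrived.
function RequestAudit:header_filter(conf)
  kong.response.set_header("X-Audit-Status", tostring(kong.response.get_status()))
end

-- body_filter: called for every chunk of the response body; keep it cheap.
function RequestAudit:body_filter(conf)
  -- Nothing to change here; present only to mark the phase.
end

-- log: after the response has been sent; the right place for audit records.
function RequestAudit:log(conf)
  local started = kong.ctx.plugin.started_at
  local route = kong.router.get_route()
  kong.log.notice("audit ",
    kong.request.get_method(), " ", kong.request.get_path(),
    " status=", kong.response.get_status(),
    " route=", (route and route.name) or "-",
    started and (" access_to_log_ms=" .. math.floor((ngx.now() - started) * 1000)) or "")
end

return RequestAudit
```

In database mode the plugin is attached to a route with `POST /routes/{route name or id}/plugins` and `name=request-audit` on the Admin API; in DB-less mode it is listed under that route's `plugins:` in the declarative YAML. Either way the handler's PRIORITY, not the order of configuration, decides where it runs relative to cors, authentication and the others.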
Platform Customizations of Kong
Added plugins
- Micro-service routing
  - cross-domain-proxy, local-ide-router, micro-service-router, redirect, forward, micro-service-debug-router, micro-service-router-helper, upstream-proxy
- Login and authorization
  - twofactorlogin, authentication, authorize, user-swap, grafana-authorize, userinfo4eos
- Security
  - appscan, crypto-request, auth-limit, inner-token
- Logging
  - http-op-log, udp-op-log, access_log, operation-log
- Other
  - aop-before, disable-api, cache, headers-cache, health-check, mini-server, write-headers, cost-time, get-ip, activator, skywalking, parent-path, metrics, api-expose, path-transformer, route-expose
Added database support
Open-source Kong supports two databases, postgres and cassandra, for storing the gateway's objects.
The platform adds support for mysql, sqlite and kingbase8; kingbase8 is supported through DBProxy.