Apache Apisix Installation on Openshift
Introduction
In the rapidly evolving landscape of microservices and distributed architectures, effective API management is crucial. Apache APISIX emerges as a powerful and flexible API gateway solution, offering a range of features to facilitate the development, deployment, and management of APIs. In this article, we will delve into the key aspects of Apache APISIX, exploring its architecture, features, and advantages.
What is Apache APISIX?
Apache APISIX is an open-source API gateway designed to handle the complexities of modern API management. Developed by the Apache Software Foundation, APISIX is built to be highly extensible, scalable, and adaptable to various use cases. It provides a unified entry point for managing, securing, and optimizing API traffic in a microservices environment.
Key Features
1. Dynamic Routing
One of APISIX’s standout features is its dynamic routing capabilities. It allows developers to define and update routing rules in real-time without the need for service restarts. This flexibility is particularly valuable in scenarios where APIs and microservices are constantly evolving.
2. Load Balancing
APISIX incorporates advanced load balancing algorithms to distribute incoming API requests across multiple backend servers. This ensures optimal resource utilization and high availability, contributing to improved system reliability.
3. Rate Limiting and Quotas
To prevent abuse and ensure fair usage of resources, APISIX supports rate limiting and quotas. Administrators can set limits on the number of requests a client can make within a specific time frame, helping to maintain system stability.
4. Security Features
Security is a top priority for APISIX. It includes features such as access control, SSL/TLS termination, and request validation, safeguarding APIs from unauthorized access and potential security threats.
5. Plugin System
APISIX’s modular architecture is enhanced by a robust plugin system, allowing users to extend its functionality. Whether it’s authentication, logging, or custom transformations, the plugin system provides a mechanism for tailoring APISIX to specific requirements.
Architecture
APISIX follows a decentralized architecture, leveraging the Nginx web server as its core. Nginx serves as the proxy layer, handling incoming requests and responses, while the APISIX control plane manages configuration and dynamic updates. This separation of concerns contributes to the scalability and performance of APISIX.
Use Cases
APISIX finds applications in various scenarios, including:
- Microservices Architecture: APISIX simplifies the complexities of microservices communication by acting as a unified entry point for API requests.
- API Management: Organizations can use APISIX to manage the lifecycle of their APIs, from creation and deployment to monitoring and optimization.
- Cloud-Native Environments: With support for container orchestration platforms like Kubernetes, APISIX is well-suited for cloud-native deployments.
Conclusion
Apache APISIX stands out as a versatile and powerful solution for API management in modern, distributed architectures. Its dynamic routing, load balancing, and extensible plugin system make it a compelling choice for organizations seeking an open-source, scalable, and feature-rich API gateway.
For those embarking on the journey of microservices and API-driven development, Apache APISIX offers a reliable and flexible gateway to streamline the complexities of managing API traffic. As the open-source community continues to contribute and enhance APISIX, its capabilities are likely to evolve, making it an even more indispensable tool in the realm of API management.
Installation
- Apache Apisix
Install Apache Apisix with the below command.
oc new-project apisix
helm repo update
helm install apisix apisix/apisix
oc adm policy add-cluster-role-to-user cluster-admin system:serviceaccount:apisix-acc:default
oc adm policy add-scc-to-user restricted-v2 -z default- Apache Apisix Dashboard
If you want to use Apache Apisix Dashboard, You can use the below command for installation.
helm install apisix-dashboard apisix/apisix-dashboardApache Apisix MTLs on Openshift Environment (Optional)
Should create pvc for MTLs certificates. For example
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: apisix-certs
namespace: apisix
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 100Mi
storageClassName: #SCNAME#
volumeMode: FilesystemAdd the new PVC to Apache Apisix Deployment yaml. For Example;
Update securityContext in deployment.
Reload deployment. And create ssl-extensions-x509.cnf cnf file. For example;
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:*.anonimiseren-cb9944187767ee02d576aa815e2c50c2-0000.eu-de.containers.appdomain.cloudCreate CA, Server and Client certificate.
# For ROOT CA
openssl genrsa -out ca.key 2048
openssl req -new -sha256 -key ca.key -out ca.csr -subj "/CN=ROOTCA"
openssl x509 -req -days 36500 -sha256 -extensions v3_ca -signkey ca.key -in ca.csr -out ca.cer
# For server certificate
openssl genrsa -out server.key 2048
# Note: The `test.com` in the CN value is the domain name/hostname we want to test
openssl req -new -sha256 -key server.key -out server.csr -subj "/CN=*.eu-de.containers.appdomain.cloud" -addext "subjectAltName = DNS:*.xxxxxxx-44187767ee0-0000.eu-de.containers.yyyy.cloud"
openssl x509 -req -days 36500 -sha256 -extensions v3_req -extfile ./ssl-extensions-x509.cnf -CA ca.cer -CAkey ca.key -CAserial ca.srl -CAcreateserial -in server.csr -out server.cer
# For client certificate
openssl genrsa -out client.key 2048
openssl req -new -sha256 -key client.key -out client.csr -subj "/CN=CLIENT"
openssl x509 -req -days 36500 -sha256 -extensions v3_req -CA ca.cer -CAkey ca.key -CAserial ca.srl -CAcreateserial -in client.csr -out client.cer
# Convert client certificate to pkcs12 for Windows usage (optional)
openssl pkcs12 -export -clcerts -in client.cer -inkey client.key -out client.p12Copy all certificate to the pod. For exapmle;
oc cp * apisix-7886f56c95-zs667:/certsUpdate Apisix config.
admin_listen:
ip: 127.0.0.1
port: 9180
https_admin: true
admin_api_mtls:
admin_ssl_ca_cert: "/data/certs/mtls_ca.crt" # Path of your self-signed ca cert.
admin_ssl_cert: "/data/certs/mtls_server.crt" # Path of your self-signed server side cert.
admin_ssl_cert_key: "/data/certs/mtls_server.key" # Path of your self-signed server side key.
ssl:
enable: trueAnd reload deployment. Create a test route with the below command.
curl --cacert ca.cer --key client.key --cert client.cer -X PUT 'https://YOURADMINURL/apisix/admin/routes/1' \
--header 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
--header 'Content-Type: application/json' \
--data-raw '{
"uri": "/anything",
"plugins": {
"proxy-rewrite": {
"headers": {
"X-Ssl-Client-Fingerprint": "$ssl_client_fingerprint",
"X-Ssl-Client-Serial": "$ssl_client_serial",
"X-Ssl-Client-S-DN": "$ssl_client_s_dn"
}
}
},
"upstream": {
"nodes": {
"httpbin.org":1
},
"type":"roundrobin"
}
}'curl -i -X GET "https://YOURGATEWAYURL/anything" -k --cert ./client.cer --key ./client.key
Apache Apisix body-transformer plugin Installation (Optional)
enable_control: true
control:
ip: "127.0.0.1"
port: 9090Open the Apisix pod, run the command, and copy the schema.json file to the local machine
curl 127.0.0.1:9090/v1/schema > schema.json
oc cp apisix-5c89b55545-qzhcr:/tmp/schema.json schema.jsonCreate config map by using schema.json
oc create configmap schema.json --from-file=schema.jsonAdd the config map to Apisix dashboard deployment. For example;
