API Gateway Comparison

Overview

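Kong and APISIX are two of the most popular open-source API gateways today. This article compares how the two are deployed and used, as a simple reference. Most people are familiar with Kong, but fewer know APISIX. Are Kong and APISIX similar in how they are used and how they name their features, or do they follow different ideas? Read on.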

I. Kong

1.1 Installation

    # Install Kong
    $ helm repo add kong https://charts.konghq.com
    $ helm repo update
    $ helm fetch kong/kong
    $ tar xf kong-2.5.0.tgz
    $ cd kong
    $ ls
    CHANGELOG.md  Chart.yaml  FAQs.md  README.md  UPGRADE.md  charts  ci  crds  example-values  requirements.lock  requirements.yaml  templates  values.yaml
    # ... configuration required:
    #   1. PostgreSQL as the datastore
    #   2. allow plain-text calls to the Admin API

    # Install Konga (gc is the author's shell alias, presumably for git clone)
    $ gc https://github.com/pantsel/konga.git
    $ ls konga
    Chart.yaml  templates  values.yaml
    # ... configuration required:
    #   1. read the PostgreSQL secret and fill in the connection details

    # Deploy (kp and ks are the author's shell aliases; the output is that of
    # kubectl get pods and kubectl get svc)
    $ helm install kong .
    $ helm install konga .
    $ kp
    NAME                         READY   STATUS    RESTARTS   AGE
    kong-kong-85d4dfd88b-hjkwt   2/2     Running   2          111s
    kong-postgresql-0            1/1     Running   0          15m
    konga-5b8c899c9-9zbd6        1/1     Running   0          14m
    vagrant@node1:~/kong/kong$ ks
    NAME                       TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
    kong-kong-admin            NodePort    172.30.46.68     <none>        8001:31055/TCP   15m
    kong-postgresql            ClusterIP   172.30.194.189   <none>        5432/TCP         15m
    kong-postgresql-headless   ClusterIP   None             <none>        5432/TCP         15m
    konga                      NodePort    172.30.111.78    <none>        80:32001/TCP     14m

Open the Konga UI at localhost:32001

Set the Kong Admin connection URL: http://kong-kong-admin.kong.svc.cluster.local:8001/

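1.2 Configuring access to a service through Kong

Configure a service. In Kong, a service represents the actual backend to be reached; this is where the protocol, host, port, path, retries and so on are set.

A route must be created under a service. Here we create a route with multiple paths and specify the Host that it proxies.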

    # Test access
    $ curl -XGET http://172.16.166.149:8000/api/test/ -H "Host: www.kongtest.com" -H "name: siming" -I
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    Content-Length: 2381
    Connection: keep-alive
    Accept-Ranges: bytes
    Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
    Date: Fri, 29 Oct 2021 03:05:59 GMT
    Etag: "588604c8-94d"
    Last-Modified: Mon, 23 Jan 2017 13:27:36 GMT
    Pragma: no-cache
    Server: bfe/1.0.8.18
    Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
    X-Kong-Upstream-Latency: 31
    X-Kong-Proxy-Latency: 109
    Via: kong/2.6.0

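1.3 Consumers and plugins

A consumer is an abstraction for a group of requests of the same kind; plugins implement controls such as authentication and rate limiting. Here we demonstrate the JWT authentication plugin.

  1. In the route's plugins, enable JWT authentication; configure the token to be read from the URI param "jwt", and set client_id as the JWT's validation key

  2. The JWT can be generated on the JWT website (https://jwt.io/): fill in the corresponding algorithm and the PAYLOAD (the key agreed on in the route earlier)

  3. Then enter the information above into the consumer's JWT plugin (the key name, the algorithm and the public key) and save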

  4. Test access

    $ curl -XGET http://172.16.166.149:8000/api/test/?username=zhangsiming -H "Host: www.kongtest.com" -H "name: siming"
    {"message":"Unauthorized"}

    $ curl -XGET http://172.16.166.149:8000/api/test/?jwt=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRfaWQiOiJzaW1pbmcifQ.OciIJI2HRNa6CteoCn3D87q7pjJZ3u7vrXp0TaKWTuCgwyUJfCoC2c1RSKTz0Eg2GjOrP-u74hVMhBPZzCK1T9ChEOlFqmmS-CnKmh_jlC8RPeGJ2AhJDk7yOos176xgu11jt14nFVFAKzaTaKI4YkmXJ7eTx7TB3WYG0HpNDAgIl6q3UluHERMO-5DT4n3-ev5xHCe-H6InHmGzKkR2t02_lUbbR7EDz2M_YDWJu8enXgBeyHKIoE7ewE0rO66yIm-3UHqHfUJd4BQ5ii73xd8IuhcAgFgTuZ6ffXotxAHuBdoPCEN-qRxcI_dhEXxmiKCNg1QPX1FBpRcbG9uOaw -H "Host: www.kongtest.com" -H "name: siming" -I
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    Content-Length: 2381
    Connection: keep-alive
    Accept-Ranges: bytes
    Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
    Date: Fri, 29 Oct 2021 06:51:27 GMT
    Etag: "588604c8-94d"
    Last-Modified: Mon, 23 Jan 2017 13:27:36 GMT
    Pragma: no-cache
    Server: bfe/1.0.8.18
    Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
    X-Kong-Upstream-Latency: 39
    X-Kong-Proxy-Latency: 1
    Via: kong/2.6.0
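
The token accepted in the test above carries only the client_id claim that the route was configured to look up. The following added example (not part of the original article) decodes a token's header and payload without verifying the signature and lists what an operator should review before relying on it; the function names, the `now` values and the second token are assumptions constructed for illustration.

```python
import base64
import json

def b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_json(obj):
    """Encode a dict as a JWT segment (used only to build the constructed sample)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def audit_jwt(token, key_claim, now):
    """Decode header and payload WITHOUT verifying the signature and report
    what an operator should review. This is inspection, not authentication."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("alg is none: token is unsigned")
    if key_claim not in claims:
        findings.append("key claim %r missing" % key_claim)
    if "exp" not in claims:
        findings.append("no exp claim: token has no expiry")
    elif claims["exp"] <= now:
        findings.append("exp is in the past")
    return {"alg": header.get("alg"), "claims": claims, "findings": findings}

# Header and payload are the segments from the Kong request above; the
# signature is a constructed placeholder, since nothing here verifies it.
KONG_TOKEN = ("eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9"
              ".eyJjbGllbnRfaWQiOiJzaW1pbmcifQ.c2ln")
# Constructed sample: the same claim plus an expiry (the value is made up).
EXPIRING_TOKEN = ".".join([b64url_json({"alg": "RS256", "typ": "JWT"}),
                           b64url_json({"client_id": "siming", "exp": 1635500000}),
                           "c2ln"])

if __name__ == "__main__":
    for name, tok in (("kong", KONG_TOKEN), ("expiring", EXPIRING_TOKEN)):
        print(name, audit_jwt(tok, "client_id", now=1635490000))
```

Kong's jwt plugin rejects expired tokens only when exp is listed in its config.claims_to_verify setting, so a token minted without exp, like the one in the test, stays usable until the consumer's JWT credential is removed or rotated.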

II. APISIX

2.1 Installation

Unlike Kong, APISIX officially ships with its own web UI

    $ helm repo add apisix https://charts.apiseven.com
    $ helm repo update
    $ helm fetch apisix/apisix
    $ helm fetch apisix/apisix-dashboard

    $ kp
    NAME                                READY   STATUS    RESTARTS   AGE
    apisix-5d5665c8f-sbjhr              1/1     Running   0          17m
    apisix-dashboard-59fb575657-zt26r   1/1     Running   0          6m
    apisix-etcd-0                       0/1     Running   0          13s
    apisix-etcd-1                       1/1     Running   0          93s
    apisix-etcd-2                       1/1     Running   0          2m55s

Once it is deployed, open the dashboard; the default username/password is admin/admin

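2.2 Configuring access to a service through APISIX

The concepts here differ slightly from Kong's:

  1. upstream: similar to Kong's service; it represents the upstream service that APISIX calls on the client's behalf, and supports load-balancing weights
  2. route: the same concept as in Kong; it configures the specific path, method and so on used to reach APISIX
  3. service: a configuration template for routes; what is configured in a service can be reused directly in routes (using one is optional)

Here we configure a service so that a route matches only when APISIX is accessed with the domain "www.testapisix.com", and the upstream service is test

Here the upstream service is configured to reach www.baidu.com, with rr (round-robin) load balancing

Here we configure the route:

  1. Reuse the service configuration directly, so Host does not need to be configured in the host section;
  2. Configure the path used to request APISIX; wildcards are supported
  3. URI Override is similar to Kong's strip host: it changes the URI part when proxying
  4. Finally, custom Header requirements can also be attached

Test access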

    $ curl -XGET http://172.16.166.158:9080/api/test/ -H "Host: www.testapisix.com" -H "test: name" -I
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Content-Length: 2381
    Connection: keep-alive
    Accept-Ranges: bytes
    Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
    Date: Mon, 01 Nov 2021 08:10:41 GMT
    Etag: "588604c8-94d"
    Last-Modified: Mon, 23 Jan 2017 13:27:36 GMT
    Pragma: no-cache
    Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
    Server: APISIX/2.10.0

2.3 Consumers and plugins

APISIX can generate JWT tokens itself; here we demonstrate the JWT token authentication plugin.
Add the plugin configuration to the consumer: edit the JSON and set "key": "a unique value", then the public and private keys and the algorithm, and save

Enable the JWT plugin on the service (or the route)

Test access

    $ curl -XGET http://172.16.166.158:9080/api/test/more/ -H "Host: www.testapisix.com" -H "test: name" -I
    HTTP/1.1 401 Unauthorized
    Date: Mon, 01 Nov 2021 08:10:17 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Server: APISIX/2.10.0

    # Get a JWT token generated by APISIX
    $ curl -XGET http://172.16.166.158:9080/apisix/plugin/jwt/sign?key=zhangsiming
    [...].eyJleHAiOjE2MzU4NDA2MjksImtleSI6InpoYW5nc2ltaW5nIn0.UErqUg229bwy5ZgYwEibtawT1CpwVP_UKIm-C7-XtMYUjhM6-lE695zFP31s7hp3SsS2PvoZtAEhCgd_fmZXx92EGGL87XYI0xbJ5uWweKettmxkc0cLFWwEL6MNOmqyoaW9gNDtd28K_M1dpzAwZdzz2GNr2e_G1UTrxlQUNorJEg9THIrkLjvrs7NAuvRuSnGd93G4tcXy1G6m0pCAg-Z4oehJS4vMpicmwedQbob0GytBM9Ef_r2gSj8IVVW8MMLWkA-TkPWuMx2nWeK1DdB4-l5I2f4Iu1It17rZqn6VX2ARnN_AFyG5ahT22pIGtdw71Od320hUUDH3I1rmtQ

    # Access with the JWT token
    $ curl -XGET http://172.16.166.158:9080/api/test/?jwt=[...].eyJleHAiOjE2MzU4MzkwNjcsImtleSI6InpoYW5nc2ltaW5nIn0.UR6UnkdAuELK_YP3Kk6V4D4CxoPzTSw5lAx-64As_p68tyUQsp7cuR0MvCLEZ1LtSpF5VlJ1-4fUreAbNAzJQs_FBgDvkUcm4SkdqO_Ss4b0xDiXbF771oJeVybKQA-3fDd_4ieEjCyfsFkg1urgzc_tj96NBiW0YOV98RNJzf9adYZI2MLU_QbEqSEH-f9m0ArTlFLEBnVDOQls3JSc6dWobVbkZZ1kE12YeEq0zCdjEFoUEqy3f6rojobgBFmzvG7xQqn4Jd0o3d5iXBcGbMNn19X_Jo5z47zPI8tCN9ZfHWPtc8ts3HYx_2DmBPZAlEeY3Gs2izPdCHt38evEoA -H "Host: www.testapisix.com" -H "test: name" -I
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Content-Length: 2381
    Connection: keep-alive
    Accept-Ranges: bytes
    Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
    Date: Mon, 01 Nov 2021 08:10:41 GMT
    Etag: "588604c8-94d"
    Last-Modified: Mon, 23 Jan 2017 13:27:36 GMT
    Pragma: no-cache
    Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
    Server: APISIX/2.10.0

Note that APISIX supports two ways of passing the JWT:

  1. URI param: ?jwt=xxxxx
  2. Header: -H "Authorization: xxxx"
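
The URI-param form puts the token into the request line, which access logs commonly record, whereas the Authorization header is not part of that line. The following added example (not part of the original article) flags and masks JWTs found in query strings of access-log lines; the nginx-style log format, the addresses, the tokens and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Request part of an access-log line: "METHOD target HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# Compact JWS shape: three base64url segments, the first starting with eyJ ('{"')
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
TOKEN_PARAMS = {"jwt"}  # the uri param name used in both walkthroughs

def redact_target(target):
    """Mask JWT-bearing query values; return (new_target, changed)."""
    parts = urlsplit(target)
    changed, pairs = False, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in TOKEN_PARAMS or JWT_RE.match(value):
            value, changed = "REDACTED", True
        pairs.append((name, value))
    if not changed:
        return target, False  # leave untouched targets byte-for-byte intact
    return urlunsplit(parts._replace(query=urlencode(pairs))), True

def scrub_line(line):
    """Return (line with tokens masked, True if a token was found)."""
    m = REQ_RE.search(line)
    if not m:
        return line, False
    target, changed = redact_target(m.group("target"))
    if not changed:
        return line, False
    return line[:m.start("target")] + target + line[m.end("target"):], True

# Constructed access-log lines (addresses and tokens are sample values).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2021:08:10:41 +0000] "GET /api/test/?jwt=eyJhbGciOiJSUzI1NiJ9.eyJrZXkiOiJkZW1vIn0.c2ln HTTP/1.1" 200 2381',
    '10.0.0.5 - - [01/Nov/2021:08:10:42 +0000] "GET /api/test/?username=demo HTTP/1.1" 401 26',
    '10.0.0.6 - - [01/Nov/2021:08:10:43 +0000] "GET /cb?next=%2Fhome&t=eyJhbGciOiJSUzI1NiJ9.eyJrZXkiOiJkZW1vIn0.c2ln HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        cleaned, found = scrub_line(line)
        print("TOKEN-IN-URL" if found else "ok          ", cleaned)
```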

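III. Kong vs. APISIX

  1. APISIX configuration updates take effect in 0.2 ms, via event notification; Kong has to poll periodically, about every 5 s
  2. Single-core QPS (with the rate-limiting and prometheus plugins enabled): APISIX 18000, Kong 1700
  3. APISIX also supports user-defined load-balancing algorithms, ships with its own maintained dashboard, supports rate limiting over a specified time window, and so on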
