Kong API Gateway 部署

说明

  • 仅记录安装部署过程
  • 操作系统使用的CentOS-7.6.1810 x86_64
  • kong版本为1.1.2
  • 官方文档在这里

环境准备

PostgreSQL

安装过程

参考PostgreSQL10安装部署和初始化

创建kong所需的数据库和用户

登录PostgreSQL数据库

1
psql -U postgres

创建用户

1
create user kong with password 'kong_password';

创建数据库

1
create database kong owner kong;

授权用户拥有数据库所有权限

1
grant all privileges on database kong to kong;

Kong安装

配置YUM源

1
2
3
4
5
6
7
8
cat > /etc/yum.repos.d/kong.repo <<EOF
[bintray--kong-kong-rpm]
name=bintray--kong-kong-rpm
baseurl=https://kong.bintray.com/kong-rpm/centos/7
gpgcheck=0
repo_gpgcheck=0
enabled=1
EOF

安装kong

1
yum install -y kong-1.1.2-1

配置kong

1
/etc/kong/kong.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
# -----------------------
# Kong configuration file
# -----------------------
#------------------------------------------------------------------------------
# GENERAL
#------------------------------------------------------------------------------

# 没啥好调的
prefix = /usr/local/kong/
log_level = notice
proxy_access_log = /var/log/kong/access.log
proxy_error_log = /var/log/kong/error.log
admin_access_log = /var/log/kong/admin_access.log
admin_error_log = /var/log/kong/admin_error.log
#plugins = bundled
anonymous_reports = off

#------------------------------------------------------------------------------
# NGINX
#------------------------------------------------------------------------------
# proxy端口为对外提供服务的端口
proxy_listen = 0.0.0.0:80, 0.0.0.0:443 http2 ssl
#stream_listen = off
# 管理端口,注意安全!
# 此API接口是无权限认证的!
admin_listen = 127.0.0.1:8001, 127.0.0.1:8444 ssl
nginx_user = nobody nobody
nginx_worker_processes = auto
nginx_daemon = on
mem_cache_size = 128m
# SSL/TLS套件的说明可以看这里
# https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_cipher_suite = modern
#ssl_ciphers = ""
# 配置proxy端口的https证书
#ssl_cert = /path/to/cert
#ssl_cert_key = /path/to/key
# 客户端证书认证,一般情况不用设置
#client_ssl = off
#client_ssl_cert =
#client_ssl_cert_key =
# 配置Admin API端口的https证书
#admin_ssl_cert =
#admin_ssl_cert_key =
# 与upstream保持TCP连接,减少频繁建立TCP连接带来的性能损耗
upstream_keepalive = 60
#headers = server_tokens, latency_tokens
#trusted_ips =
# 经过CDN或者多级HTTP服务反向代理时,添加X-Real-IP请求头可以追溯到客户端真实IP
real_ip_header = X-Real-IP
#real_ip_recursive = off
# 客户端请求的body过大时会出现payload too large
# 设置为0时,不限制
client_max_body_size = 0
client_body_buffer_size = 16k
error_default_type = text/plain

#------------------------------------------------------------------------------
# DATASTORE
#------------------------------------------------------------------------------
database = postgres
pg_host = 127.0.0.1
pg_port = 5432
pg_timeout = 5000
pg_user = kong
pg_password = kong_password
pg_database = uat_kong
pg_schema = public
pg_ssl = off
#pg_ssl_verify = off

#------------------------------------------------------------------------------
# DATASTORE CACHE
#------------------------------------------------------------------------------
# 使用数据存储更新缓存的频率(秒),默认值5
db_update_frequency = 5
# 数据库节点的更新时间,对于最终一致性模型的数据库,需要配置各数据库节点之间数据同步的延迟
# 整个kong同步配置的延迟时间 等于 db_update_frequency + db_update_propagation
#db_update_propagation = 0
# 缓存过期时间
#db_cache_ttl = 0
# 缓存刷新时间
#db_resurrect_ttl = 30

#------------------------------------------------------------------------------
# DNS RESOLVER
#------------------------------------------------------------------------------
# 配置DNS服务器列表,仅提供给Kong使用,不会覆盖系统配置
#dns_resolver =
# 配置Kong的hosts文件,必须要重启Kong才能生效,仅提供给Kong使用,不会覆盖系统配置
#dns_hostsfile = /etc/hosts
# 解析不同记录类型的顺序。“LAST”类型表示最后一次成功查找的类型
#dns_order = LAST,SRV,A,CNAME
#dns_valid_ttl =
# 配置DNS记录缓存过期时间
#dns_stale_ttl = 4
#dns_not_found_ttl = 30
#dns_error_ttl = 1
#dns_no_sync = off

#------------------------------------------------------------------------------
# DEVELOPMENT & MISCELLANEOUS
#------------------------------------------------------------------------------
# 这个地方没啥好改的,默认值就好了
#lua_ssl_trusted_certificate =
#lua_ssl_verify_depth = 1
#lua_package_path = ./?.lua;./?/init.lua;
#lua_package_cpath =
#lua_socket_pool_size = 30

创建日志目录

1
mkdir -p /var/log/kong

初始化kong数据库

1
/usr/local/bin/kong migrations bootstrap -c /etc/kong/kong.conf

数据库初始化时输出示例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
bootstrapping database...
migrating core on database 'kong'...
core migrated up to: 000_base (executed)
core migrated up to: 001_14_to_15 (executed)
core migrated up to: 002_15_to_1 (executed)
core migrated up to: 003_100_to_110 (executed)
migrating oauth2 on database 'kong'...
oauth2 migrated up to: 000_base_oauth2 (executed)
oauth2 migrated up to: 001_14_to_15 (executed)
oauth2 migrated up to: 002_15_to_10 (executed)
migrating acl on database 'kong'...
acl migrated up to: 000_base_acl (executed)
acl migrated up to: 001_14_to_15 (executed)
migrating jwt on database 'kong'...
jwt migrated up to: 000_base_jwt (executed)
jwt migrated up to: 001_14_to_15 (executed)
migrating basic-auth on database 'kong'...
basic-auth migrated up to: 000_base_basic_auth (executed)
basic-auth migrated up to: 001_14_to_15 (executed)
migrating key-auth on database 'kong'...
key-auth migrated up to: 000_base_key_auth (executed)
key-auth migrated up to: 001_14_to_15 (executed)
migrating rate-limiting on database 'kong'...
rate-limiting migrated up to: 000_base_rate_limiting (executed)
rate-limiting migrated up to: 001_14_to_15 (executed)
rate-limiting migrated up to: 002_15_to_10 (executed)
rate-limiting migrated up to: 003_10_to_112 (executed)
migrating hmac-auth on database 'kong'...
hmac-auth migrated up to: 000_base_hmac_auth (executed)
hmac-auth migrated up to: 001_14_to_15 (executed)
migrating response-ratelimiting on database 'kong'...
response-ratelimiting migrated up to: 000_base_response_rate_limiting (executed)
response-ratelimiting migrated up to: 001_14_to_15 (executed)
response-ratelimiting migrated up to: 002_15_to_10 (executed)
24 migrations processed
24 executed
database is up-to-date

启动kong

1
/usr/local/bin/kong start -c /etc/kong/kong.conf

查看监听端口

80和443端口是业务端口

8001和8444是Admin API端口

1
2
3
4
5
6
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 17493/nginx: master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 17493/nginx: master
tcp 0 0 127.0.0.1:8444 0.0.0.0:* LISTEN 17493/nginx: master
tcp 0 0 127.0.0.1:8001 0.0.0.0:* LISTEN 17493/nginx: master

Kong访问测试

访问本机的8001端口

1
curl -i http://localhost:8001/

输出示例

1
2
3
4
5
6
7
HTTP/1.1 200 OK
Date: Wed, 29 May 2019 06:38:35 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/1.1.2
Content-Length: 5777

查看Nginx日志

在本文中已经定义了日志路径为/var/log/kong/

可以看到有四个日志文件

1
2
ls /usr/local/kong/logs/
access.log admin_access.log admin_error.log error.log

查看Nginx的PID文件

kong的配置文件没法定义PID文件的路径

默认在/usr/local/kong/pids/nginx.pid

创建kong的systemd服务脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
/usr/lib/systemd/system/kong.service
[Unit]
Description=Kong API Gateway
After=network.target

[Service]
User=root
Group=root
ExecStart=/usr/local/bin/kong start -c /etc/kong/kong.conf
ExecStop=/usr/local/bin/kong stop
ExecReload=/usr/local/bin/kong reload -c /etc/kong/kong.conf
Type=forking
PIDFile=/usr/local/kong/pids/nginx.pid
RestartSec=60
Restart=on-failure

[Install]
WantedBy=default.target

Kong集群

单节点集群

只有一个kong节点连接到数据库(cassandra或者PostgreSQL)时,通过kong的Admin API提交的变更都会立刻生效。

kong的配置信息是缓存在内存中。

多节点集群

在多个kong节点组成的集群中,这些kong节点都连接到同一个数据库(cassandra或者PostgreSQL),即可组成集群。

当其中一个节点提交了修改,那么其他节点是不会立刻感知到已经提交的变更。

因此所有kong节点会在后台定期执行任务,从数据库中读取其他节点提交的变更。

  • db_update_frequency 默认值5

每5秒,集群中所有的kong节点都会从数据库中获取最新的配置信息,并缓存到内存中

  • db_update_propagation默认值0

如果使用了Cassandra数据库集群,那么如果数据库有更新,最多需要db_update_propagation时间来同步所有的数据库副本。

如果使用PostgreSQL或者单数据库,这个值可以被设置为0

缓存

以下数据会被缓存在内存中,并通过后台任务的机制查询后端数据库进行更新

  • Services
  • Routes
  • Plugins
  • Consumers
  • Credentials

Konga安装

konga是kong的web可视化管理工具

这里在kong服务器上运行konga

安装Docker-CE

安装过程见官方文档

启动Docker

1
2
systemctl enable docker.service
systemctl start docker.service

创建konga数据库

登录PostgreSQL

1
psql -U postgres

创建konga数据库

1
create database konga owner kong;

授权kong用户拥有konga数据库所有权限

1
grant all privileges on database konga to kong;

初始化konga数据库

1
2
3
4
5
6
docker run --rm \
--net=host \
pantsel/konga:latest \
-c prepare \
-a postgres \
-u postgresql://kong:kong_password@127.0.0.1:5432/konga

输出示例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
debug: Preparing database...
Using postgres DB Adapter.
Database exists. Continue...
debug: Hook:api_health_checks:process() called
debug: Hook:health_checks:process() called
debug: Hook:start-scheduled-snapshots:process() called
debug: Hook:upstream_health_checks:process() called
debug: Hook:user_events_hook:process() called
debug: Seeding User...
debug: User seed planted
debug: Seeding Kongnode...
debug: Kongnode seed planted
debug: Seeding Emailtransport...
debug: Emailtransport seed planted
debug: Database migrations completed!

运行konga

共享宿主机网络命名空间

1
2
3
4
5
6
7
8
9
10
docker run -d \
--net=host \
--name konga \
--restart=always \
-e "PORT=1337" \
-e "NODE_ENV=production" \
-e "KONGA_LOG_LEVEL=info" \
-e "DB_ADAPTER=postgres" \
-e "DB_URI=postgresql://kong:kong_password@127.0.0.1:5432/konga" \
pantsel/konga:latest

查看监听端口

1
2
3
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 :::1337 :::* LISTEN 19341/node

查看konga日志

1
docker logs konga

输出示例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Hook:api_health_checks:process() called
Hook:health_checks:process() called
Hook:start-scheduled-snapshots:process() called
Hook:upstream_health_checks:process() called
Hook:user_events_hook:process() called
User had models, so no seed needed
Kongnode had models, so no seed needed
Emailtransport seeds updated

.-..-.

Sails <| .-..-.
v0.12.14 |\
/|.\
/ || \
,' |' \
.-'.-==|/_--'
`--'-------'
__---___--___---___--___---___--___
____---___--___---___--___---___--___-__

Server lifted in `/app`
To see your app, visit http://localhost:1337
To shut down Sails, press <CTRL> + C at any time.

-------------------------------------------------------
:: Weekday Month Day Years HH:mm:ss GMT+0000 (UTC)

Environment : production
Port : 1337
-------------------------------------------------------

访问konga

  • 使用浏览器访问http://konga服务器IP:1337

  • 第一次打开konga需要注册管理员用户,请保证密码强度足够高

  • 在弹出的

    1
    New Connection

    窗口

    • 选择Default
    • Name填写kong的名字
    • kong Admin URL填写http://127.0.0.1:8001

Kong维护

检查kong配置文件

在更改配置文件之后,可以通过命令检查配置文件

1
kong check -v /etc/kong/kong.conf

输出示例

1
2
3
4
YYYY/MM/DD HH:mm:ss [verbose] Kong: 1.1.2
YYYY/MM/DD HH:mm:ss [verbose] reading config file at /etc/kong/kong.conf
YYYY/MM/DD HH:mm:ss [verbose] prefix in use: /usr/local/kong
YYYY/MM/DD HH:mm:ss [info] configuration at /etc/kong/kong.conf is valid

Kong健康检查

1
kong health --v

输出示例

1
2
3
4
5
6
YYYY/MM/DD HH:mm:ss [verbose] Kong: 1.1.2
YYYY/MM/DD HH:mm:ss [verbose] reading config file at /usr/local/kong/.kong_env
YYYY/MM/DD HH:mm:ss [verbose] prefix in use: /usr/local/kong
YYYY/MM/DD HH:mm:ss [info] nginx.......running
YYYY/MM/DD HH:mm:ss [info]
YYYY/MM/DD HH:mm:ss [info] Kong is healthy at /usr/local/kong

Kong启动

1
kong start -c /etc/kong/kong.conf --v

输出示例

1
2
3
4
5
6
7
8
9
10
11
YYYY/MM/DD HH:mm:ss [verbose] Kong: 1.1.2
YYYY/MM/DD HH:mm:ss [verbose] reading config file at /etc/kong/kong.conf
YYYY/MM/DD HH:mm:ss [verbose] prefix in use: /usr/local/kong
YYYY/MM/DD HH:mm:ss [verbose] retrieving database schema state...
YYYY/MM/DD HH:mm:ss [verbose] schema state retrieved
YYYY/MM/DD HH:mm:ss [verbose] preparing nginx prefix directory at /usr/local/kong
YYYY/MM/DD HH:mm:ss [verbose] SSL enabled, no custom certificate set: using default certificate
YYYY/MM/DD HH:mm:ss [verbose] default SSL certificate found at /usr/local/kong/ssl/kong-default.crt
YYYY/MM/DD HH:mm:ss [verbose] Admin SSL enabled, no custom certificate set: using default certificate
YYYY/MM/DD HH:mm:ss [verbose] admin SSL certificate found at /usr/local/kong/ssl/admin-kong-default.crt
YYYY/MM/DD HH:mm:ss [info] Kong started

Kong关闭

1
kong stop --v

输出示例

1
2
3
4
5
YYYY/MM/DD HH:mm:ss [verbose] Kong: 1.1.2
YYYY/MM/DD HH:mm:ss [verbose] reading config file at /usr/local/kong/.kong_env
YYYY/MM/DD HH:mm:ss [verbose] prefix in use: /usr/local/kong
YYYY/MM/DD HH:mm:ss [verbose] sending TERM signal to nginx running at /usr/local/kong/pids/nginx.pid
YYYY/MM/DD HH:mm:ss [info] Kong stopped

Kong重启

1
kong restart -c /etc/kong/kong.conf --v

输出示例

1
2
3
4
5
6
7
8
9
10
11
12
YYYY/MM/DD HH:mm:ss [verbose] Kong: 1.1.2
YYYY/MM/DD HH:mm:ss [info] Kong stopped
YYYY/MM/DD HH:mm:ss [verbose] reading config file at /etc/kong/kong.conf
YYYY/MM/DD HH:mm:ss [verbose] prefix in use: /usr/local/kong
YYYY/MM/DD HH:mm:ss [verbose] retrieving database schema state...
YYYY/MM/DD HH:mm:ss [verbose] schema state retrieved
YYYY/MM/DD HH:mm:ss [verbose] preparing nginx prefix directory at /usr/local/kong
YYYY/MM/DD HH:mm:ss [verbose] SSL enabled, no custom certificate set: using default certificate
YYYY/MM/DD HH:mm:ss [verbose] default SSL certificate found at /usr/local/kong/ssl/kong-default.crt
YYYY/MM/DD HH:mm:ss [verbose] Admin SSL enabled, no custom certificate set: using default certificate
YYYY/MM/DD HH:mm:ss [verbose] admin SSL certificate found at /usr/local/kong/ssl/admin-kong-default.crt
YYYY/MM/DD HH:mm:ss [info] Kong started

Kong重载配置

1
kong reload -c /etc/kong/kong.conf --v

输出示例

1
2
3
4
5
YYYY/MM/DD HH:mm:ss [verbose] Kong: 1.1.2
YYYY/MM/DD HH:mm:ss [verbose] reading config file at /usr/local/kong/.kong_env
YYYY/MM/DD HH:mm:ss [verbose] prefix in use: /usr/local/kong
YYYY/MM/DD HH:mm:ss [verbose] preparing nginx prefix directory at /usr/local/kong
YYYY/MM/DD HH:mm:ss [info] Kong reloaded

日志轮转

底层是Nginx,因此可以借助logrotate工具做日志轮转

安装logrotate

1
yum install -y logrotate

配置logrotate

每天切割日志

保留30天的日志记录

被切割的日志会压缩打包

1
2
3
4
5
6
7
8
9
10
11
12
13
/etc/logrotate.d/kong
/var/log/kong/*.log {
daily
rotate 30
missingok
dateext
compress
delaycompress
notifempty
postrotate
[ -e /usr/local/kong/pids/nginx.pid ] && kill -USR1 `cat /usr/local/kong/pids/nginx.pid`
endscript
}

测试logrotate配置

1
logrotate -d /etc/logrotate.d/kong

输出示例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
reading config file /etc/logrotate.d/kong
Allocating hash table for state file, size 15360 B

Handling 1 logs

rotating pattern: /var/log/kong/*.log after 1 days (30 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/kong/access.log
log does not need rotating (log has been already rotated)
considering log /var/log/kong/admin_access.log
log does not need rotating (log has been already rotated)
considering log /var/log/kong/admin_error.log
log does not need rotating (log has been already rotated)
considering log /var/log/kong/error.log
log does not need rotating (log has been already rotated)

kong监控

kong内置了prometheus标准的metrics,默认只有Nginx的信息

开启了prometheus插件之后,可以为每个services都做监控

注意!metrics数据默认只能从Admin端口获取,不能走Proxy端口

因此想让Prometheus获取到kong的metric数据,需要修改kong.conf配置文件中admin_listen的值

具体的可以看官方说明

开启插件

1
curl -X POST http://localhost:8001/plugins --data "name=prometheus"

访问metric数据

1
curl -X GET http://localhost:8001/metrics

输出示例

这里kong是没配置任何服务,因此输出内容很少

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# HELP kong_datastore_reachable Datastore reachable from Kong, 0 is unreachable
# TYPE kong_datastore_reachable gauge
kong_datastore_reachable 1
# HELP kong_nginx_http_current_connections Number of HTTP connections
# TYPE kong_nginx_http_current_connections gauge
kong_nginx_http_current_connections{state="accepted"} 15
kong_nginx_http_current_connections{state="active"} 1
kong_nginx_http_current_connections{state="handled"} 15
kong_nginx_http_current_connections{state="reading"} 0
kong_nginx_http_current_connections{state="total"} 15
kong_nginx_http_current_connections{state="waiting"} 0
kong_nginx_http_current_connections{state="writing"} 1
# HELP kong_nginx_metric_errors_total Number of nginx-lua-prometheus errors
# TYPE kong_nginx_metric_errors_total counter
kong_nginx_metric_errors_total 0

监控数据可视化

官方已经制作了grafana dashboard来展示Prometheus的数据

Grafana Dashboard