hi:

It is easier for APISIX users to know how to deploy APISIX the right way.

One more point: we'll implement it in APISIX 3.0, all LGTM. ^_^

On Mon, Jun 6, 2022 at 3:07 PM Zexuan Luo <spacewan...@apache.org> wrote:

> 1. Background
>
> 1.1 Problem to be solved
>
> For APISIX 1.* and 2.* versions, the DP (DataPlane) and the CP
> (ControlPlane) reuse the same port (9080) by default. Although we
> clearly distinguish the different responsibilities of DP and CP in the
> deployment architecture diagram of APISIX, due to the lack of API
> gateway architecture understanding and security experience of open
> source users, they do not change to separate deployment methods in
> production environments, which makes the user's CP insecure and
> vulnerable to attack.
>
> For example, APISIX fixed one security issue where the API caller used
> the batch-request plugin to bypass local IP restrictions and directly
> access the Admin API. Because DP and CP are not deployed separately,
> the security of APISIX is greatly reduced.
>
> 1.2 The benefits of solving this problem
>
> 1. The DP and CP use different listening ports (the same port is not
>    allowed), improving security.
> 2. Make it easier for users to choose the correct deployment way.
> 3. Reduce the difficulty for users to deploy APISIX DP/CP separately.
> 4. The communication protocol between DP and CP and the communication
>    protocol between CP and the configuration center are no longer
>    unified. If the communication protocol between the CP and the
>    configuration center is updated, there is no need to do any update
>    between the DP and the CP.
>
> 2. How to solve the problem
>
> Add a new `deployment` section; users can use it to specify the
> deployment role. Here is a full example:
>
> ```
> deployment:
>   role: traditional                 # traditional or data_plane or control_plane
>   role_traditional:
>     config_provider: etcd           # only supports etcd now
>   role_control_plane:
>     config_provider: etcd           # only supports etcd now
>     config_listen: 0.0.0.0:9280     # data plane will connect to this service for fetching
>                                     # config data, eg: route, service and so on.
>   role_data_plane:
>     config_provider: control_plane  # control_plane or yaml
>     control_plane:
>       host:
>         - xxxx:9280
>         - xxxx:9280
>       timeout: 30                   # second
>   certs:                            # if the role is data_plane or control_plane, you need
>                                     # to set it. The connection between the DP and CP is
>                                     # via mTLS, this configuration is used to specify the
>                                     # dependent certificates.
>     # cert: /path/to/ca-cert
>     # cert_key: /path/to/ca-cert
>     # ca_cert: /path/to/ca-cert
>   etcd:                             # if the role is traditional or control_plane, you need
>                                     # to set it
>     host:
>       - http://xxxx
>       - https://xxxx
>     prefix: /apisix
>     timeout: 30
>   ... ...
> ```
>
> When starting the APISIX service, if APISIX finds that some
> configuration is not related to the current deployment role (such as
> starting in control plane mode but configuring the Admin API), an alarm
> message will be output during startup, indicating that this
> configuration is invalid, and the information will also be recorded in
> the error log file.
>
> For `role`, the user has three options: traditional, data_plane,
> control_plane. The different deployment options for users to use APISIX
> are summarized here, mainly including these three typical use cases.
>
> Different users (developers, production users) use APISIX in different
> deployment ways.
>
> 1. all-in-one: DP + CP are deployed together, all of the services run
>    in one instance.
>
> NOTE:
> In this mode, when the service starts, a prompt is printed in the
> screen output and in the error log:
> "The APISIX you started enables both the data plane and the control
> plane. This deployment mode is not recommended for production
> environments."
>
> Demo Configuration:
>
> ```
> deployment:
>   role: traditional
>   role_traditional:
>     config_provider: etcd
>   etcd:
>     host:
>       - http://xxxx
>       - http://xxxx
>     prefix: /apisix
>     timeout: 30
>   ... ...
> ```
>
> NOTE:
> • We will use the same deployment way, only the DP and CP run in one instance.
> • Between DP and CP, APISIX will use the HTTP protocol, and it uses the
>   HTTP protocol between the Admin API and the conf server.
> • The conf server will listen on `unix: conf/config_listen`.
>
> 2. decoupled: DP and CP are deployed independently
>
> data_plane
> a. Fetch route data from the control plane, the default port is 9280
> b. Before the DP service starts, it will perform a health check on all
>    CP addresses
>    ▪ If all CP addresses are unavailable, the startup fails and an
>      exception message is output to the screen.
>    ▪ If at least one CP address is available (eg /status can get a
>      normal response from the interface), print the unhealthy CP check
>      result log, and then start the APISIX service.
>    ▪ If all CP addresses are normal, start the APISIX service normally.
> c. Handling user requests.
>
> Demo Configuration (DP):
>
> ```
> deployment:
>   role: data_plane
>   role_data_plane:
>     config_provider: control_plane  # control_plane or yaml
>     control_plane:
>       host:
>         - xxxx:9280
>         - xxxx:9280
>       timeout: 30
>   certs:
>     cert: /path/to/ca-cert
>     cert_key: /path/to/ca-cert
>     ca_cert: /path/to/ca-cert
> ```
>
> control_plane
> a. Provide the Admin API for the Admin user, listening on 9180 (default)
> b. Provide the conf server for data plane and control plane, listening
>    on 9280 (default)
>
> Demo Configuration (CP):
>
> ```
> deployment:
>   role: control_plane               # traditional or data_plane or control_plane
>   role_control_plane:
>     config_provider: etcd
>     config_listen: 0.0.0.0:9280
>   etcd:
>     host:
>       - https://xxxx
>       - https://xxxx
>     prefix: /apisix
>     timeout: 30
>   ... ...
>   certs:
>     cert: /path/to/ca-cert
>     cert_key: /path/to/ca-cert
>     ca_cert: /path/to/ca-cert
> ```
>
> 3. standalone: only for the data plane, load the route data from a
>    local yaml file
>
> Demo Configuration:
>
> ```
> deployment:
>   role: data_plane
>   role_data_plane:
>     config_provider: yaml           # control_plane or yaml
> ```
>
> There are no changes other than specifying the service as standalone
> using `role`; no more changes, same as before.

--
*MembPhis*
My GitHub: https://github.com/membphis
Apache APISIX: https://github.com/apache/apisix
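The startup behaviour the proposal describes (one role per instance, Admin API and conf server never on the same port, mTLS certificates mandatory for the decoupled roles, an alarm for configuration the chosen role ignores, and the data plane's pre-start health check of every control-plane address) can be written down as a small set of checks. The block below is an added example, not code from APISIX or from the proposal: it follows the decoupled section, where the Admin API lives on the control plane, assumes a key `apisix.admin_listen` written as `ip:port` like `config_listen` (an assumption made for this example, with 9180 as the default the proposal names), and feeds constructed sample configs through `json.loads` because JSON is a subset of YAML, so no YAML library is needed to run it.

```python
"""Startup checks for the role-based deployment config proposed above.

Added example, not APISIX's own code: it models the rules the proposal states
(one role per instance, Admin API and conf server on different ports, mTLS certs
for the decoupled roles, an alarm for config the role ignores, and the DP's
pre-start health check of every CP address). The key apisix.admin_listen,
written "ip:port" like config_listen, is an assumption made for this example.
"""
import json
from typing import Callable, Dict, List, Tuple

ROLES = ("traditional", "data_plane", "control_plane")

# Constructed samples. JSON is a subset of YAML, so json.loads stands in for
# yaml.safe_load and the example runs without PyYAML installed.
SAMPLE_CP = json.loads("""{
  "apisix": {"admin_listen": "0.0.0.0:9180"},
  "deployment": {
    "role": "control_plane",
    "role_control_plane": {"config_provider": "etcd", "config_listen": "0.0.0.0:9280"},
    "certs": {"cert": "/path/cp.crt", "cert_key": "/path/cp.key", "ca_cert": "/path/ca.crt"},
    "etcd": {"host": ["https://etcd-1:2379"], "prefix": "/apisix", "timeout": 30}}}""")

SAMPLE_DP = json.loads("""{
  "apisix": {"admin_listen": "0.0.0.0:9180"},
  "deployment": {
    "role": "data_plane",
    "role_data_plane": {"config_provider": "control_plane",
                        "control_plane": {"host": ["cp-1:9280", "cp-2:9280"], "timeout": 30}},
    "certs": {"cert": "/path/dp.crt", "cert_key": "/path/dp.key", "ca_cert": "/path/ca.crt"},
    "etcd": {"host": ["http://etcd-1:2379"]}}}""")


def port_of(listen: str) -> int:
    """'0.0.0.0:9280' -> 9280."""
    return int(listen.rsplit(":", 1)[1])


def require_certs(dep: Dict, role: str, errors: List[str]) -> None:
    """DP<->CP traffic is mTLS, so all three certificate paths are mandatory."""
    certs = dep.get("certs", {})
    missing = [k for k in ("cert", "cert_key", "ca_cert") if not certs.get(k)]
    if missing:
        errors.append(f"{role}: certs.{','.join(missing)} required for mTLS")


def validate(cfg: Dict) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors abort startup, warnings are logged."""
    errors: List[str] = []
    warnings: List[str] = []
    dep = cfg.get("deployment", {})
    role = dep.get("role")
    if role not in ROLES:
        return [f"deployment.role must be one of {ROLES}, got {role!r}"], warnings
    # Config belonging to another role is ignored; the operator is told so at
    # startup, which is the proposal's alarm message.
    for other in ROLES:
        if other != role and f"role_{other}" in dep:
            warnings.append(f"role_{other} is ignored when role is {role}")
    section = dep.get(f"role_{role}", {})
    provider = section.get("config_provider")
    admin_port = port_of(cfg.get("apisix", {}).get("admin_listen", "0.0.0.0:9180"))

    if role == "traditional":
        warnings.append("DP and CP run in one instance; not recommended for production")
    if role in ("traditional", "control_plane"):
        if provider != "etcd":
            errors.append(f"{role}: config_provider only supports etcd")
        if not dep.get("etcd", {}).get("host"):
            errors.append(f"{role}: deployment.etcd.host is required")
    if role == "control_plane":
        require_certs(dep, role, errors)
        listen = section.get("config_listen")
        if not listen:
            errors.append("control_plane: config_listen is required")
        elif port_of(listen) == admin_port:
            errors.append("control_plane: Admin API and conf server must not share the same port")
    if role == "data_plane":
        if "etcd" in dep:
            warnings.append("data_plane: deployment.etcd is ignored, config comes from the CP or yaml")
        if "admin_listen" in cfg.get("apisix", {}):
            warnings.append("data_plane: the Admin API is not served here, admin_listen is ignored")
        if provider == "control_plane":
            if not section.get("control_plane", {}).get("host"):
                errors.append("data_plane: control_plane.host needs at least one CP address")
            require_certs(dep, role, errors)
        elif provider != "yaml":
            errors.append("data_plane: config_provider must be control_plane or yaml")
    return errors, warnings


def check_control_planes(hosts: List[str], probe: Callable[[str], bool]) -> Tuple[bool, List[str]]:
    """DP pre-start check; probe(host) stands for e.g. GET /status returning True
    on a normal response. Startup is refused only when every CP address fails,
    otherwise the unhealthy ones are reported and startup proceeds."""
    unhealthy = [h for h in hosts if not probe(h)]
    return len(unhealthy) < len(hosts), unhealthy
```

With a real config file, replace the embedded samples by `yaml.safe_load(open("conf/config.yaml"))` and pass `check_control_planes` a probe that performs the mTLS `GET /status` against each `control_plane.host` entry; `validate` treats a shared Admin API/conf server port and missing certificate paths as hard failures, while role-irrelevant sections only produce the warning the proposal describes.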