Sent from my iPhone
> On Jun 7, 2022, at 08:19, YuanSheng Wang <membp...@apache.org> wrote:
>
> hi:
>
> It is easier for APISIX users to know how to deploy APISIX the right way.
>
> One more point: we'll implement it in APISIX 3.0, all LGTM.
>
> ^_^
>
>
>> On Mon, Jun 6, 2022 at 3:07 PM Zexuan Luo <spacewan...@apache.org> wrote:
>>
>> 1. Background
>>
>> 1.1 Problem to be solved
>>
>> For APISIX 1.* and 2.* versions, the DP (Data Plane) and the CP
>> (Control Plane) reuse the same port (9080) by default. Although we
>> clearly distinguish the different responsibilities of DP and CP in the
>> deployment architecture diagram of APISIX, open source users, due to a
>> lack of API gateway architecture understanding and security experience,
>> do not change to a separate deployment method in production
>> environments, which makes the user's CP insecure and vulnerable to
>> attack.
>>
>> For example, APISIX fixed one security issue where the API caller used
>> the batch-requests plugin to bypass the local IP restriction and
>> directly access the Admin API. Because DP and CP are not deployed
>> separately, the security of APISIX is greatly reduced.
>>
>> 1.2 The benefits of solving this problem
>>
>> 1. The DP and CP use different listening ports (the same port is not
>> allowed), improving security.
>> 2. Make it easier for users to choose the correct deployment way.
>> 3. Reduce the difficulty for users of deploying APISIX DP/CP separately.
>> 4. The communication protocol between DP and CP and the communication
>> protocol between CP and the configuration center are no longer unified.
>> If the communication protocol between the CP and the configuration
>> center is updated, there is no need to update anything between the DP
>> and the CP.
>>
>> 2. How to solve the problem
>>
>> Add a new `deployment` section; users can use it to specify the
>> deployment role. Here is a full example:
>>
>> ```
>> deployment:
>>   role: traditional # traditional or data_plane or control_plane
>>   role_traditional:
>>     config_provider: etcd # only supports etcd now
>>   role_control_plane:
>>     config_provider: etcd # only supports etcd now
>>     config_listen: 0.0.0.0:9280 # data plane will connect to this service for
>>                                 # fetching config data, eg: route, service and so on.
>>   role_data_plane:
>>     config_provider: control_plane # control_plane or yaml
>>     control_plane:
>>       host:
>>         - xxxx:9280
>>         - xxxx:9280
>>       timeout: 30 # second
>>   certs: # if the role is data_plane or control_plane, you need to set it.
>>          # The connection between the DP and CP is via mTLS, this
>>          # configuration is used to specify the dependent certificates.
>>     # cert: /path/to/ca-cert
>>     # cert_key: /path/to/ca-cert
>>     # ca_cert: /path/to/ca-cert
>>   etcd: # if the role is traditional or control_plane, you need to set it
>>     host:
>>       - http://xxxx
>>       - https://xxxx
>>     prefix: /apisix
>>     timeout: 30
>>   ... ...
>> ```
>>
>> When starting the APISIX service, if APISIX finds that some
>> configurations are not related to the current deployment role (such as
>> starting in Control plane mode but configuring the Admin API), an alarm
>> message will be output during startup, indicating that these
>> configurations are invalid, and the information will also be recorded
>> in the error log file.
>> For role, the user has three options: traditional, data_plane,
>> control_plane. The different deployment options for users to use
>> APISIX are summarized here, mainly including these three typical use
>> cases.
>>
>> Different users (developers, production users) deploy APISIX in
>> different ways.
>>
>> 1. all-in-one: DP + CP are deployed together, all of the services run
>> in one instance.
>>
>> NOTE:
>> In this mode, when the service starts, a prompt is printed to the
>> screen output and in the error log:
>> "The APISIX you started enables both the data plane and the control
>> plane. This deployment mode is not recommended for production
>> environments."
>>
>> Demo Configuration:
>>
>> ```
>> deployment:
>>   role: traditional
>>   role_traditional:
>>     config_provider: etcd
>>   etcd:
>>     host:
>>       - http://xxxx
>>       - http://xxxx
>>     prefix: /apisix
>>     timeout: 30
>>   ... ...
>> ```
>>
>> NOTE:
>> • We will use the same deployment way, only the DP and CP run in one instance.
>> • Between DP and CP, APISIX will use the HTTP protocol, and it uses the
>> HTTP protocol between the Admin API and the conf server.
>> • The conf server will listen on `unix: conf/config_listen`.
>>
>> 2. decoupled: DP and CP are deployed independently
>>
>> data_plane
>> a. Fetch route data from the control plane; the default port is 9280.
>> b. Before the DP service starts, it performs a health check on all CP
>> addresses:
>> ▪ If all CP addresses are unavailable, the startup fails and an
>> exception message is output to the screen.
>> ▪ If at least one CP address is available (e.g. /status returns a
>> normal response), print the unhealthy CP check result to the log and
>> then start the APISIX service.
>> ▪ If all CP addresses are normal, start the APISIX service normally.
>> c. Handle user requests.
>>
>> Demo Configuration(DP):
>>
>> ```
>> deployment:
>>   role: data_plane
>>   role_data_plane:
>>     config_provider: control_plane # control_plane or yaml
>>     control_plane:
>>       host:
>>         - xxxx:9280
>>         - xxxx:9280
>>       timeout: 30
>>   certs:
>>     cert: /path/to/ca-cert
>>     cert_key: /path/to/ca-cert
>>     ca_cert: /path/to/ca-cert
>> ```
>>
>> control_plane
>> a. Provide the Admin API for the Admin user, listening on 9180 (default)
>> b. Provide the conf server for the data plane and control plane,
>> listening on 9280 (default)
>>
>> Demo Configuration(CP):
>>
>> ```
>> deployment:
>>   role: control_plane # traditional or data_plane or control_plane
>>   role_control_plane:
>>     config_provider: etcd
>>     config_listen: 0.0.0.0:9280
>>   etcd:
>>     host:
>>       - https://xxxx
>>       - https://xxxx
>>     prefix: /apisix
>>     timeout: 30
>>   ... ...
>>   certs:
>>     cert: /path/to/ca-cert
>>     cert_key: /path/to/ca-cert
>>     ca_cert: /path/to/ca-cert
>> ```
>>
>>
>> 3. standalone: only for the data plane; load the route data from a
>> local yaml file
>>
>> Demo Configuration:
>>
>> ```
>> deployment:
>>   role: data_plane
>>   role_data_plane:
>>     config_provider: yaml # control_plane or yaml
>> ```
>>
>> There are no changes other than specifying the service as standalone
>> using role; everything else is the same as before.
>>
>
>
> --
>
> *MembPhis*
> My GitHub: https://github.com/membphis
> Apache APISIX: https://github.com/apache/apisix
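An added worked example, not code from the thread or from the APISIX project: a stand-alone Python check that encodes the rules the proposal above states for the `deployment` section (valid roles, etcd required for traditional/control_plane, mTLS certs required whenever the DP/CP channel is used, different ports for DP and CP, a startup warning rather than a hard failure for sections belonging to another role), together with the data-plane startup decision described under "decoupled" (fail if no CP answers, start with a warning if at least one does). Configs are plain dicts, which is what `yaml.safe_load` would return from the YAML shown in the thread, so nothing beyond the standard library is needed. The `proxy_port` parameter (default 9080) and the `probe` callback standing in for the `/status` request are assumptions for the example, not fields in the proposal.

```python
"""Added example, not APISIX's own code: checks the proposed `deployment`
section from the thread and models the DP startup health check. Configs are
plain dicts (what yaml.safe_load would return). `proxy_port` (default 9080) is
an assumption for the "same port is not allowed" rule, not a proposal field."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Iterable

VALID_ROLES = ("traditional", "data_plane", "control_plane")
ROLE_SECTION = {r: f"role_{r}" for r in VALID_ROLES}


@dataclass
class Report:
    errors: list[str] = field(default_factory=list)    # fatal: refuse to start
    warnings: list[str] = field(default_factory=list)  # the proposal's startup "alarm"

    @property
    def ok(self) -> bool:
        return not self.errors


def _port(addr: str) -> int | None:
    # '0.0.0.0:9280' -> 9280; unix sockets and malformed values -> None
    if addr.startswith("unix:"):
        return None
    try:
        return int(addr.rsplit(":", 1)[1])
    except (IndexError, ValueError):
        return None


def validate_deployment(conf: dict, proxy_port: int = 9080) -> Report:
    rep = Report()
    dep = conf.get("deployment") or {}
    role = dep.get("role")
    if role not in VALID_ROLES:
        rep.errors.append(f"deployment.role must be one of {VALID_ROLES}, got {role!r}")
        return rep
    # Sections for other roles are not fatal: the proposal prints an alarm at
    # startup and records it in the error log.
    for other, name in ROLE_SECTION.items():
        if other != role and name in dep:
            rep.warnings.append(f"{name} is ignored when role is {role}")
    section = dep.get(ROLE_SECTION[role]) or {}
    provider = section.get("config_provider")
    if role in ("traditional", "control_plane"):
        if provider != "etcd":
            rep.errors.append(f"{ROLE_SECTION[role]}.config_provider only supports etcd")
        if not (dep.get("etcd") or {}).get("host"):
            rep.errors.append("deployment.etcd.host is required for this role")
    if role == "control_plane":
        listen = section.get("config_listen", "0.0.0.0:9280")
        if _port(listen) == proxy_port:  # the 1.x/2.x shared-port mistake
            rep.errors.append(f"config_listen {listen} reuses proxy port {proxy_port}; "
                              "DP and CP must use different ports")
    if role == "data_plane":
        if provider not in ("control_plane", "yaml"):
            rep.errors.append("role_data_plane.config_provider must be control_plane or yaml")
        elif provider == "control_plane" and not (section.get("control_plane") or {}).get("host"):
            rep.errors.append("role_data_plane.control_plane.host is required")
    # The DP<->CP channel is mTLS, so both ends need cert material; a standalone
    # (yaml) data plane never opens that channel and is exempt.
    if role == "control_plane" or (role == "data_plane" and provider == "control_plane"):
        certs = dep.get("certs") or {}
        for key in ("cert", "cert_key", "ca_cert"):
            if not certs.get(key):
                rep.errors.append(f"deployment.certs.{key} is required for DP/CP mTLS")
    return rep


def check_control_planes(hosts: Iterable[str],
                         probe: Callable[[str], bool]) -> tuple[str, list[str]]:
    """DP startup check from the proposal. `probe` stands in for GET /status and
    returns True on a normal response. Returns (decision, unhealthy_hosts):
    "fail" if no CP answers, "start" if all do, "start_degraded" otherwise."""
    hosts = list(hosts)
    unhealthy = [h for h in hosts if not probe(h)]
    if len(unhealthy) == len(hosts):
        return "fail", unhealthy
    return ("start_degraded" if unhealthy else "start"), unhealthy


# Constructed sample configs shaped like the thread's demos (placeholders kept).
CP_OK = {"deployment": {
    "role": "control_plane",
    "role_control_plane": {"config_provider": "etcd", "config_listen": "0.0.0.0:9280"},
    "etcd": {"host": ["https://xxxx"], "prefix": "/apisix", "timeout": 30},
    "certs": {"cert": "/path/to/cert", "cert_key": "/path/to/key", "ca_cert": "/path/to/ca-cert"}}}
# Weak variant: conf server back on 9080, no certs, and a stray data-plane section.
CP_BAD = {"deployment": {
    "role": "control_plane",
    "role_control_plane": {"config_provider": "etcd", "config_listen": "0.0.0.0:9080"},
    "role_data_plane": {"config_provider": "yaml"}, "etcd": {"host": ["https://xxxx"]}}}
STANDALONE_DP = {"deployment": {"role": "data_plane", "role_data_plane": {"config_provider": "yaml"}}}

if __name__ == "__main__":
    for name, conf in (("CP_OK", CP_OK), ("CP_BAD", CP_BAD), ("STANDALONE_DP", STANDALONE_DP)):
        rep = validate_deployment(conf)
        print(name, "ok" if rep.ok else "REJECT", rep.errors, rep.warnings)
    print(check_control_planes(["cp1:9280", "cp2:9280"], lambda h: h == "cp1:9280"))
```

Running it rejects `CP_BAD` for reusing 9080 and for the missing cert material while only warning about the stray `role_data_plane` section, accepts the standalone data plane without certs because it never opens the DP/CP channel, and reports `start_degraded` with `cp2:9280` listed when one of two control planes fails the probe. The split between `errors` and `warnings` is the point to copy: a section for the wrong role is noise that should be logged, but a shared port or a missing mTLS certificate on the control plane is exactly the 1.x/2.x exposure the proposal is trying to remove, so it should stop startup.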