Next-generation Cloud Native Gateway

  • By Alibaba
  • Last update: Dec 29, 2022
  • Comments: 17

Higress
Next-generation Cloud Native Gateway


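Higress is a next-generation cloud-native gateway built on the open-source Istio and Envoy, drawing on more than two years of Envoy Gateway practice inside Alibaba. Higress combines three layers of gateway (security gateway, traffic gateway and microservice gateway) into one, which can significantly reduce gateway deployment and operations costs.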


Summary

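Use Cases

  • Kubernetes Ingress gateway:

    Higress can serve as the Ingress gateway of a K8s cluster and is compatible with a large number of K8s Nginx Ingress annotations, allowing a fast and smooth migration from K8s Nginx Ingress to Higress.

    It supports the Gateway API standard and lets users migrate smoothly from Ingress API to Gateway API.

  • Microservice gateway:

    Higress can serve as a microservice gateway, discovering services and configuring routes from many types of registries, such as Nacos, ZooKeeper, Consul and Eureka.

    It is also deeply integrated with microservice technology stacks such as Dubbo, Nacos and Sentinel. Thanks to the excellent performance of the Envoy C++ gateway core, it can significantly reduce resource usage and cost compared with traditional Java-based microservice gateways.

  • Security gateway:

    Higress can serve as a security gateway, providing WAF capabilities and supporting multiple authentication and authorization strategies, such as key-auth, hmac-auth, jwt-auth, basic-auth and oidc.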

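Core Advantages

  • Production Grade

    Derived from an internal Alibaba product validated in production for more than two years, it supports large-scale scenarios with hundreds of thousands of requests per second.

    It completely eliminates the traffic jitter caused by reloads; configuration changes take effect within milliseconds and are transparent to the business.

  • Smooth Evolution

    Supports multiple registries such as Nacos/Zookeeper/Eureka, can perform service discovery without relying on K8s Service, and supports smooth evolution from non-container architectures to cloud-native architectures.

    Supports smooth migration from Nginx Ingress Controller, smooth transition to Gateway API, and smooth evolution of the business architecture to ServiceMesh.

  • Broad Compatibility

    Compatible with 80%+ of Nginx Ingress Annotation use cases, and provides the more feature-rich Higress Annotation.

    Compatible with Ingress API/Gateway API/Istio API; multiple CRDs can be combined for fine-grained traffic management.

  • Easy to Extend

    Provides three plugin extension mechanisms: Wasm, Lua and out-of-process. Plugins can be written in multiple languages and can take effect at the global, domain or route level.

    Plugins support hot updates; changes to plugin logic and configuration are lossless to traffic.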

Quick Start

Local Environment

Step 1: Install kubectl & kind

MacOS:

curl -Lo ./kubectl https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/darwin/amd64/kubectl
# for Intel Macs
[ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-darwin-amd64
# for M1 / ARM Macs
[ $(uname -m) = arm64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-darwin-arm64
chmod +x ./kind ./kubectl
mv ./kind ./kubectl /some-dir-in-your-PATH/

Windows, using PowerShell:

curl.exe -Lo kubectl.exe https://storage.googleapis.com/kubernetes-release/release/$(curl.exe -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/windows/amd64/kubectl.exe
curl.exe -Lo kind-windows-amd64.exe https://kind.sigs.k8s.io/dl/v0.17.0/kind-windows-amd64
Move-Item .\kind-windows-amd64.exe c:\some-dir-in-your-PATH\kind.exe
Move-Item .\kubectl.exe c:\some-dir-in-your-PATH\kubectl.exe

Linux:

curl -Lo ./kubectl https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-linux-amd64
chmod +x ./kind ./kubectl
sudo mv ./kind ./kubectl /usr/local/bin/
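
The steps above make kubectl and kind executable and move them into PATH directly after download. An added example, not part of the Higress README: a POSIX shell helper that checks a downloaded file against a SHA-256 checksum file and installs it only on a match. The function names are hypothetical, and the checksum file is assumed to have been fetched separately from the tool's official release channel.

```shell
# Added example: verify a download against its published SHA-256 digest
# before it is made executable and moved into PATH.

# sha256_of FILE: print the hex digest with whichever tool the platform
# ships (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    echo "no SHA-256 tool found" >&2; return 2
  fi
}

# verify_download FILE CHECKSUM_FILE
# Returns 0 on match, 1 on mismatch, 2 when the check cannot be performed.
verify_download() {
  # Accept a bare digest or the "digest  filename" layout; first field only.
  want=$(awk 'NR==1 {print tolower($1)}' "$2") || return 2
  # A SHA-256 digest is exactly 64 hex characters. Anything else (empty
  # file, HTML error page saved by curl -L) is treated as a failed check.
  case "$want" in
    ""|*[!0-9a-f]*) echo "malformed checksum file: $2" >&2; return 2 ;;
  esac
  [ "${#want}" -eq 64 ] || { echo "malformed checksum file: $2" >&2; return 2; }
  got=$(sha256_of "$1") || return 2
  if [ "$got" != "$want" ]; then
    echo "checksum mismatch for $1: got $got" >&2
    return 1
  fi
}

# install_verified FILE CHECKSUM_FILE DEST_DIR
# chmod and move only after the digest check passes, so an unverified
# binary never lands in PATH.
install_verified() {
  verify_download "$1" "$2" || return $?
  chmod +x "$1" && mv "$1" "$3/"
}
```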

Step 2: Create and enable kind

First create a cluster configuration file: cluster.conf

# cluster.conf
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: InitConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "ingress-ready=true"
  extraPortMappings:
  - containerPort: 80
    hostPort: 80
    protocol: TCP
  - containerPort: 443
    hostPort: 443
    protocol: TCP

On Mac & Linux, run:

kind create cluster --name higress --config=cluster.conf
kubectl config use-context kind-higress

On Windows, run:

kind.exe create cluster --name higress --config=cluster.conf
kubectl.exe config use-context kind-higress

Step 3: Install istio & higress

kubectl create ns istio-system
helm install istio -n istio-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/istio-local
kubectl create ns higress-system
helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress-local

Step 4: Create Ingress resources and test

kubectl apply -f https://github.com/alibaba/higress/releases/download/v0.5.2/quickstart.yaml

Verify that the Ingress works:

# should output "foo"
curl localhost/foo
# should output "bar"
curl localhost/bar

Uninstall resources

kubectl delete -f https://github.com/alibaba/higress/releases/download/v0.5.2/quickstart.yaml

helm uninstall istio -n istio-system

helm uninstall higress -n higress-system

kubectl delete ns istio-system

kubectl delete ns higress-system

Production Environment

Step 1: Install istio

You can install the istio version released by higress:

kubectl create ns istio-system
helm install istio -n istio-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/istio

Or install the official istio version (some capabilities will be lost, such as rate limiting via Ingress annotations):

https://istio.io/latest/docs/setup/install

Step 2: Install higress

kubectl create ns higress-system
helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress

Step 3: Create Ingress resources and test

Assuming a test service has already been deployed in the default namespace with service port 80, create the following K8s Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simple-example
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /foo
        pathType: Prefix
        backend:
          service:
            name: test
            port:
              number: 80  

Verify that the service is reachable:

curl "$(kubectl get svc -n higress-system higress-gateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')"/foo -H 'host: foo.bar.com'

Uninstall resources

helm uninstall istio -n istio-system

helm uninstall higress -n higress-system

kubectl delete ns istio-system

kubectl delete ns higress-system

Community

Acknowledgements

Higress would not be possible without the open-source work of Envoy and Istio; we offer our sincerest respect to both projects.


Comments(17)

  • 1

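    Plugins written with the higress wasm sdk cannot be loaded by envoy

    Is the higress wasm sdk compatible with the envoy sdk?

    I tried to load the wasm plugin from this tutorial locally with envoy, but envoy does not seem to load the compiled wasm correctly. With this SDK, https://github.com/tetratelabs/proxy-wasm-go-sdk, there is no problem. Have you run into a similar problem? Do you have any ideas for solving it?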

  • 2

    Note the helm version for higress installation

    Ⅰ. Describe what this PR did

    Noted the helm version required for the helm installation method

    Ⅱ. Does this pull request fix one issue?

    Ⅲ. Why don't you add test cases (unit test/integration test)?

    Ⅳ. Describe how to verify it

    Ⅴ. Special notes for reviews

  • 3

    Support nacos discovery

    Ⅰ. Describe what this PR did

    Ⅱ. Does this pull request fix one issue?

    Ⅲ. Why don't you add test cases (unit test/integration test)?

    Ⅳ. Describe how to verify it

    Ⅴ. Special notes for reviews

  • 4

    feature: support third-party-jwt for istio access authentication

    Ⅰ. Describe what this PR did

    support third-party-jwt for istio access authentication

    Ⅱ. Does this pull request fix one issue?

    Ⅲ. Why don't you add test cases (unit test/integration test)?

    Ⅳ. Describe how to verify it

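    This change mainly modifies the related configuration used at helm install time. Verified by installing directly with helm in a local environment (helm install higress -n higress-system higress).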

    Ⅴ. Special notes for reviews

  • 5

    add istio patch to fix xds push

    Ⅰ. Describe what this PR did

    The previous hack implementation caused LDS to be pushed empty

    Ⅱ. Does this pull request fix one issue?

    Ⅲ. Why don't you add test cases (unit test/integration test)?

    Ⅳ. Describe how to verify it

    Ⅴ. Special notes for reviews

  • 6

    optimize higress installed notes

    Signed-off-by: iutx [email protected]

    Ⅰ. Describe what this PR did

    higress installed notes doesn't contain namespace image

    will cause Error: release: not found

    Ⅱ. Does this pull request fix one issue?

    none

    Ⅲ. Why don't you add test cases (unit test/integration test)?

    none

    Ⅳ. Describe how to verify it

    Install higress with helm, notes such as: image

    Ⅴ. Special notes for reviews

    none

  • 7

    Support deploying in host network mode via helm parameters (Higress-gateway Pod Uses hostNetwork)

    • [ ] I have searched the issues of this repository and believe that this is not a duplicate.

    Ⅰ. Issue Description

    Edit Deploy Of higress-gateway, adds hostNetwork: true, but Pod's status is SysctlForbidden.

    Ⅱ. Describe what happened

    If there is an exception, please attach the exception trace:

    Just paste your stack trace here!
    

    Ⅲ. Describe what you expected to happen

    Ⅳ. How to reproduce it (as minimally and precisely as possible)

    1. xxx
    2. xxx
    3. xxx

    Ⅴ. Anything else we need to know?

    Ⅵ. Environment:

    • Higress version:
    • OS :
    • Others:
  • 8

    The import path does not exist in fact.

    • [x] I have searched the issues of this repository and believe that this is not a duplicate.

    Ⅰ. Issue Description

    https://github.com/alibaba/higress/blob/e01377f3ea3c4839365619be6b47aa554cdd77f4/registry/memory/cache.go#L11 The import path does not exist in fact.

    Ⅱ. Describe what happened

    If there is an exception, please attach the exception trace:

    Just paste your stack trace here!
    
  • 9

    Update README.md

    Ⅰ. Describe what this PR did

    Ⅱ. Does this pull request fix one issue?

    Ⅲ. Why don't you add test cases (unit test/integration test)?

    Ⅳ. Describe how to verify it

    Ⅴ. Special notes for reviews

  • 10

    support xds auth

    Ⅰ. Describe what this PR did

    The higress console needs to access the /debug endpoint through xds auth.

    Ⅱ. Does this pull request fix one issue?

    Ⅲ. Why don't you add test cases (unit test/integration test)?

    Ⅳ. Describe how to verify it

    Ⅴ. Special notes for reviews

  • 11

    Support sidecar inject

    Ⅰ. Describe what this PR did

    Ⅱ. Does this pull request fix one issue?

    Ⅲ. Why don't you add test cases (unit test/integration test)?

    Ⅳ. Describe how to verify it

    Ⅴ. Special notes for reviews

  • 12

    add plugin gw-error-format

    Ⅰ. Describe what this PR did

    Implement a plugin that can replace the response body according to the configuration

    Ⅱ. Does this pull request fix one issue?

    fixes #62

    Ⅲ. Why don't you add test cases (unit test/integration test)?

    No unit tests yet

    Ⅳ. Describe how to verify it

    If you deployed higress as a K8S cluster, you can use this yaml to test replace-responsebody.yaml

    Ⅴ. Special notes for reviews

    Check out README.md

  • 13

    Add plugin real-ip

    Ⅰ. Describe what this PR did

    Add a wasm plugin that is the functional equivalent of the nginx real_ip module

    Ⅱ. Does this pull request fix one issue?

    fixes #92

    Ⅲ. Why don't you add test cases (unit test/integration test)?

    No unit tests yet

    Ⅳ. Describe how to verify it

    The real IP can be obtained by configuring related attributes according to the README.md

    Ⅴ. Special notes for reviews

    Check README.md

  • 14

    M1 computer, local environment test using kind -> create Ingress resources and test

    • [ ] I have searched the issues of this repository and believe that this is not a duplicate.

    Ⅰ. Issue Description

    1. Testing locally with kind image

    2. The application reports an error on startup image

    Ⅱ. Describe what happened

    If there is an exception, please attach the exception trace:

    Just paste your stack trace here!
    

    III. Environment:

    • Higress version:
    • OS : macos m1
    • Others:
  • 15

    unit-test: increase coverage, path: pkg/ingress/kube/secret

    Signed-off-by: iutx [email protected]

    Ⅰ. Describe what this PR did

    increase coverage, path: pkg/ingress/kube/secret

    0% -> 81.6%

    Ⅱ. Does this pull request fix one issue?

    fixes #87

    Ⅲ. Why don't you add test cases (unit test/integration test)?

    None

    Ⅳ. Describe how to verify it

    None

    Ⅴ. Special notes for reviews

    None

  • 16

    ut: add unit test for pkg/ingress/mcp

    Signed-off-by: charlie [email protected]

    Ⅰ. Describe what this PR did

    ut: add unit test for pkg/ingress/mcp

    Ⅱ. Does this pull request fix one issue?

    fixes #91

    Ⅲ. Why don't you add test cases (unit test/integration test)?

    Ⅳ. Describe how to verify it

    Ⅴ. Special notes for reviews

  • 17

    opt: optimize redundant code

    Signed-off-by: charlie [email protected]

    Ⅰ. Describe what this PR did

    opt: optimize redundant code

    Ⅱ. Does this pull request fix one issue?

    fixes #91

    Ⅲ. Why don't you add test cases (unit test/integration test)?

    Ⅳ. Describe how to verify it

    Ⅴ. Special notes for reviews