一、原文链接:https://www.dqzboy.comTraefik介绍
Traefik 是一款开源的边缘路由器,它可以让发布服务变得轻松有趣。它代表您的系统接收请求,并找出负责处理这些请求的组件。与众不同之处在于,除了它的许多特性之外,它还可以自动为您的服务发现正确的配置。当 Traefik 检查您的基础设施时,它会发现相关信息,并发现哪个服务为哪个请求提供服务。
Traefik 与每个主要的集群技术都是原生兼容的,比如 Kubernetes、Docker、Docker Swarm、AWS、Mesos、Marathon 等等;并且可以同时处理多个。(它甚至适用于运行在裸机上的遗留软件。) 使用 Traefik,不需要维护和同步单独的配置文件:所有事情都是实时自动发生的(没有重启,没有连接中断)。使用 Traefik,只需要花费时间开发和部署新功能到您的系统,而不是配置和维护其工作状态。
二、部署Traefik
2.1:创建名称空间
|
|
[root@k8s-master1 ~]# cd /opt/k8s/work/
|
|
|
[root@k8s-master1 work]# mkdir traefik
|
|
|
|
|
|
|
|
|
[root@k8s-master1 traefik]# kubectl create ns ingress-traefik
|
2.2:创建CRD资源
在 traefik v2.0 版本后,开始使用 CRD(Custom Resource Definition)来完成路由配置等,所以需要提前创建 CRD 资源。
|
|
traefik]# vim traefik-crd.yaml
|
|
|
## IngressRoute
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
|
kind: CustomResourceDefinition
|
|
|
metadata:
|
|
|
name: ingressroutes.traefik.containo.us
|
|
|
spec:
|
|
|
scope: Namespaced
|
|
|
group: traefik.containo.us
|
|
|
version: v1alpha1
|
|
|
names:
|
|
|
kind: IngressRoute
|
|
|
plural: ingressroutes
|
|
|
singular: ingressroute
|
|
|
---
|
|
|
## IngressRouteTCP
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
|
kind: CustomResourceDefinition
|
|
|
metadata:
|
|
|
name: ingressroutetcps.traefik.containo.us
|
|
|
spec:
|
|
|
scope: Namespaced
|
|
|
group: traefik.containo.us
|
|
|
version: v1alpha1
|
|
|
names:
|
|
|
kind: IngressRouteTCP
|
|
|
plural: ingressroutetcps
|
|
|
singular: ingressroutetcp
|
|
|
---
|
|
|
## Middleware
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
|
kind: CustomResourceDefinition
|
|
|
metadata:
|
|
|
name: middlewares.traefik.containo.us
|
|
|
spec:
|
|
|
scope: Namespaced
|
|
|
group: traefik.containo.us
|
|
|
version: v1alpha1
|
|
|
names:
|
|
|
kind: Middleware
|
|
|
plural: middlewares
|
|
|
singular: middleware
|
|
|
---
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
|
kind: CustomResourceDefinition
|
|
|
metadata:
|
|
|
name: tlsoptions.traefik.containo.us
|
|
|
spec:
|
|
|
scope: Namespaced
|
|
|
group: traefik.containo.us
|
|
|
version: v1alpha1
|
|
|
names:
|
|
|
kind: TLSOption
|
|
|
plural: tlsoptions
|
|
|
singular: tlsoption
|
|
|
---
|
|
|
## TraefikService
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
|
kind: CustomResourceDefinition
|
|
|
metadata:
|
|
|
name: traefikservices.traefik.containo.us
|
|
|
spec:
|
|
|
scope: Namespaced
|
|
|
group: traefik.containo.us
|
|
|
version: v1alpha1
|
|
|
names:
|
|
|
kind: TraefikService
|
|
|
plural: traefikservices
|
|
|
singular: traefikservice
|
|
|
|
|
|
---
|
|
|
## TraefikTLSStore
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
|
kind: CustomResourceDefinition
|
|
|
metadata:
|
|
|
name: tlsstores.traefik.containo.us
|
|
|
spec:
|
|
|
scope: Namespaced
|
|
|
group: traefik.containo.us
|
|
|
version: v1alpha1
|
|
|
names:
|
|
|
kind: TLSStore
|
|
|
plural: tlsstores
|
|
|
singular: tlsstore
|
|
|
|
|
|
---
|
|
|
## IngressRouteUDP
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
|
kind: CustomResourceDefinition
|
|
|
metadata:
|
|
|
name: ingressrouteudps.traefik.containo.us
|
|
|
spec:
|
|
|
scope: Namespaced
|
|
|
group: traefik.containo.us
|
|
|
version: v1alpha1
|
|
|
names:
|
|
|
kind: IngressRouteUDP
|
|
|
plural: ingressrouteudps
|
|
|
singular: ingressrouteudp
|
|
|
|
|
|
|
|
|
#创建资源
|
|
|
traefik]# kubectl apply -f traefik-crd.yaml
|
|
|
|
|
|
#查看crd资源
|
|
|
traefik]# kubectl get crd | grep traefik
|
2.3:创建RBAC权限
Traefik 需要一定的权限,所以这里提前创建好 Traefik ServiceAccount 并分配一定的权限。
|
|
[root@k8s-master1 traefik]# vim traefik-rbac.yaml
|
|
|
apiVersion: v1
|
|
|
kind: ServiceAccount
|
|
|
metadata:
|
|
|
namespace: ingress-traefik
|
|
|
name: traefik-ingress-controller
|
|
|
---
|
|
|
kind: ClusterRole
|
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
|
metadata:
|
|
|
name: traefik-ingress-controller
|
|
|
rules:
|
|
|
- apiGroups: [""]
|
|
|
resources: ["services","endpoints","secrets"]
|
|
|
verbs: ["get","list","watch"]
|
|
|
- apiGroups: ["extensions"]
|
|
|
resources: ["ingresses"]
|
|
|
verbs: ["get","list","watch"]
|
|
|
- apiGroups: ["extensions"]
|
|
|
resources: ["ingresses/status"]
|
|
|
verbs: ["update"]
|
|
|
- apiGroups: ["traefik.containo.us"]
|
|
|
resources: ["middlewares"]
|
|
|
verbs: ["get","list","watch"]
|
|
|
- apiGroups: ["traefik.containo.us"]
|
|
|
resources: ["ingressroutes","traefikservices"]
|
|
|
verbs: ["get","list","watch"]
|
|
|
- apiGroups: ["traefik.containo.us"]
|
|
|
resources: ["ingressroutetcps","ingressrouteudps"]
|
|
|
verbs: ["get","list","watch"]
|
|
|
- apiGroups: ["traefik.containo.us"]
|
|
|
resources: ["tlsoptions","tlsstores"]
|
|
|
verbs: ["get","list","watch"]
|
|
|
---
|
|
|
kind: ClusterRoleBinding
|
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
|
metadata:
|
|
|
name: traefik-ingress-controller
|
|
|
roleRef:
|
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
kind: ClusterRole
|
|
|
name: traefik-ingress-controller
|
|
|
subjects:
|
|
|
- kind: ServiceAccount
|
|
|
name: traefik-ingress-controller
|
|
|
namespace: ingress-traefik
|
|
|
|
|
|
#创建资源
|
|
|
[root@k8s-master1 traefik]# kubectl apply -f traefik-rbac.yaml
|
|
|
|
|
|
#检查资源
|
|
|
[root@k8s-master1 traefik]# kubectl get secrets -n ingress-traefik|grep traefik
|
|
|
|
|
|
[root@k8s-master1 traefik]# kubectl get clusterrole -n ingress-traefik|grep traefik
|
2.4:创建配置文件
|
|
[root@k8s-master1 traefik]# vim traefik-config.yaml
|
|
|
kind: ConfigMap
|
|
|
apiVersion: v1
|
|
|
metadata:
|
|
|
name: traefik-config
|
|
|
namespace: ingress-traefik
|
|
|
data:
|
|
|
traefik.yaml: |-
|
|
|
ping: "" ## 启用 Ping
|
|
|
serversTransport:
|
|
|
insecureSkipVerify: true ## Traefik 忽略验证代理服务的 TLS 证书
|
|
|
api:
|
|
|
insecure: true ## 允许 HTTP 方式访问 API
|
|
|
dashboard: true ## 启用 Dashboard
|
|
|
debug: false ## 启用 Debug 调试模式
|
|
|
metrics:
|
|
|
prometheus: "" ## 配置 Prometheus 监控指标数据,并使用默认配置
|
|
|
entryPoints:
|
|
|
web:
|
|
|
address: ":80" ## 配置 80 端口,并设置入口名称为 web
|
|
|
websecure:
|
|
|
address: ":443" ## 配置 443 端口,并设置入口名称为 websecure
|
|
|
providers:
|
|
|
kubernetesCRD: "" ## 启用 Kubernetes CRD 方式来配置路由规则
|
|
|
kubernetesIngress: "" ## 启动 Kubernetes Ingress 方式来配置路由规则
|
|
|
log:
|
|
|
filePath: "" ## 设置调试日志文件存储路径,如果为空则输出到控制台
|
|
|
level: error ## 设置调试日志级别
|
|
|
format: json ## 设置调试日志格式
|
|
|
accessLog:
|
|
|
filePath: "" ## 设置访问日志文件存储路径,如果为空则输出到控制台
|
|
|
format: json ## 设置访问调试日志格式
|
|
|
bufferingSize: 0 ## 设置访问日志缓存行数
|
|
|
filters:
|
|
|
#statusCodes: ["200"] ## 设置只保留指定状态码范围内的访问日志
|
|
|
retryAttempts: true ## 设置代理访问重试失败时,保留访问日志
|
|
|
minDuration: 20 ## 设置保留请求时间超过指定持续时间的访问日志
|
|
|
fields: ## 设置访问日志中的字段是否保留(keep 保留、drop 不保留)
|
|
|
defaultMode: keep ## 设置默认保留访问日志字段
|
|
|
names: ## 针对访问日志特别字段特别配置保留模式
|
|
|
ClientUsername: drop
|
|
|
headers: ## 设置 Header 中字段是否保留
|
|
|
defaultMode: keep ## 设置默认保留 Header 中字段
|
|
|
names: ## 针对 Header 中特别字段特别配置保留模式
|
|
|
User-Agent: redact
|
|
|
Authorization: drop
|
|
|
Content-Type: keep
|
|
|
|
|
|
|
|
|
#创建资源
|
|
|
[root@k8s-master1 traefik]# kubectl apply -f traefik-config.yaml
|
|
|
configmap/traefik-config created
|
|
|
#查看资源
|
|
|
[root@k8s-master1 traefik]# kubectl get cm -n ingress-traefik
|
|
|
NAME DATA AGE
|
|
|
traefik-config 1 13s
|
2.5:节点添加标签
因为我们这里是通过k8s Daemonset控制器去创建pod,所以需要提前给需要调度到指定节原文链接:https://www.dqzboy.com点设置标签,这样当程序部署时 Pod 会自动调度到设置了对应Label 的节点上
|
|
[root@k8s-master1 traefik]# kubectl get nodes
|
|
|
|
|
|
|
|
|
#添加标签
|
|
|
[root@k8s-master1 traefik]# kubectl label nodes k8s-node1 IngressProxy=true
|
|
|
|
|
|
[root@k8s-master1 traefik]# kubectl label nodes k8s-node2 IngressProxy=true
|
|
|
|
|
|
[root@k8s-master1 traefik]# kubectl label nodes k8s-node3 IngressProxy=true
|
|
|
|
|
|
#查看标签
|
|
|
[root@k8s-master1 traefik]# kubectl get nodes --show-labels
|
2.6:部署Traefik
2.6.1:创建Service
|
|
traefik]# vim traefik-service.yaml
|
|
|
apiVersion: v1
|
|
|
kind: Service
|
|
|
metadata:
|
|
|
name: traefik
|
|
|
namespace: ingress-traefik
|
|
|
spec:
|
|
|
type: NodePort
|
|
|
ports:
|
|
|
name: web
|
|
|
port: 80
|
|
|
name: websecure
|
|
|
port: 443
|
|
|
name: admin
|
|
|
port: 8080
|
|
|
selector:
|
|
|
app: traefik
|
2.6.2:创建DaemonSet
|
|
traefik]# vim traefik-deploy.yaml
|
|
|
apiVersion: apps/v1
|
|
|
kind: DaemonSet
|
|
|
metadata:
|
|
|
name: traefik-ingress-controller
|
|
|
namespace: ingress-traefik
|
|
|
labels:
|
|
|
app: traefik
|
|
|
spec:
|
|
|
selector:
|
|
|
matchLabels:
|
|
|
app: traefik
|
|
|
template:
|
|
|
metadata:
|
|
|
name: traefik
|
|
|
labels:
|
|
|
app: traefik
|
|
|
spec:
|
|
|
serviceAccountName: traefik-ingress-controller
|
|
|
terminationGracePeriodSeconds: 1
|
|
|
containers:
|
|
|
image: traefik:v2.3.5
|
|
|
name: traefik-ingress-lb
|
|
|
ports:
|
|
|
name: web
|
|
|
containerPort: 80
|
|
|
hostPort: 80 ## 将容器端口绑定所在服务器的 80 端口
|
|
|
name: websecure
|
|
|
containerPort: 443
|
|
|
hostPort: 443 ## 将容器端口绑定所在服务器的 443 端口
|
|
|
name: admin
|
|
|
containerPort: 8080 ## Traefik Dashboard 端口
|
|
|
resources:
|
|
|
limits:
|
|
|
cpu: 2000m
|
|
|
memory: 1024Mi
|
|
|
requests:
|
|
|
cpu: 1000m
|
|
|
memory: 1024Mi
|
|
|
securityContext:
|
|
|
capabilities:
|
|
|
drop:
|
|
|
ALL
|
|
|
add:
|
|
|
NET_BIND_SERVICE
|
|
|
args:
|
|
|
--configfile=/config/traefik.yaml
|
|
|
volumeMounts:
|
|
|
mountPath: "/config"
|
|
|
name: "config"
|
|
|
volumes:
|
|
|
name: config
|
|
|
configMap:
|
|
|
name: traefik-config
|
|
|
tolerations: ## 设置容忍所有污点,防止节点被设置污点
|
|
|
operator: "Exists"
|
|
|
nodeSelector: ## 设置node筛选器,在特定label的节点上启动
|
|
|
IngressProxy: "true"
|
|
|
|
|
|
#创建资源
|
|
|
traefik]# kubectl apply -f traefik-deploy.yaml
|
|
|
|
|
|
#检查资源
|
|
|
traefik]# kubectl get po -n ingress-traefik
|
2.7:创建路由规则
- 我这里以traefik的面板和K8S Dashboard面板进行演示
方式1:通过CRD配置路由规则
- 这里以traefik的看板进行演示
|
|
traefik]# vim traefik-dashboard-route.yaml
|
|
|
apiVersion: traefik.containo.us/v1alpha1
|
|
|
kind: IngressRoute
|
|
|
metadata:
|
|
|
name: traefik-dashboard-route
|
|
|
namespace: ingress-traefik
|
|
|
spec:
|
|
|
entryPoints:
|
|
|
web
|
|
|
routes:
|
|
|
match: Host(`traefik.dqzboy.com`)
|
|
|
kind: Rule
|
|
|
services:
|
|
|
name: traefik #绑定至上面创建的service资源的名称
|
|
|
port: 8080
|
- 在PC机上将DaemonSet调度的节点物理IP与CRD资源中挂载的Host域名进行绑定,然后浏览器中输入traefik.dqzboy.com即可访问traefik的看板了
- 这里以K8S的官方面板进行样式
|
|
#首先我们需要先生成证书文件
|
|
|
[root@k8s-master1 traefik]# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout traefik.key -out traefik.crt -subj "/CN=dqzboy"
|
|
|
#将证书存储到 Kubernetes Secret 中
|
|
|
traefik]# kubectl create secret generic k8s-dashboard-tls --from-file=traefik.crt --from-file=traefik.key -n kubernetes-dashboard
|
|
|
|
|
|
#创建HTTPS的官方面板访问路由规则
|
|
|
traefik]# vim k8s-dashboard-router.yaml
|
|
|
apiVersion: traefik.containo.us/v1alpha1
|
|
|
kind: IngressRoute
|
|
|
metadata:
|
|
|
name: kubernetes-dashboard-route
|
|
|
namespace: kubernetes-dashboard #dashboard所属的名称空间
|
|
|
spec:
|
|
|
entryPoints:
|
|
|
websecure
|
|
|
tls:
|
|
|
secretName: k8s-dashboard-tls #上面导入的secret资源名称
|
|
|
routes:
|
|
|
match: Host(`k8sboard.dqzboy.com`)
|
|
|
kind: Rule
|
|
|
services:
|
|
|
name: kubernetes-dashboard #注意此名必须与之前部署k8s面板时的yaml文件中Service上下文中metadata段中的name段名称保持一致(也就是svc服务)
|
|
|
port: 443
|
|
|
|
|
|
#创建路由规则
|
|
|
traefik]# kubectl apply -f k8s-dashboard-router.yaml
|
- 同样我们需要在自己的PC机上进行解析域名
方式2:通过Ingress配置路由规则
|
|
traefik]# vim traefik-dashboard-ingress.yaml
|
|
|
apiVersion: extensions/v1beta1
|
|
|
kind: Ingress
|
|
|
metadata:
|
|
|
name: traefik-dashboard-ingress
|
|
|
namespace: ingress-traefik #traefik服务所属的名称空间
|
|
|
annotations:
|
|
|
: traefik
|
|
|
: web
|
|
|
spec:
|
|
|
rules:
|
|
|
host: traefik01.dqzboy.com
|
|
|
http:
|
|
|
paths:
|
|
|
path: /
|
|
|
backend:
|
|
|
serviceName: traefik
|
|
|
servicePort: 8080
|
|
|
|
|
|
#创建路由
|
|
|
traefik]# kubectl apply -f traefik-dashboard-ingress.yaml
|
|
|
|
|
|
#检查服务
|
|
|
traefik]# kubectl get ing -n ingress-traefik
|
|
|
NAME CLASS HOSTS ADDRESS PORTS AGE
|
|
|
<none> traefik01.dqzboy.com 80 26s
|
- 自己的PC的
hosts文件中进行域名解析,然后通过浏览器进行访问
|
|
#首先我们需要先生成证书文件
|
|
|
traefik]# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout traefik.key -out traefik.crt -subj "/CN=dqzboy"
|
|
|
|
|
|
#将证书存储到 Kubernetes Secret 中
|
|
|
traefik]# kubectl create secret generic k8s-dashboard-tls --from-file=traefik.crt --from-file=traefik.key -n kubernetes-dashboard
|
|
|
|
|
|
#创建资源
|
|
|
traefik]#
|
|
|
apiVersion: extensions/v1beta1
|
|
|
kind: Ingress
|
|
|
metadata:
|
|
|
name: kubernetes-dashboard-ingress
|
|
|
namespace: kubernetes-dashboard #dashboard服务所属名称空间
|
|
|
annotations:
|
|
|
: traefik
|
|
|
: "true"
|
|
|
: websecure
|
|
|
spec:
|
|
|
tls:
|
|
|
secretName: k8s-dashboard-tls
|
|
|
rules:
|
|
|
host: k8sboard01.dqzboy.com
|
|
|
http:
|
|
|
paths:
|
|
|
path: /
|
|
|
backend:
|
|
|
serviceName: kubernetes-dashboard #dashboard对应的service服务
|
|
|
servicePort: 443
|
|
|
|
|
|
traefik]# kubectl apply -f k8s-dashboard-ing.yaml
|
|
|
|
|
|
|
|
|
#检查服务
|
|
|
traefik]# kubectl get ing -n ingress-traefik
|
- 本机PC进行域名解析,然后浏览器中进行访问
评论(0)