Appendix 021. Traefik Ingress Deployment and Usage

木二
Published 2020-06-04 09:50:32
Included in the column: 木二天空

1 Helm deployment

1.1 Obtain the resources

[root@master01 ~]# mkdir ingress

[root@master01 ~]# cd ingress/

[root@master01 ingress]# helm repo add traefik https://containous.github.io/traefik-helm-chart

[root@master01 ingress]# helm repo update

1.2 Configure Traefik

[root@master01 ingress]# helm show values traefik/traefik # show the configurable options

[root@master01 ingress]# vi traefik-custom.yaml # create the Helm values file

deployment:
  enabled: true
  # Number of pods of the deployment
  replicas: 3
ports:
  # Node ports outside the default 30000-32767 range require the
  # kube-apiserver --service-node-port-range to include them
  traefik:
    port: 9000
    # Publishes the internal traefik entry point (ping and dashboard) on every node
    expose: true
    nodePort: 9000
  web:
    port: 8000
    expose: true
    nodePort: 80
  websecure:
    port: 8443
    expose: true
    nodePort: 443
service:
  enabled: true
  type: NodePort

[root@master01 ingress]# helm install traefik traefik/traefik -f traefik-custom.yaml --namespace kube-system

[root@master01 ingress]# helm list -n kube-system

[root@master01 ingress]# helm -n kube-system status traefik

Note: for deployment details, see https://github.com/containous/traefik-helm-chart;

for the default values of the Traefik Helm chart, see https://github.com/containous/traefik-helm-chart/blob/master/traefik/values.yaml.

[root@master01 ingress]# kubectl -n kube-system get pods | grep -E 'NAME|traefik'

[root@master01 ingress]# kubectl -n kube-system get svc | grep -E 'NAME|traefik'

2 Manual deployment

2.1 Create the CRD resources

[root@master01 ~]# mkdir traefik/ && cd traefik/

[root@master01 traefik]# vi traefik-crd.yaml

---
## IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced

---
## Middleware
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced

---
## IngressRouteTCP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced

---
## IngressRouteUDP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressrouteudps.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteUDP
    plural: ingressrouteudps
    singular: ingressrouteudp
  scope: Namespaced

---
## TLSOption
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced

---
## TLSStore
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsstores.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSStore
    plural: tlsstores
    singular: tlsstore
  scope: Namespaced

---
## TraefikService
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced

[root@master01 traefik]# kubectl apply -f traefik-crd.yaml

2.2 Create the ServiceAccount and RBAC

[root@master01 traefik]# vi traefik-rbac.yaml

---
## ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: kube-system
  name: traefik-ingress-controller
---
## ClusterRole
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller

rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
    verbs:
      - get
      - list
      - watch
---
## ClusterRoleBinding
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system

[root@master01 traefik]# kubectl apply -f traefik-rbac.yaml -n kube-system
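
The ClusterRole above lets the controller read Secrets in every namespace. As an added example (not part of the original article), the same rules can be granted per namespace with a Role and RoleBinding, assuming Traefik v2.2 as deployed here and assuming both providers are restricted with their `namespaces` option to the namespaces this page routes for; the namespace list is taken from the manifests on this page.

```yaml
# Added example, not from the original article.
# Static configuration change (traefik-cust.yaml, created in section 2.4):
# limit both providers to the namespaces that hold routed services.
#   providers:
#     kubernetesIngress:
#       namespaces: [kube-system, kubernetes-dashboard, default]
#     kubernetescrd:
#       namespaces: [kube-system, kubernetes-dashboard, default]
#
# Create one Role and RoleBinding like the pair below in each listed namespace
# (only metadata.namespace changes); they replace the ClusterRole and
# ClusterRoleBinding, so Secrets in other namespaces are no longer readable.
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
  namespace: kubernetes-dashboard
rules:
  - apiGroups: [""]
    resources: [services, endpoints, secrets]
    verbs: [get, list, watch]
  - apiGroups: [extensions]
    resources: [ingresses]
    verbs: [get, list, watch]
  - apiGroups: [extensions]
    resources: [ingresses/status]
    verbs: [update]
  - apiGroups: [traefik.containo.us]
    resources: [middlewares, ingressroutes, traefikservices, ingressroutetcps, ingressrouteudps, tlsoptions, tlsstores]
    verbs: [get, list, watch]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: traefik-ingress-controller
subjects:
  # The ServiceAccount created above still lives in kube-system
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
```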

2.3 Create the Service

[root@master01 traefik]# vi traefik-service.yaml

---
apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: kube-system

spec:
  type: NodePort
  ports:
    - protocol: TCP
      name: web
      port: 8000
      targetPort: 8000
      nodePort: 80
    - protocol: TCP
      name: admin
      port: 8080
      targetPort: 8080
      nodePort: 8080
    - protocol: TCP
      name: websecure
      port: 4443
      targetPort: 4443
      nodePort: 443
  selector:
    app: traefik

[root@master01 traefik]# kubectl apply -f traefik-service.yaml

2.4 Deploy Traefik

[root@master01 traefik]# mkdir ssl && cd ssl

[root@master01 ssl]# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=traefik.odocker.com"

[root@master01 ssl]# kubectl create secret generic traefik-tls --from-file=tls.crt --from-file=tls.key -n kube-system

[root@master01 ssl]# cd ..

[root@master01 traefik]# vi traefik-cust.yaml # create the configuration file

## Static configuration
entryPoints:
  web:
    address: ":8000"

  websecure:
    address: ":4443"

certificatesResolvers:
  myresolver:
    acme:
      tlschallenge: {}
      email: xhy@itzgr.com
      storage: acme.json
      # Let's Encrypt staging endpoint: issues test certificates that browsers do not trust
      caserver: https://acme-staging-v02.api.letsencrypt.org/directory
tls:
  certificates:
    - certFile: /ssl/tls.crt
      keyFile: /ssl/tls.key

api:
  dashboard: true
  # insecure: true serves the API and dashboard without authentication on port 8080
  insecure: true
ping: {}
metrics:
    prometheus: {}
# Writing Logs to a File, in JSON
log:
  filePath: "/var/traefik.log"
  format: json
  level: DEBUG
# Writing access logs to a file, in JSON
accessLog:
  filePath: "/var/access.log"
  format: json
providers:
  kubernetesIngress: {}
  kubernetescrd: {}
## Static configuration
serversTransport:
  # Disables verification of the TLS certificates presented by backend servers
  insecureSkipVerify: true

[root@master01 traefik]# kubectl create configmap traefik-config --from-file=traefik-cust.yaml -n kube-system # create a ConfigMap from the configuration file

[root@master01 traefik]# kubectl describe configmaps traefik-config -n kube-system

[root@master01 traefik]# vi traefik-deploy.yaml

---
#kind: Deployment
kind: DaemonSet
apiVersion: apps/v1
metadata:
  namespace: kube-system
  name: traefik-ingress-controller
  labels:
    app: traefik

spec:
#  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      volumes:
      - name: ssl
        secret:
          secretName: traefik-tls
      - name: config
        configMap:
          name: traefik-config
      containers:
        - name: traefik
          image: traefik:v2.2
          volumeMounts:
            - mountPath: "/ssl"
              name: ssl
            - mountPath: "/config"
              name: config
          args:
            - --configfile=/config/traefik-cust.yaml
          ports:
            - name: web
              containerPort: 8000
              hostPort: 80
            - name: websecure
              containerPort: 4443
              hostPort: 443
            - name: admin
              containerPort: 8080
              hostPort: 8080
          readinessProbe:
            httpGet:
              path: /ping
              port: 8080
            failureThreshold: 3
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
          livenessProbe:
            httpGet:
              path: /ping
              port: 8080
            failureThreshold: 3
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5

[root@master01 traefik]# kubectl apply -f traefik-deploy.yaml

[root@master01 ingress]# kubectl -n kube-system get pods | grep -E 'NAME|traefik'

[root@master01 ingress]# kubectl -n kube-system get svc | grep -E 'NAME|traefik'

2.5 Create the dashboard

Traefik is now deployed. By default, v2 does not expose the dashboard externally, so it has to be exposed manually; see step 3.1 or

3 Traefik usage examples

3.1 Route method

  • Exposing HTTP with a route: using Traefik's own UI as the example

[root@master01 traefik]# vi traefik-dashboard-route-http.yaml # Traefik route policy

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route-http
  namespace: kube-system
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`traefik.odocker.com`)
    kind: Rule
    services:
      - name: traefik
        port: 8080

[root@master01 traefik]# kubectl apply -f traefik-dashboard-route-http.yaml

Browse to: traefik.odocker.com

  • Exposing HTTPS with a route: using the Kubernetes dashboard as the example

[root@master01 ~]# openssl req -new -out dashboard.csr -key dashboard.key -subj "/CN=dashboard.odocker.com"

[root@master01 ~]# openssl x509 -req -sha256 -in dashboard.csr -out dashboard.crt -signkey dashboard.key -days 3650

[root@master01 ~]# kubectl create secret generic kubernetes-dashboard-certs --from-file="/etc/kubernetes/pki/dashboard.crt,/etc/kubernetes/pki/dashboard.key" -n kubernetes-dashboard

Note: deploy the Kubernetes dashboard with this certificate. For deploying the Kubernetes dashboard, see "Appendix 004. Kubernetes Dashboard Introduction and Usage".

[root@master01 traefik]# kubectl -n kubernetes-dashboard get secrets | grep certs

[root@master01 traefik]# kubectl -n kubernetes-dashboard get svc

[root@master01 traefik]# mkdir examples && cd examples

[root@master01 examples]# vi k8s-dashboard-route-https.yaml # Traefik route policy

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: kubernetes-dashboard-route-https
  namespace: kubernetes-dashboard
spec:
  entryPoints:
  - websecure
  tls:
    secretName: kubernetes-dashboard-certs
  routes:
  - match: Host(`dashboard.odocker.com`)
    kind: Rule
    services:
      - name: kubernetes-dashboard
        port: 443

[root@master01 examples]# kubectl apply -f k8s-dashboard-route-https.yaml

Browse to: https://dashboard.odocker.com

Note: accessing the dashboard requires importing the certificate, and using the config method is recommended; for details see "Appendix 004. Kubernetes Dashboard Introduction and Usage".

3.2 Ingress method

  • Exposing HTTP with an Ingress: create a demo for testing

[root@master01 examples]# vi traefik-demo01.yaml # create the first test Service and Pods

apiVersion: v1
kind: Service
metadata:
  name: traefikdemo01svc
  namespace: default
spec:
  selector:
    app: traefikdemo01
  ports:
  - name: http
    port: 80
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefikdemo01pod
spec:
  replicas: 3
  selector:
    matchLabels:
      app: traefikdemo01
  template:
    metadata:
      labels:
        app: traefikdemo01
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v2
        ports:
        - name: httpd
          containerPort: 80

[root@master01 examples]# kubectl apply -f traefik-demo01.yaml

[root@master01 examples]# vi traefik-demo01-ingress-http.yaml # Traefik Ingress policy

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress-demo01
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "traefik"
spec:
  rules:
  - host: demo01.odocker.com
    http:
      paths:
      - path:
        backend:
          serviceName: traefikdemo01svc
          servicePort: 80

[root@master01 examples]# kubectl apply -f traefik-demo01-ingress-http.yaml

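Browse to: demo01.odocker.com

  • Exposing HTTPS with an Ingress: using the Traefik dashboard as the example

The certificate for traefik.odocker.com was already created in section 2.4 of this lab, so HTTPS is exposed here directly through an Ingress.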

[root@master01 traefik]# kubectl -n kube-system get secrets | grep -E 'traefik-tls|NAME'

NAME TYPE DATA AGE

traefik-tls Opaque 2 80m

[root@master01 traefik]# vi traefik-dashboard-ingress-https.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-dashboard-ingress-https
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: "traefik"
spec:
  tls:
  - secretName: traefik-tls

  rules:
  - host: traefik.odocker.com
    http:
      paths:
      - path:
        backend:
          serviceName: traefik
          servicePort: 8080

[root@master01 traefik]# kubectl apply -f traefik-dashboard-ingress-https.yaml

[root@master01 traefik]# kubectl get ingress -o wide -n kube-system | grep -E 'NAME|https'

NAME CLASS HOSTS ADDRESS PORTS AGE

traefik-dashboard-ingress-https <none> traefik.odocker.com 80, 443 17m

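Browse to: https://traefik.odocker.com.

3.3 Automatic redirect

An automatic redirect can be configured so that HTTP requests are redirected to HTTPS. This example implements it with the route method, using the exposed Traefik dashboard as the example.

[root@master01 traefik]# kubectl delete -f traefik-dashboard-ingress-https.yaml # delete the Traefik dashboard exposure created earlier

[root@master01 traefik]# vi traefik-cust.yaml

……
entryPoints:
  web:
    address: ":8000"  # same address as in section 2.4 (containerPort 8000)
    http:
      redirections:
        entryPoint:
          # the redirect targets the websecure entry point's own port (4443)
          to: websecure
          scheme: https  # added: redirect to HTTPS
……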

[root@master01 traefik]# kubectl delete -n kube-system configmaps traefik-config

[root@master01 traefik]# kubectl create configmap traefik-config --from-file=traefik-cust.yaml -n kube-system

[root@master01 traefik]# kubectl apply -f traefik-deploy.yaml

[root@master01 traefik]# vi traefik-dashboard-route-http.yaml

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route-http
  namespace: kube-system
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`traefik.odocker.com`)
    kind: Rule
    services:
      - name: traefik
        port: 8080

[root@master01 traefik]# vi traefik-dashboard-route-https.yaml

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route-https
  namespace: kube-system
spec:
  entryPoints:
  - websecure
  tls:
    secretName: traefik-tls
  routes:
  - match: Host(`traefik.odocker.com`)
    kind: Rule
    services:
      - name: traefik
        port: 8080

[root@master01 traefik]# kubectl apply -f traefik-dashboard-route-http.yaml

[root@master01 traefik]# kubectl apply -f traefik-dashboard-route-https.yaml

Browse to: http://traefik.odocker.com.
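
The dashboard routes above forward to port 8080, where `api.insecure: true` serves the API and dashboard without authentication. As an added example (not from the original article), the dashboard can instead be routed to Traefik's internal `api@internal` service behind a basicAuth middleware; the names `dashboard-auth` and `dashboard-users` are hypothetical, and the IngressRoute replaces the `traefik-dashboard-route-https` object of the same name.

```yaml
# Added example, not from the original article. "dashboard-auth" and
# "dashboard-users" are hypothetical names chosen for this sketch.
#
# Static configuration (traefik-cust.yaml): keep the dashboard enabled but stop
# serving it unauthenticated.
#   api:
#     dashboard: true
#     insecure: false
#
# Credentials: a Secret with a single key "users" holding htpasswd lines, e.g.
#   htpasswd -nB admin > users        # prompts for the password, bcrypt hash
#   kubectl -n kube-system create secret generic dashboard-users --from-file=users
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
  namespace: kube-system
spec:
  basicAuth:
    secret: dashboard-users
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route-https
  namespace: kube-system
spec:
  entryPoints:
  - websecure
  tls:
    secretName: traefik-tls
  routes:
  # Only the dashboard and API paths are routed, and only after authentication
  - match: Host(`traefik.odocker.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
    kind: Rule
    middlewares:
      - name: dashboard-auth
    services:
      - name: api@internal
        kind: TraefikService
```

With this route the dashboard is reached at https://traefik.odocker.com/dashboard/ (the trailing slash is required).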

References: https://docs.traefik.io/user-guides/crd-acme/

http://www.mydlq.club/article/72/

Originally published: 2020-06-02