Traefik 2.0 Now GA! Traefik V2真正来了！

用户3013098

发布于 2022-05-31 20:54:34

5090

发布于 2022-05-31 20:54:34

文章被收录于专栏：devops运维先行者

没错，Traefik V2已经GA了，代表着Traefik v2已经在生产环境使用。进入官网https://traefik.io/ ，可以看到醒目的Traefik 2.0 Now GA。

相较于Traefik v1，v2版本已经更新了很多特性，增加了许多新功能，特别是令人期待的TCP和k8s CRD功能。接下来我们就来探索下 Traefik 2.0 中有哪些新增的功能呢？

01 Frontends && Backends are dead

Frontends and Backends Are Dead... ... Long Live Routers, Middlewares, and Services

没错，Frontends 与 Backends 已经被去掉，无法使用，取代它们的将是Routers,Middlewares和Services：routers替代frontends，services替代backends，routers使用middlewares。来看下v1与v2 k8s ingress的前后使用区别：

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/rule-type: PathPrefix
spec:
  rules:
  - host: test.locahost
    http:
      paths:
      - path: /test
        backend:
          serviceName: server0
          servicePort: 80
      - path: /test
        backend:
          serviceName: server1
          servicePort: 80

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: basicauth
  namespace: foo

spec:
  basicAuth:
    users:
      - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
      - test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar

spec:
  entryPoints:
    - http
  routes:
  - match: Host(`test.localhost`) && PathPrefix(`/test`)
    kind: Rule
    services:
    - name: server0
      port: 80
    - name: server1
      port: 80
    middlewares:
    - name: basicauth
      namespace: foo

可以看到，通过kubernetesCRD，traefik可以使用IngressRoute功能，并且v2跟v1的使用有很大的差异，说之为完全不一样的两个也不为过。

02 TLS

TLS configuration is now dynamic, per router.

TLS不再固定，从而将变成可以被routers引用的动态配置。

# static configuration
[entryPoints]
  [entryPoints.web-secure]
    address = ":443"

    [entryPoints.web-secure.tls]
      minVersion = "VersionTLS12"
      cipherSuites = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_256_GCM_SHA384"
       ]
      [[entryPoints.web-secure.tls.certificates]]
        certFile = "path/to/my.cert"
        keyFile = "path/to/my.key"

# The definitions below require the definitions for the TLSOption and IngressRoute kinds.  
# https://docs.traefik.io/v2.0/providers/kubernetes-crd/#traefik-ingressroute-definition
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: mytlsoption
  namespace: default

spec:
  minVersion: VersionTLS13
  cipherSuites:
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_RSA_WITH_AES_256_GCM_SHA384

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar

spec:
  entryPoints:
    - web
  routes:
    - match: Host(`bar.com`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls:
    options: 
      name: mytlsoption
      namespace: default

03 HTTP && HTTPS

HTTP to HTTPS Redirection is now configured on Routers

HTTPS现在已经可以在routers里面使用middlewares配置HTTP跳转了。

# static configuration
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"

  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
        certFile = "examples/traefik.crt"
        keyFile = "examples/traefik.key"

##K8S IngressRoute
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: http-redirect-ingressRoute

spec:
  entryPoints:
    - web
  routes:
    - match: Host(`foo.com`)
      kind: Rule
      services:
        - name: whoami
          port: 80
      middlewares:
        - name: redirect

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: https-ingressRoute

spec:
  entryPoints:
    - web-secure
  routes:
    - match: Host(`foo`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls: {}

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect
spec:
  redirectScheme:
    scheme: https

04 TCP

Traefik v2不再单单仅支持7层负载，现在已经可以支持4层负载，支持TCP。

tcp:
  services:
    app:
      weighted:
        services:
        - name: appv1
          weight: 3
        - name: appv2
          weight: 1

    appv1:
      loadBalancer:
        servers:
        - address: "xxx.xxx.xxx.xxx:8080"

    appv2:
      loadBalancer:
        servers:
        - address: "xxx.xxx.xxx.xxx:8080"

TCP与HTTP同时使用：

tcp:
  routers:
    to-db-1:
      entrypoints:
      - web-secure
      rule: "HostSNI(`db1.domain`)"
      service: "db-1"
      tls: {}
http:
  routers:
    to-db1-dashboard:
      entrypoints:
      - web-secure
      rule: "Host(`dashboard.db1.domain`)"
      service: "db1-dashboard"
      tls: {}

上面这个示例中， dashboard.db1.domain 上的 HTTP 请求将路由到数据库的 Dashboard 服务上，而上面的 db1.domain 上的 TCP 请求将路由到数据库上面去。So cool!