
Installing Traefik 2.3 on Kubernetes

04 Mar
Author: 西洪室 | Category: Technology
Traefik 2.3 opens two entrypoints, HTTP and HTTPS, as the reverse-proxy entry into the cluster. The diagram below shows the request path through the HTTP entrypoint.

[Figure: request path through the HTTP entrypoint]

[Figure]


1. Resource manifests
Official docs: https://doc.traefik.io/traefik/routing/providers/kubernetes-crd/
1) CustomResourceDefinition manifests (copied unchanged from upstream)
These definitions use apiextensions.k8s.io/v1beta1, which Kubernetes removed in 1.22; on newer clusters take the v1 CRDs shipped with the Traefik release you run. The traefik.containo.us API group was superseded by traefik.io in Traefik 2.10, so these manifests match Traefik 2.3 specifically.
crd.yaml
mkdir /data/k8s-yaml/traefik
vi /data/k8s-yaml/traefik/crd.yaml
# All resource definitions must be declared
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressrouteudps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteUDP
    plural: ingressrouteudps
    singular: ingressrouteudp
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsstores.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSStore
    plural: tlsstores
    singular: tlsstore
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced
2) RBAC manifest (modified from upstream)
Three points to check before applying it. A ClusterRole is cluster-scoped, so a namespace field in its metadata is meaningless and can be removed. The rule on core secrets is what lets Traefik read TLS certificates referenced by IngressRoutes, but it grants read access to every Secret in every namespace, so the token of the traefik-ingress-controller service account is a cluster-wide credential and must be protected accordingly. On Kubernetes 1.19 and later the Ingress resource lives in the networking.k8s.io API group; if the kubernetesIngress provider enabled in the ConfigMap below is meant to serve such objects, add networking.k8s.io next to extensions in the ingresses rules. Like the CRDs, rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; use v1 there.
rbac.yaml
vi /data/k8s-yaml/traefik/rbac.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
3) Create the Traefik static configuration file (custom)
Traefik configuration comes in two flavours:
* dynamic configuration: the fully dynamic routing configuration
* static configuration: the startup configuration
The elements of the static configuration (the ones that rarely change) connect to providers and define the entrypoints Traefik listens on.
Static configuration can be supplied in three ways: a configuration file, command-line arguments, or environment variables.
Dynamic configuration holds everything that defines how the system handles requests. It can change at any time and is hot-reloaded seamlessly, without request interruption or connection loss.
Here the common base configuration goes into the static configuration, delivered as a ConfigMap.
configmap.yaml
vi /data/k8s-yaml/traefik/configmap.yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-config
  namespace: kube-system
data:
  traefik.yaml: |-
    serversTransport:
      insecureSkipVerify: true
    api:
      insecure: true            
      dashboard: true           
      debug: false              
    metrics:
      prometheus:
        entryPoint: metrics
    entryPoints:
      web:
        address: ":80"
        forwardedHeaders:
          insecure: true
      websecure:
        address: ":443"
        forwardedHeaders:
          insecure: true
      traefik:
        address: ":8090"        
      metrics:
        address: ":8082"        
      tcpep:
        address: ":8000"        
      udpep:
        address: ":9000/udp"    
    providers:
      kubernetescrd:            
        ingressclass: ""
      kubernetesingress:        
        ingressclass: ""
    log:
      filePath: "/etc/traefik/logs/traefik.log"              
      level: error              
      format: ""                
    accessLog:
      filePath: "/etc/traefik/logs/access.log"              
      format: ""                
      bufferingSize: 0          
      filters:
        retryAttempts: true     
        minDuration: 20         
      fields:                   
        defaultMode: keep       
        names:                  
          ClientUsername: drop  
        headers:                
          defaultMode: keep     
          names:                
            User-Agent: redact
            Authorization: drop
            Content-Type: keep
Explanation of the ConfigMap parameters:
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-config
  namespace: kube-system
data:
  traefik.yaml: |-              ## name of the Traefik static configuration file
    serversTransport:
      insecureSkipVerify: true  ## skip TLS certificate verification for backends: Traefik accepts any certificate, so a spoofed backend goes unnoticed
    api:
      insecure: true            ## serve the API and dashboard over plain HTTP on the "traefik" entrypoint, without authentication
      dashboard: true           ## enable the dashboard
      debug: false              ## enable the debug endpoints (off here)
    metrics:
      prometheus:
        entryPoint: metrics     ## expose Prometheus metrics on the "metrics" entrypoint (default settings otherwise)
    entryPoints:
      web:
        address: ":80"          ## listen on port 80, entrypoint name "web"
        forwardedHeaders:
          insecure: true        ## trust X-Forwarded-* headers from any client (default: false); any client can then forge its apparent source address
      websecure:
        address: ":443"         ## listen on port 443, entrypoint name "websecure"
        forwardedHeaders:
          insecure: true        ## same as above
      traefik:
        address: ":8090"        ## listen on port 8090, entrypoint name "traefik"; this is where api.insecure publishes the dashboard
      metrics:
        address: ":8082"        ## listen on port 8082 for metrics scraping
      tcpep:
        address: ":8000"        ## listen on port 8000 as a TCP entrypoint
      udpep:
        address: ":9000/udp"    ## listen on port 9000 as a UDP entrypoint
    providers:
      kubernetesCRD:            ## enable the Kubernetes CRD provider (IngressRoute, Middleware, ...)
        ingressClass: ""
      kubernetesIngress:        ## enable the Kubernetes Ingress provider
        ingressClass: ""
    log:
      filePath: "/etc/traefik/logs/traefik.log"   ## path of the Traefik log file; empty means stdout
      level: error              ## log level
      format: ""                ## log format; empty is the default text format, "json" for JSON
    accessLog:
      filePath: "/etc/traefik/logs/access.log"    ## path of the access log; empty means stdout
      format: ""                ## access log format
      bufferingSize: 0          ## number of access log lines buffered before writing
      filters:                  ## when filters are set a request is logged only if it matches at least one of them
        #statusCodes: ["200"]   ## keep only requests whose status code falls in the given ranges
        retryAttempts: true     ## keep requests that were retried against the backend
        minDuration: 20         ## keep requests that took longer than this; a bare integer is read as seconds (write "20ms" for milliseconds), so with these two filters an ordinary request that finishes in under 20 s and is not retried is not logged at all
      fields:                   ## which access log fields to keep (keep / drop)
        defaultMode: keep       ## keep every field by default
        names:                  ## per-field overrides
          ClientUsername: drop  
        headers:                ## whether request headers are logged
          defaultMode: keep     ## log every header by default; this includes Cookie, so prefer drop as the default and list the headers you need
          names:                ## per-header overrides
            User-Agent: redact
            Authorization: drop
            Content-Type: keep
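The static configuration above switches off three protections at once: backend certificate verification (serversTransport.insecureSkipVerify), authentication on the API and dashboard (api.insecure), and the origin check on X-Forwarded-* headers (forwardedHeaders.insecure). The following is an added example, not the post's own file, showing the same configuration with those settings in their hardened form, plus an HTTP to HTTPS redirect and a header-logging default that keeps cookies out of the access log. The 10.0.0.0/8 range, the CA file path and the redirect are assumptions to adapt to the environment.

```yaml
# Hardened variant of the static configuration above (added example, not the
# post's own file). Lines marked ASSUMED are placeholders for this environment.
serversTransport:
  insecureSkipVerify: false              # verify backend TLS certificates again
  rootCAs:
    - /etc/traefik/certs/backend-ca.pem  # ASSUMED: CA that signed the backend certificates, mounted from a Secret
api:
  insecure: false                        # no unauthenticated API/dashboard on the "traefik" entrypoint
  dashboard: true                        # the dashboard stays reachable through the api@internal service behind an IngressRoute with auth
  debug: false
metrics:
  prometheus:
    entryPoint: metrics                  # scrape on the dedicated "metrics" entrypoint, not on a public one
entryPoints:
  web:
    address: ":80"
    forwardedHeaders:
      trustedIPs:                        # X-Forwarded-* is honoured only from these peers; headers from anyone else are overwritten
        - 10.0.0.0/8                     # ASSUMED: the load balancer / node range in front of Traefik
    http:
      redirections:                      # everything arriving on plain HTTP is redirected to websecure
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    forwardedHeaders:
      trustedIPs:
        - 10.0.0.0/8                     # ASSUMED, same range as above
  metrics:
    address: ":8082"
  tcpep:
    address: ":8000"
  udpep:
    address: ":9000/udp"
providers:
  kubernetesCRD:
    ingressClass: ""
  kubernetesIngress:
    ingressClass: ""
log:
  filePath: "/etc/traefik/logs/traefik.log"
  level: error
accessLog:
  filePath: "/etc/traefik/logs/access.log"
  bufferingSize: 0                       # no filters: every request is logged
  fields:
    defaultMode: keep
    names:
      ClientUsername: drop
    headers:
      defaultMode: drop                  # headers are not logged unless listed: keeps Cookie, Set-Cookie and bearer tokens out of the log
      names:
        User-Agent: keep
        Content-Type: keep
```

The "traefik" entrypoint on 8090 is gone because nothing listens there once api.insecure is false. Which peers belong in trustedIPs depends on how traffic reaches the pod: through the hostPort binding the peer is the real client or the upstream load balancer, through a LoadBalancer Service with the default externalTrafficPolicy it is a node address. With the redirect in place, routes that should answer over HTTPS must be attached to websecure, not web.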


4) Traefik DaemonSet and Service (modified from upstream: load the ConfigMap, write logs to a host directory backed by NFS, and bind container ports 80 and 443 to host ports 81 and 4443). If you do not want log files, set the filePath values above to empty strings.

daemonset.yaml
vi /data/k8s-yaml/traefik/daemonset.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: traefik
  namespace: kube-system
  labels:
    app: traefik
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: harbor.goodboy.com/public/traefik:v2.3
          args:
            - --configfile=/config/traefik.yaml
          ports:
            - name: web
              containerPort: 80
              hostPort: 81
            - name: websecure
              containerPort: 443
              hostPort: 4443
            - name: admin
              containerPort: 8090
            - name: tcpep
              containerPort: 8000
            - name: udpep
              containerPort: 9000
          volumeMounts:
          - mountPath: "/config"
            name: "config"
          - mountPath: /etc/traefik/logs
            name: logdir
          - mountPath: /etc/localtime
            name: timezone
            readOnly: true
      volumes:
        - name: config
          configMap:
            name: traefik-config
        - name: logdir
          hostPath:
            path: /data/nfs/traefik/logs
            type: "DirectoryOrCreate"
        - name: timezone
          hostPath:
            path: /etc/localtime
            type: File
---
apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: kube-system
spec:
  type: LoadBalancer
  selector:
    app: traefik
  ports:
    - protocol: TCP
      port: 80
      name: web
      targetPort: 80
    - protocol: TCP
      port: 8090
      name: admin
      targetPort: 8090
    - protocol: TCP
      port: 8000
      name: tcpep
      targetPort: 8000
---
apiVersion: v1
kind: Service
metadata:
  name: traefikudp
  namespace: kube-system
spec:
  type: LoadBalancer
  selector:
    app: traefik
  ports:
    - protocol: UDP
      port: 9000
      name: udpep
      targetPort: 9000
Note what these Service objects publish: the LoadBalancer Service named traefik exposes port 8090, which with api.insecure: true is the unauthenticated dashboard and API, to every client that can reach the load balancer. The websecure entrypoint on 443 is defined but not exposed by any Service, so only the hostPort 4443 binding reaches it.
At startup Traefik looks for a file named traefik.toml (or traefik.yml / traefik.yaml) in:
* /etc/traefik/
* $XDG_CONFIG_HOME/
* $HOME/.config/
* . (the working directory)
The configFile argument overrides this search:
traefik --configFile=foo/bar/myconfigfile.toml
In the DaemonSet that is what the args entry does:

   - --configfile=/config/traefik.yaml   points at the configuration file, which the volumes section mounts into the container from the ConfigMap


5) Deploy the dashboard, mapping Traefik's web UI to the domain traefik.goodboy.com
dashboard.yaml
vi /data/k8s-yaml/traefik/dashboard.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`traefik.goodboy.com`)
      kind: Rule
      services:
        - name: traefik
          port: 8090
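The IngressRoute above publishes the dashboard over plain HTTP with no authentication to anyone who can resolve traefik.goodboy.com. As an added example (not part of the original post), here is the same dashboard exposed through Traefik's built-in api@internal service on websecure, behind a basic-auth Middleware and a source-IP allowlist. It assumes api.insecure is set to false in the static configuration (otherwise the unauthenticated copy on port 8090 remains reachable); the hostname is the post's, while the 10.0.0.0/8 range and the credential line are placeholders.

```yaml
# Added example, not part of the original post. Assumes api.insecure: false.
apiVersion: v1
kind: Secret
metadata:
  name: traefik-dashboard-auth
  namespace: kube-system
type: Opaque
stringData:
  # one htpasswd line per user; generate with: htpasswd -nb admin 'your-password'
  users: "admin:REPLACE_WITH_HTPASSWD_HASH"   # PLACEHOLDER, not a real hash
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
  namespace: kube-system
spec:
  basicAuth:
    secret: traefik-dashboard-auth   # Secret must carry the "users" key
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-allowlist
  namespace: kube-system
spec:
  ipWhiteList:                       # Traefik 2.x name; checked against the TCP peer address by default
    sourceRange:
      - 10.0.0.0/8                   # ASSUMED: the admin network
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: kube-system
spec:
  entryPoints:
    - websecure                      # TLS only; nothing on the plain-HTTP "web" entrypoint
  routes:
    - match: Host(`traefik.goodboy.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      middlewares:                   # applied in order: allowlist first, then credentials
        - name: dashboard-allowlist
        - name: dashboard-auth
      services:
        - name: api@internal         # Traefik's own API/dashboard, no Service or port 8090 needed
          kind: TraefikService
  tls: {}                            # uses the default (self-signed) certificate until one is configured
```

Once this is in place the admin port 8090 can be dropped from the DaemonSet and the LoadBalancer Service. Because ipWhiteList checks the TCP peer address by default, clients arriving through a LoadBalancer Service with the default externalTrafficPolicy appear as node addresses; set externalTrafficPolicy: Local or rely on the hostPort path if the allowlist is meant to see real client addresses.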

2. Deploy Traefik on Kubernetes
Apply the manifests in order: CRDs and RBAC first, since the DaemonSet needs both. They are fetched here from an internal web server over plain HTTP; anyone able to tamper with that traffic can substitute manifests that run with the cluster-wide rights granted above, so serve them over HTTPS or apply the local files under /data/k8s-yaml/traefik/ instead.
[root@m1-101 ~]# kubectl apply -f http://k8s-yaml.goodboy.com/traefik/crd.yaml
[root@m1-101 ~]# kubectl apply -f http://k8s-yaml.goodboy.com/traefik/rbac.yaml

[root@m1-101 ~]# kubectl apply -f http://k8s-yaml.goodboy.com/traefik/configmap.yaml
[root@m1-101 ~]# kubectl apply -f http://k8s-yaml.goodboy.com/traefik/daemonset.yaml
[root@m1-101 ~]# kubectl apply -f http://k8s-yaml.goodboy.com/traefik/dashboard.yaml



