• k8s 部署 traefik1.7


    1. 创建 traefik secret tls 证书, 注意类型是 secret tls 而不是 secret generic; 由于 Ingress 的 tls.secretName 只能引用同一 namespace 中的 Secret, 每一个 namespace 都要创建

    # Type must be "tls" (not "generic"): kubectl stores the pair under the keys tls.crt/tls.key,
    # which are the file names traefik.toml reads from the /ssl mount.
    # The Secret name traefik-cert is referenced by the DaemonSet volume (step 4) and by Ingress tls.secretName (step 6).
    kubectl create secret tls traefik-cert --key /tmp/traefik/cinyi.com.key --cert /tmp/traefik/cinyi.com.cer -n kube-system

    2. 创建traefik.toml文件,并且引入到configmap中

    [root@master1 traefik]# cat traefik.toml 
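    # Traefik 1.7 static configuration. It is shipped in the traefik-conf ConfigMap
    # and selected by --configfile=/config/traefik.toml in the DaemonSet (step 4).
    # NOTE(review): insecureSkipVerify = true turns off verification of the TLS
    # certificates presented by backend services; keep it only if backends use
    # self-signed certificates and are reachable solely over the cluster network.
    insecureSkipVerify = true
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
        # Requests arriving on :80 are redirected to the https entry point,
        # so no plain-HTTP traffic is served even for Ingresses without a tls section.
        [entryPoints.http.redirect]
        entryPoint = "https"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          # Default paths, do not change: the traefik-cert Secret is mounted at /ssl
          # by the DaemonSet, and a "secret tls" stores its data as tls.crt / tls.key.
          certFile = "/ssl/tls.crt"
          # Closing quote was missing in the original listing; an unterminated
          # string makes the whole file unparseable and Traefik fails to start.
          keyFile = "/ssl/tls.key"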

    创建 configmap

    # --from-file keys the entry by the file's basename, so mounting the ConfigMap at /config
    # yields /config/traefik.toml, the path given to --configfile in the DaemonSet.
    kubectl create configmap traefik-conf --from-file=/tmp/traefik/traefik.toml -n kube-system

    3. rbac授权

    [root@master1 traefik]# cat traefik-rbac.yaml 
    ---
    # rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22;
    # use rbac.authorization.k8s.io/v1 on current clusters (same schema).
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: traefik-ingress-controller
    rules:
      - apiGroups:
          - ""
        resources:
          - services
          - endpoints
          # NOTE(review): read access to secrets is needed so Traefik can load the
          # Ingress TLS Secret, but because this is a ClusterRole it grants
          # get/list/watch on every Secret in every namespace.
          - secrets
        verbs:
          - get
          - list
          - watch
      # Traefik 1.7 watches the extensions/v1beta1 Ingress objects used in steps 5 and 6.
      - apiGroups:
          - extensions
        resources:
          - ingresses
        verbs:
          - get
          - list
          - watch
      # Allows Traefik to write load-balancer status back onto the Ingress objects.
      - apiGroups:
        - extensions
        resources:
        - ingresses/status
        verbs:
        - update
    ---
    # Binds the role above to the ServiceAccount declared in traefik-ds.yaml (step 4).
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: traefik-ingress-controller
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: traefik-ingress-controller
    subjects:
    - kind: ServiceAccount
      name: traefik-ingress-controller
      namespace: kube-system

    4. traefik 采用 daemonset 模式部署, 挂载 secret 和 configmap 资源, 添加了 https 端口, args 添加了 --configfile=/config/traefik.toml 参数

    [root@master1 traefik]# cat traefik-rbac.yaml 
    ---
    # NOTE: this listing is a verbatim repeat of traefik-rbac.yaml from step 3;
    # the manifests that step 4 describes are in traefik-ds.yaml, shown next.
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: traefik-ingress-controller
    rules:
      - apiGroups:
          - ""
        resources:
          - services
          - endpoints
          - secrets
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - extensions
        resources:
          - ingresses
        verbs:
          - get
          - list
          - watch
      - apiGroups:
        - extensions
        resources:
        - ingresses/status
        verbs:
        - update
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: traefik-ingress-controller
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: traefik-ingress-controller
    subjects:
    - kind: ServiceAccount
      name: traefik-ingress-controller
      namespace: kube-system
    [root@master1 traefik]# cat traefik-ds.yaml 
    ---
    # ServiceAccount that the ClusterRoleBinding in traefik-rbac.yaml (step 3) targets.
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: traefik-ingress-controller
      namespace: kube-system
    ---
    # One Traefik pod per node. hostPort publishes 80, 443 and 18080 directly on
    # every node's address, independent of the Service below.
    kind: DaemonSet
    apiVersion: apps/v1
    metadata:
      name: traefik-ingress-controller
      namespace: kube-system
      labels:
        k8s-app: traefik-ingress-lb
    spec:
      selector:
        matchLabels:
          k8s-app: traefik-ingress-lb
          name: traefik-ingress-lb
      template:
        metadata:
          labels:
            k8s-app: traefik-ingress-lb
            name: traefik-ingress-lb
        spec:
          serviceAccountName: traefik-ingress-controller
          terminationGracePeriodSeconds: 60
          volumes:
          # traefik-cert (step 1) is mounted at /ssl, where traefik.toml expects tls.crt / tls.key.
          - name: ssl
            secret:
              secretName: traefik-cert
          # traefik-conf (step 2) provides /config/traefik.toml for --configfile below.
          - name: config
            configMap:
              name: traefik-conf
          containers:
          # Image comes from a private registry; consider pinning a digest for reproducible rollouts.
          - image: 172.16.230.84/source/traefik:v1.7
            name: traefik-ingress-lb
            volumeMounts:
            - mountPath: "/ssl"
              name: "ssl"
            - mountPath: "/config"
              name: "config"
            ports:
            - name: http
              containerPort: 80
              hostPort: 80
            # NOTE(review): --api enables the Traefik API/dashboard on 8080. Nothing in
            # this listing or in traefik.toml configures authentication for it, and it is
            # reachable on every node's :18080 as well as through the Service below.
            # Restrict it (network policy / node firewall) or add auth before exposing it.
            - name: admin
              containerPort: 8080
              hostPort: 18080
            - name: https
              containerPort: 443
              hostPort: 443
            # Drop every capability and add back only NET_BIND_SERVICE, which is what
            # binding the privileged ports :80 and :443 requires.
            securityContext:
              capabilities:
                drop:
                - ALL
                add:
                - NET_BIND_SERVICE
            args:
            # Static config from the ConfigMap mount; --kubernetes turns on the Ingress provider.
            - --configfile=/config/traefik.toml
            - --api
            - --kubernetes
            - --logLevel=INFO
    ---
    # No type is set, so this is a ClusterIP Service. It exposes the same three
    # ports in-cluster, including the admin port 8080 noted above.
    kind: Service
    apiVersion: v1
    metadata:
      name: traefik-ingress-service
      namespace: kube-system
    spec:
      selector:
        k8s-app: traefik-ingress-lb
      ports:
        - protocol: TCP
          port: 80
          name: web
        - protocol: TCP
          port: 8080
          name: admin
        - protocol: TCP
          port: 443
          name: https

    5. Ingress without TLS

    # extensions/v1beta1 Ingress was removed in Kubernetes 1.22; networking.k8s.io/v1
    # is the replacement on current clusters.
    # No tls section here, but traefik.toml redirects :80 to :443, so requests for this
    # host should still end up on HTTPS using the default certificate from /ssl.
    # No kubernetes.io/ingress.class annotation (step 6 sets one); Traefik 1.7 is
    # expected to pick up unannotated Ingresses as well — confirm if another
    # ingress controller runs in the cluster.
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: hipempifefrontend80
      namespace: senyint
    spec:
      rules:
      - host: hip.cinyi.com
        http:
          paths:
          - path: /
            backend:
              serviceName: hipempifefrontend
              servicePort: 80

    6. Ingress TLS

    [root@master1 traefik]# cat hipempifefrontend_443.yaml 
    # extensions/v1beta1 Ingress was removed in Kubernetes 1.22; networking.k8s.io/v1
    # is the replacement on current clusters.
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: hipempifefrontend-web
      namespace: senyint
      annotations:
        # Routes this Ingress to Traefik explicitly.
        kubernetes.io/ingress.class: traefik
    spec:
      tls:
      # secretName is resolved in this Ingress's own namespace (senyint), which is why
      # step 1 says the traefik-cert Secret must be created in every namespace that uses it.
      - secretName: traefik-cert
      rules:
      - host: fengjian.cinyi.com
        http:
          paths:
          # No path given, so requests for this host are routed to the backend regardless of path.
          - backend:
              serviceName: hipempifefrontend
              servicePort: 80

    参考

    https://www.cnblogs.com/netonline/archive/2019/06/20/10968046.html

    https://docs.traefik.io/v1.7/user-guide/kubernetes/#add-a-tls-certificate-to-the-ingress?tdsourcetag=s_pctim_aiomsg

  • 原文地址:https://www.cnblogs.com/fengjian2016/p/13361847.html