• The traefik-ingress-controller bundled with a k8s cluster installed by KubeOperator


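    Prerequisites

    This continues from the previous article: https://www.cnblogs.com/sanduzxcvbnm/p/15740596.html

    traefik-ingress-controller and nginx-ingress-controller cannot coexist, because both need to occupy ports 80 and 443 on the host. nginx-ingress-controller therefore has to be uninstalled first: kubectl delete -f nginx-ingress-controller.yaml

    Installation

    Two files are involved: crds.yaml and traefik-ingress-controller.yaml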

    # cat crds.yaml
    
    # ref: https://docs.traefik.io/providers/kubernetes-crd/
    
    # All resources definition must be declared
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      name: ingressroutes.traefik.containo.us
    
    spec:
      group: traefik.containo.us
      version: v1alpha1
      names:
        kind: IngressRoute
        plural: ingressroutes
        singular: ingressroute
      scope: Namespaced
    
    ---
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      name: middlewares.traefik.containo.us
    
    spec:
      group: traefik.containo.us
      version: v1alpha1
      names:
        kind: Middleware
        plural: middlewares
        singular: middleware
      scope: Namespaced
    
    ---
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      name: ingressroutetcps.traefik.containo.us
    
    spec:
      group: traefik.containo.us
      version: v1alpha1
      names:
        kind: IngressRouteTCP
        plural: ingressroutetcps
        singular: ingressroutetcp
      scope: Namespaced
    
    ---
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      name: ingressrouteudps.traefik.containo.us
    
    spec:
      group: traefik.containo.us
      version: v1alpha1
      names:
        kind: IngressRouteUDP
        plural: ingressrouteudps
        singular: ingressrouteudp
      scope: Namespaced
    
    ---
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      name: tlsoptions.traefik.containo.us
    
    spec:
      group: traefik.containo.us
      version: v1alpha1
      names:
        kind: TLSOption
        plural: tlsoptions
        singular: tlsoption
      scope: Namespaced
    
    ---
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      name: tlsstores.traefik.containo.us
    
    spec:
      group: traefik.containo.us
      version: v1alpha1
      names:
        kind: TLSStore
        plural: tlsstores
        singular: tlsstore
      scope: Namespaced
    
    ---
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      name: traefikservices.traefik.containo.us
    
    spec:
      group: traefik.containo.us
      version: v1alpha1
      names:
        kind: TraefikService
        plural: traefikservices
        singular: traefikservice
      scope: Namespaced
    
    ---
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      name: serverstransports.traefik.containo.us
    
    spec:
      group: traefik.containo.us
      version: v1alpha1
      names:
        kind: ServersTransport
        plural: serverstransports
        singular: serverstransport
      scope: Namespaced
    
    # cat traefik-ingress-controller.yaml
    
    kind: ServiceAccount
    apiVersion: v1
    metadata:
      namespace: kube-system
      name: traefik
      labels:
        app.kubernetes.io/name: traefik
    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: traefik
      labels:
        app.kubernetes.io/name: traefik
    rules:
      - apiGroups:
          - ""
        resources:
          - services
          - endpoints
          - secrets
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - extensions
          - networking.k8s.io
        resources:
          - ingresses
          - ingressclasses
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - extensions
          - networking.k8s.io
        resources:
          - ingresses/status
        verbs:
          - update
      - apiGroups:
          - traefik.containo.us
        resources:
          - ingressroutes
          - ingressroutetcps
          - ingressrouteudps
          - middlewares
          - tlsoptions
          - tlsstores
          - traefikservices
          - serverstransports
        verbs:
          - get
          - list
          - watch
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: traefik
      labels:
        app.kubernetes.io/name: traefik
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: traefik
    subjects:
      - kind: ServiceAccount
        name: traefik
        namespace: kube-system
    ---
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      namespace: kube-system
      name: traefik
      labels:
        app.kubernetes.io/name: traefik
    spec:
      selector:
        matchLabels:
          app.kubernetes.io/name: traefik
      template:
        metadata:
          labels:
            app.kubernetes.io/name: traefik
        spec:
          serviceAccountName: traefik
          terminationGracePeriodSeconds: 60
          hostNetwork: true
          dnsPolicy: ClusterFirstWithHostNet
          nodeSelector:
            kubernetes.io/os: linux
            node-role.kubernetes.io/worker: ""
          containers:
          - image: registry.kubeoperator.io:8082/traefik:v2.4.8
            imagePullPolicy: IfNotPresent
            name: traefik
            resources:
            readinessProbe:
              httpGet:
                path: /ping
                port: 18443
              failureThreshold: 1
              initialDelaySeconds: 10
              periodSeconds: 10
              successThreshold: 1
              timeoutSeconds: 2
            livenessProbe:
              httpGet:
                path: /ping
                port: 18443
              failureThreshold: 3
              initialDelaySeconds: 10
              periodSeconds: 10
              successThreshold: 1
              timeoutSeconds: 2
            ports:
            - name: "traefik"
              containerPort: 18443
              protocol: "TCP"
            - name: "web"
              containerPort: 80
              protocol: "TCP"
            - name: "websecure"
              containerPort: 443
              protocol: "TCP"
            securityContext:
              capabilities:
                drop:
                - ALL
                add:
                - NET_BIND_SERVICE
            volumeMounts:
              - name: data
                mountPath: /data
              - name: tmp
                mountPath: /tmp
            args:
              - "--global.checknewversion"
              - "--global.sendanonymoususage"
              - "--entryPoints.traefik.address=:18443/tcp"
              - "--entryPoints.web.address=:80/tcp"
              - "--entryPoints.websecure.address=:443/tcp"
              - "--api.insecure=true"
              - "--api.dashboard=true"
              - "--ping=true"
              - "--providers.kubernetescrd"
              - "--providers.kubernetesingress"
          volumes:
            - name: data
              emptyDir: {}
            - name: tmp
              emptyDir: {}
    
    ---
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      namespace: kube-system
      name: traefik-dashboard
      labels:
        app.kubernetes.io/name: traefik
    spec:
      entryPoints:
        - traefik
      routes:
      - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
        kind: Rule
        services:
        - name: api@internal
          kind: TraefikService
    

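    Accessing the dashboard

    The contents of traefik-ingress-controller.yaml show that the port in use is 18443.

    The Traefik dashboard can be reached at the IP of any host in the k8s cluster on port 18443.


    Accessing the dashboard without a port number

    traefik-ingress-controller.yaml shows that, besides traefik (18443), the entry points web (80) and websecure (443) are also provided.

    Access to the dashboard on port 18443 currently relies on the IngressRoute named traefik-dashboard. If you change its entryPoints from traefik to web and then access it, you get a 404 error.

    See this article: https://www.cnblogs.com/sanduzxcvbnm/p/14986597.html , which uses a configuration file.

    Here, however, command-line arguments are used.

    Therefore kubernetes.io/ingress.class: traefik also needs to be added to the annotations. The final file looks like this (excerpt):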

    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      namespace: kube-system
      name: traefik-dashboard
      labels:
        app.kubernetes.io/name: traefik
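        kubernetes.io/ingress.class: traefik # added
    spec:
      entryPoints:
        - web # changed from traefik to web
      routes:
      - match: Host(`www.daniel.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`)) # added Host(`www.daniel.com`) &&; the parentheses apply the Host check to /api as well, since && binds tighter than ||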
        kind: Rule
        services:
        - name: api@internal
          kind: TraefikService
    

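    Manually add a resolution entry to the hosts file on your own machine.

    The dashboard now appears when you visit http://www.daniel.com/dashboard/ (the trailing / is required, otherwise you get a 404).

    The existing content for 18443 must not be removed, otherwise the traefik service fails to start.

    Also, note the last part of the file: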

        - name: api@internal
          kind: TraefikService
    

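    This refers to the API, not to the dashboard's dashboard@internal.

    This is because a middleware is used by default, which lets a single match rule cover several paths.
    If the path that follows is dashboard, the dashboard content is served and the middleware redirects automatically; if the path that follows is api, the API's api@internal is used by default.

    Access the corresponding API data: http://www.daniel.com/api/rawdata

    The official documentation describes it as follows:

    When Traefik detects a new service, it creates the corresponding routes, which we can then access.
    Check the data from the http://localhost:18443/api/rawdata endpoint; normally you can see that Traefik has automatically detected the new container and updated the corresponding configuration.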
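
    The traefik-dashboard IngressRoute above serves the dashboard and /api/rawdata on port 80 with no authentication. The following added example (not part of the original article or of KubeOperator's manifests) puts Traefik's basicAuth middleware in front of that route; the names dashboard-auth and dashboard-users and the htpasswd placeholder are assumptions.

    ```yaml
    # Added example. Names marked "assumed" do not come from the article.
    apiVersion: v1
    kind: Secret
    metadata:
      namespace: kube-system
      name: dashboard-users          # assumed name
    type: Opaque
    stringData:
      # One htpasswd-format line per user, e.g. generated with `htpasswd -nB admin`.
      users: |
        admin:<HTPASSWD_HASH_PLACEHOLDER>
    ---
    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
      namespace: kube-system
      name: dashboard-auth           # assumed name
    spec:
      basicAuth:
        secret: dashboard-users      # Traefik reads the "users" key of this Secret
    ---
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      namespace: kube-system
      name: traefik-dashboard
      labels:
        app.kubernetes.io/name: traefik
        kubernetes.io/ingress.class: traefik
    spec:
      entryPoints:
        - web
      routes:
      # Parentheses keep the Host check on both prefixes; && binds tighter than ||.
      - match: Host(`www.daniel.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
        kind: Rule
        middlewares:
        - name: dashboard-auth       # requests without valid credentials get 401
        services:
        - name: api@internal
          kind: TraefikService
    ```

    Basic-auth credentials sent over the web (port 80) entry point travel unencrypted; moving the route to websecure with a tls section avoids that. While --api.insecure=true stays in the DaemonSet args, port 18443 on each node still serves the dashboard and API without this middleware, so access to that port has to be restricted separately.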
    

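    Configuring ingress rules

    After uninstalling nginx-ingress-controller and installing traefik-ingress-controller.yaml directly, the existing rules continue to work, but the specific IngressClass is no longer shown.

    The IngressRoute used by the dashboard has to be looked up among the custom resources.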

  • Original article: https://www.cnblogs.com/sanduzxcvbnm/p/15741429.html