Traefik Deployment and Usage in a Kubernetes Environment


    This work by Galen Suen is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. Reposted by the original author from his personal site.

    (Figure: Traefik Dashboard)

    Changelog

    • 2021-09-17

      1. Disabled the default Dashboard IngressRoute when deploying Traefik;
    • 2021-09-30

      1. Updated Traefik from v2.5.1 to v2.5.3
      2. Updated the Traefik Helm Chart from v10.3.2 to v10.3.6
      3. Fixed some character-escaping errors in the configuration files;

    Overview

    This article collects the steps for deploying and using Traefik in a Kubernetes environment, covering its use as an Ingress Controller and as a layer-7/layer-4 reverse proxy.

    The walkthrough runs on a Kubernetes cluster; for the environment setup, see the author's other note, "Kubernetes Cluster Deployment Notes".

    Component Versions

    Configuration Steps

    Installing Traefik

    • Configure the Helm repo

      helm repo add traefik https://helm.traefik.io/traefik
      helm repo update
      
    • Install Traefik

      In this walkthrough Traefik is installed into the kube-system namespace; replace it as needed.

      # deployment.replicas=3                number of Traefik replicas
      # pilot.dashboard=false                disable the Pilot link in the Dashboard
      # ingressRoute.dashboard.enabled=false disable the default Dashboard IngressRoute (created manually in a later step)
      helm upgrade --install --namespace kube-system \
        --set deployment.replicas=3 \
        --set pilot.dashboard=false \
        --set ingressRoute.dashboard.enabled=false \
        traefik traefik/traefik
      
    • Other preparation

      Get the load balancer address of the traefik service. Run the following command and note the EXTERNAL-IP it returns for later use. In this walkthrough, local.choral.io and *.local.choral.io have already been pointed at that address.

      kubectl get svc traefik -n kube-system
      

      Create a namespace for the objects used in this walkthrough. The apps-choral namespace is used here; replace it as needed.

      kubectl create namespace apps-choral
      

    Deploying the Dashboard

    • Create the IngressRoute

      Create an IngressRoute that configures the entry rules for the api and dashboard.

      In this walkthrough the Dashboard is reached via the traefik.local.choral.io domain; replace it as needed.

      cat <<EOF | kubectl apply -f -
      apiVersion: traefik.containo.us/v1alpha1
      kind: IngressRoute
      metadata:
        name: traefik-dashboard
        namespace: apps-choral
      spec:
        entryPoints:
          - web
        routes:
          - match: Host(\`traefik.local.choral.io\`) && (PathPrefix(\`/dashboard\`) || PathPrefix(\`/api\`))
            kind: Rule
            services:
              - name: api@internal
                kind: TraefikService
      EOF
      
    • Enable BasicAuth

      First, create a Secret holding the username and password; the content of its users field can be generated with the htpasswd tool. In this walkthrough both the username and the password are admin.

      cat <<EOF | kubectl apply -f -
      apiVersion: v1
      kind: Secret
      metadata:
        name: traefik-basicauth-secret
        namespace: apps-choral
      data:
        users: |2 # htpasswd -nbs admin admin | openssl base64
          YWRtaW46e1NIQX0wRFBpS3VOSXJyVm1EOElVQ3V3MWhReE5xWmM9Cg==
      EOF
      

      Create a Traefik Middleware that enables BasicAuth on requests.

      cat <<EOF | kubectl apply -f -
      apiVersion: traefik.containo.us/v1alpha1
      kind: Middleware
      metadata:
        name: traefik-basicauth
        namespace: apps-choral
      spec:
        basicAuth:
          realm: traefik.local.choral.io
          secret: traefik-basicauth-secret
      EOF
      

      Update the Dashboard IngressRoute to enable the BasicAuth middleware.

      cat <<EOF | kubectl apply -f -
      apiVersion: traefik.containo.us/v1alpha1
      kind: IngressRoute
      metadata:
        name: traefik-dashboard
        namespace: apps-choral
      spec:
        entryPoints:
          - web
        routes:
          - match: Host(\`traefik.local.choral.io\`) && (PathPrefix(\`/dashboard\`) || PathPrefix(\`/api\`))
            kind: Rule
            services:
              - name: api@internal
                kind: TraefikService
            middlewares:
              - name: traefik-basicauth
      EOF
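
      As an added check (not part of the original post), the script below decodes the users field of traefik-basicauth-secret, reports which htpasswd hash scheme each entry uses, and renders a replacement Secret of the same shape; the sample value is the one from the manifest above, and entries produced with htpasswd -nbB (bcrypt) are the ones it will not flag.

```python
import base64

# Constructed sample: the users value exactly as stored in the
# traefik-basicauth-secret manifest above (base64 of one htpasswd line).
SECRET_USERS_B64 = "YWRtaW46e1NIQX0wRFBpS3VOSXJyVm1EOElVQ3V3MWhReE5xWmM9Cg=="

# Hash prefixes htpasswd emits: -B bcrypt, -m apr1-md5, -s sha1, -p plaintext.
# The third field marks schemes that store an unsalted digest and are weak.
SCHEMES = (
    ("$2y$", "bcrypt", False), ("$2b$", "bcrypt", False), ("$2a$", "bcrypt", False),
    ("$apr1$", "apr1-md5", False),
    ("{SHA}", "sha1-unsalted", True),
)

def classify(hash_field: str) -> tuple:
    """Return (scheme, is_weak) for one htpasswd hash field."""
    for prefix, name, weak in SCHEMES:
        if hash_field.startswith(prefix):
            return name, weak
    return "plain-or-crypt3", True  # no known prefix: plaintext or crypt(3)

def encode_users(htpasswd_lines: list) -> str:
    """Build the base64 value for .data.users from htpasswd output lines."""
    return base64.b64encode("\n".join(htpasswd_lines).encode() + b"\n").decode()

def audit_users(users_b64: str) -> list:
    """Decode .data.users and classify every user:hash entry it contains."""
    entries = []
    for line in base64.b64decode(users_b64).decode().splitlines():
        if line.strip():
            user, _, hash_field = line.partition(":")
            scheme, weak = classify(hash_field)
            entries.append((user, scheme, weak))
    return entries

def render_secret(name: str, namespace: str, htpasswd_lines: list) -> str:
    """Render a Secret manifest shaped like the page's traefik-basicauth-secret."""
    return (
        "apiVersion: v1\nkind: Secret\nmetadata:\n"
        f"  name: {name}\n  namespace: {namespace}\n"
        f"data:\n  users: {encode_users(htpasswd_lines)}\n"
    )

if __name__ == "__main__":
    for user, scheme, weak in audit_users(SECRET_USERS_B64):
        hint = " -> regenerate with htpasswd -nbB" if weak else ""
        print(f"{user}: {scheme}{hint}")
```

      Pipe `kubectl get secret traefik-basicauth-secret -n apps-choral -o jsonpath='{.data.users}'` into audit_users() to check the live Secret.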
      

    Layer-7 Reverse Proxy

    HTTP Application Example

    • Deploy the whoami application

      Create a Deployment for the whoami application.

      cat <<EOF | kubectl apply -f -
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: whoami
        namespace: apps-choral
      spec:
        replicas: 3
        selector:
          matchLabels:
            app: whoami
        template:
          metadata:
            labels:
              app: whoami
          spec:
            containers:
              - name: whoami
                image: traefik/whoami:latest
                imagePullPolicy: IfNotPresent
                ports:
                  - containerPort: 80
      EOF
      

      Create a Service for accessing the whoami application.

      cat <<EOF | kubectl apply -f -
      apiVersion: v1
      kind: Service
      metadata:
        name: whoami
        namespace: apps-choral
      spec:
        type: ClusterIP
        ports:
          - protocol: TCP
            port: 80
        selector:
          app: whoami
      EOF
      

      Create an Ingress that configures the entry rules for the whoami application.

      cat <<EOF | kubectl apply -f -
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: whoami
        namespace: apps-choral
        annotations:
          traefik.ingress.kubernetes.io/router.entrypoints: web
      spec:
        rules:
          - host: local.choral.io
            http:
              paths:
                - path: /
                  pathType: Prefix
                  backend:
                    service:
                      name: whoami
                      port:
                        number: 80
      EOF
      

    Enabling TLS (HTTPS)

    This walkthrough configures TLS with a static certificate that was created manually and covers the local.choral.io and *.local.choral.io domains.

    For automated certificate management, see the Cert Manager project documentation.

    • Update the Traefik runtime parameters

      # ports.web.redirectTo=websecure                          redirect the web entry point to websecure
      # additionalArguments[0]=--entrypoints.websecure.http.tls enable TLS by default for Ingress routes on websecure
      helm upgrade --install --namespace kube-system \
        --set deployment.replicas=3 \
        --set pilot.dashboard=false \
        --set ingressRoute.dashboard.enabled=false \
        --set ports.web.redirectTo=websecure \
        --set 'additionalArguments[0]=--entrypoints.websecure.http.tls' \
        traefik traefik/traefik
      
    • Create the TLS certificate Secret

      Create the Secret from the prepared certificate key file and crt file.

      kubectl create secret tls local-choral-io-tls -n kube-system --key=local.choral.io.key --cert=local.choral.io.crt
      
    • Update the Dashboard IngressRoute

      Update the Dashboard IngressRoute to enable TLS.

      cat <<EOF | kubectl apply -f -
      apiVersion: traefik.containo.us/v1alpha1
      kind: IngressRoute
      metadata:
        name: traefik-dashboard
        namespace: apps-choral
      spec:
        entryPoints:
          - websecure
        routes:
          - match: Host(\`traefik.local.choral.io\`) && (PathPrefix(\`/dashboard\`) || PathPrefix(\`/api\`))
            kind: Rule
            services:
              - name: api@internal
                kind: TraefikService
            middlewares:
              - name: traefik-basicauth
        tls:
          secretName: local-choral-io-tls
      EOF
      
    • Update the whoami Ingress

      Update the whoami Ingress to enable TLS.

      cat <<EOF | kubectl apply -f -
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: whoami
        namespace: apps-choral
        annotations:
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
      spec:
        tls:
          - secretName: local-choral-io-tls
        rules:
          - host: local.choral.io
            http:
              paths:
                - path: /
                  pathType: Prefix
                  backend:
                    service:
                      name: whoami
                      port:
                        number: 80
      EOF
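
      An added check (not from the original post) for the static-certificate requirement stated at the top of this section: the wildcard *.local.choral.io covers traefik.local.choral.io but not the apex name local.choral.io used by the whoami Ingress, which is why the certificate must carry both names. The script implements that matching rule and, with the issuing CA file as an assumed parameter, lists the DNS SANs Traefik actually serves on websecure so the two can be compared.

```python
import socket
import ssl

# Hosts routed on this page: whoami on the apex name, the dashboard on a subdomain.
PAGE_HOSTS = ("local.choral.io", "traefik.local.choral.io")

def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: '*' may only stand for the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                 # ".local.choral.io"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]     # what the '*' would have to absorb
    # Exactly one non-empty label: neither the apex (empty) nor "a.b" (two labels).
    return label != "" and "." not in label

def uncovered_hosts(sans: list, hosts: tuple = PAGE_HOSTS) -> list:
    """Hosts from this page's routes that none of the certificate's DNS SANs covers."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]

def served_sans(host: str, port: int = 443, cafile=None) -> list:
    """Fetch the DNS SANs Traefik presents for host on the websecure entry point.
    cafile is an assumed parameter: the issuing CA, or the self-signed
    local.choral.io.crt itself, so that verification succeeds and getpeercert()
    returns the parsed certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # coverage is checked by uncovered_hosts()
    ctx.verify_mode = ssl.CERT_REQUIRED  # keep chain verification enabled
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

if __name__ == "__main__":
    # Live check against the walkthrough's entry point; assumes local.choral.io.crt
    # is the certificate file created for the Secret in this section.
    sans = served_sans("traefik.local.choral.io", cafile="local.choral.io.crt")
    print("served SANs:", sans, "uncovered:", uncovered_hosts(sans))
```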
      

    Layer-4 Reverse Proxy

    TCP Application Example

    • Update the Traefik runtime parameters

      Update the Traefik runtime parameters to create a new EntryPoint.

      # ports.whoamitcp.protocol=TCP     network protocol
      # ports.whoamitcp.port=8081        listening port
      # ports.whoamitcp.exposedPort=8081 port exposed on the Service
      # ports.whoamitcp.expose=true      whether to expose the port
      helm upgrade --install --namespace kube-system \
        --set deployment.replicas=3 \
        --set pilot.dashboard=false \
        --set ingressRoute.dashboard.enabled=false \
        --set ports.web.redirectTo=websecure \
        --set 'additionalArguments[0]=--entrypoints.websecure.http.tls' \
        --set ports.whoamitcp.protocol=TCP \
        --set ports.whoamitcp.port=8081 \
        --set ports.whoamitcp.exposedPort=8081 \
        --set ports.whoamitcp.expose=true \
        traefik traefik/traefik
      
    • Deploy the whoamitcp application

      Create a Deployment for the whoamitcp application.

      cat <<EOF | kubectl apply -f -
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: whoamitcp
        namespace: apps-choral
      spec:
        replicas: 3
        selector:
          matchLabels:
            app: whoamitcp
        template:
          metadata:
            labels:
              app: whoamitcp
          spec:
            containers:
              - name: whoamitcp
                image: traefik/whoamitcp:latest
                imagePullPolicy: IfNotPresent
                ports:
                  - protocol: TCP
                    containerPort: 8080
      EOF
      

      Create a Service for accessing the whoamitcp application.

      cat <<EOF | kubectl apply -f -
      apiVersion: v1
      kind: Service
      metadata:
        name: whoamitcp
        namespace: apps-choral
      spec:
        type: ClusterIP
        ports:
          - protocol: TCP
            port: 8080
        selector:
          app: whoamitcp
      EOF
      

      Create an IngressRouteTCP that configures the entry rules for the whoamitcp application.

      cat <<EOF | kubectl apply -f -
      apiVersion: traefik.containo.us/v1alpha1
      kind: IngressRouteTCP
      metadata:
        name: whoamitcp
        namespace: apps-choral
      spec:
        entryPoints:
          - whoamitcp
        routes:
          - match: HostSNI(\`*\`)
            services:
              - name: whoamitcp
                port: 8080
      EOF
      

      Verify that the reverse proxy and the service are working.

      # 10.0.0.201 is the load balancer address of the traefik service (kubectl get svc traefik -n kube-system)
      echo "Hello" | socat - tcp4:10.0.0.201:8081
      # the terminal echoes the following
      Received: Hello
      

    UDP Application Example

    • Update the Traefik runtime parameters

      Update the Traefik runtime parameters to create a new EntryPoint.

      # ports.whoamiudp.protocol=UDP     network protocol
      # ports.whoamiudp.port=8082        listening port
      # ports.whoamiudp.exposedPort=8082 port exposed on the Service
      # ports.whoamiudp.expose=true      whether to expose the port
      helm upgrade --install --namespace kube-system \
        --set deployment.replicas=3 \
        --set pilot.dashboard=false \
        --set ingressRoute.dashboard.enabled=false \
        --set ports.web.redirectTo=websecure \
        --set 'additionalArguments[0]=--entrypoints.websecure.http.tls' \
        --set ports.whoamitcp.protocol=TCP \
        --set ports.whoamitcp.port=8081 \
        --set ports.whoamitcp.exposedPort=8081 \
        --set ports.whoamitcp.expose=true \
        --set ports.whoamiudp.protocol=UDP \
        --set ports.whoamiudp.port=8082 \
        --set ports.whoamiudp.exposedPort=8082 \
        --set ports.whoamiudp.expose=true \
        traefik traefik/traefik
      
    • Deploy the whoamiudp application

      Create a Deployment for the whoamiudp application.

      cat <<EOF | kubectl apply -f -
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: whoamiudp
        namespace: apps-choral
      spec:
        replicas: 3
        selector:
          matchLabels:
            app: whoamiudp
        template:
          metadata:
            labels:
              app: whoamiudp
          spec:
            containers:
              - name: whoamiudp
                image: traefik/whoamiudp:latest
                imagePullPolicy: IfNotPresent
                ports:
                  - protocol: UDP
                    containerPort: 8080
      EOF
      

      Create a Service for accessing the whoamiudp application.

      cat <<EOF | kubectl apply -f -
      apiVersion: v1
      kind: Service
      metadata:
        name: whoamiudp
        namespace: apps-choral
      spec:
        type: ClusterIP
        ports:
          - protocol: UDP
            port: 8080
        selector:
          app: whoamiudp
      EOF
      

      Create an IngressRouteUDP that configures the entry rules for the whoamiudp application.

      cat <<EOF | kubectl apply -f -
      apiVersion: traefik.containo.us/v1alpha1
      kind: IngressRouteUDP
      metadata:
        name: whoamiudp
        namespace: apps-choral
      spec:
        entryPoints:
          - whoamiudp
        routes:
          - services:
              - name: whoamiudp
                port: 8080
      EOF
      

      Verify that the reverse proxy and the service are working.

      # 10.0.0.202 is the load balancer address of the traefik-udp service (kubectl get svc traefik-udp -n kube-system)
      echo "Hello" | socat - udp4:10.0.0.202:8082
      # the terminal echoes the following
      Received: Hello
      

  • Original URL: https://www.cnblogs.com/tiscs/p/notes-k8s-traefik.html
Copyright © 2020-2023  润新知