本作品由Galen Suen采用知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议进行许可。由原作者转载自个人站点。
更新记录
-
2021-09-17- 部署
Traefik时禁用默认Dashboard入口规则;
- 部署
-
2021-09-30Traefik版本由v2.5.1更新至v2.5.3;Traefik Helm Chart版本由v10.3.2更新至v10.3.6;- 修复一些配置文件中的字符转义错误;
概述
本文用于整理基于Kubernetes环境的Traefik部署与应用,实现Ingress Controller、七层/四层反向代理等功能。
本次演练环境为Kubernetes集群环境,环境配置可参考笔者另一篇笔记《Kubernetes集群部署笔记》。
组件版本
-
Traefik v2.5.3
-
Traefik Helm Chart v10.3.6
配置过程
安装Traefik
-
helm repo add traefik https://helm.traefik.io/traefik helm repo update -
安装Traefik
本次演练中将
traefik安装至kube-system命名空间,可根据需要替换。# deployment.replicas=3 设置Traefik部署副本数 # pilot.dashboard=false 禁用Dashboard中Pilot链接 # ingressRoute.dashboard.enabled=false 禁用默认Dashboard入口规则(将在后续步骤中手动创建) helm upgrade --install --namespace kube-system --set deployment.replicas=3 --set pilot.dashboard=false --set ingressRoute.dashboard.enabled=false traefik traefik/traefik -
其他准备工作
获取
traefik服务的负载均衡器地址。执行该命令,记录返回的EXTERNAL-IP地址备用。本次演练环境中,已将local.choral.io和*.local.choral.io指向该地址。kubectl get svc traefik -n kube-system创建一个用于部署演练用对象的命名空间。本次演练中使用
apps-choral命名空间,可根据需要替换。kubectl create namespace apps-choral
部署Dashboard
-
创建一个
IngressRoute,用于配置api和dashboard的入口规则。本次演练中,使用
traefik.local.choral.io域名访问Dashboard,可根据需要替换。cat <<EOF | kubectl apply -f - apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: traefik-dashboard namespace: apps-choral spec: entryPoints: - web routes: - match: Host(\`traefik.local.choral.io\`) && (PathPrefix(\`/dashboard\`) || PathPrefix(\`/api\`)) kind: Rule services: - name: api@internal kind: TraefikService EOF -
启用BasicAuth认证
首先,创建一个用于保存用户名和密码的
Secret,其中的users字段内容可使用htpassword工具生成。本次演练中,认证username和password都是admin。cat <<EOF | kubectl apply -f - apiVersion: v1 kind: Secret metadata: name: traefik-basicauth-secret namespace: apps-choral data: users: |2 # htpasswd -nb admin admin | openssl base64 YWRtaW46e1NIQX0wRFBpS3VOSXJyVm1EOElVQ3V3MWhReE5xWmM9Cg== EOF创建一个
Traefik中间件,用于对请求启用BasicAuth认证。cat <<EOF | kubectl apply -f - apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: traefik-basicauth namespace: apps-choral spec: basicAuth: realm: traefik.local.choral.io secret: traefik-basicauth-secret EOF更新
Dashboard的IngressRoute,启用BasicAuth中间件。cat <<EOF | kubectl apply -f - apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: traefik-dashboard namespace: apps-choral spec: entryPoints: - web routes: - match: Host(\`traefik.local.choral.io\`) && (PathPrefix(\`/dashboard\`) || PathPrefix(\`/api\`)) kind: Rule services: - name: api@internal kind: TraefikService middlewares: - name: traefik-basicauth EOF
七层反向代理
HTTP应用示例
-
部署
whoami应用创建
Deployment,部署whoami应用。cat <<EOF | kubectl apply -f - apiVersion: apps/v1 kind: Deployment metadata: name: whoami namespace: apps-choral spec: replicas: 3 selector: matchLabels: app: whoami template: metadata: labels: app: whoami spec: containers: - name: whoami image: traefik/whoami:latest imagePullPolicy: IfNotPresent ports: - containerPort: 80 EOF创建一个用于访问
whoami应用的服务。cat <<EOF | kubectl apply -f - apiVersion: v1 kind: Service metadata: name: whoami namespace: apps-choral spec: type: ClusterIP ports: - protocol: TCP port: 80 selector: app: whoami EOF创建一个
Ingress,用于配置whoami应用的入口规则。cat <<EOF | kubectl apply -f - apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: whoami namespace: apps-choral annotations: traefik.ingress.kubernetes.io/router.entrypoints: web spec: rules: - host: local.choral.io http: paths: - path: / pathType: Prefix backend: service: name: whoami port: number: 80 EOF
启用TLS(HTTPS)
本次演练使用静态证书配置TLS,该证书被手动创建,应用于local.choral.io和*.local.choral.io域名。
有关自动证书管理,可参考Cert Manager项目文档。
-
更新Traefik运行参数
# ports.web.redirectTo=websecure 启用Web跳转至WebSecure # additionalArguments[0]=--entrypoints.websecure.http.tls Ingress默认启用TLS helm upgrade --install --namespace kube-system --set deployment.replicas=3 --set pilot.dashboard=false --set ingressRoute.dashboard.enabled=false --set ports.web.redirectTo=websecure --set additionalArguments[0]=--entrypoints.websecure.http.tls traefik traefik/traefik -
创建TLS证书Secret
从已准备好的证书
key文件和crt文件创建Secret。kubectl create secret tls local-choral-io-tls -n kube-system --key=local.choral.io.key --cert=local.choral.io.crt -
更新
Dashboard的IngressRoute更新
Dashboard的IngressRoute,启用TLS配置。cat <<EOF | kubectl apply -f - apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: traefik-dashboard namespace: apps-choral spec: entryPoints: - websecure routes: - match: Host(\`traefik.local.choral.io\`) && (PathPrefix(\`/dashboard\`) || PathPrefix(\`/api\`)) kind: Rule services: - name: api@internal kind: TraefikService middlewares: - name: traefik-basicauth tls: secretName: local-choral-io-tls EOF -
更新
whoami的Ingress更新
whoami的Ingress,启用TLS配置。cat <<EOF | kubectl apply -f - apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: whoami namespace: apps-choral annotations: traefik.ingress.kubernetes.io/router.entrypoints: websecure spec: tls: - secretName: local-choral-io-tls rules: - host: local.choral.io http: paths: - path: / pathType: Prefix backend: service: name: whoami port: number: 80 EOF
四层反向代理
TCP应用示例
-
更新Traefik运行参数
更新Traefik运行参数,创建新的
EntryPoint。# ports.whoamitcp.protocol=TCP 网络协议 # ports.whoamitcp.port=8081 监听端口 # ports.whoamitcp.exposedPort=8081 服务公开端口 # ports.whoamitcp.expose=true 是否暴露端口 helm upgrade --install --namespace kube-system --set deployment.replicas=3 --set pilot.dashboard=false --set ingressRoute.dashboard.enabled=false --set ports.web.redirectTo=websecure --set additionalArguments[0]=--entrypoints.websecure.http.tls --set ports.whoamitcp.protocol=TCP --set ports.whoamitcp.port=8081 --set ports.whoamitcp.exposedPort=8081 --set ports.whoamitcp.expose=true traefik traefik/traefik -
部署
whoamitcp应用创建
Deployment,部署whoamitcp应用。cat <<EOF | kubectl apply -f - apiVersion: apps/v1 kind: Deployment metadata: name: whoamitcp namespace: apps-choral spec: replicas: 3 selector: matchLabels: app: whoamitcp template: metadata: labels: app: whoamitcp spec: containers: - name: whoamitcp image: traefik/whoamitcp:latest imagePullPolicy: IfNotPresent ports: - protocol: TCP containerPort: 8080 EOF创建一个用于访问
whoamitcp应用的服务。cat <<EOF | kubectl apply -f - apiVersion: v1 kind: Service metadata: name: whoamitcp namespace: apps-choral spec: type: ClusterIP ports: - protocol: TCP port: 8080 selector: app: whoamitcp EOF创建一个
IngressRouteTCP,用于配置whoamitcp应用的入口规则。cat <<EOF | kubectl apply -f - apiVersion: traefik.containo.us/v1alpha1 kind: IngressRouteTCP metadata: name: whoamitcp namespace: apps-choral spec: entryPoints: - whoamitcp routes: - match: HostSNI(\`*\`) services: - name: whoamitcp port: 8080 EOF验证反向代理和服务运行状态。
# `10.0.0.201`是`traefik`服务的负载均衡器地址(kubectl get svc traefik -n kube-system) echo "Hello" | socat - tcp4:10.0.0.201:8081 # 终端回显如下内容 Received: Hello
UDP应用示例
-
更新Traefik运行参数
更新Traefik运行参数,创建新的
EntryPoint。# ports.whoamiudp.protocol=UDP 网络协议 # ports.whoamiudp.port=8082 监听端口 # ports.whoamiudp.exposedPort=8082 服务公开端口 # ports.whoamiudp.expose=true 是否暴露端口 helm upgrade --install --namespace kube-system --set deployment.replicas=3 --set pilot.dashboard=false --set ingressRoute.dashboard.enabled=false --set ports.web.redirectTo=websecure --set additionalArguments[0]=--entrypoints.websecure.http.tls --set ports.whoamitcp.protocol=TCP --set ports.whoamitcp.port=8081 --set ports.whoamitcp.exposedPort=8081 --set ports.whoamitcp.expose=true --set ports.whoamiudp.protocol=UDP --set ports.whoamiudp.port=8082 --set ports.whoamiudp.exposedPort=8082 --set ports.whoamiudp.expose=true traefik traefik/traefik -
部署
whoamiudp应用创建
Deployment,部署whoamiudp应用。cat <<EOF | kubectl apply -f - apiVersion: apps/v1 kind: Deployment metadata: name: whoamiudp namespace: apps-choral spec: replicas: 3 selector: matchLabels: app: whoamiudp template: metadata: labels: app: whoamiudp spec: containers: - name: whoamiudp image: traefik/whoamiudp:latest imagePullPolicy: IfNotPresent ports: - protocol: UDP containerPort: 8080 EOF创建一个用于访问
whoamiudp应用的服务。cat <<EOF | kubectl apply -f - apiVersion: v1 kind: Service metadata: name: whoamiudp namespace: apps-choral spec: type: ClusterIP ports: - protocol: UDP port: 8080 selector: app: whoamiudp EOF创建一个
IngressRouteUDP,用于配置whoamiudp应用的入口规则。cat <<EOF | kubectl apply -f - apiVersion: traefik.containo.us/v1alpha1 kind: IngressRouteUDP metadata: name: whoamiudp namespace: apps-choral spec: entryPoints: - whoamiudp routes: - services: - name: whoamiudp port: 8080 EOF验证反向代理和服务运行状态。
# `10.0.0.202`是`traefik-udp`服务的负载均衡器地址(kubectl get svc traefik-udp -n kube-system) echo "Hello" | socat - udp4:10.0.0.202:8082 # 终端回显如下内容 Received: Hello