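Deploying Traefik 2.4.3 to a Kubernetes cluster
The Traefik website is rather disorganized, but most of the configuration information can be found there; it took me a long time to get used to it.
The easiest way is to search for the specific resource you need, otherwise it is too messy.
If the configuration below gives you errors, or anything is unclear, please leave a comment so we can discuss it and improve together.
CRD resources
These are Traefik's custom resources. If you do not understand them, just copy the ones provided on the official site.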
```yaml
# All resources definition must be declared
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressrouteudps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteUDP
    plural: ingressrouteudps
    singular: ingressrouteudp
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsstores.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSStore
    plural: tlsstores
    singular: tlsstore
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: serverstransports.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: ServersTransport
    plural: serverstransports
    singular: serverstransport
  scope: Namespaced
```
RBAC resources
Authorization-related configuration
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  # Read access to services, endpoints and secrets in every namespace
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  # This ServiceAccount is not defined anywhere on this page; it must exist in
  # the default namespace for the binding and the Deployment to work.
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: default
```
Deployment resource
```yaml
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik
  namespace: default
  labels:
    app: traefik-ingress-lb
spec:
  replicas: 2
  selector:
    matchLabels:
      app: traefik-ingress-lb
  template:
    metadata:
      labels:
        app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      dnsPolicy: ClusterFirstWithHostNet
      containers:
        - image: harbor.devops.com/public/traefik:v2.4.3
          name: traefik-ingress-lb
          ports:
            - name: web
              containerPort: 80
              hostPort: 80
            - name: websecure
              containerPort: 443
              hostPort: 443
            - name: admin
              containerPort: 8080
          args:
            # Enable the Traefik dashboard
            - --api
            - --api.dashboard=true
            - --global.checknewversion=false
            # - --api.insecure=true
            # Configure the Traefik entry points: web and websecure
            - --entrypoints.web.Address=:80
            - --entrypoints.websecure.Address=:443
            # Redirect http to https automatically
            # - --entrypoints.web.http.redirections.entrypoint.scheme=https
            # Redirect web to websecure automatically
            # - --entrypoints.web.http.redirections.entrypoint.to=websecure
            # Enable TLS for Kubernetes Ingress resources; if this is not set, the annotation
            # traefik.ingress.kubernetes.io/router.tls: "true" has to be added by hand
            # https://doc.traefik.io/traefik/routing/providers/kubernetes-ingress/#on-ingress
            # - --entryPoints.websecure.http.tls=true
            # Do not verify the backend's certificate when the backend service speaks HTTPS
            # (this turns verification off for every backend); https://blog.csdn.net/bbwangj/article/details/82832831
            - --serverstransport.insecureskipverify
            # Enable automatic discovery of kubernetescrd and kubernetesingress resources
            - --providers.kubernetescrd
            - --providers.kubernetesingress
            - --log.level=DEBUG
      nodeSelector:
        traefik: 'true'
```
Service resource
```yaml
---
kind: Service
apiVersion: v1
metadata:
  name: traefik
  namespace: default
spec:
  selector:
    app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 8080
      name: admin
```
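Middleware resources
Used for access authentication on the Traefik dashboard and for redirecting HTTP to HTTPS.
The user name and password for access authentication are generated with htpasswd and then encoded with base64.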
```
# Generate the user and password hash
root@opstack21-55:/data/files/traefik/2.x# htpasswd -n admin
New password:
Re-type new password:
admin:$apr1$4yPg3Vhl$PWglxPqeKSZ3RwCB5f1jp0

# Encode it with base64
root@opstack21-55:/data/files/traefik/2.x# echo 'admin:$apr1$4yPg3Vhl$PWglxPqeKSZ3RwCB5f1jp0' | base64
YWRtaW46JGFwcjEkNHlQZzNWaGwkUFdnbHhQcWVLU1ozUndDQjVmMWpwMAo=
```
```yaml
# Define access authentication for the Traefik dashboard
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-auth
  namespace: kube-system
spec:
  basicAuth:
    secret: authsecret
---
apiVersion: v1
kind: Secret
metadata:
  name: authsecret
  namespace: kube-system
data:
  user: |
    YWRtaW46JGFwcjEkUWZnd21hc28kOENlWTVOekk0aS5UZ3plblY3eDRQMQo=
---
# Redirect http to https
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
  namespace: kube-system
spec:
  redirectScheme:
    scheme: https
    permanent: true
```
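A check for the Secret value built in the htpasswd and base64 steps above, as an added example that is not part of the original post: it decodes a `data` value and reports which hash scheme each htpasswd line uses, so a plaintext or malformed entry is caught before the manifest is applied. The function name `inspect_secret_value` and the scheme labels are assumptions of this example; the sample value is the base64 output shown on this page.

```python
import base64
import re

# htpasswd output formats accepted by Traefik's basicAuth (MD5, bcrypt, SHA1).
SCHEMES = {
    "apr1-md5": re.compile(r"\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}"),
    "bcrypt": re.compile(r"\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}"),
    "sha1": re.compile(r"\{SHA\}[0-9A-Za-z+/]{27}="),
}

def inspect_secret_value(b64_value):
    """Decode one Secret data value and classify every htpasswd line in it."""
    # Whitespace is dropped first: a YAML block scalar adds a trailing newline.
    raw = base64.b64decode("".join(b64_value.split()), validate=True)
    entries = []
    for line in raw.decode("utf-8").splitlines():
        if not line.strip():
            continue
        user, sep, hashed = line.partition(":")
        if not (user and sep and hashed):
            raise ValueError("expected a user:hash line")
        scheme = next((name for name, rx in SCHEMES.items()
                       if rx.fullmatch(hashed)), "unrecognised")
        # Only the user and the scheme are returned, never the hash itself.
        entries.append((user, scheme))
    return entries

# The value printed by the base64 command on this page.
PAGE_VALUE = "YWRtaW46JGFwcjEkNHlQZzNWaGwkUFdnbHhQcWVLU1ozUndDQjVmMWpwMAo="
print(inspect_secret_value(PAGE_VALUE))
```

Because the value decodes this easily, anyone who can read Secrets in the namespace can recover the hash; base64 only encodes it.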
Traefik IngressRoute resources
The dashboard can also be exposed through a Kubernetes Ingress; that is not configured here, and you can look it up online.
```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-web-http
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
    - match: "Host(`traefik.devops.com`)"
      kind: Rule
      middlewares:
        - name: redirect-https
          namespace: kube-system
      services:
        - name: api@internal
          kind: TraefikService
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-web-https
  namespace: kube-system
spec:
  entryPoints:
    - websecure
  routes:
    - match: "Host(`traefik.devops.com`)"
      kind: Rule
      middlewares:
        - name: traefik-auth
          namespace: kube-system
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    secretName: traefik-cert
```
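An audit of the manifests above, as an added example that is not part of the original post: it flags container args that weaken the deployment and lists any IngressRoute that serves `api@internal` with neither an auth middleware nor an HTTPS redirect in front of it. The function names, the `RISKY` table and the dict shapes (modelled on `kubectl get ... -o json` output) are assumptions of this example; the sample input is constructed from the values on this page.

```python
AUTH_KINDS = {"basicAuth", "digestAuth", "forwardAuth"}  # Traefik auth middlewares
RISKY = {  # lower-cased flag -> (value that triggers a finding, why it matters)
    "api.insecure": ("true", "dashboard served without authentication"),
    "serverstransport.insecureskipverify": ("true", "backend certificates not verified"),
    "log.level": ("debug", "verbose logging left enabled"),
}

def parse_flags(args):  # names are lower-cased; a bare flag means "true"
    flags = {}
    for arg in args:
        name, _, value = arg.lstrip("-").partition("=")
        flags[name.lower()] = value or "true"
    return flags

def audit_args(args):
    flags = parse_flags(args)
    return [f"{name}: {why}" for name, (bad, why) in RISKY.items()
            if flags.get(name, "").lower() == bad]

def unprotected_dashboard_routes(ingress_routes, middlewares):
    """IngressRoutes serving api@internal with neither auth nor an HTTPS redirect."""
    exposed = []
    for ir in ingress_routes:
        ns = ir["metadata"]["namespace"]
        for route in ir["spec"]["routes"]:
            if all(s["name"] != "api@internal" for s in route.get("services", [])):
                continue
            specs = [middlewares.get((m.get("namespace", ns), m["name"]), {})
                     for m in route.get("middlewares", [])]
            if not any(AUTH_KINDS.intersection(s)
                       or s.get("redirectScheme", {}).get("scheme") == "https" for s in specs):
                exposed.append(ir["metadata"]["name"])
    return exposed

# Constructed sample input mirroring the manifests on this page.
PAGE_ARGS = ["--api", "--api.dashboard=true", "--serverstransport.insecureskipverify",
             "--providers.kubernetescrd", "--providers.kubernetesingress", "--log.level=DEBUG"]
PAGE_MIDDLEWARES = {
    ("kube-system", "traefik-auth"): {"basicAuth": {"secret": "authsecret"}},
    ("kube-system", "redirect-https"): {"redirectScheme": {"scheme": "https"}},
}

def make_route(name, middleware=None):  # minimal dashboard IngressRoute (sample-data helper)
    mws = [{"name": middleware, "namespace": "kube-system"}] if middleware else []
    return {"metadata": {"name": name, "namespace": "kube-system"},
            "spec": {"routes": [{"middlewares": mws, "services": [{"name": "api@internal"}]}]}}
PAGE_ROUTES = [make_route("traefik-web-http", "redirect-https"),
               make_route("traefik-web-https", "traefik-auth")]
print(audit_args(PAGE_ARGS), unprotected_dashboard_routes(PAGE_ROUTES, PAGE_MIDDLEWARES))
```

On the page's configuration both dashboard routes pass, while the args produce findings for `serverstransport.insecureskipverify` and `log.level`.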