Deploying traefik 2.4.3 to a k8s cluster
Traefik's official site is rather cluttered, but most of the configuration details can still be found there; it took me a long time to get used to it.
It is best to search for the specific resource you need; otherwise it is too chaotic.
If anything in the configuration below is wrong or unclear, please leave a comment so we can discuss it and improve together.
CRD resources
Traefik's custom resource definitions; if they are unclear, just copy the ones provided on the official site.
```yaml
# All resources definition must be declared
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressrouteudps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteUDP
    plural: ingressrouteudps
    singular: ingressrouteudp
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsstores.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSStore
    plural: tlsstores
    singular: tlsstore
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: serverstransports.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: ServersTransport
    plural: serverstransports
    singular: serverstransport
  scope: Namespaced
```
RBAC resources
Authorization configuration. Note that the ServiceAccount `traefik-ingress-controller` in the `default` namespace is referenced both by the ClusterRoleBinding below and by the Deployment's `serviceAccountName`, but it is not defined on this page; it has to exist before the Deployment is created.
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: default
```
Deployment resources
```yaml
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik
  namespace: default
  labels:
    app: traefik-ingress-lb
spec:
  replicas: 2
  selector:
    matchLabels:
      app: traefik-ingress-lb
  template:
    metadata:
      labels:
        app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      dnsPolicy: ClusterFirstWithHostNet
      containers:
        - image: harbor.devops.com/public/traefik:v2.4.3
          name: traefik-ingress-lb
          ports:
            - name: web
              containerPort: 80
              hostPort: 80
            - name: websecure
              containerPort: 443
              hostPort: 443
            - name: admin
              containerPort: 8080
          args:
            # enable the traefik dashboard
            - --api
            - --api.dashboard=true
            - --global.checknewversion=false
            # left disabled: it would serve the API and dashboard without any authentication on port 8080
            # - --api.insecure=true
            # configure the traefik entrypoints web and websecure
            - --entrypoints.web.Address=:80
            - --entrypoints.websecure.Address=:443
            # redirect http to https automatically
            # - --entrypoints.web.http.redirections.entrypoint.scheme=https
            # send web to websecure automatically
            # - --entrypoints.web.http.redirections.entrypoint.to=websecure
            # enable TLS on the entrypoint so that k8s Ingress resources get TLS; if this is not set, the
            # annotation traefik.ingress.kubernetes.io/router.tls: "true" has to be added to each Ingress by hand
            # https://doc.traefik.io/traefik/routing/providers/kubernetes-ingress/#on-ingress
            # - --entryPoints.websecure.http.tls=true
            # do not verify the certificate when a backend service speaks https (a backend can then be
            # impersonated on the cluster network); https://blog.csdn.net/bbwangj/article/details/82832831
            - --serverstransport.insecureskipverify
            # discover kubernetescrd and kubernetesingress resources automatically
            - --providers.kubernetescrd
            - --providers.kubernetesingress
            - --log.level=DEBUG
      nodeSelector:
        traefik: 'true'
```
Service resources
```yaml
---
kind: Service
apiVersion: v1
metadata:
  name: traefik
  namespace: default
spec:
  selector:
    app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 8080
      name: admin
```
Middleware resources
Used for the traefik dashboard access authentication and for the http to https redirect.
The user and password for access authentication are generated with htpasswd and then base64-encoded.
```console
# generate the user and password
root@opstack21-55:/data/files/traefik/2.x# htpasswd -n admin
New password:
Re-type new password:
admin:$apr1$4yPg3Vhl$PWglxPqeKSZ3RwCB5f1jp0
# base64-encode it
root@opstack21-55:/data/files/traefik/2.x# echo 'admin:$apr1$4yPg3Vhl$PWglxPqeKSZ3RwCB5f1jp0' | base64
YWRtaW46JGFwcjEkNHlQZzNWaGwkUFdnbHhQcWVLU1ozUndDQjVmMWpwMAo=
```
```yaml
# define the traefik dashboard access authentication
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-auth
  namespace: kube-system
spec:
  basicAuth:
    secret: authsecret
---
apiVersion: v1
kind: Secret
metadata:
  name: authsecret
  namespace: kube-system
data:
  # Traefik reads the htpasswd content from the key "users"; any other key name is ignored
  users: |
    YWRtaW46JGFwcjEkUWZnd21hc28kOENlWTVOekk0aS5UZ3plblY3eDRQMQo=
---
# redirect http to https
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
  namespace: kube-system
spec:
  redirectScheme:
    scheme: https
    permanent: true
```
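The basicAuth Middleware above only works if the referenced Secret carries the htpasswd file under the data key `users`, base64-encoded. The following check is an added example (my code, not from the original post and not Traefik's own tooling): `build_auth_secret` packages htpasswd lines into a Secret the way Traefik expects, and `check_auth_secret` validates an existing Secret manifest (loaded as a dict), reporting a missing `users` key, invalid base64, malformed lines, and entries whose password is not an apr1 or bcrypt hash. The function names and the acceptance of only apr1/bcrypt are my choices; the apr1 line in the sample is the one from the htpasswd run above.

```python
import base64
import binascii
import re

# Traefik's basicAuth middleware reads the htpasswd file from the Secret data key "users";
# a Secret whose only key is "user" is silently useless because that key is never looked up.
REQUIRED_KEY = "users"

# Hash formats this check accepts: apr1 (what `htpasswd -n` emits by default) and bcrypt.
APR1_RE = re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$")


def build_auth_secret(name: str, namespace: str, htpasswd_lines: list[str]) -> dict:
    """Build the Secret manifest basicAuth.secret expects: key "users", value base64 of the file."""
    users_file = "\n".join(htpasswd_lines) + "\n"
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "data": {REQUIRED_KEY: base64.b64encode(users_file.encode()).decode()},
    }


def parse_users(blob: bytes) -> list[tuple[str, str]]:
    """Split a decoded htpasswd file into (user, hash) pairs. Blank lines (for example the
    trailing newline that `echo` without -n adds) are skipped; a line without ':' is rejected."""
    entries = []
    for line in blob.decode("utf-8").splitlines():
        line = line.strip()
        if not line:
            continue
        user, sep, pwhash = line.partition(":")
        if not sep or not user:
            raise ValueError(f"malformed htpasswd line: {line!r}")
        entries.append((user, pwhash))
    return entries


def check_auth_secret(secret: dict) -> list[str]:
    """Return findings for a Secret referenced by a basicAuth middleware; an empty list means OK."""
    data = secret.get("data") or {}
    if REQUIRED_KEY not in data:
        return [f"missing data key {REQUIRED_KEY!r}; found {sorted(data)}"]
    # A YAML block scalar ("users: |") keeps a trailing newline, so drop whitespace before decoding.
    try:
        blob = base64.b64decode("".join(data[REQUIRED_KEY].split()), validate=True)
    except binascii.Error as exc:
        return [f"{REQUIRED_KEY} value is not valid base64: {exc}"]
    try:
        entries = parse_users(blob)
    except ValueError as exc:  # UnicodeDecodeError is a ValueError too
        return [str(exc)]
    if not entries:
        return ["users file is empty"]
    findings = []
    for user, pwhash in entries:
        if not (APR1_RE.match(pwhash) or BCRYPT_RE.match(pwhash)):
            findings.append(f"user {user!r}: password is not an apr1/bcrypt hash (plaintext or unsupported scheme)")
    return findings


if __name__ == "__main__":
    # Constructed sample: the apr1 line from the htpasswd run above, packaged with the correct key.
    good = build_auth_secret("authsecret", "kube-system", ["admin:$apr1$4yPg3Vhl$PWglxPqeKSZ3RwCB5f1jp0"])
    print(check_auth_secret(good))                                   # []
    print(check_auth_secret({"data": {"user": good["data"]["users"]}}))  # the "user" typo is reported
```

Run it against a Secret loaded with `yaml.safe_load` before applying the manifest; a wrong key name is otherwise only visible as a 401 on the dashboard and an error line in Traefik's log.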
traefik IngressRoute resources
This could also be deployed through a k8s Ingress resource; that is not configured here, you can look it up online.
```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-web-http
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
    - match: "Host(`traefik.devops.com`)"
      kind: Rule
      middlewares:
        - name: redirect-https
          namespace: kube-system
      services:
        - name: api@internal
          kind: TraefikService
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-web-https
  namespace: kube-system
spec:
  entryPoints:
    - websecure
  routes:
    - match: "Host(`traefik.devops.com`)"
      kind: Rule
      middlewares:
        - name: traefik-auth
          namespace: kube-system
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    # TLS Secret (tls.crt/tls.key) looked up in this IngressRoute's namespace; it is not defined on this page
    secretName: traefik-cert
```
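Dangling references in a set like the Deployment, Middleware and IngressRoute manifests above (a Middleware that was never created, a basicAuth Secret in a different namespace than its Middleware, a `tls.secretName` that does not exist) only show up as log lines once Traefik is running. The following static audit is an added example, my code rather than anything from the original post or from Traefik: it takes the manifests loaded as dicts (what `yaml.safe_load_all` returns; PyYAML itself is not needed), resolves IngressRoute to Middleware to Secret references, flags `api@internal` routes that are reachable without an auth middleware or a redirect, and flags the Deployment args `--api.insecure` and `--serverstransport.insecureskipverify`. The function names are mine; `page_manifests` rebuilds the objects shown on this page as sample input, and against them the audit reports exactly one finding, the undefined `traefik-cert` Secret.

```python
# Static audit of Traefik CRD manifests: reference resolution, dashboard exposure, risky CLI args.
AUTH_KINDS = ("basicAuth", "digestAuth", "forwardAuth")
# Traefik flag names are case-insensitive; keys are stored lowercase and without a "=true" suffix.
UNSAFE_ARGS = {
    "--api.insecure": "dashboard and API served unauthenticated on port 8080",
    "--serverstransport.insecureskipverify": "backend TLS certificates are not verified",
}


def index_docs(docs: list[dict]) -> dict[tuple[str, str, str], dict]:
    """Map (kind, namespace, name) -> document; namespace defaults to 'default' like kubectl does."""
    return {(d["kind"], d["metadata"].get("namespace", "default"), d["metadata"]["name"]): d for d in docs}


def audit_routes(docs: list[dict]) -> list[str]:
    idx = index_docs(docs)
    findings = []
    for doc in docs:
        if doc["kind"] != "IngressRoute":
            continue
        ns = doc["metadata"].get("namespace", "default")
        label = f"IngressRoute {ns}/{doc['metadata']['name']}"
        spec = doc["spec"]
        tls_secret = (spec.get("tls") or {}).get("secretName")
        if tls_secret and ("Secret", ns, tls_secret) not in idx:
            findings.append(f"{label}: tls.secretName {tls_secret!r} not found in {ns}")
        for route in spec.get("routes", []):
            resolved = []  # specs of the middlewares this route actually applies
            for ref in route.get("middlewares", []):
                mns = ref.get("namespace", ns)
                mw = idx.get(("Middleware", mns, ref["name"]))
                if mw is None:
                    findings.append(f"{label}: middleware {mns}/{ref['name']} not defined")
                    continue
                resolved.append(mw["spec"])
                # basicAuth.secret is resolved in the Middleware's own namespace, not the route's
                secret = (mw["spec"].get("basicAuth") or {}).get("secret")
                if secret and ("Secret", mns, secret) not in idx:
                    findings.append(f"Middleware {mns}/{ref['name']}: basicAuth secret {secret!r} not found")
            if not any(s.get("name") == "api@internal" for s in route.get("services", [])):
                continue
            authed = any(k in mw_spec for mw_spec in resolved for k in AUTH_KINDS)
            redirects = any("redirectScheme" in mw_spec for mw_spec in resolved)
            if not (authed or redirects):
                findings.append(f"{label}: api@internal reachable without an auth middleware")
            elif authed and not redirects and not tls_secret:
                findings.append(f"{label}: credentials for api@internal would be sent without TLS")
    return findings


def audit_deployment(deployment: dict) -> list[str]:
    """Flag container args listed in UNSAFE_ARGS, ignoring case and an explicit '=true'."""
    findings = []
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        for arg in container.get("args", []):
            norm = arg.lower()
            if norm.endswith("=true"):
                norm = norm[: -len("=true")]
            if norm in UNSAFE_ARGS:
                findings.append(f"container {container['name']}: {arg} -> {UNSAFE_ARGS[norm]}")
    return findings


def _obj(kind: str, name: str, spec: dict, ns: str = "kube-system") -> dict:
    return {"apiVersion": "traefik.containo.us/v1alpha1", "kind": kind,
            "metadata": {"name": name, "namespace": ns}, "spec": spec}


def page_manifests() -> list[dict]:
    """Constructed sample: the Middleware, Secret and IngressRoute objects shown on this page, as dicts."""
    def route(middleware: str) -> list[dict]:
        return [{"match": "Host(`traefik.devops.com`)", "kind": "Rule",
                 "middlewares": [{"name": middleware, "namespace": "kube-system"}],
                 "services": [{"name": "api@internal", "kind": "TraefikService"}]}]
    return [
        _obj("Middleware", "traefik-auth", {"basicAuth": {"secret": "authsecret"}}),
        _obj("Middleware", "redirect-https", {"redirectScheme": {"scheme": "https", "permanent": True}}),
        {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "authsecret", "namespace": "kube-system"},
         "data": {"users": "YWRtaW46JGFwcjEkUWZnd21hc28kOENlWTVOekk0aS5UZ3plblY3eDRQMQo="}},
        _obj("IngressRoute", "traefik-web-http", {"entryPoints": ["web"], "routes": route("redirect-https")}),
        _obj("IngressRoute", "traefik-web-https", {"entryPoints": ["websecure"], "routes": route("traefik-auth"),
                                                   "tls": {"secretName": "traefik-cert"}}),
    ]


if __name__ == "__main__":
    for finding in audit_routes(page_manifests()):
        print(finding)
```

The namespace rule in the middle of `audit_routes` is the one that bites in practice: a Middleware reference carries its own `namespace`, and the Secret behind a basicAuth Middleware is looked up next to that Middleware, so keeping the Middleware, its Secret and the IngressRoute in one namespace, as this page does with `kube-system`, avoids a whole class of silent failures.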
