官網  https://docs.traefik.io/

Traefik簡介
ingress相當於從kubernetes複製到外部訪問可訪問的入口,將用戶的URL請求轉發到不同的服務上。Ingress相當於nginx,apache等負載均衡反向代理服務器,其中還包括規則定義,即URL的路由信息。
 
Traefik是一種開源的反向的代理與負載均衡工具。它最大的優點是能夠與常見的微服務系統直接整合,實現自動化動態配置。Trafik通過不斷地跟kubernetes API打交道,實時的感知定位服務, pod等變化,例如pod,服務增加與減少等;當得到這些變化信息後,Ingress自動更新配置並熱重載,達到服務發現的作用。
 
traefik整體架構如下所示。

 

Architecture

建置環境minikube
 
mkdir traefik
vi traefik-system.yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik
rules:
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "extensions"
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - "traefik.containo.us"
  resources:
  - middlewares
  - ingressroutes
  - ingressroutetcps
  - tlsoptions
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik
subjects:
- kind: ServiceAccount
  name: traefik
  namespace: traefik-system
---
apiVersion: v1
kind: Namespace
metadata:
  name: traefik-system
---
apiVersion: v1
data:

  config.yaml: |
    serversTransport:
      insecureSkipVerify: true
    api:
      insecure: true
      dashboard: true
      debug: true
    metrics:
      prometheus: ""
    entryPoints:
      web:
        address: ":80"
        forwardedHeaders:
          insecure: true
      websecure:
        address: ":443"
        forwardedHeaders:
          insecure: true
    providers:
      kubernetesCRD: ""
    log:
      filePath: ""
      level: error
      format: json
    accessLog:
      filePath: ""
      format: json
      bufferingSize: 0
      filters:
        retryAttempts: true
        minDuration: 20
      fields:
        defaultMode: keep
        names:
          ClientUsername: drop
        headers:
          defaultMode: keep
          names:
            User-Agent: redact
            Authorization: drop
            Content-Type: keep
kind: ConfigMap
metadata:
  name: traefik
  namespace: traefik-system

---
apiVersion: apps/v1
kind: DaemonSet
#kind: Deployment
metadata:
  labels:
    app: traefik
  name: traefik
  namespace: traefik-system
spec:
  #replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      containers:
      - args:
        - --configFile=/etc/traefik/config.yaml
        image: traefik:latest
        name: traefik
        ports:
        - containerPort: 8080
          name: admin
          protocol: TCP
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        volumeMounts:
        - name: config
          mountPath: /etc/traefik
      volumes:
      - name: config
        configMap:
          name: traefik
      serviceAccount: traefik
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-ingress
  namespace: traefik-system
  labels:
    app: traefik
spec:
  ports:
  - name: https
    protocol: TCP
    port: 443
    targetPort: 443
  - name: http
    protocol: TCP
    port: 80
    targetPort: 80
  type: LoadBalancer
  selector:
    app: traefik
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-admin
  namespace: traefik-system
  labels:
    app: traefik
spec:
  ports:
  - name: admin
    protocol: TCP
    port: 8080
    targetPort: 8080
  type: ClusterIP
  selector:
    app: traefik
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik
  namespace: traefik-system
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik-system
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`traefik-dashboard.itnotetk.com`)
    kind: Rule
    services:
    - name: traefik-admin
      port: 8080
    middlewares:
    - name: ip-ipwhitelist
---

vi traefik-nginx.yaml

---
# declare Traefik deployment
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: nginx-demo
  namespace: traefik-system
  labels:
    app: nginx-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-demo
  template:
    metadata:
      labels:
        app: nginx-demo
    spec:
      containers:
      - name: nginx
        image: "nginx"
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nginx-http-route
  namespace: traefik-system
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`nginx.itnotetk.com`)
      kind: Rule
      services:
        - name: nginx-demo
          port: 80
      middlewares:
        - name: redirect

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nginx-https-route
  namespace: traefik-system
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`nginx.itnotetk.com`)
      kind: Rule
      services:
        - name: nginx-demo
          port: 80
    - match: Host(`nginx.itnotetk.com`) && Path(`/v2`)
      kind: Rule
      services:
        - name: nginx-demo
          port: 80
  tls:
    secretName: web-ssl

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect
  namespace: traefik-system
spec:
  redirectScheme:
    scheme: https
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
      protocol: TCP
      targetPort: 443
    - name: http


  tls.key: |
   yoursslkey-start...........................................................................................................................yoursslkey-end
---

vi traefik-ipwhitelist.yaml

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: ip-ipwhitelist
  namespace: traefik-system
spec:
  ipWhiteList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.1.30
kubectl apply -f traefik-system.yaml
kubectl apply -f traefik-nginx.yaml
ubectl apply -f traefik-ipwhitelist.yaml
 
查看資源
kubectl get all -n traefik-system
kubectl -n monitoring get po,svc,cm
kubectl get crd --all-namespaces
kubectl describe secrets/prometheus-kube-prometheus -n monitoring
 
 
開啟dashboard監控
kubectl port-forward -n traefik-system svc/traefik-admin --address='0.0.0.0' 8080:8080

開啟prometheus監控
kubectl port-forward -n monitoring svc/kube-prometheus-grafana --address='0.0.0.0' 3000:80

開啟Prometheus Operator後台
kubectl port-forward -n monitoring service/prometheus-operated --address='0.0.0.0' 9090:9090

 

點閱: 102

By tony

自由軟體愛好者~喜歡不斷的思考各種問題,有新的事物都會想去學習嘗試 做實驗並熱衷研究 沒有所謂頂天的技術 只有謙虛及不斷的學習 精進專業,本站主要以分享系統及網路相關知識、資源而建立。 Github http://stnet253.github.io

發佈留言

發佈留言必須填寫的電子郵件地址不會公開。

這個網站採用 Akismet 服務減少垃圾留言。進一步了解 Akismet 如何處理網站訪客的留言資料