官網 https://docs.traefik.io/
Traefik簡介
ingress相當於從kubernetes複製到外部訪問可訪問的入口,將用戶的URL請求轉發到不同的服務上。Ingress相當於nginx,apache等負載均衡反向代理服務器,其中還包括規則定義,即URL的路由信息。
Traefik是一種開源的反向的代理與負載均衡工具。它最大的優點是能夠與常見的微服務系統直接整合,實現自動化動態配置。Trafik通過不斷地跟kubernetes API打交道,實時的感知定位服務, pod等變化,例如pod,服務增加與減少等;當得到這些變化信息後,Ingress自動更新配置並熱重載,達到服務發現的作用。
traefik整體架構如下所示。
建置環境minikube
mkdir traefik
vi traefik-system.yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressroutes.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRoute
plural: ingressroutes
singular: ingressroute
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: middlewares.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: Middleware
plural: middlewares
singular: middleware
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: tlsoptions.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: TLSOption
plural: tlsoptions
singular: tlsoption
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressroutetcps.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRouteTCP
plural: ingressroutetcps
singular: ingressroutetcp
scope: Namespaced
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: traefik
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- "extensions"
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- "traefik.containo.us"
resources:
- middlewares
- ingressroutes
- ingressroutetcps
- tlsoptions
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: traefik
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik
subjects:
- kind: ServiceAccount
name: traefik
namespace: traefik-system
---
apiVersion: v1
kind: Namespace
metadata:
name: traefik-system
---
apiVersion: v1
data:
config.yaml: |
serversTransport:
insecureSkipVerify: true
api:
insecure: true
dashboard: true
debug: true
metrics:
prometheus: ""
entryPoints:
web:
address: ":80"
forwardedHeaders:
insecure: true
websecure:
address: ":443"
forwardedHeaders:
insecure: true
providers:
kubernetesCRD: ""
log:
filePath: ""
level: error
format: json
accessLog:
filePath: ""
format: json
bufferingSize: 0
filters:
retryAttempts: true
minDuration: 20
fields:
defaultMode: keep
names:
ClientUsername: drop
headers:
defaultMode: keep
names:
User-Agent: redact
Authorization: drop
Content-Type: keep
kind: ConfigMap
metadata:
name: traefik
namespace: traefik-system
---
apiVersion: apps/v1
kind: DaemonSet
#kind: Deployment
metadata:
labels:
app: traefik
name: traefik
namespace: traefik-system
spec:
#replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
containers:
- args:
- --configFile=/etc/traefik/config.yaml
image: traefik:latest
name: traefik
ports:
- containerPort: 8080
name: admin
protocol: TCP
- containerPort: 80
name: http
protocol: TCP
- containerPort: 443
name: https
protocol: TCP
volumeMounts:
- name: config
mountPath: /etc/traefik
volumes:
- name: config
configMap:
name: traefik
serviceAccount: traefik
---
apiVersion: v1
kind: Service
metadata:
name: traefik-ingress
namespace: traefik-system
labels:
app: traefik
spec:
ports:
- name: https
protocol: TCP
port: 443
targetPort: 443
- name: http
protocol: TCP
port: 80
targetPort: 80
type: LoadBalancer
selector:
app: traefik
---
apiVersion: v1
kind: Service
metadata:
name: traefik-admin
namespace: traefik-system
labels:
app: traefik
spec:
ports:
- name: admin
protocol: TCP
port: 8080
targetPort: 8080
type: ClusterIP
selector:
app: traefik
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik
namespace: traefik-system
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
namespace: traefik-system
spec:
entryPoints:
- web
routes:
- match: Host(`traefik-dashboard.itnotetk.com`)
kind: Rule
services:
- name: traefik-admin
port: 8080
middlewares:
- name: ip-ipwhitelist
---
vi traefik-nginx.yaml
---
# declare Traefik deployment
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: nginx-demo
namespace: traefik-system
labels:
app: nginx-demo
spec:
replicas: 1
selector:
matchLabels:
app: nginx-demo
template:
metadata:
labels:
app: nginx-demo
spec:
containers:
- name: nginx
image: "nginx"
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: nginx-http-route
namespace: traefik-system
spec:
entryPoints:
- web
routes:
- match: Host(`nginx.itnotetk.com`)
kind: Rule
services:
- name: nginx-demo
port: 80
middlewares:
- name: redirect
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: nginx-https-route
namespace: traefik-system
spec:
entryPoints:
- websecure
routes:
- match: Host(`nginx.itnotetk.com`)
kind: Rule
services:
- name: nginx-demo
port: 80
- match: Host(`nginx.itnotetk.com`) && Path(`/v2`)
kind: Rule
services:
- name: nginx-demo
port: 80
tls:
secretName: web-ssl
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: redirect
namespace: traefik-system
spec:
redirectScheme:
scheme: https
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
protocol: TCP
targetPort: 443
- name: http
tls.key: |
yoursslkey-start...........................................................................................................................yoursslkey-end
---
vi traefik-ipwhitelist.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: ip-ipwhitelist
namespace: traefik-system
spec:
ipWhiteList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.30
kubectl apply -f traefik-system.yaml
kubectl apply -f traefik-nginx.yaml
ubectl apply -f traefik-ipwhitelist.yaml
查看資源
kubectl get all -n traefik-system
kubectl -n monitoring get po,svc,cm
kubectl get crd --all-namespaces
kubectl describe secrets/prometheus-kube-prometheus -n monitoring
開啟dashboard監控
kubectl port-forward -n traefik-system svc/traefik-admin --address='0.0.0.0' 8080:8080
開啟prometheus監控
kubectl port-forward -n monitoring svc/kube-prometheus-grafana --address='0.0.0.0' 3000:80
開啟Prometheus Operator後台
kubectl port-forward -n monitoring service/prometheus-operated --address='0.0.0.0' 9090:9090
