Kubernetes环境Traefik部署与应用

本作品Galen Suen采用知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议进行许可。由原作者转载自个人站点

Kubernetes环境Traefik部署与应用

概述

本文用于整理基于Kubernetes环境的Traefik部署与应用,实现Ingress Controller、七层/四层反向代理等功能。

本次演练环境为Kubernetes集群环境,环境配置可参考笔者另一篇笔记《Kubernetes集群部署笔记》。

组件版本

配置过程

安装Traefik

  • 配置Helm Repo

    helm repo add traefik https://helm.traefik.io/traefik
    helm repo update
    
  • 安装Traefik

    本次演练中将traefik安装至kube-system命名空间,可根据需要替换。

    # deployment.replicas=3 设置Traefik部署副本数
    # pilot.dashboard=false 禁用Dashboard中Pilot链接。
    helm upgrade --install --namespace kube-system   --set deployment.replicas=3   --set pilot.dashboard=false   traefik traefik/traefik
    
  • 其他准备工作

    获取traefik服务的负载均衡器地址。执行该命令,记录返回的EXTERNAL-IP地址备用。本次演练环境中,已将local.choral.io*.local.choral.io指向该地址。

    kubectl get svc traefik -n kube-system
    

    创建一个用于部署演练用对象的命名空间。本次演练中使用apps-choral命名空间,可根据需要替换。

    kubectl create namespace apps-choral
    

部署Dashboard

  • 创建IngressRoute

    创建一个IngressRoute,用于配置apidashboard的入口规则。

    本次演练中,使用traefik.local.choral.io域名访问Dashboard,可根据需要替换。

    cat <<EOF | kubectl apply -f -
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: traefik-dashboard
      namespace: apps-choral
    spec:
      entryPoints:
        - web
      routes:
        - match: Host(`traefik.local.choral.io`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
          kind: Rule
          services:
            - name: api@internal
              kind: TraefikService
    EOF
    
  • 启用BasicAuth认证

    首先,创建一个用于保存用户名和密码的Secret,其中的users字段内容可使用htpassword工具生成。本次演练中,认证usernamepassword都是admin

    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: traefik-basicauth-secret
      namespace: apps-choral
    data:
      users: |2 # htpasswd -nb admin admin | openssl base64
        YWRtaW46e1NIQX0wRFBpS3VOSXJyVm1EOElVQ3V3MWhReE5xWmM9Cg==
    EOF
    

    创建一个Traefik中间件,用于对请求启用BasicAuth认证。

    cat <<EOF | kubectl apply -f -
    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
      name: traefik-basicauth
      namespace: apps-choral
    spec:
      basicAuth:
        realm: traefik.local.choral.io
        secret: traefik-basicauth-secret
    EOF
    

    更新DashboardIngressRoute,启用BasicAuth中间件。

    cat <<EOF | kubectl apply -f -
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: traefik-dashboard
      namespace: apps-choral
    spec:
      entryPoints:
        - web
      routes:
        - match: Host(`traefik.local.choral.io`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
          kind: Rule
          services:
            - name: api@internal
              kind: TraefikService
          middlewares:
            - name: traefik-basicauth
    EOF
    

七层反向代理

HTTP应用示例

  • 部署whoami应用

    创建Deployment,部署whoami应用。

    cat <<EOF | kubectl apply -f -
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: whoami
      namespace: apps-choral
    spec:
      replicas: 3
      selector:
        matchLabels:
          app: whoami
      template:
        metadata:
          labels:
            app: whoami
        spec:
          containers:
            - name: whoami
              image: traefik/whoami:latest
              imagePullPolicy: IfNotPresent
              ports:
                - containerPort: 80
    EOF
    

    创建一个用于访问whoami应用的服务。

    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: Service
    metadata:
      name: whoami
      namespace: apps-choral
    spec:
      type: ClusterIP
      ports:
        - protocol: TCP
          port: 80
      selector:
        app: whoami
    EOF
    

    创建一个Ingress,用于配置whoami应用的入口规则。

    cat <<EOF | kubectl apply -f -
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: whoami
      namespace: apps-choral
      annotations:
        traefik.ingress.kubernetes.io/router.entrypoints: web
    spec:
      rules:
        - host: local.choral.io
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: whoami
                    port:
                      number: 80
    EOF
    

启用TLS(HTTPS)

本次演练使用静态证书配置TLS,该证书被手动创建,应用于local.choral.io*.local.choral.io域名。

有关自动证书管理,可参考Cert Manager项目文档。

  • 更新Traefik运行参数

    # ports.web.redirectTo=websecure                          启用Web跳转至WebSecure
    # additionalArguments[0]=--entrypoints.websecure.http.tls Ingress默认启用TLS
    helm upgrade --install --namespace kube-system   --set deployment.replicas=3   --set pilot.dashboard=false   --set ports.web.redirectTo=websecure   --set additionalArguments[0]=--entrypoints.websecure.http.tls   traefik traefik/traefik
    
  • 创建TLS证书Secret

    从已准备好的证书key文件和crt文件创建Secret

    kubectl create secret tls local-choral-io-tls -n kube-system --key=local.choral.io.key --cert=local.choral.io.crt
    
  • 更新DashboardIngressRoute

    更新DashboardIngressRoute,启用TLS配置。

    cat <<EOF | kubectl apply -f -
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: traefik-dashboard
      namespace: apps-choral
    spec:
      entryPoints:
        - websecure
      routes:
        - match: Host(`traefik.local.choral.io`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
          kind: Rule
          services:
            - name: api@internal
              kind: TraefikService
          middlewares:
            - name: traefik-basicauth
      tls:
        secretName: local-choral-io-tls
    EOF
    
  • 更新whoamiIngress

    更新whoamiIngress,启用TLS配置。

    cat <<EOF | kubectl apply -f -
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: whoami
      namespace: apps-choral
      annotations:
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
    spec:
      tls:
        - secretName: local-choral-io-tls
      rules:
        - host: local.choral.io
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: whoami
                    port:
                      number: 80
    EOF
    

四层反向代理

TCP应用示例

  • 更新Traefik运行参数

    更新Traefik运行参数,创建新的EntryPoint

    # ports.whoamitcp.protocol=TCP     网络协议
    # ports.whoamitcp.port=8081        监听端口
    # ports.whoamitcp.exposedPort=8081 服务公开端口
    # ports.whoamitcp.expose=true      是否暴露端口
    helm upgrade --install --namespace kube-system   --set deployment.replicas=3   --set pilot.dashboard=false   --set ports.web.redirectTo=websecure   --set additionalArguments[0]=--entrypoints.websecure.http.tls   --set ports.whoamitcp.protocol=TCP   --set ports.whoamitcp.port=8081   --set ports.whoamitcp.exposedPort=8081   --set ports.whoamitcp.expose=true   traefik traefik/traefik
    
  • 部署whoamitcp应用

    创建Deployment,部署whoamitcp应用。

    cat <<EOF | kubectl apply -f -
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: whoamitcp
      namespace: apps-choral
    spec:
      replicas: 3
      selector:
        matchLabels:
          app: whoamitcp
      template:
        metadata:
          labels:
            app: whoamitcp
        spec:
          containers:
            - name: whoamitcp
              image: traefik/whoamitcp:latest
              imagePullPolicy: IfNotPresent
              ports:
                - protocol: TCP
                  containerPort: 8080
    EOF
    

    创建一个用于访问whoamitcp应用的服务。

    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: Service
    metadata:
      name: whoamitcp
      namespace: apps-choral
    spec:
      type: ClusterIP
      ports:
        - protocol: TCP
          port: 8080
      selector:
        app: whoamitcp
    EOF
    

    创建一个IngressRouteTCP,用于配置whoamitcp应用的入口规则。

    cat <<EOF | kubectl apply -f -
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRouteTCP
    metadata:
      name: whoamitcp
      namespace: apps-choral
    spec:
      entryPoints:
        - whoamitcp
      routes:
        - match: HostSNI(\`*\`)
          services:
            - name: whoamitcp
              port: 8080
    EOF
    

    验证反向代理和服务运行状态。

    # `10.0.0.201`是`traefik`服务的负载均衡器地址(kubectl get svc traefik -n kube-system)
    echo "Hello" | socat - tcp4:10.0.0.201:8081
    # 终端回显如下内容
    Received: Hello
    

UDP应用示例

  • 更新Traefik运行参数

    更新Traefik运行参数,创建新的EntryPoint

    # ports.whoamiudp.protocol=UDP     网络协议
    # ports.whoamiudp.port=8082        监听端口
    # ports.whoamiudp.exposedPort=8082 服务公开端口
    # ports.whoamiudp.expose=true      是否暴露端口
    helm upgrade --install --namespace kube-system   --set deployment.replicas=3   --set pilot.dashboard=false   --set ports.web.redirectTo=websecure   --set additionalArguments[0]=--entrypoints.websecure.http.tls   --set ports.whoamitcp.protocol=TCP   --set ports.whoamitcp.port=8081   --set ports.whoamitcp.exposedPort=8081   --set ports.whoamitcp.expose=true   --set ports.whoamiudp.protocol=UDP   --set ports.whoamiudp.port=8082   --set ports.whoamiudp.exposedPort=8082   --set ports.whoamiudp.expose=true   traefik traefik/traefik
    
  • 部署whoamiudp应用

    创建Deployment,部署whoamiudp应用。

    cat <<EOF | kubectl apply -f -
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: whoamiudp
      namespace: apps-choral
    spec:
      replicas: 3
      selector:
        matchLabels:
          app: whoamiudp
      template:
        metadata:
          labels:
            app: whoamiudp
        spec:
          containers:
            - name: whoamiudp
              image: traefik/whoamiudp:latest
              imagePullPolicy: IfNotPresent
              ports:
                - protocol: UDP
                  containerPort: 8080
    EOF
    

    创建一个用于访问whoamiudp应用的服务。

    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: Service
    metadata:
      name: whoamiudp
      namespace: apps-choral
    spec:
      type: ClusterIP
      ports:
        - protocol: UDP
          port: 8080
      selector:
        app: whoamiudp
    EOF
    

    创建一个IngressRouteUDP,用于配置whoamiudp应用的入口规则。

    cat <<EOF | kubectl apply -f -
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRouteUDP
    metadata:
      name: whoamiudp
      namespace: apps-choral
    spec:
      entryPoints:
        - whoamiudp
      routes:
        - services:
            - name: whoamiudp
              port: 8080
    EOF
    

    验证反向代理和服务运行状态。

    # `10.0.0.202`是`traefik-udp`服务的负载均衡器地址(kubectl get svc traefik-udp -n kube-system)
    echo "Hello" | socat - udp4:10.0.0.202:8082
    # 终端回显如下内容
    Received: Hello
    

参考资料

Kubernetes环境Traefik部署与应用

上一篇:如何选择 Linux 操作系统版本?


下一篇:数据类型转换