本作品由Galen Suen采用知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议进行许可。由原作者转载自个人站点。
概述
本文用于整理基于Kubernetes环境的Traefik部署与应用,实现Ingress Controller、七层/四层反向代理等功能。
本次演练环境为Kubernetes集群环境,环境配置可参考笔者另一篇笔记《Kubernetes集群部署笔记》。
组件版本
Traefik v2.5.1
Traefik Helm Chart v10.3.2
配置过程
安装Traefik
-
helm repo add traefik https://helm.traefik.io/traefik
helm repo update -
安装Traefik
本次演练中将
traefik安装至kube-system命名空间,可根据需要替换。# deployment.replicas=3 设置Traefik部署副本数
# pilot.dashboard=false 禁用Dashboard中Pilot链接。
helm upgrade --install --namespace kube-system \
--set deployment.replicas=3 \
--set pilot.dashboard=false \
traefik traefik/traefik -
其他准备工作
获取
traefik服务的负载均衡器地址。执行该命令,记录返回的EXTERNAL-IP地址备用。本次演练环境中,已将local.choral.io和*.local.choral.io指向该地址。kubectl get svc traefik -n kube-system创建一个用于部署演练用对象的命名空间。本次演练中使用
apps-choral命名空间,可根据需要替换。kubectl create namespace apps-choral
部署Dashboard
-
创建一个
IngressRoute,用于配置api和dashboard的入口规则。本次演练中,使用
traefik.local.choral.io域名访问Dashboard,可根据需要替换。cat <<EOF | kubectl apply -f -
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
namespace: apps-choral
spec:
entryPoints:
- web
routes:
- match: Host(`traefik.local.choral.io`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
kind: Rule
services:
- name: api@internal
kind: TraefikService
EOF -
启用BasicAuth认证
首先,创建一个用于保存用户名和密码的
Secret,其中的users字段内容可使用htpassword工具生成。本次演练中,认证username和password都是admin。cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: traefik-basicauth-secret
namespace: apps-choral
data:
users: |2 # htpasswd -nb admin admin | openssl base64
YWRtaW46e1NIQX0wRFBpS3VOSXJyVm1EOElVQ3V3MWhReE5xWmM9Cg==
EOF创建一个
Traefik中间件,用于对请求启用BasicAuth认证。cat <<EOF | kubectl apply -f -
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: traefik-basicauth
namespace: apps-choral
spec:
basicAuth:
realm: traefik.local.choral.io
secret: traefik-basicauth-secret
EOF更新
Dashboard的IngressRoute,启用BasicAuth中间件。cat <<EOF | kubectl apply -f -
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
namespace: apps-choral
spec:
entryPoints:
- web
routes:
- match: Host(`traefik.local.choral.io`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
kind: Rule
services:
- name: api@internal
kind: TraefikService
middlewares:
- name: traefik-basicauth
EOF
七层反向代理
HTTP应用示例
-
部署
whoami应用创建
Deployment,部署whoami应用。cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
namespace: apps-choral
spec:
replicas: 3
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- name: whoami
image: traefik/whoami:latest
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
EOF创建一个用于访问
whoami应用的服务。cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
name: whoami
namespace: apps-choral
spec:
type: ClusterIP
ports:
- protocol: TCP
port: 80
selector:
app: whoami
EOF创建一个
Ingress,用于配置whoami应用的入口规则。cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: whoami
namespace: apps-choral
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: local.choral.io
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: whoami
port:
number: 80
EOF
启用TLS(HTTPS)
本次演练使用静态证书配置TLS,该证书被手动创建,应用于local.choral.io和*.local.choral.io域名。
有关自动证书管理,可参考Cert Manager项目文档。
-
更新Traefik运行参数
# ports.web.redirectTo=websecure 启用Web跳转至WebSecure
# additionalArguments[0]=--entrypoints.websecure.http.tls Ingress默认启用TLS
helm upgrade --install --namespace kube-system \
--set deployment.replicas=3 \
--set pilot.dashboard=false \
--set ports.web.redirectTo=websecure \
--set additionalArguments[0]=--entrypoints.websecure.http.tls \
traefik traefik/traefik -
创建TLS证书Secret
从已准备好的证书
key文件和crt文件创建Secret。kubectl create secret tls local-choral-io-tls -n kube-system --key=local.choral.io.key --cert=local.choral.io.crt -
更新
Dashboard的IngressRoute更新
Dashboard的IngressRoute,启用TLS配置。cat <<EOF | kubectl apply -f -
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
namespace: apps-choral
spec:
entryPoints:
- websecure
routes:
- match: Host(`traefik.local.choral.io`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
kind: Rule
services:
- name: api@internal
kind: TraefikService
middlewares:
- name: traefik-basicauth
tls:
secretName: local-choral-io-tls
EOF -
更新
whoami的Ingress更新
whoami的Ingress,启用TLS配置。cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: whoami
namespace: apps-choral
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
tls:
- secretName: local-choral-io-tls
rules:
- host: local.choral.io
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: whoami
port:
number: 80
EOF
四层反向代理
TCP应用示例
-
更新Traefik运行参数
更新Traefik运行参数,创建新的
EntryPoint。# ports.whoamitcp.protocol=TCP 网络协议
# ports.whoamitcp.port=8081 监听端口
# ports.whoamitcp.exposedPort=8081 服务公开端口
# ports.whoamitcp.expose=true 是否暴露端口
helm upgrade --install --namespace kube-system \
--set deployment.replicas=3 \
--set pilot.dashboard=false \
--set ports.web.redirectTo=websecure \
--set additionalArguments[0]=--entrypoints.websecure.http.tls \
--set ports.whoamitcp.protocol=TCP \
--set ports.whoamitcp.port=8081 \
--set ports.whoamitcp.exposedPort=8081 \
--set ports.whoamitcp.expose=true \
traefik traefik/traefik -
部署
whoamitcp应用创建
Deployment,部署whoamitcp应用。cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoamitcp
namespace: apps-choral
spec:
replicas: 3
selector:
matchLabels:
app: whoamitcp
template:
metadata:
labels:
app: whoamitcp
spec:
containers:
- name: whoamitcp
image: traefik/whoamitcp:latest
imagePullPolicy: IfNotPresent
ports:
- protocol: TCP
containerPort: 8080
EOF创建一个用于访问
whoamitcp应用的服务。cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
name: whoamitcp
namespace: apps-choral
spec:
type: ClusterIP
ports:
- protocol: TCP
port: 8080
selector:
app: whoamitcp
EOF创建一个
IngressRouteTCP,用于配置whoamitcp应用的入口规则。cat <<EOF | kubectl apply -f -
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: whoamitcp
namespace: apps-choral
spec:
entryPoints:
- whoamitcp
routes:
- match: HostSNI(\`*\`)
services:
- name: whoamitcp
port: 8080
EOF验证反向代理和服务运行状态。
# `10.0.0.201`是`traefik`服务的负载均衡器地址(kubectl get svc traefik -n kube-system)
echo "Hello" | socat - tcp4:10.0.0.201:8081
# 终端回显如下内容
Received: Hello
UDP应用示例
-
更新Traefik运行参数
更新Traefik运行参数,创建新的
EntryPoint。# ports.whoamiudp.protocol=UDP 网络协议
# ports.whoamiudp.port=8082 监听端口
# ports.whoamiudp.exposedPort=8082 服务公开端口
# ports.whoamiudp.expose=true 是否暴露端口
helm upgrade --install --namespace kube-system \
--set deployment.replicas=3 \
--set pilot.dashboard=false \
--set ports.web.redirectTo=websecure \
--set additionalArguments[0]=--entrypoints.websecure.http.tls \
--set ports.whoamitcp.protocol=TCP \
--set ports.whoamitcp.port=8081 \
--set ports.whoamitcp.exposedPort=8081 \
--set ports.whoamitcp.expose=true \
--set ports.whoamiudp.protocol=UDP \
--set ports.whoamiudp.port=8082 \
--set ports.whoamiudp.exposedPort=8082 \
--set ports.whoamiudp.expose=true \
traefik traefik/traefik -
部署
whoamiudp应用创建
Deployment,部署whoamiudp应用。cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoamiudp
namespace: apps-choral
spec:
replicas: 3
selector:
matchLabels:
app: whoamiudp
template:
metadata:
labels:
app: whoamiudp
spec:
containers:
- name: whoamiudp
image: traefik/whoamiudp:latest
imagePullPolicy: IfNotPresent
ports:
- protocol: UDP
containerPort: 8080
EOF创建一个用于访问
whoamiudp应用的服务。cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
name: whoamiudp
namespace: apps-choral
spec:
type: ClusterIP
ports:
- protocol: UDP
port: 8080
selector:
app: whoamiudp
EOF创建一个
IngressRouteUDP,用于配置whoamiudp应用的入口规则。cat <<EOF | kubectl apply -f -
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
name: whoamiudp
namespace: apps-choral
spec:
entryPoints:
- whoamiudp
routes:
- services:
- name: whoamiudp
port: 8080
EOF验证反向代理和服务运行状态。
# `10.0.0.202`是`traefik-udp`服务的负载均衡器地址(kubectl get svc traefik-udp -n kube-system)
echo "Hello" | socat - udp4:10.0.0.202:8082
# 终端回显如下内容
Received: Hello