This work by Galen Suen is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. Reposted by the original author from a personal site.
Overview
This article collects notes on deploying and using Traefik in a Kubernetes environment: as an Ingress Controller and as a Layer 7 (HTTP) and Layer 4 (TCP/UDP) reverse proxy.
The walkthrough runs on a Kubernetes cluster; for the environment setup see the author's other note, 《Kubernetes集群部署笔记》 (Kubernetes cluster deployment notes).
Component versions
Configuration
Install Traefik
```bash
helm repo add traefik https://helm.traefik.io/traefik
helm repo update
```

```bash
# deployment.replicas=3   number of Traefik replicas
# pilot.dashboard=false   disable the Pilot link in the Dashboard
helm upgrade --install --namespace kube-system \
  --set deployment.replicas=3 \
  --set pilot.dashboard=false \
  traefik traefik/traefik
```

```bash
kubectl get svc traefik -n kube-system
```
Create a namespace for the objects deployed in this walkthrough. The apps-choral namespace is used here; replace it as needed.

```bash
kubectl create namespace apps-choral
```
Deploy the Dashboard
```bash
# The backticks in the match rule are escaped: the heredoc delimiter is unquoted,
# so unescaped backticks would be run by the shell as command substitution.
cat <<EOF | kubectl apply -f -
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: apps-choral
spec:
  entryPoints:
    - web
  routes:
    - match: Host(\`traefik.local.choral.io\`) && (PathPrefix(\`/dashboard\`) || PathPrefix(\`/api\`))
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
EOF
```
```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: traefik-basicauth-secret
  namespace: apps-choral
data:
  users: |2 # htpasswd -nb admin admin | openssl base64
    YWRtaW46e1NIQX0wRFBpS3VOSXJyVm1EOElVQ3V3MWhReE5xWmM9Cg==
EOF
```
Create a Traefik middleware that enforces BasicAuth on requests.

```bash
cat <<EOF | kubectl apply -f -
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-basicauth
  namespace: apps-choral
spec:
  basicAuth:
    realm: traefik.local.choral.io
    secret: traefik-basicauth-secret
EOF
```
Update the Dashboard IngressRoute to attach the BasicAuth middleware.

```bash
# Backticks are escaped so the unquoted heredoc does not run them as command substitution.
cat <<EOF | kubectl apply -f -
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: apps-choral
spec:
  entryPoints:
    - web
  routes:
    - match: Host(\`traefik.local.choral.io\`) && (PathPrefix(\`/dashboard\`) || PathPrefix(\`/api\`))
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: traefik-basicauth
EOF
```
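As an added check (not part of the original post), the shell functions below decode the `users` value of the Secret above as Kubernetes stores it and rate the hash scheme of each htpasswd entry: the entry on this page is an unsalted {SHA} digest, whereas bcrypt (`htpasswd -B`), which Traefik's basicAuth middleware also accepts, is salted and slow. The scheme names and ratings are this example's own convention.

```shell
#!/bin/sh
# Added check: decode a Traefik BasicAuth Secret's `users` value (base64, as
# Kubernetes stores it) and rate the hash scheme of every htpasswd line.
# Traefik's basicAuth middleware accepts apr1-MD5, SHA1 and bcrypt hashes; only
# bcrypt (htpasswd -B) is salted and slow enough to resist offline guessing.

# The value from this walkthrough's traefik-basicauth-secret (copied from the page).
PAGE_USERS_B64='YWRtaW46e1NIQX0wRFBpS3VOSXJyVm1EOElVQ3V3MWhReE5xWmM9Cg=='

# rate_hash HASH -> prints "<scheme> <rating>" (names/ratings are this example's own)
rate_hash() {
  case "$1" in
    '$2'[aby]'$'??'$'*) echo "bcrypt ok" ;;
    '$apr1$'*)          echo "apr1-md5 weak" ;;
    '{SHA}'*)           echo "sha1 weak" ;;
    *)                  echo "unknown-or-plaintext weak" ;;
  esac
}

# audit_users_secret BASE64 -> one "<user> <scheme> <rating>" line per entry.
# Returns non-zero on undecodable base64 or a line without a user:hash separator,
# the same defects that make Traefik refuse the middleware at runtime.
audit_users_secret() {
  decoded=$(printf '%s' "$1" | base64 -d) || return 1
  printf '%s\n' "$decoded" | while IFS= read -r line; do
    [ -n "$line" ] || continue          # htpasswd output ends with a newline
    case "$line" in
      *:*) ;;
      *) echo "malformed entry: $line" >&2; return 1 ;;
    esac
    user=${line%%:*}
    hash=${line#*:}
    echo "$user $(rate_hash "$hash")"
  done
}

audit_users_secret "$PAGE_USERS_B64"
```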
Layer 7 Reverse Proxy
HTTP Application Example
Deploy the whoami application
Create a Deployment for the whoami application.
```bash
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
  namespace: apps-choral
spec:
  replicas: 3
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami:latest
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
EOF
```
Create a Service for reaching the whoami application.

```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: apps-choral
spec:
  type: ClusterIP
  ports:
    - protocol: TCP
      port: 80
  selector:
    app: whoami
EOF
```
Create an Ingress that defines the entry rule for the whoami application.

```bash
cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami
  namespace: apps-choral
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
    - host: local.choral.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: whoami
                port:
                  number: 80
EOF
```
Enable TLS (HTTPS)
This walkthrough configures TLS with a static certificate that was created by hand and covers the names local.choral.io and *.local.choral.io.
For automated certificate management, see the Cert Manager project documentation.
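The page does not show how the static certificate was created. As an added example (not from the original post), the shell functions below create a self-signed certificate whose subjectAltName covers local.choral.io and *.local.choral.io and check which hostnames it is valid for before the Secret is created; they assume OpenSSL 1.1.1 or newer (for -addext) and use the file names expected by the kubectl create secret tls command in this section.

```shell
#!/bin/sh
# Added example: generate the static certificate this walkthrough's
# local-choral-io-tls secret expects and verify its names. Self-signed here;
# a CA-issued or cert-manager certificate takes its place in practice.
# Assumes OpenSSL 1.1.1+ (-addext and -ext).

# make_wildcard_cert NAME [OUTDIR] -> writes OUTDIR/NAME.key and OUTDIR/NAME.crt
# The certificate is valid for NAME and for one label under it (*.NAME), which
# is exactly what local.choral.io and traefik.local.choral.io need.
make_wildcard_cert() {
  name=$1
  outdir=${2:-.}
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$name" \
    -addext "subjectAltName=DNS:$name,DNS:*.$name" \
    -keyout "$outdir/$name.key" -out "$outdir/$name.crt"
}

# cert_matches_host CRT HOST -> exit 0 if the certificate is valid for HOST.
# Clients and Traefik's SNI-based certificate selection rely on the SAN list,
# not on the CN, so this is the check worth running before creating the secret.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# cert_san_list CRT -> prints the subjectAltName entries of the certificate.
cert_san_list() {
  openssl x509 -in "$1" -noout -ext subjectAltName | sed 1d | tr -d ' '
}
```

The resulting local.choral.io.key and local.choral.io.crt are the inputs of the kubectl create secret tls command below.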
```bash
# ports.web.redirectTo=websecure                              redirect the web entrypoint to websecure
# additionalArguments[0]=--entrypoints.websecure.http.tls     enable TLS by default for Ingress objects
# (the value with brackets is quoted so the shell does not try to expand it as a glob)
helm upgrade --install --namespace kube-system \
  --set deployment.replicas=3 \
  --set pilot.dashboard=false \
  --set ports.web.redirectTo=websecure \
  --set 'additionalArguments[0]=--entrypoints.websecure.http.tls' \
  traefik traefik/traefik
```
```bash
# Note: Traefik resolves secretName in the namespace of the Ingress/IngressRoute that
# references it, so the apps-choral objects below need this secret in apps-choral as well.
kubectl create secret tls local-choral-io-tls -n kube-system --key=local.choral.io.key --cert=local.choral.io.crt
```
```bash
# Backticks are escaped so the unquoted heredoc does not run them as command substitution.
cat <<EOF | kubectl apply -f -
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: apps-choral
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(\`traefik.local.choral.io\`) && (PathPrefix(\`/dashboard\`) || PathPrefix(\`/api\`))
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: traefik-basicauth
  tls:
    secretName: local-choral-io-tls
EOF
```
```bash
cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami
  namespace: apps-choral
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  tls:
    - secretName: local-choral-io-tls
  rules:
    - host: local.choral.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: whoami
                port:
                  number: 80
EOF
```
Layer 4 Reverse Proxy
TCP Application Example
```bash
# ports.whoamitcp.protocol=TCP      protocol of the new entrypoint
# ports.whoamitcp.port=8081         port Traefik listens on
# ports.whoamitcp.exposedPort=8081  port exposed by the Service
# ports.whoamitcp.expose=true       whether to expose the port on the Service
helm upgrade --install --namespace kube-system \
  --set deployment.replicas=3 \
  --set pilot.dashboard=false \
  --set ports.web.redirectTo=websecure \
  --set 'additionalArguments[0]=--entrypoints.websecure.http.tls' \
  --set ports.whoamitcp.protocol=TCP \
  --set ports.whoamitcp.port=8081 \
  --set ports.whoamitcp.exposedPort=8081 \
  --set ports.whoamitcp.expose=true \
  traefik traefik/traefik
```
```bash
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoamitcp
  namespace: apps-choral
spec:
  replicas: 3
  selector:
    matchLabels:
      app: whoamitcp
  template:
    metadata:
      labels:
        app: whoamitcp
    spec:
      containers:
        - name: whoamitcp
          image: traefik/whoamitcp:latest
          imagePullPolicy: IfNotPresent
          ports:
            - protocol: TCP
              containerPort: 8080
EOF
```
Create a Service for reaching the whoamitcp application.

```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: whoamitcp
  namespace: apps-choral
spec:
  type: ClusterIP
  ports:
    - protocol: TCP
      port: 8080
  selector:
    app: whoamitcp
EOF
```
Create an IngressRouteTCP that defines the entry rule for the whoamitcp application.

```bash
# HostSNI(`*`) matches any connection (no TLS/SNI on this entrypoint); the backticks
# are escaped so the unquoted heredoc does not run them as command substitution.
cat <<EOF | kubectl apply -f -
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: whoamitcp
  namespace: apps-choral
spec:
  entryPoints:
    - whoamitcp
  routes:
    - match: HostSNI(\`*\`)
      services:
        - name: whoamitcp
          port: 8080
EOF
```
Verify that the reverse proxy and the service are working.

```bash
# 10.0.0.201 is the load balancer address of the traefik service
# (kubectl get svc traefik -n kube-system)
echo "Hello" | socat - tcp4:10.0.0.201:8081
# The terminal echoes:
Received: Hello
```
UDP Application Example
```bash
# ports.whoamiudp.protocol=UDP      protocol of the new entrypoint
# ports.whoamiudp.port=8082         port Traefik listens on
# ports.whoamiudp.exposedPort=8082  port exposed by the Service
# ports.whoamiudp.expose=true       whether to expose the port on the Service
helm upgrade --install --namespace kube-system \
  --set deployment.replicas=3 \
  --set pilot.dashboard=false \
  --set ports.web.redirectTo=websecure \
  --set 'additionalArguments[0]=--entrypoints.websecure.http.tls' \
  --set ports.whoamitcp.protocol=TCP \
  --set ports.whoamitcp.port=8081 \
  --set ports.whoamitcp.exposedPort=8081 \
  --set ports.whoamitcp.expose=true \
  --set ports.whoamiudp.protocol=UDP \
  --set ports.whoamiudp.port=8082 \
  --set ports.whoamiudp.exposedPort=8082 \
  --set ports.whoamiudp.expose=true \
  traefik traefik/traefik
```
```bash
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoamiudp
  namespace: apps-choral
spec:
  replicas: 3
  selector:
    matchLabels:
      app: whoamiudp
  template:
    metadata:
      labels:
        app: whoamiudp
    spec:
      containers:
        - name: whoamiudp
          image: traefik/whoamiudp:latest
          imagePullPolicy: IfNotPresent
          ports:
            - protocol: UDP
              containerPort: 8080
EOF
```
Create a Service for reaching the whoamiudp application.

```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: whoamiudp
  namespace: apps-choral
spec:
  type: ClusterIP
  ports:
    - protocol: UDP
      port: 8080
  selector:
    app: whoamiudp
EOF
```
Create an IngressRouteUDP that defines the entry rule for the whoamiudp application.

```bash
cat <<EOF | kubectl apply -f -
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: whoamiudp
  namespace: apps-choral
spec:
  entryPoints:
    - whoamiudp
  routes:
    - services:
        - name: whoamiudp
          port: 8080
EOF
```
Verify that the reverse proxy and the service are working.

```bash
# 10.0.0.202 is the load balancer address of the traefik-udp service
# (kubectl get svc traefik-udp -n kube-system)
echo "Hello" | socat - udp4:10.0.0.202:8082
# The terminal echoes:
Received: Hello
```
References
https://github.com/traefik/traefik-helm-chart
https://doc.traefik.io/traefik/providers/kubernetes-crd/
https://doc.traefik.io/traefik/providers/kubernetes-ingress/
https://doc.traefik.io/traefik/middlewares/http/basicauth/