本次文章的traefik以v2.0.2版本為例。
架構(gòu)介紹
安裝之前我們先簡(jiǎn)單了解traefik的基本原理
image.png
Traefik是Edge路由器,它攔截并路由每個(gè)傳入的請(qǐng)求:它了解確定哪些服務(wù)處理哪些請(qǐng)求的所有邏輯和規(guī)則(比如path,header,host等等)。傳統(tǒng)上,邊緣路由器(或反向代理)需要一個(gè)配置文件绽乔,配置包含需要你事先配置好的所有可能路由看疗,比如nginx就是這樣做的去枷,而Traefik則從服務(wù)本身獲取它們,通過(guò)支持自動(dòng)發(fā)現(xiàn)來(lái)做的特咆,并且服務(wù)發(fā)現(xiàn)天然支持k8s啥繁,consul等。
安裝
traefik支持多種安裝方式蚕钦,比如直接的二進(jìn)制包安裝,docker安裝整袁,rancher安裝炸客,k8s安裝。本次我們把traefik直接安裝在k8s上面众弓。采用是k8s的CRD方式暴匠。
廢話不多說(shuō),讓我們開(kāi)始吧:
- 準(zhǔn)備RBAC 權(quán)限和CRD(CustomResourceDefinition)
新建文件:01-crd.yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressroutes.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRoute
plural: ingressroutes
singular: ingressroute
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressroutetcps.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRouteTCP
plural: ingressroutetcps
singular: ingressroutetcp
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: middlewares.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: Middleware
plural: middlewares
singular: middleware
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: tlsoptions.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: TLSOption
plural: tlsoptions
singular: tlsoption
scope: Namespaced
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.containo.us
resources:
- middlewares
verbs:
- get
- list
- watch
- apiGroups:
- traefik.containo.us
resources:
- ingressroutes
verbs:
- get
- list
- watch
- apiGroups:
- traefik.containo.us
resources:
- ingressroutetcps
verbs:
- get
- list
- watch
- apiGroups:
- traefik.containo.us
resources:
- tlsoptions
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: default
- Service定義
新建文件 02-svc.yaml,注意service采用nodeport方式傻粘,這個(gè)三個(gè)端口不能被占用每窖,可以按需要修改端口
apiVersion: v1
kind: Service
metadata:
name: traefik
spec:
type: NodePort
ports:
- protocol: TCP
name: web
port: 8000
- protocol: TCP
name: admin
port: 8080
- protocol: TCP
name: websecure
port: 4443
selector:
app: traefik
- 部署文件定義
新建03-deploy.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: default
name: traefik-ingress-controller
---
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: default
name: traefik
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-ingress-controller
containers:
- name: traefik
image: traefik:v2.0.2
args:
- --api.insecure
- --accesslog
- --entrypoints.web.Address=:8000
- --entrypoints.websecure.Address=:4443
- --providers.kubernetescrd
- --certificatesresolvers.default.acme.tlschallenge
- --certificatesresolvers.default.acme.email=foo@you.com
- --certificatesresolvers.default.acme.storage=acme.json
# Please note that this is the staging Let's Encrypt server.
# Once you get things working, you should remove that whole line altogether.
- --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
ports:
- name: web
containerPort: 8000
- name: websecure
containerPort: 4443
- name: admin
containerPort: 8080
- 執(zhí)行kubectl命令安裝
在對(duì)于的有kubectl權(quán)限的k8s節(jié)點(diǎn)上執(zhí)行安裝命令
kubectl apply -f 01-crd.yaml
kubectl apply -f 02-svc.yaml
kubectl apply -f 03-deploy.yaml
正確安裝后,打開(kāi)安裝的節(jié)點(diǎn)ip弦悉,以本機(jī)為例:http://127.0.0.1:8080
就可以看到管理界面了:
image.png
- 安裝whoami服務(wù)進(jìn)行驗(yàn)證
新建文件 whoaim.yaml
---
apiVersion: v1
kind: Service
metadata:
name: whoami
spec:
ports:
- protocol: TCP
name: web
port: 80
selector:
app: whoami
---
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: default
name: whoami
labels:
app: whoami
spec:
replicas: 2
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- name: whoami
image: containous/whoami
ports:
- name: web
containerPort: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: simpleingressroute
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`192.168.0.200`) && PathPrefix(`/notls`)
kind: Rule
services:
- name: whoami
port: 80
通過(guò)crd定義的IngressRoute 資源來(lái)對(duì)whoaim進(jìn)行配置窒典,routes里面host配置traefik支持直接用對(duì)應(yīng)的節(jié)點(diǎn)ip,當(dāng)然用域名也可以稽莉,想nginx ingress只能用域名在測(cè)試環(huán)境就比較麻煩瀑志。
在traefik管理界面看到注冊(cè)成功:
image.png
服務(wù)詳情如下:
image.png
通過(guò)地址進(jìn)行訪問(wèn)whoami,正常訪問(wèn)污秆。到此traefik在k8s安裝成功劈猪。當(dāng)然還有中間件還沒(méi)有介紹,下篇我們?cè)僖?jiàn)良拼。
image.png
