Traefik1.7.17的部署使用
本篇文章介绍了在k8s上treafik1.7的搭建和使用。
因为我这里是作为kubernetes服务的暴露,因此你得有一个kubernetes集群
集群准备好了,需要下面的配置文件
部署rbac文件
rbac文件让ingress获取对应命名空间的权限
[root@master traefik]# cat ingress-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: ingress
namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: ingress
subjects:
- kind: ServiceAccount
name: ingress
namespace: kube-system
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
部署traefik应用
这里部署应用中包含了https服务,因此需要在对应的节点上生成证书进行认证
首先openssl命令生成 CA 证书
$ openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt
现在我们有了证书,我们可以使用 kubectl 创建一个 secret 对象来存储上面的证书
$ kubectl create secret generic traefik-cert --from-file=tls.crt --from-file=tls.key -n kube-system
现在我们来配置 Traefik,让其支持 https,新建traefik.toml文件
[root@master https]# cat traefik.toml
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = "/ssl/tls.crt"
KeyFile = "/ssl/tls.key"
然后通过cm挂载进pod里面,让pod能够访问该配置文件
然后通过cm挂载进pod里面,让pod能够访问该配置文件
$ kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
最后部署我们的对应的traefik应用
[root@master traefik]# cat traefik.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: traefik-ingress-lb
namespace: kube-system
labels:
k8s-app: traefik-ingress-lb
spec:
template:
metadata:
labels:
k8s-app: traefik-ingress-lb
name: traefik-ingress-lb
spec:
terminationGracePeriodSeconds: 60
hostNetwork: true
restartPolicy: Always
serviceAccountName: ingress
containers:
- image: traefik:v1.7.17
name: traefik-ingress-lb
volumeMounts:
- mountPath: "/ssl"
name: "ssl"
- mountPath: "/config"
name: "config"
resources:
limits:
cpu: 200m
memory: 30Mi
requests:
cpu: 100m
memory: 20Mi
ports:
- name: http
containerPort: 80
hostPort: 80
- name: https
containerPort: 443
hostPort: 443
- name: admin
containerPort: 8580
hostPort: 8580
args:
- --web
- --web.address=:8580
- --kubernetes
- --configfile=/config/traefik.toml
volumes:
- name: ssl
secret:
secretName: traefik-cert
- name: config
configMap:
name: traefik-conf
部署traefik的service
[root@master traefik]# cat traefik-service.yaml
apiVersion: v1
kind: Service
metadata:
name: traefik-web-ui
namespace: kube-system
spec:
selector:
k8s-app: traefik-ingress-lb
ports:
- name: web
port: 80
targetPort: 8580
- protocol: TCP
port: 443
name: https
type: NodePort
给trarfik部署一个路由
[root@master traefik]# cat ingress-route.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-web-ui
namespace: kube-system
spec:
rules:
- host: traefik.k8s.niewx.club #配置ui的域名
http:
paths:
- path: /
backend:
serviceName: traefik-web-ui
servicePort: web
ingress 中 path 的用法
部署nginx测试服务测试ingress 中 path 的用法
[root@master traefik]# cat test.yaml
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: svc1
spec:
replicas: 1
template:
metadata:
labels:
app: svc1
spec:
containers:
- name: svc1
image: cnych/example-web-service
env:
- name: APP_SVC
value: svc1
ports:
- containerPort: 8080
protocol: TCP
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: svc2
spec:
replicas: 1
template:
metadata:
labels:
app: svc2
spec:
containers:
- name: svc2
image: cnych/example-web-service
env:
- name: APP_SVC
value: svc2
ports:
- containerPort: 8080
protocol: TCP
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: svc3
spec:
replicas: 1
template:
metadata:
labels:
app: svc3
spec:
containers:
- name: svc3
image: cnych/example-web-service
env:
- name: APP_SVC
value: svc3
ports:
- containerPort: 8080
protocol: TCP
---
kind: Service
apiVersion: v1
metadata:
labels:
app: svc1
name: svc1
spec:
type: ClusterIP
ports:
- port: 8080
name: http
selector:
app: svc1
---
kind: Service
apiVersion: v1
metadata:
labels:
app: svc2
name: svc2
spec:
type: ClusterIP
ports:
- port: 8080
name: http
selector:
app: svc2
---
kind: Service
apiVersion: v1
metadata:
labels:
app: svc3
name: svc3
spec:
type: ClusterIP
ports:
- port: 8080
name: http
selector:
app: svc3
设置不同的同一个路由不同的路由访问对应的nginx服务
[root@master traefik]# cat test-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-test
spec:
rules:
- host: test.k8s.niewx.club #配置ui的域名
http:
paths:
- path: /s1
backend:
serviceName: svc1
servicePort: 8080
- path: /s2
backend:
serviceName: svc2
servicePort: 8080
- path: /
backend:
serviceName: svc3
servicePort: 8080
部署结果
基于traefik的Basic auth认证
首先采用htpasswd创建文件
htpasswd -bc auth admin admin
基于上面的htpasswd创建secret(注意命名空间)
kubectl create secret generic nginx-basic-auth --from-file=auth -n kube-system
treafik引用对应的secret进行认证(注意如下)
Secret文件必须与Ingress规则在同一命名空间。
目前只支持basic authentication。
Realm不可配置,默认使用traefik。
Secret必须只包含一个文件。
引用secret的yaml配置
[root@master traefik]# cat test-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-test
namespace: kube-system
annotations:
kubernetes.io/ingress.class: traefik
# 认证类型
ingress.kubernetes.io/auth-type: basic
# 包含 user/password 的 Secret 名称
ingress.kubernetes.io/auth-secret: nginx-basic-auth
# 当认证的时候显示一个合适的上下文信息
#ingress.kubernetes.io/auth-realm: 'Authentication Required - admin'
spec:
rules:
- host: test.k8s.niewx.club #配置ui的域名
http:
paths:
- path: /s1
backend:
serviceName: svc1
servicePort: 8080
- path: /s2
backend:
serviceName: svc2
servicePort: 8080
- path: /
backend:
serviceName: svc3
servicePort: 8080
解析域名到k8s集群中
一般暴露服务到外部都是提供域名访问,我们这边的集群节点通过lb来负载均衡,将域名解析到对应的lb上,后端监听的服务为treafik的80端口即可,这样treafik可以使用你所绑定解析的域名
最后更新于