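Contents
- Preface
- I. Introduction
- II. Download Traefik
- III. Install Traefik
- 1. Create the CRD resources
- 2. Create the RBAC permissions
- 3. Create the ConfigMap configuration
- 4. Create the Traefik service
- IV. Configure the Dashboard route
Preface
Traefik is currently at version 2.5; this article installs Traefik based on that latest version.
I. Introduction
Traefik is a modern, cloud-native HTTP reverse proxy and load balancer that makes deploying microservices easy. It supports multiple backends (Docker, Swarm, Mesos/Marathon, Consul, Etcd, Zookeeper, BoltDB, Rest API, file…) and can manage its configuration automatically and dynamically.
Traefik is an open-source edge router that makes publishing your services a fun and easy experience. It receives external requests and uses routing to find the component that should handle each request.
Features:
- Written in Golang and deployed as a single file, independent of the host system; a small Docker image is also provided.
- Supports Docker/Etcd backends, so it connects naturally to our microservice cluster.
- Built-in Web UI (dashboard), which makes management relatively convenient.
- Automatic ACME (Let's Encrypt) certificate configuration.
- Performance is adequate; we have not reached the stage of squeezing LB performance, so ease of use matters more.
- RESTful API support.
- Backend health checks, with automatic configuration based on health status.
- Dynamic loading of configuration files and graceful restart.
- WebSocket and HTTP/2 support.
II. Download Traefik
1. Search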
[root@k8s-master k8s]# docker search traefik
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
traefik Traefik, The Cloud Native Edge Router 2310 [OK]
containous/traefik Traefik unofficial image (please use officia… 37 [OK]
thomseddon/traefik-forward-auth Minimal forward authentication that provides… 35 [OK]
2. Pull
[root@k8s-master k8s]# docker pull traefik
Using default tag: latest
latest: Pulling from library/traefik
97518928ae5f: Pull complete
8f1084cd7998: Pull complete
7f585f616a11: Pull complete
c4f598fe2b15: Pull complete
Digest: sha256:2f603f8d3abe1dd3a4eb28960c55506be48293b41ea2c6ed4a4297c851a57a05
Status: Downloaded newer image for traefik:latest
docker.io/library/traefik:latest
3. Tag
[root@k8s-master k8s]# docker tag traefik:latest 172.16.10.158:85/traefik
4. Push to the private registry
[root@k8s-master k8s]# docker push 172.16.10.158:85/traefik
The push refers to repository [172.16.10.158:85/traefik]
d5027df3849a: Pushed
089094788c81: Pushed
329f6072fea0: Pushed
1a058d5342cc: Pushed
latest: digest: sha256:cb6c620b70f3981b2323cf759d452164e84ed6ce82c2a2a84e0df825a8428309 size: 1157
III. Install Traefik
1. Create the CRD resources
(1) traefik-crd.yaml
[root@k8s-master 2]# cat traefik-crd.yaml
## IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
---
## IngressRouteTCP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
---
## Middleware
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
---
## MiddlewareTcp
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewaretcps.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: MiddlewareTCP
    plural: middlewaretcps
    singular: middlewaretcp
---
## ServersTransport
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: serverstransports.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: ServersTransport
    plural: serverstransports
    singular: serverstransport
  scope: Namespaced
---
## TLSOption
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
---
## TraefikService
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
---
## TraefikTLSStore
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsstores.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSStore
    plural: tlsstores
    singular: tlsstore
---
## IngressRouteUDP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressrouteudps.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteUDP
    plural: ingressrouteudps
    singular: ingressrouteudp
(2) Create
[root@k8s-master 2]# kubectl create -f traefik-crd.yaml
Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/ingressroutes.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/ingressroutetcps.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/middlewares.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/middlewaretcps.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/serverstransports.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/tlsoptions.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/traefikservices.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/tlsstores.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/ingressrouteudps.traefik.containo.us created
2. Create the RBAC permissions
(1) traefik-rbac.yaml
[root@k8s-master 2]# cat traefik-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - middlewaretcps
      - serverstransports
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
(2) Create
[root@k8s-master 2]# kubectl create -f traefik-rbac.yaml
serviceaccount/traefik-ingress-controller created
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created
3. Create the ConfigMap configuration
(1) traefik-config.yaml
[root@k8s-master 2]# cat traefik-config.yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-config
  namespace: kube-system
data:
  traefik.yaml: |-
    serversTransport:
      insecureSkipVerify: true  ## skip verification of the proxied services' TLS certificates
    api:
      insecure: true            ## allow access to the API over HTTP
      dashboard: true           ## enable the Dashboard UI
      debug: true               ## enable debug mode
    metrics:
      prometheus: metrics       ## configure Prometheus metrics
    entryPoints:
      web:
        address: ":80"          ## listen on port 80; entry point name is web
      websecure:
        address: ":443"         ## listen on port 443; entry point name is websecure
      traefik:
        address: ":8090"        ## listen on port 8090; entry point name is traefik (serves the dashboard)
      metrics:
        address: ":8082"        ## listen on port 8082; entry point for metrics collection
      tcpep:
        address: ":8000"        ## listen on port 8000; TCP entry point
      udpep:
        address: ":9000/udp"    ## listen on port 9000; UDP entry point
    providers:
      kubernetescrd:            ## enable configuring routing rules through Kubernetes CRDs
        ingressclass: traefik-v2.5
      kubernetesingress:        ## enable configuring routing rules through Kubernetes Ingress
        ingressclass: traefik-v2.5
    log:
      filePath: "/etc/traefik/logs/traefik.log"  ## path of the log file; output goes to the console if empty
      level: error              ## log level
      format: json              ## log format
    accessLog:
      filePath: "/etc/traefik/logs/access.log"   ## path of the access log file; output goes to the console if empty
      format: json
      bufferingSize: 0
      filters:
        retryAttempts: true     ## keep access logs for requests that were retried
        minDuration: 10         ## keep access logs for requests that took longer than this duration
      fields:                   ## whether access log fields are kept (keep) or dropped (drop)
        defaultMode: keep       ## keep access log fields by default
        names:                  ## per-field overrides of the default mode
          ClientUsername: drop
        headers:                ## whether header fields are kept
          defaultMode: keep     ## keep header fields by default
          names:                ## per-header overrides of the default mode
            User-Agent: redact
            Authorization: drop
            Content-Type: keep
(2) Create
[root@k8s-master 2]# kubectl create -f traefik-config.yaml
configmap/traefik-config created
4. Create the Traefik service
(1) traefik-service.yaml
[root@k8s-master 2]# cat traefik-service.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-v2
  namespace: kube-system
  labels:
    app: traefik-v2
spec:
  replicas: 2
  selector:
    matchLabels:
      app: traefik-v2
  template:
    metadata:
      labels:
        app: traefik-v2
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 1
      containers:
        - name: traefik-v2
          image: 172.16.10.158:85/traefik
          args:
            - --configfile=/config/traefik.yaml
          ports:
            - name: web
              containerPort: 80
              hostPort: 80
            - name: websecure
              containerPort: 443
              hostPort: 443
            - name: admin
              containerPort: 8090
            - name: tcpep
              containerPort: 8000
            - name: udpep
              containerPort: 9000
          resources:
            limits:
              cpu: 500m
              memory: 1024Mi
            requests:
              cpu: 300m
              memory: 1024Mi
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          volumeMounts:
            - mountPath: "/config"
              name: "config"
            - mountPath: /etc/traefik/logs
              name: logdir
            - mountPath: /etc/localtime
              name: timezone
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: traefik-config
        - name: logdir
          hostPath:
            path: /data/traefik/logs
            type: "DirectoryOrCreate"
        - name: timezone
          hostPath:
            path: /etc/localtime
            type: File
      tolerations:
        - operator: "Exists"
      hostNetwork: true
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-v2
  namespace: kube-system
spec:
  type: LoadBalancer
  selector:
    app: traefik-v2
  ports:
    - protocol: TCP
      port: 80
      name: web
      targetPort: 80
    - protocol: TCP
      port: 443
      name: websecure
      targetPort: 443
    - protocol: TCP
      port: 8090
      name: admin
      targetPort: 8090
    - protocol: TCP
      port: 8000
      name: tcpep
      targetPort: 8000
(2) Create
[root@k8s-master 2]# kubectl create -f traefik-service.yaml
deployment.apps/traefik-v2 created
service/traefik-v2 created
IV. Configure the Dashboard route
1. dashboard-route.yaml
[root@k8s-master 2]# cat dashboard-route.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard-route
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik-v2.5
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`dashboard.test.com`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: traefik-v2
          port: 8090
2. Edit the local hosts file
Add the IP-to-domain mapping:
172.16.10.158 dashboard.test.com
3. Access
http://dashboard.test.com/
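The configuration above serves the API and dashboard without authentication (api.insecure: true) and routes them over plain HTTP on the web entry point. As an added example, not part of the original article, the manifests below publish the same dashboard through Traefik's internal api@internal service on the websecure entry point behind basic auth. The Secret and Middleware names and the htpasswd placeholder are assumptions, and api.insecure is assumed to have been changed to false in traefik.yaml.

```yaml
## Added example. Prerequisite in traefik.yaml (traefik-config ConfigMap):
##   api:
##     insecure: false   ## was true: unauthenticated API/dashboard on :8090
##     dashboard: true
apiVersion: v1
kind: Secret
metadata:
  name: dashboard-users            ## hypothetical name
  namespace: kube-system
type: Opaque
stringData:
  ## One htpasswd-format line per user; placeholder, generate your own hash.
  users: |
    admin:<HTPASSWD_HASH_PLACEHOLDER>
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth             ## hypothetical name
  namespace: kube-system
spec:
  basicAuth:
    secret: dashboard-users        ## the Secret must carry a "users" key
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard-route
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik-v2.5
spec:
  entryPoints:
    - websecure                    ## TLS entry point instead of web (:80)
  routes:
    - match: Host(`dashboard.test.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      kind: Rule
      middlewares:
        - name: dashboard-auth     ## requests without valid credentials get 401
      services:
        - name: api@internal       ## Traefik's built-in API/dashboard service
          kind: TraefikService
  tls: {}                          ## default certificate unless a TLS secret is configured
```

With this route the dashboard is reached at https://dashboard.test.com/dashboard/ (the trailing slash is required), and the admin port 8090 no longer needs to be published in the traefik-v2 Service.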