traefik详细说明:https://www.qikqiak.com/traefik-book/
环境说明:
k8s 1.23.4
helm3 3.8
一、添加traefik仓库
#添加 Traefik v2 helm chart
helm repo add traefik https://helm.traefik.io/traefik
# 更新下仓库
helm repo update
#查询repo
helm repo list
二、部暑traefik2
#
mkdir -p /data/traefik2
cd /data/traefik2
#下载traefik2
helm pull traefik/traefik --version 10.19.4
#提取values.yaml文件
tar zxvf traefik-10.19.4.tgz --strip-components 1 traefik/values.yaml
cat > /data/traefik2/start.sh << 'EOF'
helm install traefik2 traefik-10.19.4.tgz -f values.yaml -n kube-system
EOF
bash /data/traefik2/start.sh
三、更新traefik2
#helm3 升级
cat > /data/traefik2/upgrade.sh << 'EOF'
helm upgrade traefik2 traefik-10.19.4.tgz -f values.yaml -n kube-system
cp values.yaml values.yaml.bak_`date +%F_%R`
EOF
四、配置values.yaml
选择部分配置
deployment:
#部暑的副本数量
replicas: 1
#let's encrypt配置
#additionalArguments:
# - "--certificatesresolvers.defalut.acme.storage=/data/acme.json"
# - --certificatesresolvers.default.acme.tlschallenge
# - --certificatesresolvers.default.acme.email=me@myself.com
# - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
#日志相关配置
logs:
general:
level: ERROR
access:
enabled: true
format: json
bufferingSize: 100
filters:
statuscodes: "200,300-302"
retryattempts: true
minduration: 10ms
fields:
general:
defaultmode: keep
names:
ClientUsername: drop
headers:
defaultmode: drop
names:
User-Agent: redact
Authorization: drop
Content-Type: keep
#全局参数,开启dashboard,metrics等
globalArguments:
- "--global.checknewversion"
- "--global.sendanonymoususage"
- "--serversTransport.insecureSkipVerify=true"
- "--api.insecure=true"
- "--api.dashboard=true"
- "--metrics.prometheus=true"
- "--metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000"
- "--metrics.prometheus.addEntryPointsLabels=true"
- "--metrics.prometheus.addServicesLabels=true"
- "--metrics.prometheus.entryPoint=metrics"
- "--metrics.prometheus.manualrouting=true"
#- "--entryPoints.metrics.address=:8020"
#- "--metrics.prometheus.manualrouting=true"
# zinkin tracing 配置
- "--tracing.zipkin=true"
- "--tracing.zipkin.httpEndpoint=http://localhost:9411/api/v2/spans"
- "--tracing.zipkin.sameSpan=true"
- "--tracing.zipkin.id128Bit=false"
- "--tracing.zipkin.sampleRate=0.2"
#端口暴露配置
ports:
traefik:
port: 9000
# hostPort: 9000
# hostIP: 192.168.100.10
expose: true
exposedPort: 9000
protocol: TCP
nodePort: 29000
web:
port: 8000
# hostPort: 8000
expose: true
exposedPort: 80
protocol: TCP
nodePort: 20080
# redirectTo: websecure
websecure:
port: 8443
# hostPort: 8443
expose: true
exposedPort: 443
protocol: TCP
nodePort: 20443
#设置tcp代理
mongo:
port: 27017
expose: true
exposedPort: 27017
protocol: TCP
#hostPort: 27017
nodePort: 27017
#资源限制
resources:
requests:
cpu: "100m"
memory: "50Mi"
limits:
cpu: "300m"
memory: "150Mi"
#端口暴露方式
service:
#type: LoadBalancer
type: NodePort
启动traefik2
bash /data/traefik2/start.sh
五、访问管理后台:
http://192.168.11.211:29000/dashboard/#/
六 、把traefik的dashboard发布到http接口上
cat > /data/traefik2/traefik_dashboard.yaml << 'EOF'
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard-route
namespace: kube-system #配置命名空间
spec:
entryPoints:
- web
# tls:
# secretName: cloudfe-cert-tls
routes:
- match: Host(`traefik.kids.cn`) && PathPrefix(`/`) #配置域名
kind: Rule
services:
- name: traefik2 #与sevicename对应
port: 9000 #与serviceport对应
EOF
七、traefik中间件
- 7.1basicauth验证
帐号密码生成工具:http://web.chacuo.net/nethtpasswd
cat > /data/traefik2/traefik_authsecret.yaml << 'EOF'
apiVersion: v1
kind: Secret
metadata:
name: traefik-authsecret
namespace: kube-system
type: Opaque
stringData:
users: test:$apr1$XeP7Hl7a$HZggi6xLd5IlYFrOxFNpe1
EOF
配置 BasicAuth 中间件
cat > /data/traefik2/traefik_basic_auth.yaml << 'EOF'
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: traefik-basic-auth
namespace: kube-system
spec:
basicAuth:
secret: traefik-authsecret
EOF
重新配置 Ingress Route
cat > /data/traefik2/traefik_dashboard.yaml << 'EOF'
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard-route
namespace: kube-system #配置命名空间
spec:
entryPoints:
- web
# tls:
# secretName: cloudfe-cert-tls
routes:
- match: Host(`traefik.kids.cn`) #配置域名
kind: Rule
services:
- name: traefik2 #与sevicename对应
port: 9000 #与serviceport对应
middlewares:
- name: traefik-basic-auth
EOF
应用配置
kubectl apply -f traefik_authsecret.yaml
kubectl apply -f traefik_basic_auth.yaml
kubectl apply -f traefik_dashboard.yaml
访问地址:http://traefik.kids.cn:20080/dashboard/#/
帐号,密码: test/test
- 7.2 https
7.2.1 #自签证书
cd /data/traefik2/
#创建证书
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout traefik-tls.key -out traefik-tls.crt -subj "/CN=*.kids.cn"
#通过 Secret 对象来引用证书文件
kubectl create secret tls traefik-tls --cert=traefik-tls.crt --key=traefik-tls.key -n kube-system
#修改 ingressroute
cat > /data/traefik2/traefik_dashboard_https.yaml << 'EOF'
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard-route-tls
namespace: kube-system #配置命名空间
spec:
entryPoints:
- websecure
routes:
- match: Host(`traefik.kids.cn`) #配置域名
kind: Rule
services:
- name: traefik2 #与sevicename对应
port: 9000 #与serviceport对应
middlewares:
- name: traefik-basic-auth
tls:
secretName: traefik-tls
EOF
7.2.2 Let’s Encrypt 来进行自动化 HTTPS
cat > /data/traefik2/certificatesresolvers.yaml << 'EOF'
certificatesresolvers:
default:
acme:
tlsChallenge: {}
email: "xbzeng@163.com"
storage: "acme.json"
EOF
#在IngressRoute中引用
tls:
certResolver: default
7.2.3 traefik使用cert-manager自签证书
cert-manager 的helm3安装方法https://blog.csdn.net/u010533742/article/details/120201547
cat > /data/cert-manager/ca-sign.yaml << 'EOF'
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: ca-issuer
namespace: cert-manager
spec:
selfSigned: {}
EOF
kubectl apply -f /data/cert-manager/ca-sign.yaml
#创建Certificate资源
cat >/data/cert-manager/Certificate.yaml<< EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: kids-cn
namespace: kube-system
spec:
secretName: kids-cn-tls
duration: 2160h # 90d
renewBefore: 360h # 15d
privateKey:
algorithm: ECDSA
size: 256
# algorithm: RSA
# encoding: PKCS1
# size: 2048
issuerRef:
name: ca-issuer
kind: ClusterIssuer
group: cert-manager.io
commonName: kids.cn
dnsNames:
- kids.cn
- www.kids.cn
- traefik.kids.cn
ipAddresses:
- 127.0.0.1
EOF
kubectl apply -f /data/cert-manager/Certificate.yaml
#修改 ingressroute
cat > /data/traefik2/traefik_dashboard_https.yaml << 'EOF'
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard-route-tls
namespace: kube-system #配置命名空间
spec:
entryPoints:
- websecure
routes:
- match: Host(`traefik.kids.cn`) #配置域名
kind: Rule
services:
- name: traefik2 #与sevicename对应
port: 9000 #与serviceport对应
# middlewares:
# - name: traefik-basic-auth
tls:
secretName: kids-cn-tls
EOF
kubectl apply -f /data/traefik2/traefik_dashboard_https.yaml
7.3 希望用户通过 https 来访问应用(http自动跳转到https)
cat > /data/traefik2/redirect-https.yaml << 'EOF'
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: redirect-https
namespace: kube-system
spec:
redirectScheme:
scheme: https
port: "20443"
permanent: true
EOF
在IngressRoute中引用中间件
middlewares:
- name: redirect-https #引用中间件
7.4 替换路径
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-replacepathregex
namespace: kube-system
spec:
replacePathRegex:
regex: ^/foo/(.*)
replacement: /bar/$1
在IngressRoute中引用中间件
middlewares:
- name: test-replacepathregex #引用中间件
7.5 去掉路径
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-stripprefix
spec:
stripPrefix:
prefixes:
- /foobar
- /fiibar
在IngressRoute中引用中间件
middlewares:
- name: test-stripprefix #引用中间件
7.6 TCP代理
cat > /data/traefik2/tcp_mongo.yaml << 'EOF'
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: mongo-route
namespace: base #配置命名空间
spec:
entryPoints:
- mongo
routes:
- match: Host(`*`) # TCP 路由配置需要 SNI,而 SNI 有是依赖 TLS 的,所以我们需要配置证书才行,但是如果没有证书的话,我们可以使用通配符 *
kind: Rule
services:
- name: mongo #与sevicename对应
port: 27017 #与serviceport对应
EOF
或者
cat > /data/traefik2/tcp_mongo_sni.yaml << 'EOF'
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: mongo-route
namespace: base #配置命名空间
spec:
entryPoints:
- mongo
routes:
- match: Host(`mongo.kids.cn`) #配置域名
kind: Rule
services:
- name: mongo #与sevicename对应
port: 27017 #与serviceport对应
tls:
secretName: traefik-tls
passthrough: true
EOF
