Deploying Traefik 2.5 on Kubernetes
1. System environment
Traefik version: 2.5.6
Kubernetes version: 1.23.3
2. Installing with Helm
2.1 Requirements
Kubernetes 1.23+
Helm 3.x
2.2 Installation
Add the Traefik chart repository:
helm repo add traefik https://helm.traefik.io/traefik
Update the local repository index:
helm repo update
Install the chart with Helm:
helm install traefik traefik/traefik
3. Manual installation
3.1 Create the CRDs
Check your Kubernetes version first: apiextensions.k8s.io/v1beta1 was deprecated in Kubernetes 1.16 and removed entirely in 1.22. On Kubernetes 1.16 and later, use apiextensions.k8s.io/v1 (as the manifest below does).
00-traefik-v2.5-crd.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: IngressRoute
    listKind: IngressRouteList
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: IngressRoute is an Ingress CRD specification.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IngressRouteSpec is a specification for a IngressRouteSpec resource.
            properties:
              entryPoints:
                items:
                  type: string
                type: array
              routes:
                items:
                  description: Route contains the set of routes.
                  properties:
                    kind:
                      enum:
                      - Rule
                      type: string
                    match:
                      type: string
                    middlewares:
                      items:
                        description: MiddlewareRef is a ref to the Middleware resources.
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                        required:
                        - name
                        type: object
                      type: array
                    priority:
                      type: integer
                    services:
                      items:
                        description: Service defines an upstream to proxy traffic.
                        properties:
                          kind:
                            enum:
                            - Service
                            - TraefikService
                            type: string
                          name:
                            description: Name is a reference to a Kubernetes Service object (for a load-balancer of servers), or to a TraefikService object (service load-balancer, mirroring, etc). The differentiation between the two is specified in the Kind field.
                            type: string
                          namespace:
                            type: string
                          passHostHeader:
                            type: boolean
                          port:
                            anyOf:
                            - type: integer
                            - type: string
                            x-kubernetes-int-or-string: true
                          responseForwarding:
                            description: ResponseForwarding holds configuration for the forward of the response.
                            properties:
                              flushInterval:
                                type: string
                            type: object
                          scheme:
                            type: string
                          serversTransport:
                            type: string
                          sticky:
                            description: Sticky holds the sticky configuration.
                            properties:
                              cookie:
                                description: Cookie holds the sticky configuration based on cookie.
                                properties:
                                  httpOnly:
                                    type: boolean
                                  name:
                                    type: string
                                  sameSite:
                                    type: string
                                  secure:
                                    type: boolean
                                type: object
                            type: object
                          strategy:
                            type: string
                          weight:
                            description: Weight should only be specified when Name references a TraefikService object (and to be precise, one that embeds a Weighted Round Robin).
                            type: integer
                        required:
                        - name
                        type: object
                      type: array
                  required:
                  - kind
                  - match
                  type: object
                type: array
              tls:
                description: "TLS contains the TLS certificates configuration of the routes. To enable Let's Encrypt, use an empty TLS struct, e.g. in YAML: \n \t tls: {} # inline format \n \t tls: \t secretName: # block format"
                properties:
                  certResolver:
                    type: string
                  domains:
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
                        main:
                          type: string
                        sans:
                          items:
                            type: string
                          type: array
                      type: object
                    type: array
                  options:
                    description: Options is a reference to a TLSOption, that specifies the parameters of the TLS connection.
                    properties:
                      name:
                        type: string
                      namespace:
                        type: string
                    required:
                    - name
                    type: object
                  secretName:
                    description: SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
                    type: string
                  store:
                    description: Store is a reference to a TLSStore, that specifies the parameters of the TLS store.
                    properties:
                      name:
                        type: string
                      namespace:
                        type: string
                    required:
                    - name
                    type: object
                type: object
            required:
            - routes
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: IngressRouteTCP
    listKind: IngressRouteTCPList
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: IngressRouteTCP is an Ingress CRD specification.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IngressRouteTCPSpec is a specification for a IngressRouteTCPSpec resource.
            properties:
              entryPoints:
                items:
                  type: string
                type: array
              routes:
                items:
                  description: RouteTCP contains the set of routes.
                  properties:
                    match:
                      type: string
                    middlewares:
                      description: Middlewares contains references to MiddlewareTCP resources.
                      items:
                        description: ObjectReference is a generic reference to a Traefik resource.
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                        required:
                        - name
                        type: object
                      type: array
                    services:
                      items:
                        description: ServiceTCP defines an upstream to proxy traffic.
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                          port:
                            anyOf:
                            - type: integer
                            - type: string
                            x-kubernetes-int-or-string: true
                          proxyProtocol:
                            description: ProxyProtocol holds the ProxyProtocol configuration.
                            properties:
                              version:
                                type: integer
                            type: object
                          terminationDelay:
                            type: integer
                          weight:
                            type: integer
                        required:
                        - name
                        - port
                        type: object
                      type: array
                  required:
                  - match
                  type: object
                type: array
              tls:
                description: "TLSTCP contains the TLS certificates configuration of the routes. To enable Let's Encrypt, use an empty TLS struct, e.g. in YAML: \n \t tls: {} # inline format \n \t tls: \t secretName: # block format"
                properties:
                  certResolver:
                    type: string
                  domains:
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
                        main:
                          type: string
                        sans:
                          items:
                            type: string
                          type: array
                      type: object
                    type: array
                  options:
                    description: Options is a reference to a TLSOption, that specifies the parameters of the TLS connection.
                    properties:
                      name:
                        type: string
                      namespace:
                        type: string
                    required:
                    - name
                    type: object
                  passthrough:
                    type: boolean
                  secretName:
                    description: SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
                    type: string
                  store:
                    description: Store is a reference to a TLSStore, that specifies the parameters of the TLS store.
                    properties:
                      name:
                        type: string
                      namespace:
                        type: string
                    required:
                    - name
                    type: object
                type: object
            required:
            - routes
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: ingressrouteudps.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: IngressRouteUDP
    listKind: IngressRouteUDPList
    plural: ingressrouteudps
    singular: ingressrouteudp
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: IngressRouteUDP is an Ingress CRD specification.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IngressRouteUDPSpec is a specification for a IngressRouteUDPSpec resource.
            properties:
              entryPoints:
                items:
                  type: string
                type: array
              routes:
                items:
                  description: RouteUDP contains the set of routes.
                  properties:
                    services:
                      items:
                        description: ServiceUDP defines an upstream to proxy traffic.
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                          port:
                            anyOf:
                            - type: integer
                            - type: string
                            x-kubernetes-int-or-string: true
                          weight:
                            type: integer
                        required:
                        - name
                        - port
                        type: object
                      type: array
                  type: object
                type: array
            required:
            - routes
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: Middleware
    listKind: MiddlewareList
    plural: middlewares
    singular: middleware
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: Middleware is a specification for a Middleware resource.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: MiddlewareSpec holds the Middleware configuration.
            properties:
              addPrefix:
                description: AddPrefix holds the AddPrefix configuration.
                properties:
                  prefix:
                    type: string
                type: object
              basicAuth:
                description: BasicAuth holds the HTTP basic authentication configuration.
                properties:
                  headerField:
                    type: string
                  realm:
                    type: string
                  removeHeader:
                    type: boolean
                  secret:
                    type: string
                type: object
              buffering:
                description: Buffering holds the request/response buffering configuration.
                properties:
                  maxRequestBodyBytes:
                    format: int64
                    type: integer
                  maxResponseBodyBytes:
                    format: int64
                    type: integer
                  memRequestBodyBytes:
                    format: int64
                    type: integer
                  memResponseBodyBytes:
                    format: int64
                    type: integer
                  retryExpression:
                    type: string
                type: object
              chain:
                description: Chain holds a chain of middlewares.
                properties:
                  middlewares:
                    items:
                      description: MiddlewareRef is a ref to the Middleware resources.
                      properties:
                        name:
                          type: string
                        namespace:
                          type: string
                      required:
                      - name
                      type: object
                    type: array
                type: object
              circuitBreaker:
                description: CircuitBreaker holds the circuit breaker configuration.
                properties:
                  expression:
                    type: string
                type: object
              compress:
                description: Compress holds the compress configuration.
                properties:
                  excludedContentTypes:
                    items:
                      type: string
                    type: array
                  minResponseBodyBytes:
                    type: integer
                type: object
              contentType:
                description: ContentType middleware - or rather its unique `autoDetect` option - specifies whether to let the `Content-Type` header, if it has not been set by the backend, be automatically set to a value derived from the contents of the response. As a proxy, the default behavior should be to leave the header alone, regardless of what the backend did with it. However, the historic default was to always auto-detect and set the header if it was nil, and it is going to be kept that way in order to support users currently relying on it. This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
                properties:
                  autoDetect:
                    type: boolean
                type: object
              digestAuth:
                description: DigestAuth holds the Digest HTTP authentication configuration.
                properties:
                  headerField:
                    type: string
                  realm:
                    type: string
                  removeHeader:
                    type: boolean
                  secret:
                    type: string
                type: object
              errors:
                description: ErrorPage holds the custom error page configuration.
                properties:
                  query:
                    type: string
                  service:
                    description: Service defines an upstream to proxy traffic.
                    properties:
                      kind:
                        enum:
                        - Service
                        - TraefikService
                        type: string
                      name:
                        description: Name is a reference to a Kubernetes Service object (for a load-balancer of servers), or to a TraefikService object (service load-balancer, mirroring, etc). The differentiation between the two is specified in the Kind field.
                        type: string
                      namespace:
                        type: string
                      passHostHeader:
                        type: boolean
                      port:
                        anyOf:
                        - type: integer
                        - type: string
                        x-kubernetes-int-or-string: true
                      responseForwarding:
                        description: ResponseForwarding holds configuration for the forward of the response.
                        properties:
                          flushInterval:
                            type: string
                        type: object
                      scheme:
                        type: string
                      serversTransport:
                        type: string
                      sticky:
                        description: Sticky holds the sticky configuration.
                        properties:
                          cookie:
                            description: Cookie holds the sticky configuration based on cookie.
                            properties:
                              httpOnly:
                                type: boolean
                              name:
                                type: string
                              sameSite:
                                type: string
                              secure:
                                type: boolean
                            type: object
                        type: object
                      strategy:
                        type: string
                      weight:
                        description: Weight should only be specified when Name references a TraefikService object (and to be precise, one that embeds a Weighted Round Robin).
                        type: integer
                    required:
                    - name
                    type: object
                  status:
                    items:
                      type: string
                    type: array
                type: object
              forwardAuth:
                description: ForwardAuth holds the http forward authentication configuration.
                properties:
                  address:
                    type: string
                  authRequestHeaders:
                    items:
                      type: string
                    type: array
                  authResponseHeaders:
                    items:
                      type: string
                    type: array
                  authResponseHeadersRegex:
                    type: string
                  tls:
                    description: ClientTLS holds TLS specific configurations as client.
                    properties:
                      caOptional:
                        type: boolean
                      caSecret:
                        type: string
                      certSecret:
                        type: string
                      insecureSkipVerify:
                        type: boolean
                    type: object
                  trustForwardHeader:
                    type: boolean
                type: object
              headers:
                description: Headers holds the custom header configuration.
                properties:
                  accessControlAllowCredentials:
                    description: AccessControlAllowCredentials is only valid if true. false is ignored.
                    type: boolean
                  accessControlAllowHeaders:
                    description: AccessControlAllowHeaders must be used in response to a preflight request with Access-Control-Request-Headers set.
                    items:
                      type: string
                    type: array
                  accessControlAllowMethods:
                    description: AccessControlAllowMethods must be used in response to a preflight request with Access-Control-Request-Method set.
                    items:
                      type: string
                    type: array
                  accessControlAllowOriginList:
                    description: AccessControlAllowOriginList is a list of allowable origins. Can also be a wildcard origin "*".
                    items:
                      type: string
                    type: array
                  accessControlAllowOriginListRegex:
                    description: AccessControlAllowOriginListRegex is a list of allowable origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/).
                    items:
                      type: string
                    type: array
                  accessControlExposeHeaders:
                    description: AccessControlExposeHeaders sets valid headers for the response.
                    items:
                      type: string
                    type: array
                  accessControlMaxAge:
                    description: AccessControlMaxAge sets the time that a preflight request may be cached.
                    format: int64
                    type: integer
                  addVaryHeader:
                    description: AddVaryHeader controls if the Vary header is automatically added/updated when the AccessControlAllowOriginList is set.
                    type: boolean
                  allowedHosts:
                    items:
                      type: string
                    type: array
                  browserXssFilter:
                    type: boolean
                  contentSecurityPolicy:
                    type: string
                  contentTypeNosniff:
                    type: boolean
                  customBrowserXSSValue:
                    type: string
                  customFrameOptionsValue:
                    type: string
                  customRequestHeaders:
                    additionalProperties:
                      type: string
                    type: object
                  customResponseHeaders:
                    additionalProperties:
                      type: string
                    type: object
                  featurePolicy:
                    description: 'Deprecated: use PermissionsPolicy instead.'
                    type: string
                  forceSTSHeader:
                    type: boolean
                  frameDeny:
                    type: boolean
                  hostsProxyHeaders:
                    items:
                      type: string
                    type: array
                  isDevelopment:
                    type: boolean
                  permissionsPolicy:
                    type: string
                  publicKey:
                    type: string
                  referrerPolicy:
                    type: string
                  sslForceHost:
                    description: 'Deprecated: use RedirectRegex instead.'
                    type: boolean
                  sslHost:
                    description: 'Deprecated: use RedirectRegex instead.'
                    type: string
                  sslProxyHeaders:
                    additionalProperties:
                      type: string
                    type: object
                  sslRedirect:
                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme instead.'
                    type: boolean
                  sslTemporaryRedirect:
                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme instead.'
                    type: boolean
                  stsIncludeSubdomains:
                    type: boolean
                  stsPreload:
                    type: boolean
                  stsSeconds:
                    format: int64
                    type: integer
                type: object
              inFlightReq:
                description: InFlightReq limits the number of requests being processed and served concurrently.
                properties:
                  amount:
                    format: int64
                    type: integer
                  sourceCriterion:
                    description: SourceCriterion defines what criterion is used to group requests as originating from a common source. If none are set, the default is to use the request's remote address field. All fields are mutually exclusive.
                    properties:
                      ipStrategy:
                        description: IPStrategy holds the ip strategy configuration.
                        properties:
                          depth:
                            type: integer
                          excludedIPs:
                            items:
                              type: string
                            type: array
                        type: object
                      requestHeaderName:
                        type: string
                      requestHost:
                        type: boolean
                    type: object
                type: object
              ipWhiteList:
                description: IPWhiteList holds the ip white list configuration.
                properties:
                  ipStrategy:
                    description: IPStrategy holds the ip strategy configuration.
                    properties:
                      depth:
                        type: integer
                      excludedIPs:
                        items:
                          type: string
                        type: array
                    type: object
                  sourceRange:
                    items:
                      type: string
                    type: array
                type: object
              passTLSClientCert:
                description: PassTLSClientCert holds the TLS client cert headers configuration.
                properties:
                  info:
                    description: TLSClientCertificateInfo holds the client TLS certificate info configuration.
                    properties:
                      issuer:
                        description: TLSClientCertificateIssuerDNInfo holds the client TLS certificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739
                        properties:
                          commonName:
                            type: boolean
                          country:
                            type: boolean
                          domainComponent:
                            type: boolean
                          locality:
                            type: boolean
                          organization:
                            type: boolean
                          province:
                            type: boolean
                          serialNumber:
                            type: boolean
                        type: object
                      notAfter:
                        type: boolean
                      notBefore:
                        type: boolean
                      sans:
                        type: boolean
                      serialNumber:
                        type: boolean
                      subject:
                        description: TLSClientCertificateSubjectDNInfo holds the client TLS certificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739
                        properties:
                          commonName:
                            type: boolean
                          country:
                            type: boolean
                          domainComponent:
                            type: boolean
                          locality:
                            type: boolean
                          organization:
                            type: boolean
                          organizationalUnit:
                            type: boolean
                          province:
                            type: boolean
                          serialNumber:
                            type: boolean
                        type: object
                    type: object
                  pem:
                    type: boolean
                type: object
              plugin:
                additionalProperties:
                  x-kubernetes-preserve-unknown-fields: true
                type: object
              rateLimit:
                description: RateLimit holds the rate limiting configuration for a given router.
                properties:
                  average:
                    format: int64
                    type: integer
                  burst:
                    format: int64
                    type: integer
                  period:
                    anyOf:
                    - type: integer
                    - type: string
                    x-kubernetes-int-or-string: true
                  sourceCriterion:
                    description: SourceCriterion defines what criterion is used to group requests as originating from a common source. If none are set, the default is to use the request's remote address field. All fields are mutually exclusive.
                    properties:
                      ipStrategy:
                        description: IPStrategy holds the ip strategy configuration.
                        properties:
                          depth:
                            type: integer
                          excludedIPs:
                            items:
                              type: string
                            type: array
                        type: object
                      requestHeaderName:
                        type: string
                      requestHost:
                        type: boolean
                    type: object
                type: object
              redirectRegex:
                description: RedirectRegex holds the redirection configuration.
                properties:
                  permanent:
                    type: boolean
                  regex:
                    type: string
                  replacement:
                    type: string
                type: object
              redirectScheme:
                description: RedirectScheme holds the scheme redirection configuration.
                properties:
                  permanent:
                    type: boolean
                  port:
                    type: string
                  scheme:
                    type: string
                type: object
              replacePath:
                description: ReplacePath holds the ReplacePath configuration.
                properties:
                  path:
                    type: string
                type: object
              replacePathRegex:
                description: ReplacePathRegex holds the ReplacePathRegex configuration.
                properties:
                  regex:
                    type: string
                  replacement:
                    type: string
                type: object
              retry:
                description: Retry holds the retry configuration.
                properties:
                  attempts:
                    type: integer
                  initialInterval:
                    anyOf:
                    - type: integer
                    - type: string
                    x-kubernetes-int-or-string: true
                type: object
              stripPrefix:
                description: StripPrefix holds the StripPrefix configuration.
                properties:
                  forceSlash:
                    type: boolean
                  prefixes:
                    items:
                      type: string
                    type: array
                type: object
              stripPrefixRegex:
                description: StripPrefixRegex holds the StripPrefixRegex configuration.
                properties:
                  regex:
                    items:
                      type: string
                    type: array
                type: object
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: middlewaretcps.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: MiddlewareTCP
    listKind: MiddlewareTCPList
    plural: middlewaretcps
    singular: middlewaretcp
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: MiddlewareTCP is a specification for a MiddlewareTCP resource.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: MiddlewareTCPSpec holds the MiddlewareTCP configuration.
            properties:
              inFlightConn:
                description: TCPInFlightConn holds the TCP in flight connection configuration.
                properties:
                  amount:
                    format: int64
                    type: integer
                type: object
              ipWhiteList:
                description: TCPIPWhiteList holds the TCP ip white list configuration.
                properties:
                  sourceRange:
                    items:
                      type: string
                    type: array
                type: object
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: serverstransports.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: ServersTransport
    listKind: ServersTransportList
    plural: serverstransports
    singular: serverstransport
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ServersTransport is a specification for a ServersTransport resource.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ServersTransportSpec options to configure communication between Traefik and the servers.
            properties:
              certificatesSecrets:
                description: Certificates for mTLS.
                items:
                  type: string
                type: array
              disableHTTP2:
                description: Disable HTTP/2 for connections with backend servers.
                type: boolean
              forwardingTimeouts:
                description: Timeouts for requests forwarded to the backend servers.
                properties:
                  dialTimeout:
                    anyOf:
                    - type: integer
                    - type: string
                    description: DialTimeout is the amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists.
                    x-kubernetes-int-or-string: true
                  idleConnTimeout:
                    anyOf:
                    - type: integer
                    - type: string
                    description: IdleConnTimeout is the maximum period for which an idle HTTP keep-alive connection will remain open before closing itself.
                    x-kubernetes-int-or-string: true
                  pingTimeout:
                    anyOf:
                    - type: integer
                    - type: string
                    description: PingTimeout is the timeout after which the HTTP/2 connection will be closed if a response to ping is not received.
                    x-kubernetes-int-or-string: true
                  readIdleTimeout:
                    anyOf:
                    - type: integer
                    - type: string
                    description: ReadIdleTimeout is the timeout after which a health check using ping frame will be carried out if no frame is received on the HTTP/2 connection. If zero, no health check is performed.
                    x-kubernetes-int-or-string: true
                  responseHeaderTimeout:
                    anyOf:
                    - type: integer
                    - type: string
                    description: ResponseHeaderTimeout is the amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists.
                    x-kubernetes-int-or-string: true
                type: object
              insecureSkipVerify:
                description: Disable SSL certificate verification.
                type: boolean
              maxIdleConnsPerHost:
                description: If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used.
                type: integer
              peerCertURI:
                description: URI used to match against SAN URI during the peer certificate verification.
                type: string
              rootCAsSecrets:
                description: Add cert file for self-signed certificate.
                items:
                  type: string
                type: array
              serverName:
                description: ServerName used to contact the server.
                type: string
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: TLSOption
    listKind: TLSOptionList
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: TLSOption is a specification for a TLSOption resource.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: TLSOptionSpec configures TLS for an entry point.
            properties:
              alpnProtocols:
                items:
                  type: string
                type: array
              cipherSuites:
                items:
                  type: string
                type: array
              clientAuth:
                description: ClientAuth defines the parameters of the client authentication part of the TLS connection, if any.
                properties:
                  clientAuthType:
                    description: ClientAuthType defines the client authentication type to apply.
                    enum:
                    - NoClientCert
                    - RequestClientCert
                    - RequireAnyClientCert
                    - VerifyClientCertIfGiven
                    - RequireAndVerifyClientCert
                    type: string
                  secretNames:
                    description: SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
                    items:
                      type: string
                    type: array
                type: object
              curvePreferences:
                items:
                  type: string
                type: array
              maxVersion:
                type: string
              minVersion:
                type: string
              preferServerCipherSuites:
                type: boolean
              sniStrict:
                type: boolean
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: tlsstores.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: TLSStore
    listKind: TLSStoreList
    plural: tlsstores
    singular: tlsstore
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: TLSStore is a specification for a TLSStore resource.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: TLSStoreSpec configures a TLSStore resource.
            properties:
              defaultCertificate:
                description: DefaultCertificate holds a secret name for the TLSOption resource.
                properties:
                  secretName:
                    description: SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
                    type: string
                required:
                - secretName
                type: object
            required:
            - defaultCertificate
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: traefikservices.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: TraefikService
    listKind: TraefikServiceList
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: TraefikService is the specification for a service (that an IngressRoute refers to) that is usually not a terminal service (i.e. not a pod of servers), as opposed to a Kubernetes Service. That is to say, it usually refers to other (children) services, which themselves can be TraefikServices or Services.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ServiceSpec defines whether a TraefikService is a load-balancer of services or a mirroring service.
            properties:
              mirroring:
                description: Mirroring defines a mirroring service, which is composed of a main load-balancer, and a list of mirrors.
                properties:
                  kind:
                    enum:
                    - Service
                    - TraefikService
                    type: string
                  maxBodySize:
                    format: int64
                    type: integer
                  mirrors:
                    items:
                      description: MirrorService defines one of the mirrors of a Mirroring service.
                      properties:
                        kind:
                          enum:
                          - Service
                          - TraefikService
                          type: string
                        name:
                          description: Name is a reference to a Kubernetes Service object (for a load-balancer of servers), or to a TraefikService object (service load-balancer, mirroring, etc). The differentiation between the two is specified in the Kind field.
                          type: string
                        namespace:
                          type: string
                        passHostHeader:
                          type: boolean
                        percent:
                          type: integer
                        port:
                          anyOf:
                          - type: integer
                          - type: string
                          x-kubernetes-int-or-string: true
                        responseForwarding:
                          description: ResponseForwarding holds configuration for the forward of the response.
                          properties:
                            flushInterval:
                              type: string
                          type: object
                        scheme:
                          type: string
                        serversTransport:
                          type: string
                        sticky:
                          description: Sticky holds the sticky configuration.
                          properties:
                            cookie:
                              description: Cookie holds the sticky configuration based on cookie.
                              properties:
                                httpOnly:
                                  type: boolean
                                name:
                                  type: string
                                sameSite:
                                  type: string
                                secure:
                                  type: boolean
                              type: object
                          type: object
                        strategy:
                          type: string
                        weight:
                          description: Weight should only be specified when Name references a TraefikService object (and to be precise, one that embeds a Weighted Round Robin).
                          type: integer
                      required:
                      - name
                      type: object
                    type: array
                  name:
                    description: Name is a reference to a Kubernetes Service object (for a load-balancer of servers), or to a TraefikService object (service load-balancer, mirroring, etc). The differentiation between the two is specified in the Kind field.
                    type: string
                  namespace:
                    type: string
                  passHostHeader:
                    type: boolean
                  port:
                    anyOf:
                    - type: integer
                    - type: string
                    x-kubernetes-int-or-string: true
                  responseForwarding:
                    description: ResponseForwarding holds configuration for the forward of the response.
                    properties:
                      flushInterval:
                        type: string
                    type: object
                  scheme:
                    type: string
                  serversTransport:
                    type: string
                  sticky:
                    description: Sticky holds the sticky configuration.
                    properties:
                      cookie:
                        description: Cookie holds the sticky configuration based on cookie.
                        properties:
                          httpOnly:
                            type: boolean
                          name:
                            type: string
                          sameSite:
                            type: string
                          secure:
                            type: boolean
                        type: object
                    type: object
                  strategy:
                    type: string
                  weight:
                    description: Weight should only be specified when Name references a TraefikService object (and to be precise, one that embeds a Weighted Round Robin).
                    type: integer
                required:
                - name
                type: object
              weighted:
                description: WeightedRoundRobin defines a load-balancer of services.
                properties:
                  services:
                    items:
                      description: Service defines an upstream to proxy traffic.
                      properties:
                        kind:
                          enum:
                          - Service
                          - TraefikService
                          type: string
                        name:
                          description: Name is a reference to a Kubernetes Service object (for a load-balancer of servers), or to a TraefikService object (service load-balancer, mirroring, etc). The differentiation between the two is specified in the Kind field.
                          type: string
                        namespace:
                          type: string
                        passHostHeader:
                          type: boolean
                        port:
                          anyOf:
                          - type: integer
                          - type: string
                          x-kubernetes-int-or-string: true
                        responseForwarding:
                          description: ResponseForwarding holds configuration for the forward of the response.
                          properties:
                            flushInterval:
                              type: string
                          type: object
                        scheme:
                          type: string
                        serversTransport:
                          type: string
                        sticky:
                          description: Sticky holds the sticky configuration.
                          properties:
                            cookie:
                              description: Cookie holds the sticky configuration based on cookie.
                              properties:
                                httpOnly:
                                  type: boolean
                                name:
                                  type: string
                                sameSite:
                                  type: string
                                secure:
                                  type: boolean
                              type: object
                          type: object
                        strategy:
                          type: string
                        weight:
                          description: Weight should only be specified when Name references a TraefikService object (and to be precise, one that embeds a Weighted Round Robin).
# (the copy of the manifest reproduced on this page is cut off at this point)
type: integer required: - name type: object type: array sticky: description: Sticky holds the sticky configuration. properties: cookie: description: Cookie holds the sticky configuration based on cookie. properties: httpOnly: type: boolean name: type: string sameSite: type: string secure: type: boolean type: object type: object type: object type: object required: - metadata - spec type: object served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: []
Resources.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: wrr2
  namespace: default
spec:
  weighted:
    services:
      - name: s1
        weight: 1
        port: 80
        # Optional, as it is the default value
        kind: Service
      - name: s3
        weight: 1
        port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: wrr1
  namespace: default
spec:
  weighted:
    services:
      - name: wrr2
        kind: TraefikService
        weight: 1
      - name: s3
        weight: 1
        port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: mirror1
  namespace: default
spec:
  mirroring:
    name: s1
    port: 80
    mirrors:
      - name: s3
        percent: 20
        port: 80
      - name: mirror2
        kind: TraefikService
        percent: 20
---
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: mirror2
  namespace: default
spec:
  mirroring:
    name: wrr2
    kind: TraefikService
    # Optional
    maxBodySize: 2000000000
    mirrors:
      - name: s2
        # Optional, as it is the default value
        kind: Service
        percent: 20
        port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroute
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`example.net`) && PathPrefix(`/bar`)
      kind: Rule
      priority: 12
      # defining several services is possible and allowed, but for now the servers of
      # all the services (for a given route) get merged altogether under the same
      # load-balancing strategy.
      services:
        - name: s1
          port: 80
          # strategy defines the load balancing strategy between the servers. It defaults
          # to Round Robin, and for now only Round Robin is supported anyway.
          strategy: RoundRobin
        - name: s2
          port: 433
          serversTransport: mytransport
    - match: PathPrefix(`/misc`)
      kind: Rule
      services:
        - name: s3
          port: 80
      middlewares:
        - name: stripprefix
        - name: addprefix
    - match: PathPrefix(`/misc`)
      kind: Rule
      services:
        - name: s3
          # Optional, as it is the default value
          kind: Service
          port: 8443
          # scheme allows overriding the scheme used to reach the service (ex: https or h2c)
          scheme: https
    - match: PathPrefix(`/lb`)
      kind: Rule
      services:
        - name: wrr1
          kind: TraefikService
    - match: PathPrefix(`/mirrored`)
      kind: Rule
      services:
        - name: mirror1
          kind: TraefikService
  # use an empty tls object for TLS with Let's Encrypt
  tls:
    secretName: supersecret
    options:
      name: my-tls-option
      namespace: default
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingressroutetcp.crd
  namespace: default
spec:
  entryPoints:
    - footcp
  routes:
    - match: HostSNI(`example.com`)
      services:
        - name: whoamitcp
          port: 8080
      middlewares:
        - name: ipwhitelist
  tls:
    secretName: foosecret
    passthrough: false
    options:
      name: my-tls-option
      namespace: default
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: ingressrouteudp.crd
  namespace: default
spec:
  entryPoints:
    - footcp
  routes:
    - services:
        - name: whoamiudp
          port: 8080
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: tlsoption
  namespace: default
spec:
  minVersion: foobar
  maxVersion: foobar
  cipherSuites:
    - foobar
    - foobar
  curvePreferences:
    - foobar
    - foobar
  clientAuth:
    secretNames:
      - foobar
      - foobar
    clientAuthType: RequireAndVerifyClientCert
  sniStrict: true
  preferServerCipherSuites: true
  alpnProtocols:
    - foobar
    - foobar
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: mytransport
  namespace: default
spec:
  serverName: foobar
  insecureSkipVerify: true
  rootCAsSecrets:
    - foobar
    - foobar
  certificatesSecrets:
    - foobar
    - foobar
  maxIdleConnsPerHost: 1
  forwardingTimeouts:
    dialTimeout: 42s
    responseHeaderTimeout: 42s
    idleConnTimeout: 42s
  disableHTTP2: true
Create the namespace
apiVersion: v1
kind: Namespace
metadata:
  name: traefik-ingress
Create the ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: traefik-ingress
  name: traefik-ingress-controller
RBAC.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - middlewaretcps
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: traefik-ingress
traefik-deployment.yaml
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  namespace: traefik-ingress
  name: traefik
  labels:
    app: traefik
spec:
  #replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v2.6
          args:
            - --api.insecure
            - --accesslog
            - --entrypoints.web.Address=:80
            - --entrypoints.websecure.Address=:443
            # redirect http to https automatically
            # - --entrypoints.web.http.redirections.entrypoint.scheme=https
            # redirect the web entrypoint to websecure
            # - --entrypoints.web.http.redirections.entrypoint.to=websecure
            - --providers.kubernetescrd
            - --certificatesresolvers.myresolver.acme.tlschallenge
            - --certificatesresolvers.myresolver.acme.email=foo@you.com
            - --certificatesresolvers.myresolver.acme.storage=acme.json
            # Please note that this is the staging Let's Encrypt server.
            # Once you get things working, you should remove that whole line altogether.
            - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
          ports:
            - name: web
              containerPort: 80
              hostPort: 80   # the field is hostPort; "hostport" is rejected by the API server
            - name: websecure
              containerPort: 443
              hostPort: 443
            - name: admin
              containerPort: 8080
traefik-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-svc
  namespace: traefik-ingress
spec:
  # defaults to ClusterIP, which does not expose a port on every node
  type: NodePort
  ports:
    # dashboard port
    - protocol: TCP
      name: admin
      port: 8080
      nodePort: 30000
    # http port
    - protocol: TCP
      name: web
      port: 80
    # https port
    - protocol: TCP
      name: websecure
      port: 443
  selector:
    app: traefik
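The DaemonSet above starts Traefik with --api.insecure and the Service publishes the admin port on every node as NodePort 30000, so the dashboard and API answer on port 8080/30000 without any authentication. As an added example (not part of the original post) the dashboard can instead be served through Traefik's own router behind a basicAuth Middleware on the TLS entrypoint; the host name traefik.abc.com, the Secret name and the htpasswd line are assumptions, and the credentials shown are a constructed placeholder.

```yaml
# In the DaemonSet args, replace "--api.insecure" with the line below and drop
# the admin NodePort from the Service; api@internal is then only reachable
# through the IngressRoute further down.
#   - --api.dashboard=true
---
# htpasswd-format user list (constructed placeholder: generate a real line with
# `htpasswd -nb admin 'your-password'` and paste it here)
apiVersion: v1
kind: Secret
metadata:
  name: dashboard-auth
  namespace: traefik-ingress
type: Opaque
stringData:
  users: "admin:$apr1$REPLACE-ME$REPLACE-ME"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-basicauth
  namespace: traefik-ingress
spec:
  basicAuth:
    secret: dashboard-auth   # Traefik reads the "users" key of this Secret
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik-ingress
spec:
  entryPoints:
    - websecure              # TLS only, never on the plain "web" entrypoint
  routes:
    - match: Host(`traefik.abc.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      middlewares:
        - name: dashboard-basicauth
      services:
        - name: api@internal # Traefik's built-in API/dashboard service
          kind: TraefikService
  tls:
    certResolver: myresolver
```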
Deploy the application
---
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: nginx
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx
          ports:
            - name: web
              containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: default
spec:
  # defaults to ClusterIP, which does not expose a port on every node
  type: NodePort
  ports:
    - protocol: TCP
      name: web
      port: 80
  selector:
    app: nginx
Set up the IngressRoute
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: simpleingressroute
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`www.abc.com`) && PathPrefix(`/abc`)
      kind: Rule
      services:
        - name: nginx   # the nginx Service deployed above (the original read "whoami", which is not deployed here)
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutetls
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`www.abc.com`) && PathPrefix(`/abc`)
      kind: Rule
      services:
        - name: nginx   # the nginx Service deployed above
          port: 80
  tls:
    certResolver: myresolver
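The TLSOption in Resources.yaml leaves every field as a foobar placeholder, and the websecure IngressRoute above uses Traefik's default TLS settings. As an added example (not part of the original post), the same route with a concrete TLSOption attached through tls.options: TLS 1.2 as the floor, strict SNI, and an explicit suite and curve list; the option name modern-tls is an assumption, and the upstream is the nginx Service deployed above.

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: modern-tls
  namespace: default
spec:
  minVersion: VersionTLS12
  sniStrict: true   # refuse handshakes whose SNI matches no configured certificate
  cipherSuites:
    # Go only lets TLS 1.2 suites be chosen; TLS 1.3 suites are fixed
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
  curvePreferences:
    - X25519
    - CurveP256
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nginx-tls
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`www.abc.com`) && PathPrefix(`/abc`)
      kind: Rule
      services:
        - name: nginx   # Service from the "Deploy the application" step
          port: 80
  tls:
    certResolver: myresolver
    options:
      name: modern-tls
      namespace: default   # TLSOption lookups are namespaced; state it explicitly
```

Verify the result from outside the cluster with `openssl s_client -connect <node>:443 -servername www.abc.com -tls1_1`, which must now fail the handshake, while `-tls1_2` succeeds.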
https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions