Deploying and using Traefik
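1. Basic concepts
Traefik is built around the concepts of entry points, routers, middlewares and services.
Its main features are dynamic configuration, automatic service discovery, and support for multiple backends and protocols.
- EntryPoints: EntryPoints are Traefik's network entry points. They define the port that receives packets and whether to listen for TCP or UDP.
- Routers: a router is responsible for connecting incoming requests to the services that can handle them.
- Middlewares: attached to routers, middlewares can modify requests or responses before they are sent to your service.
- Services: services are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.
Reference: https://blog.csdn.net/qq_33816243/article/details/127117324 (Traefik 2.8 deployment and configuration)
2. Installing Traefik
The official documentation offers four deployment methods. Deploying with Helm is recommended; pay attention to the values that need to be changed.
The main points to consider are:
- Resource limits.
- Persistent volume; the documentation says it is used to store certificates.
- The IngressRoute for the dashboard.
- Logging.
- Affinity for multiple replicas.
The CRD resources are installed automatically during install.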
helm repo add traefik https://traefik.github.io/charts
~]# helm search repo traefik/traefik -l
~]# helm pull traefik/traefik --version 31.0.0
# Edit values.yaml
# Image configuration
ingressRoute:
  dashboard:
    enabled: true
    matchRule: Host(`traefik.kailinesb.com`) && PathPrefix(`/dashboard`) || PathPrefix(`/api`)
# Set the time zone
env:
  - name: TZ
    value: Asia/Shanghai
# Set according to actual needs; take log collection into account.
logs:
  general:
    format: json
    level: INFO
    #
    #filePath: "/var/log/traefik/traefik.log"
    # noColor: true
  access:
    enabled: true
    format: json
    #filePath: "/var/log/traefik/access.log"
persistence:
  enabled: true
  name: data
  accessMode: ReadWriteMany
  size: 128Mi
  storageClass: "nfs"
  path: /data
  annotations: {}
deployment:
  replicas: 2
# Expose port 9000 on the Service
ports:
  traefik:
    port: 9000
    expose:
      default: true
# Resource limits
resources:
  requests:
    cpu: 1
    memory: 2Gi
  limits:
    cpu: 2
    memory: 4Gi
# Affinity
affinity:
# Directory used for automatic configuration discovery
globalArguments:
  # .....
  - "--providers.file.directory=/etc/traefik/dynamic"
  - "--providers.file.watch=true"
  # Real client IP
  - "--entrypoints.web.forwardedheaders.insecure"
  - "--entrypoints.websecure.forwardedheaders.insecure"
# File-based configuration discovery for routers
providers:
  file:
    enabled: true
    # A default configuration must be provided
    content: "# this is dynamic configuration files."
3. Detailed description of the CRD resources
The Traefik Ingress CRD reference explains every field of every resource in detail.
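The `forwardedheaders.insecure` arguments in the section 2 values make Traefik accept `X-Forwarded-*` headers from any peer, so the client IP recorded in the access log can be set by the client itself. As an added example (not part of the original page), the same values fragment restricted to a trusted proxy range; `10.0.0.0/8` is a placeholder for the address range of your own load balancer.

```yaml
# Added example, not from the original page.
globalArguments:
  # Weak: X-Forwarded-For is trusted from every source address.
  # - "--entrypoints.web.forwardedheaders.insecure"
  # - "--entrypoints.websecure.forwardedheaders.insecure"
  # Restricted: only these peers may supply X-Forwarded-* headers.
  # 10.0.0.0/8 is a placeholder CIDR; use your load balancer's range.
  - "--entrypoints.web.forwardedheaders.trustedips=10.0.0.0/8"
  - "--entrypoints.websecure.forwardedheaders.trustedips=10.0.0.0/8"
```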
4. Enabling the dashboard
In Traefik 2.0 the dashboard uses port 9000.
Modify the Service to expose port 9000.
kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
traefik LoadBalancer 10.96.89.192 <pending> 80:32044/TCP,443:32013/TCP,9000:32014/TCP 4d3h
Modify the IngressRoute to set the routing rule.
~# kubectl get ingressroute traefik-dashboard -o yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  annotations:
    meta.helm.sh/release-name: traefik
    meta.helm.sh/release-namespace: traefik
  creationTimestamp: "2024-09-06T08:20:26Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: traefik-traefik
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: traefik
    helm.sh/chart: traefik-31.0.0
  name: traefik-dashboard
  namespace: traefik
  resourceVersion: "16556351"
  uid: 16bb521e-3fbe-4fda-8309-f28185e156c5
spec:
  entryPoints:
  - traefik
  routes:
  - kind: Rule
    match: Host(`traefik.kailinesb.com`) && PathPrefix(`/dashboard`) || PathPrefix(`/api`)
    services:
    - kind: TraefikService
      name: api@internal
root@dev-km-01-175:~# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
traefik LoadBalancer 10.96.89.192 <pending> 80:32044/TCP,443:32013/TCP,9000:32014/TCP 4d3h
This goes from the IngressRoute directly to port 9000.
Method 2:
kubectl get ingress traefik -o yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  creationTimestamp: "2024-09-06T08:28:31Z"
  generation: 3
  labels:
    app: traefik
  name: traefik
  namespace: traefik
  resourceVersion: "16562868"
  uid: 6e16a0bd-e376-4af8-b3a0-32b20cf1142a
spec:
  ingressClassName: traefik
  rules:
  - host: traefik.kailinesb.com
    http:
      paths:
      - backend:
          service:
            name: traefik
            port:
              number: 9000
        path: /
        pathType: Prefix
status:
  loadBalancer: {}
root@dev-km-01-175:~# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
traefik LoadBalancer 10.96.89.192 <pending> 80:32044/TCP,443:32013/TCP,9000:32014/TCP 4d3h
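In Traefik's rule syntax `&&` binds tighter than `||`, so the dashboard rule above matches `/api` for any Host, and the route carries no authentication. As an added example (not part of the original page or the chart), a dashboard route with the Host check applied to both prefixes and basic auth in front of it; `dashboard-auth` and `dashboard-users` are hypothetical names, and the Secret is assumed to hold htpasswd entries under the key `users`.

```yaml
# Added example, not from the original page.
# dashboard-auth and dashboard-users are hypothetical names.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
  namespace: traefik
spec:
  basicAuth:
    # Secret in the same namespace with htpasswd lines under the key "users".
    secret: dashboard-users
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    # Parentheses make the Host check apply to both path prefixes.
    match: Host(`traefik.kailinesb.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
    middlewares:
    - name: dashboard-auth
    services:
    - kind: TraefikService
      name: api@internal
  # Empty tls block: terminate TLS with Traefik's default certificate.
  tls: {}
```

With the dashboard served through `websecure`, `ports.traefik.expose.default` can stay `false` so that port 9000 is not published on the LoadBalancer Service.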
5. Configuring TLS
Expose one entry point externally over HTTP and HTTPS.
# cat ingress.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: ingress
  namespace: default
spec:
  entryPoints:
  - web
  routes:
  - kind: Rule
    match: Host(`ng.kailinesb.com`)
    services:
    - kind: Service
      name: nginx
      namespace: default
      passHostHeader: true
      port: 80
      responseForwarding:
        flushInterval: 1ms
~# cat ingressroute-tls.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  annotations:
  name: ingress-tls
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`ng.kailinesb.com`)
    services:
    - kind: Service
      name: nginx
      namespace: default
      passHostHeader: true
      port: 80
      responseForwarding:
        flushInterval: 1ms
  tls:
    domains:
    - main: ng.kailinesb.com
    secretName: tls-kailinesb-com
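Traffic on ports 80 and 443 can only be told apart by giving each its own entry point. Once the configuration is correct, the effective configuration is visible in the dashboard.
If only the TLS type is configured, Traefik automatically redirects to the HTTPS port.
5.1 Configuring an HTTPS redirect
# Declare a middleware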
~# cat /home/ops/middle.yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: redirectscheme
spec:
  redirectScheme:
    scheme: https
    permanent: true
kubectl -n traefik create -f /home/ops/middle.yaml
root@dev-km-01-175:~# kubectl edit ingressroute ingress
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: ingress
  namespace: default
spec:
  entryPoints:
  - web
  routes:
  - kind: Rule
    match: Host(`ng.kailinesb.com`)
    middlewares:
    - name: redirectscheme
    services:
    - kind: Service
      name: nginx
      namespace: default
      passHostHeader: true
      port: 80
      responseForwarding:
        flushInterval: 1ms
6. Header-based gray (canary) release
Create two applications for the gray release.
kubectl -n default create deploy nginx --image=nginx:1.22.1 --replicas=1
kubectl -n default create deploy nginx-gray --image=nginx:1.22.1 --replicas=1
kubectl -n default expose deploy/nginx --port=80 --target-port=80
kubectl -n default expose deploy/nginx-gray --port=80 --target-port=80
~# kubectl exec -it deploy/nginx-gray -- sed -i 's#nginx#nginx-gray#g' /usr/share/nginx/html/index.html
The two Services now return two different versions.
root@dev-km-01-175:~# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx ClusterIP 10.96.147.91 <none> 80/TCP 56m
nginx-gray ClusterIP 10.96.174.188 <none> 80/TCP 15m
root@dev-km-01-175:~# curl -s 10.96.147.91 | grep title
<title>Welcome to nginx!</title>
root@dev-km-01-175:~# curl -s 10.96.174.188 | grep title
<title>Welcome to nginx-gray!</title>
Use the rule field of the IngressRoute to inspect the request headers and split the traffic accordingly.
kubectl get ingressroute nginx -o yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: nginx
  namespace: default
spec:
  entryPoints: # the entry points here are the ones defined when Traefik starts
  - web
  - websecure
  routes:
  - kind: Rule
    match: Host(`test.nginx.com`)
    services:
    - kind: Service
      name: nginx
      namespace: default
      passHostHeader: true
      port: 80
      responseForwarding:
        flushInterval: 1ms
  - kind: Rule
    match: Host(`test.nginx.com`) && Header(`GRAYVERSION`, `true`)
    services:
    - kind: Service
      name: nginx-gray
      namespace: default
      passHostHeader: true
      port: 80
      responseForwarding:
        flushInterval: 1ms
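Both routes above match a request that carries the header; the gray route wins only because Traefik, by default, orders routes by rule length, longest first. As an added example (not part of the original page), the same IngressRoute with the order pinned by the `priority` field; the values 100 and 10 are arbitrary.

```yaml
# Added example, not from the original page; priority values are arbitrary.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: nginx
  namespace: default
spec:
  entryPoints:
  - web
  - websecure
  routes:
  - kind: Rule
    # Evaluated first: the higher priority wins regardless of rule length.
    match: Host(`test.nginx.com`) && Header(`GRAYVERSION`, `true`)
    priority: 100
    services:
    - kind: Service
      name: nginx-gray
      namespace: default
      port: 80
  - kind: Rule
    # Fallback for every request without the exact header value.
    match: Host(`test.nginx.com`)
    priority: 10
    services:
    - kind: Service
      name: nginx
      namespace: default
      port: 80
```

The header is supplied by the client, so it selects a backend but does not restrict who can reach `nginx-gray`.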
Test by sending requests with the specific header through the Service exposed by Traefik.
root@dev-km-01-175:~# kubectl -n traefik get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
traefik LoadBalancer 10.96.89.192 <pending> 80:32044/TCP,443:32013/TCP,9000:32014/TCP 4d5h
# A request carrying the gray header reaches the gray version
root@dev-km-01-175:~# curl -s -H "Host: test.nginx.com" -H "GRAYVERSION: true" http://10.96.89.192/ | grep title
<title>Welcome to nginx-gray!</title>
root@dev-km-01-175:~# curl -s -H "Host: test.nginx.com" http://10.96.89.192/ | grep title
<title>Welcome to nginx!</title>
7. Provider dynamic configuration
Reference link:
https://doc.traefik.io/traefik/getting-started/configuration-overview/
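According to the official documentation, this feature is referenced as an add-on to the router functionality.
The dynamic configuration contains everything that defines how the system handles requests. This configuration can change and is hot-reloaded seamlessly, without interrupting any request or dropping connections.
Besides defining it in files, it can also be declared directly with Kubernetes CRD resources.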
root@dev-km-01-175:~# cat traefik-cm.yml
apiVersion: v1
data:
  traefik.yml: |
    # this is dynamic configuration files.
    # you can edit it. don't restart traefik.
    http:
      middlewares:
        testHeader:
          headers:
            customRequestHeaders:
              X-Script-Name: "gongxiaoliao"
            customResponseHeaders:
              X-Custom-Response-Header: "gongxiaoliao"
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: traefik
  namespace: traefik
# Write the configuration file above into the ConfigMap
kubectl -n traefik edit cm traefik-file-provider
- apiVersion: traefik.io/v1alpha1
  kind: IngressRoute
  metadata:
    creationTimestamp: "2024-09-11T08:24:01Z"
    generation: 1
    name: ingress-tls
    namespace: default
    resourceVersion: "18176735"
    uid: 3b7d9127-b847-460f-9cb1-479e527a23d4
  spec:
    entryPoints:
    - websecure
    routes:
    - kind: Rule
      match: Host(`ng.kailinesb.com`)
      middlewares:
      - name: testHeader@file # the header configuration is added here
      services:
      - kind: Service
        name: nginx
        namespace: default
        passHostHeader: true
        port: 80
        responseForwarding:
          flushInterval: 1ms
    tls:
      domains:
      - main: ng.kailinesb.com
      secretName: tls-kailinesb-com