14 部署Ingress

#服务反向代理
#部署Traefik 2.0版本

14.1创建 traefik-crd.yaml 文件 (yanglin1)

[root@yanglin1 ~]# mkdir /root/ingress && cd /root/ingress
[root@yanglin1 ~]# vim traefik-crd.yaml
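# Custom resource definitions used by the Traefik 2.x Kubernetes CRD provider.
# NOTE: apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22. On newer
# clusters these CRDs must be written against apiextensions.k8s.io/v1, which
# also requires a structural schema for each served version.
## IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
---
## IngressRouteTCP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
---
## Middleware
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
---
## TLSOption
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    # Indentation restored: `singular` belongs under spec.names like in the
    # other three CRDs; at column 0 it would be a stray top-level key.
    singular: tlsoption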

14.1.1 创建Traefik CRD资源(yanglin1)

[root@yanglin1 ~]#  cd /root/ingress
[root@yanglin1 ingress]#  kubectl create -f traefik-crd.yaml                                         
customresourcedefinition.apiextensions.k8s.io/ingressroutes.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/ingressroutetcps.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/middlewares.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/tlsoptions.traefik.containo.us created

[root@yanglin1 ingress]# kubectl get CustomResourceDefinition
NAME                                   CREATED AT
ingressroutes.traefik.containo.us      2022-06-13T08:40:56Z
ingressroutetcps.traefik.containo.us   2022-06-13T08:40:56Z
middlewares.traefik.containo.us        2022-06-13T08:40:56Z
tlsoptions.traefik.containo.us         2022-06-13T08:40:56Z


14.2 创建Traefik RBAC文件(master-1)

[root@yanglin1 ~]#  vi  traefik-rbac.yaml
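# ServiceAccount the Traefik pods run as (referenced by serviceAccountName in
# the DaemonSet of this guide).
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: kube-system
  name: traefik-ingress-controller
---
# Cluster-wide read access for the ingress controller.
# NOTE: rbac.authorization.k8s.io/v1beta1 and the "extensions" Ingress API were
# removed in Kubernetes 1.22; newer clusters need rbac.authorization.k8s.io/v1
# and the networking.k8s.io API group for ingresses.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  # Security: get/list/watch on "secrets" in a ClusterRole lets this
  # ServiceAccount read every Secret in every namespace, so a compromised
  # Traefik pod exposes all cluster secrets. If Traefik only has to serve a few
  # namespaces, grant this rule through a Role/RoleBinding in those namespaces
  # instead of cluster-wide.
  - apiGroups: [""]
    resources: ["services","endpoints","secrets"]
    verbs: ["get","list","watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get","list","watch"]
  # The only write permission: publishing load-balancer status on Ingress objects.
  - apiGroups: ["extensions"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  # Read-only access to the Traefik custom resources created from traefik-crd.yaml.
  - apiGroups: ["traefik.containo.us"]
    resources: ["middlewares"]
    verbs: ["get","list","watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutes"]
    verbs: ["get","list","watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutetcps"]
    verbs: ["get","list","watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["tlsoptions"]
    verbs: ["get","list","watch"]
---
# Binds the ClusterRole above to the ServiceAccount in kube-system.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    # Indentation restored: `namespace` is a field of the subject entry; a
    # ServiceAccount subject without it does not identify the account.
    namespace: kube-system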

14.2.1 创建RBAC 资源

[root@yanglin1 ingress]# kubectl create -f traefik-rbac.yaml
serviceaccount/traefik-ingress-controller created
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created

14.3 创建Traefik ConfigMap (yanglin1)

[root@yanglin1 ~]#  vi traefik-config.yaml 
# Static Traefik configuration; the DaemonSet in this guide mounts it at
# /config and starts Traefik with --configfile=/config/traefik.yaml.
# No metadata.namespace is set here; the guide applies it with `-n kube-system`.
#
# Security review of the settings inside traefik.yaml (lab defaults; harden
# before any production use):
#   - serversTransport.insecureSkipVerify: true
#       Traefik does not verify backend TLS certificates, so HTTPS backends are
#       not authenticated on the Traefik -> backend hop. Prefer trusting the
#       backend CA instead of disabling verification.
#   - api.insecure: true / api.dashboard: true
#       The API and dashboard are served without authentication on Traefik's
#       internal entry point (port 8080 in this guide). Anyone who can reach
#       that port, or a route pointing at it, can read the full routing config.
#   - api.debug: true
#       Enables additional debugging/profiling endpoints on the API; leave it
#       off outside troubleshooting.
#   - accessLog.fields
#       Dropping ClientUsername and the Authorization header keeps credentials
#       out of the access log; keep these entries when editing the section.
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-config
data:
  traefik.yaml: |-
    serversTransport:
      insecureSkipVerify: true
    api:
      insecure: true
      dashboard: true
      debug: true
    metrics:
      prometheus: ""
    entryPoints:
      web:
        address: ":80"
      websecure:
        address: ":443"
    providers:
      kubernetesCRD: ""
    log:
      filePath: ""
      level: error
      format: json
    accessLog:
      filePath: ""
      format: json
      bufferingSize: 0
      filters:
        retryAttempts: true
        minDuration: 20
      fields:
        defaultMode: keep
        names:
          ClientUsername: drop
        headers:
          defaultMode: keep
          names:
            User-Agent: redact
            Authorization: drop
            Content-Type: keep
            
            

14.3.1 创建Traefik ConfigMap资源配置

[root@yanglin1 ~]#  kubectl apply -f traefik-config.yaml -n kube-system

14.4 设置节点标签

#设置节点label
[root@yanglin1 ingress]# kubectl label nodes 192.168.177.155 IngressProxy=true

#暂时不做
[root@yanglin1 ingress]# kubectl label nodes 192.168.177.156 IngressProxy=true

14.4.1 查看节点标签

#检查是否成功
[root@yanglin1 ingress]# kubectl get nodes --show-labels

14.5 创建 traefik 部署文件

#注意每个Node节点的80与443端口不能被占用
[root@yanglin1 ingress]# netstat -antupl | grep -E "80|443"

[root@yanglin1 ingress]# vi traefik-deploy.yaml
# In-cluster Service in front of the Traefik pods; IngressRoutes in this guide
# reference it by name.
apiVersion: v1
kind: Service
metadata:
  name: traefik
spec:
  ports:
    - name: web
      port: 80
    - name: websecure
      port: 443
    # admin = Traefik API/dashboard. With api.insecure: true in the ConfigMap
    # this port needs no credentials, so anything in the cluster that can reach
    # the Service can read the routing configuration.
    - name: admin
      port: 8080
  selector:
    app: traefik
---
# One Traefik pod per node labelled IngressProxy=true.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: traefik-ingress-controller
  labels:
    app: traefik
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      name: traefik
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 1
      containers:
        # Supply chain: `latest` is a floating tag, so every node pull may fetch
        # a different build. The CRDs in this guide use the traefik.containo.us
        # group (Traefik 2.x) and a later major version may no longer serve it.
        # Pin a specific 2.x tag or an image digest.
        - image: traefik:latest
          name: traefik-ingress-lb
          ports:
            # hostPort binds 80/443 directly on each selected node's addresses.
            - name: web
              containerPort: 80
              hostPort: 80 
            - name: websecure
              containerPort: 443
              hostPort: 443
            # No hostPort here: the dashboard/API port is not published on the node.
            - name: admin
              containerPort: 8080
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 1000m
              memory: 1024Mi
          # Least privilege: all capabilities dropped, only NET_BIND_SERVICE
          # added back so the process can bind ports below 1024.
          # NOTE(review): consider also allowPrivilegeEscalation: false and
          # readOnlyRootFilesystem: true; neither is set here.
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          args:
            - --configfile=/config/traefik.yaml
          volumeMounts:
            - mountPath: "/config"
              name: "config"
      volumes:
        - name: config
          configMap:
            name: traefik-config 
      # A bare `operator: Exists` tolerates every taint, so the nodeSelector
      # below is the only thing limiting where these pods are scheduled.
      tolerations: 
        - operator: "Exists"
      nodeSelector: 
        IngressProxy: "true"

14.5.1部署 Traefik 资源

[root@yanglin1 ingress]#  kubectl apply -f traefik-deploy.yaml -n kube-system

#查看运行状态
[root@yanglin1 ingress]# kubectl get DaemonSet -n kube-system              
NAME                         DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR       AGE
traefik-ingress-controller   1         1         1       1            1           IngressProxy=true   77s
 

14.6 Traefik 路由配置
14.6.1 配置Traefik Dashboard

[root@yanglin1 ingress]#  vi traefik-dashboard-route.yaml
# Publishes the Traefik dashboard/API (Service port 8080) on the plain-HTTP
# `web` entry point for Host `ingress.abcd.com`.
# Security: the ConfigMap in this guide sets api.insecure: true, so this route
# serves the dashboard with no authentication and no TLS to anyone who can
# reach port 80 on the ingress node. Outside a lab, attach an authentication
# Middleware (for example basicAuth) or an IP allow-list, and serve it on the
# `websecure` entry point.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`ingress.abcd.com`)
      kind: Rule
      services:
        - name: traefik
          port: 8080

#创建Ingress (traefik)
[root@yanglin1 ingress]#  kubectl apply -f traefik-dashboard-route.yaml

14.6.2 客户端访问Traefik Dashboard
14.6.2.1 绑定物理主机Hosts文件或者域名解析
/etc/hosts
192.168.177.155 ingress.abcd.com
访问web

 

14.7 部署访问服务(http)

#创建nginx服务
[root@yanglin1 ingress]#  kubectl run nginx-ingress-demo1 --image=nginx --replicas=1 -n kube-system
[root@yanglin1 ingress]#  kubectl expose deployment nginx-ingress-demo1 --port=1099 --target-port=80 -n kube-system

#创建nginx路由服务
vim nginx-ingress-demo-route1.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-nginx-demo-route1
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`nginx11.abcd.com`)
      kind: Rule
      services:
        - name: nginx-ingress-demo1
          port: 1099

#创建
[root@yanglin1 ingress]# kubectl  apply -f nginx-ingress-demo-route1.yaml

[root@yanglin1 ingress]# kubectl get IngressRoute -A
NAMESPACE     NAME                       AGE
default       traefik-dashboard-route    48m
kube-system   traefik-nginx-demo-route   68s

#访问
#绑定hosts (物理机器)
192.168.177.155 nginx11.abcd.com

 14.8 创建https服务

#代理dashboard https 服务
# 创建自签名证书(仅用于测试;-nodes 表示私钥不加密,tls.key 以明文保存在磁盘上,需限制文件权限)
[root@master-1 ingress]#  cd /root/ingress
[root@master-1 ingress]#  openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=cloud.abcd.com"

#将证书存储到 Kubernetes Secret中
[root@master-1 ingress]#  kubectl create secret tls dashboard-tls --key=tls.key --cert=tls.crt -n kube-system

#查看secret(未指定 -n 时只显示 default 命名空间;要确认上一步创建的 dashboard-tls,需加 -n kube-system)
[root@master-1 ingress]# kubectl get secret
NAME                                     TYPE                                  DATA   AGE
default-token-l77nw                      kubernetes.io/service-account-token   3      6d22h
traefik-ingress-controller-token-pdbhn   kubernetes.io/service-account-token   3      132m

#创建路由文件
#先查询kubernetes dashboard 的命名空间
[root@master-1 ingress]# cat kubernetes-dashboard-route.yaml 
# Mind the namespace.
# NOTE(review): the guide creates the dashboard-tls Secret with
# `-n kube-system`, while its later `kubectl get IngressRoute -A` listing shows
# this route in `kubernetes-dashboard`. Traefik is expected to resolve
# tls.secretName and the backend Service in the IngressRoute's own namespace,
# so confirm that all three agree.
# Security: the certificate is self-signed, so clients cannot authenticate the
# endpoint unless they trust it explicitly. The backend listens on 443 and the
# guide's ConfigMap sets serversTransport.insecureSkipVerify: true, so the
# Traefik -> dashboard hop is encrypted but its certificate is not verified.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: kubernetes-dashboard-route
  namespace: kube-system
spec:
  entryPoints:
    - websecure
  tls:
    secretName: dashboard-tls
  routes:
    - match: Host(`cloud.abcd.com`) 
      kind: Rule
      services:
        - name: kubernetes-dashboard
          port: 443

#创建 Kubernetes Dashboard 路由规则对象
[root@master-1 ingress]# kubectl apply  -f kubernetes-dashboard-route.yaml

#查看创建的路由
[root@master-1 ingress]#  kubectl get IngressRoute -A                     
NAMESPACE              NAME                         AGE
default                traefik-dashboard-route      125m
kube-system            traefik-nginx-demo-route     77m
kube-system            traefik-nginx-demo-route1    3m5s
kubernetes-dashboard   kubernetes-dashboard-route   13s

#绑定hosts 访问
192.168.91.21  cloud.abcd.com
配置完成后,打开浏览器输入地址:https://cloud.abcd.com 打开 Kubernetes Dashboard。由于使用的是自签名证书,浏览器会提示证书不受信任。

14.9 TCP服务访问

#修改配置文件
#traefik-config.yaml
    entryPoints:
      web:
        address: ":80"
      websecure:
        address: ":443"
      redistcp:
        address: ":6379"

#应用配置
[root@yanglin1 ingress]# kubectl apply -f traefik-config.yaml -n kube-system

#修改配置文件
#traefik-deploy.yaml
      containers:
          ports:
            - name: web
              containerPort: 80
              hostPort: 80
            - name: websecure
              containerPort: 443
              hostPort: 443
            - name: admin
              containerPort: 8080
            - name: redistcp
              containerPort: 6379
              hostPort: 6379

#应用配置
[root@yanglin1 ingress]#kubectl apply -f traefik-deploy.yaml -n kube-system


#配置redis文件
[root@yanglin1 ingress]# cat redis-tcp-deploy.yaml
# Demo Redis backend for the TCP route.
# NOTE: extensions/v1beta1 Deployments were removed in Kubernetes 1.16; on newer
# clusters this must be apps/v1, which also requires spec.selector.
# Security: `image: redis` is untagged (resolves to latest) and no password or
# ACL is configured; the redis-cli session in this guide connects without AUTH.
# Pin the image and require authentication before exposing the instance.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: redis-tcp
spec:
  template:
    metadata:
      labels:
        app: redis-tcp
    spec:
      containers:
      - name: redis-tcp
        image: redis
        ports:
        - containerPort: 6379
          protocol: TCP
---

# ClusterIP Service that the IngressRouteTCP forwards to.
apiVersion: v1
kind: Service
metadata:
  name: redis-tcp-svc
spec:
  ports:
  - port: 6379
    targetPort: 6379
  selector:
    app: redis-tcp

#部署redis
[root@yanglin1 ingress]# kubectl apply -f redis-tcp-deploy.yaml 
deployment.extensions/redis-tcp unchanged
service/redis-tcp-svc unchanged

#配置路由
[root@yanglin1 ingress]# cat  traefik-redis-tcp-route.yaml
# Forwards every TCP connection arriving on the `redistcp` entry point to the
# redis-tcp-svc Service.
# HostSNI(`*`) is the catch-all rule: without TLS there is no SNI to match on,
# so all traffic on the entry point is routed here.
# Security: the DaemonSet change in this guide publishes the entry point as
# hostPort 6379, so Redis becomes reachable on the ingress node's IP without
# TLS or authentication. Restrict the port with a host firewall or a
# NetworkPolicy and enable Redis authentication; a data store should not be
# exposed through the ingress node outside a lab.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: redis-tcp-ingress
spec:
  entryPoints:
    - redistcp
  routes:
  - match: HostSNI(`*`)
    services:
    - name: redis-tcp-svc
      port: 6379
      weight: 10
      terminationDelay: 400

#部署路由
[root@yanglin1 ingress]# kubectl apply -f traefik-redis-tcp-route.yaml


#查看界面
 
#绑定任意主机名到node节点访问
#192.168.177.155 redis.cc.com (注意节点,也可以直接使用node Ip 访问)
[root@yanglin2 ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[root@yanglin2 ~]# redis-cli -h 192.168.177.155 -p 6379   或者  
[root@yanglin2 ~]# redis-cli -h redis.cc.com -p 6379
redis.cc.com:6379> set a 12131
OK
redis.cc.com:6379> get a
"12131"

 
