Managing a cluster with Nomad, part 3: Traefik as the ingress
Background
The previous article showed how to build a large private network with Tailscale in order to manage a Nomad cluster. This one shows how to use Traefik to manage the cluster's ingress.
About Traefik
`traefik`, like `nginx`, is an excellent reverse proxy, or in its own terms an "edge router". The reasons for choosing it:
- Configuration changes take effect without a restart
- Automatic service discovery and load balancing
- Tight integration with `docker`, with configuration driven by container labels
- A good-looking `dashboard`
- Metrics support, with integrations for Prometheus and Kubernetes (and now Nomad as well)
Deployment
-
Mark one client node as the ingress: in that client's Nomad configuration add the meta key `traefik` with the value `1` (the constraint in the job below matches on it)
-
Start a job

```hcl
job "traefik" {
  type = "service"

  # Only place this job on the client node tagged as the ingress
  constraint {
    attribute = "${meta.traefik}"
    operator  = "="
    value     = "1"
  }

  group "traefik" {
    count = 1

    network {
      port "http"  { static = 8080 }
      port "ssl"   { static = 443 }
      port "http2" { static = 80 }
      port "api"   { static = 8081 }
    }

    service {
      name     = "traefik"
      provider = "nomad"
      port     = "ssl"
    }

    service {
      name     = "traefik-dashboard"
      provider = "nomad"
      port     = "api"
    }

    task "traefik" {
      driver = "docker"
      user   = "root"

      config {
        image        = "traefik:v3.0"
        network_mode = "host"
        # Traefik itself does not need a privileged container; this grants the
        # task full access to the host's devices and capabilities.
        privileged   = true
        volumes = [
          "local/traefik.toml:/etc/traefik/traefik.toml",
          "/opt/acme:/acme",
        ]
      }

      template {
        data = <<EOF
[entryPoints]
  [entryPoints.http]
    address = ":8080"
  [entryPoints.websecure]
    address = ":443"
  [entryPoints.web]
    address = ":80"
  [entryPoints.traefik]
    address = ":8081"

[api]
  dashboard = true
  # insecure = true serves the API and dashboard on the "traefik" entrypoint (:8081)
  # with no authentication; with network_mode = "host" that port is open on the node.
  insecure = true

# Enable Consul Catalog configuration backend.
[providers.consulCatalog]
  prefix = "traefik"
  exposedByDefault = false
  [providers.consulCatalog.endpoint]
    address = "{{ range $i, $v := nomadService "consul-service" }}{{if eq $i 0}}{{.Address}}:8500{{end}}{{end}}"
    scheme = "http"

[providers.nomad]
  exposedByDefault = false
  [providers.nomad.endpoint]
    address = "http://{{env "NOMAD_IP_http"}}:4646"

[accessLog]
  filePath = "access.log"
  bufferingSize = 100

[tracing]
  serviceName = "traefik"
EOF
        destination = "local/traefik.toml"
      }

      resources {
        cpu    = 100
        memory = 128
      }
    }
  }
}
```
-
Open the Traefik dashboard to check the result; the official documentation explains each part of the page
-
Modify the hello world job
Edit the service block of the job definition, adding name and tags. Note that `${meta.alias}` refers to the alias defined in the Nomad configuration file (if you followed the earlier steps it is the hostname), and `${NOMAD_HOST_PORT_www}` is the port this job uses, the one declared as port = "www".

```hcl
service {
  provider = "nomad"
  port     = "www"
  name     = "helloworld"
  tags = [
    "traefik.enable=true",
    "traefik.http.routers.to_helloworld-router.rule=PathPrefix(`/helloworld`)",
    "traefik.http.routers.to_helloworld-router.priority=100",
    "traefik.http.routers.to_helloworld-router.service=helloworld",
    "traefik.http.routers.to_helloworld-router.middlewares=to_helloworld",
    # Redirect the browser straight to the task's own host:port, bypassing Traefik.
    # ${meta.alias} and ${NOMAD_HOST_PORT_www} are interpolated by Nomad; $2 is
    # left for Traefik's regex replacement.
    "traefik.http.middlewares.to_helloworld.redirectregex.regex=^https?://(.*)/helloworld/(.*)",
    "traefik.http.middlewares.to_helloworld.redirectregex.replacement=http://${meta.alias}:${NOMAD_HOST_PORT_www}/$2",
  ]
}
```
-
Back in the Traefik dashboard you will see the new entries (the red box in the screenshot)
Clicking into them shows the following
The rule in the configuration means that a request to Traefik's http entrypoint + /helloworld is redirected to the hello world service's address. That is, visiting
http://100.94.45.135:8080/helloworld/
(the trailing / is required) redirects to the corresponding hello world service address.
That completes the basic deployment.
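To see why the trailing slash is required, here is an added example (not code from the post or from Traefik) that applies the same Go regular expression and replacement string as the redirectregex middleware above. The alias `node1` and port `25432` stand in for the values Nomad interpolates from `${meta.alias}` and `${NOMAD_HOST_PORT_www}`, and are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// helloRegex is the exact regex from the hello world job's redirectregex tag.
// Traefik matches it against the full request URL (scheme://host:port/path?query),
// not just the path, which is why the pattern starts with ^https?://.
var helloRegex = regexp.MustCompile(`^https?://(.*)/helloworld/(.*)`)

// Redirect returns the Location a client would be sent to and whether the
// middleware matched. When the regex does not match, Traefik leaves the
// request untouched, so a URL without the trailing slash is never redirected.
func Redirect(rawURL, alias, hostPort string) (string, bool) {
	if !helloRegex.MatchString(rawURL) {
		return rawURL, false
	}
	// Go expands $2 to the second capture group, exactly as Traefik does.
	// Beware that "$2foo" would mean a group named "2foo"; write "${2}foo" for that.
	replacement := "http://" + alias + ":" + hostPort + "/$2"
	return helloRegex.ReplaceAllString(rawURL, replacement), true
}

func main() {
	// Constructed sample values: the Traefik node address from the post and a
	// made-up alias/port for the hello world allocation.
	const alias, port = "node1", "25432"
	for _, u := range []string{
		"http://100.94.45.135:8080/helloworld/",
		"http://100.94.45.135:8080/helloworld",
		"http://100.94.45.135:8080/helloworld/api/v1?x=1",
	} {
		loc, ok := Redirect(u, alias, port)
		fmt.Printf("%-50s matched=%-5v -> %s\n", u, ok, loc)
	}
}
```

Two things the output makes visible: `/helloworld` without the slash passes through unmatched, and a matched request is sent to the task's host port directly, so from that point on TLS, the access log and any Traefik middleware no longer cover the application. That is fine on the tailnet, but a client that cannot reach the task's port directly will get a redirect it cannot follow.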
Configuring certificates
This step needs a domain name. You could also use Tailscale's built-in certificate service (see here), but since Tailscale does not seem to allow custom domains (only the hostname), I went with my own certificate.
The steps are
-
Park the domain on Cloudflare (look up how to do this yourself)
-
Generate a Global API Key (here) and keep the token
-
Edit the traefik job definition: change the service definitions (remember to use your own domain) and the template, and add an env block
```hcl
service {
  name     = "traefik"
  provider = "nomad"
  port     = "ssl"
  tags = [
    "traefik.enable=true",
    # Replace YOUR_DOMAIN with your own domain
    "traefik.http.routers.traefik-router.rule=Host(`traefik.YOUR_DOMAIN`)",
    "traefik.http.routers.traefik-router.tls=true",
    "traefik.http.routers.traefik-router.tls.certresolver=myresolver",
  ]
}

service {
  name     = "traefik-dashboard"
  provider = "nomad"
  port     = "api"
  tags = [
    "traefik.enable=true",
    "traefik.http.routers.traefik-dashboard-router.rule=Host(`traefik-dashboard.YOUR_DOMAIN`)",
    "traefik.http.routers.traefik-dashboard-router.tls=true",
    "traefik.http.routers.traefik-dashboard-router.tls.certresolver=myresolver",
    "traefik.http.routers.traefik-dashboard-router.service=traefik-dashboard",
  ]
}

// task
env {
  # Cloudflare account email and Global API Key used for the DNS-01 challenge.
  # Fill in your own values and keep them out of version control: the global
  # key has full rights over the account. Traefik's cloudflare provider also
  # accepts CF_DNS_API_TOKEN, a scoped token limited to Zone:DNS:Edit.
  CF_API_EMAIL = "<your-cloudflare-email>"
  CF_API_KEY   = "<your-cloudflare-global-api-key>"
}
```

// template

```toml
# dns setting
[certificatesResolvers.myresolver.acme]
  # Bind-mounted from /opt/acme on the host; Traefik requires this file to be mode 0600
  storage = "/acme/acme.json"
  [certificatesResolvers.myresolver.acme.dnsChallenge]
    provider = "cloudflare"
    delayBeforeCheck = 0
```
-
Add two DNS records, traefik-dashboard and traefik, both pointing to the private IP of the node that runs the traefik service, i.e. the IP assigned by Tailscale. If you need access from the public internet, use the public IP instead
-
Then browse to
traefik-dashboard.YOUR_DOMAIN
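A frequent reason the certificate step fails is the mode of the ACME storage file: Traefik refuses an `acme.json` whose permission bits grant anything to group or others, and with the `/opt/acme:/acme` bind mount above it is the host-side file that counts. The following is an added helper (not the post's or Traefik's own code) that reproduces that check and prepares the file; the default path `/opt/acme/acme.json` is taken from the job, and the check mirrors Traefik's logic as I understand it.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"runtime"
)

// CheckACMEStorage reproduces the permission check Traefik runs on its ACME
// storage before loading or saving certificates: a regular file with no mode
// bits for group or others (0600). On Windows Traefik skips the mode check.
func CheckACMEStorage(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return err
	}
	if !fi.Mode().IsRegular() {
		return fmt.Errorf("%s is not a regular file", path)
	}
	if runtime.GOOS != "windows" && fi.Mode().Perm()&0o077 != 0 {
		return fmt.Errorf("permissions %o for %s are too open, please use 600",
			fi.Mode().Perm(), path)
	}
	return nil
}

// PrepareACMEStorage creates the file with mode 0600 if it is missing and
// tightens the mode if it already exists, then re-runs the check so the
// caller gets a definite answer before starting the Traefik task.
func PrepareACMEStorage(path string) error {
	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o600)
	if err != nil {
		return err
	}
	f.Close()
	// OpenFile applies the mode only on creation; chmod covers an existing file.
	if err := os.Chmod(path, 0o600); err != nil {
		return err
	}
	return CheckACMEStorage(path)
}

func main() {
	// Host-side path of the volume mounted into the container as /acme/acme.json.
	path := "/opt/acme/acme.json"
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	err := PrepareACMEStorage(path)
	switch {
	case errors.Is(err, os.ErrPermission):
		fmt.Println("run as a user that can write", path+":", err)
	case err != nil:
		fmt.Println("not ok:", err)
	default:
		fmt.Println("ok:", path, "is a regular file with mode 0600")
	}
}
```

Run it once on the ingress node before submitting the job (or after copying an existing `acme.json` over from another host, which is where a 0644 copy usually comes from). The file holds the account key and the private keys of every issued certificate, so the tight mode is worth keeping rather than working around.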
Other jobs that need an ingress through Traefik can use this as a reference. For further configuration options, read the official documentation; I won't go deeper here.