本篇文章介绍了在k8s上treafik1.7的搭建和使用。
因为我这里是作为kubernetes服务的暴露,因此你得有一个kubernetes集群
集群准备好了,需要下面的配置文件
部署rbac文件
rbac文件让ingress获取对应命名空间的权限
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
| [root@master traefik] apiVersion: v1 kind: ServiceAccount metadata: name: ingress namespace: kube-system --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: ingress subjects: - kind: ServiceAccount name: ingress namespace: kube-system roleRef: kind: ClusterRole name: cluster-admin apiGroup: rbac.authorization.k8s.io
|
部署traefik应用
这里部署应用中包含了https服务,因此需要在对应的节点上生成证书进行认证
首先openssl命令生成 CA 证书
1
| $ openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt
|
现在我们有了证书,我们可以使用 kubectl 创建一个 secret 对象来存储上面的证书
1
| $ kubectl create secret generic traefik-cert --from-file=tls.crt --from-file=tls.key -n kube-system
|
现在我们来配置 Traefik,让其支持 https,新建traefik.toml文件
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
| [root@master https]# cat traefik.toml defaultEntryPoints = ["http", "https"] [entryPoints] [entryPoints.http] address = ":80" [entryPoints.http.redirect] entryPoint = "https" [entryPoints.https] address = ":443" [entryPoints.https.tls] [[entryPoints.https.tls.certificates]] CertFile = "/ssl/tls.crt" KeyFile = "/ssl/tls.key"
然后通过cm挂载进pod里面,让pod能够访问该配置文件
|
然后通过cm挂载进pod里面,让pod能够访问该配置文件
1
| $ kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
|
最后部署我们的对应的traefik应用
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56
| [root@master traefik]# cat traefik.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: name: traefik-ingress-lb namespace: kube-system labels: k8s-app: traefik-ingress-lb spec: template: metadata: labels: k8s-app: traefik-ingress-lb name: traefik-ingress-lb spec: terminationGracePeriodSeconds: 60 hostNetwork: true restartPolicy: Always serviceAccountName: ingress containers: - image: traefik:v1.7.17 name: traefik-ingress-lb volumeMounts: - mountPath: "/ssl" name: "ssl" - mountPath: "/config" name: "config" resources: limits: cpu: 200m memory: 30Mi requests: cpu: 100m memory: 20Mi ports: - name: http containerPort: 80 hostPort: 80 - name: https containerPort: 443 hostPort: 443 - name: admin containerPort: 8580 hostPort: 8580 args: - --web - --web.address=:8580 - --kubernetes - --configfile=/config/traefik.toml volumes: - name: ssl secret: secretName: traefik-cert - name: config configMap: name: traefik-conf
|
部署traefik的service
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
| [root@master traefik] apiVersion: v1 kind: Service metadata: name: traefik-web-ui namespace: kube-system spec: selector: k8s-app: traefik-ingress-lb ports: - name: web port: 80 targetPort: 8580 - protocol: TCP port: 443 name: https type: NodePort
|
给trarfik部署一个路由
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
| [root@master traefik] apiVersion: extensions/v1beta1 kind: Ingress metadata: name: traefik-web-ui namespace: kube-system spec: rules: - host: traefik.k8s.niewx.club http: paths: - path: / backend: serviceName: traefik-web-ui servicePort: web
|
ingress 中 path 的用法
部署nginx测试服务测试ingress 中 path 的用法
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107
| [root@master traefik] kind: Deployment apiVersion: extensions/v1beta1 metadata: name: svc1 spec: replicas: 1 template: metadata: labels: app: svc1 spec: containers: - name: svc1 image: cnych/example-web-service env: - name: APP_SVC value: svc1 ports: - containerPort: 8080 protocol: TCP
--- kind: Deployment apiVersion: extensions/v1beta1 metadata: name: svc2 spec: replicas: 1 template: metadata: labels: app: svc2 spec: containers: - name: svc2 image: cnych/example-web-service env: - name: APP_SVC value: svc2 ports: - containerPort: 8080 protocol: TCP
--- kind: Deployment apiVersion: extensions/v1beta1 metadata: name: svc3 spec: replicas: 1 template: metadata: labels: app: svc3 spec: containers: - name: svc3 image: cnych/example-web-service env: - name: APP_SVC value: svc3 ports: - containerPort: 8080 protocol: TCP --- kind: Service apiVersion: v1 metadata: labels: app: svc1 name: svc1 spec: type: ClusterIP ports: - port: 8080 name: http selector: app: svc1 --- kind: Service apiVersion: v1 metadata: labels: app: svc2 name: svc2 spec: type: ClusterIP ports: - port: 8080 name: http selector: app: svc2 --- kind: Service apiVersion: v1 metadata: labels: app: svc3 name: svc3 spec: type: ClusterIP ports: - port: 8080 name: http selector: app: svc3
|
设置不同的同一个路由不同的路由访问对应的nginx服务
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
| [root@master traefik] apiVersion: extensions/v1beta1 kind: Ingress metadata: name: traefik-test spec: rules: - host: test.k8s.niewx.club http: paths: - path: /s1 backend: serviceName: svc1 servicePort: 8080 - path: /s2 backend: serviceName: svc2 servicePort: 8080 - path: / backend: serviceName: svc3 servicePort: 8080
|
部署结果
基于traefik的Basic auth认证
首先采用htpasswd创建文件
1
| htpasswd -bc auth admin admin
|
基于上面的htpasswd创建secret(注意命名空间)
1
| kubectl create secret generic nginx-basic-auth --from-file=auth -n kube-system
|
treafik引用对应的secret进行认证(注意如下)
- Secret文件必须与Ingress规则在同一命名空间。
- 目前只支持basic authentication。
- Realm不可配置,默认使用traefik。
- Secret必须只包含一个文件。
引用secret的yaml配置
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
| [root@master traefik] apiVersion: extensions/v1beta1 kind: Ingress metadata: name: traefik-test namespace: kube-system annotations: kubernetes.io/ingress.class: traefik ingress.kubernetes.io/auth-type: basic ingress.kubernetes.io/auth-secret: nginx-basic-auth spec: rules: - host: test.k8s.niewx.club http: paths: - path: /s1 backend: serviceName: svc1 servicePort: 8080 - path: /s2 backend: serviceName: svc2 servicePort: 8080 - path: / backend: serviceName: svc3 servicePort: 8080
|
解析域名到k8s集群中
一般暴露服务到外部都是提供域名访问,我们这边的集群节点通过lb来负载均衡,将域名解析到对应的lb上,后端监听的服务为treafik的80端口即可,这样treafik可以使用你所绑定解析的域名