说明

关于Traefik介绍，网上有很多资料可以参考，本文主要讲解traefik基本使用。

核心概念

首先，当启动Traefik时，需要定义entrypoints（入口点），然后，根据连接到这些entrypoints的路由来分析传入的请求，来查看他们是否与一组规则相匹配，如果匹配，则路由可能会将请求通过一系列中间件转换过后再转发到你的服务上去。在了解Traefik之前有几个核心概念我们必须要了解：

• Providers: 用来自动发现平台上的服务，可以是编排工具、容器引擎或者 key-value 存储等，比如 Docker、Kubernetes、File

• Entrypoints: 监听传入的流量（端口等…），是网络入口点，它们定义了接收请求的端口（HTTP 或者 TCP）。

• Routers: 分析请求（host, path, headers, SSL, …），负责将传入请求连接到可以处理这些请求的服务上去。

• Services: 将请求转发给你的应用（load balancing, …），负责配置如何获取最终将处理传入请求的实际服务。

• Middlewares: 中间件，用来修改请求或者根据请求来做出一些判断（authentication, rate limiting, headers, …），中间件被附件到路由上，是一种在请求发送到你的服务之前（或者在服务的响应发送到客户端之前）调整请求的一种方法。

部署Traefik

系统环境

Traefik version: v2.4.13 Kubernetes version: v1.17.9

创建 CRD 资源

在Traefik v2.0版本后，开始使用CRD（Custom Resource Definition）来完成路由配置等，所以需要提前创建CRD资源。

# cat traefik-crd.yaml apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: ingressroutes.traefik.containo.us spec: group: traefik.containo.us version: v1alpha1 names: kind: IngressRoute plural: ingressroutes singular: ingressroute scope: Namespaced --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: middlewares.traefik.containo.us spec: group: traefik.containo.us version: v1alpha1 names: kind: Middleware plural: middlewares singular: middleware scope: Namespaced --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: ingressroutetcps.traefik.containo.us spec: group: traefik.containo.us version: v1alpha1 names: kind: IngressRouteTCP plural: ingressroutetcps singular: ingressroutetcp scope: Namespaced --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: ingressrouteudps.traefik.containo.us spec: group: traefik.containo.us version: v1alpha1 names: kind: IngressRouteUDP plural: ingressrouteudps singular: ingressrouteudp scope: Namespaced --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: tlsoptions.traefik.containo.us spec: group: traefik.containo.us version: v1alpha1 names: kind: TLSOption plural: tlsoptions singular: tlsoption scope: Namespaced --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: tlsstores.traefik.containo.us spec: group: traefik.containo.us version: v1alpha1 names: kind: TLSStore plural: tlsstores singular: tlsstore scope: Namespaced --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: traefikservices.traefik.containo.us spec: group: traefik.containo.us version: v1alpha1 names: kind: TraefikService plural: traefikservices singular: traefikservice scope: Namespaced --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: serverstransports.traefik.containo.us spec: group: traefik.containo.us version: v1alpha1 names: kind: ServersTransport plural: serverstransports singular: serverstransport scope: Namespaced # 创建 Traefik CRD 资源 kubectl apply -f traefik-crd.yaml

创建 RBAC 权限

Kubernetes 在 1.6 版本中引入了基于角色的访问控制（RBAC）策略，方便对 Kubernetes 资源和 API 进行细粒度控制。Traefik 需要一定的权限，所以，这里提前创建好Traefik ServiceAccount并分配一定的权限。

# cat traefik-rbac.yaml ## ServiceAccount apiVersion: v1 kind: ServiceAccount metadata: namespace: kube-system name: traefik-ingress-controller --- ## ClusterRole kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: traefik-ingress-controller rules: - apiGroups: - "" resources: - services - endpoints - secrets verbs: - get - list - watch - apiGroups: - extensions - networking.k8s.io resources: - ingresses - ingressclasses verbs: - get - list - watch - apiGroups: - extensions - networking.k8s.io resources: - ingresses/status verbs: - update - apiGroups: - traefik.containo.us resources: - ingressroutes - ingressroutetcps - ingressrouteudps - middlewares - tlsoptions - tlsstores - traefikservices - serverstransports verbs: - get - list - watch - apiGroups: - networking.x-k8s.io resources: - gatewayclasses - gatewayclasses/status - gateways verbs: - get - list - watch - apiGroups: - networking.x-k8s.io resources: - gatewayclasses/status verbs: - get - patch - update - apiGroups: - networking.x-k8s.io resources: - gateways/status verbs: - get - patch - update - apiGroups: - networking.x-k8s.io resources: - httproutes verbs: - create - delete - get - list - patch - update - watch - apiGroups: - networking.x-k8s.io resources: - httproutes/status verbs: - get - patch - update --- ## ClusterRoleBinding kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: traefik-ingress-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: traefik-ingress-controller subjects: - kind: ServiceAccount name: traefik-ingress-controller namespace: kube-system # 创建 Traefik RBAC 资源 kubectl apply -f traefik-rbac.yaml

创建 Traefik 配置文件

由于 Traefik 配置很多，通过 CLI 定义不是很方便，一般时候都会通过配置文件配置 Traefik 参数，然后存入ConfigMap，将其挂入 Traefik 中。

下面配置中可以通过配置kubernetesCRD与kubernetesIngress和kubernetesGateway三项参数，让 Traefik 支持CRD、Ingress与kubernetesGateway三种路由配置方式。

# cat traefik-config.yaml kind: ConfigMap apiVersion: v1 metadata: name: traefik-config namespace: kube-system data: traefik.yaml: |- ping: "" ## 启用 Ping serversTransport: insecureSkipVerify: true ## Traefik 忽略验证代理服务的 TLS 证书 api: insecure: true ## 允许 HTTP 方式访问 API dashboard: true ## 启用 Dashboard debug: false ## 启用 Debug 调试模式 metrics: prometheus: "" ## 配置 Prometheus 监控指标数据，并使用默认配置 entryPoints: web: address: ":80" ## 配置 80 端口，并设置入口名称为 web websecure: address: ":443" ## 配置 443 端口，并设置入口名称为 websecure providers: kubernetesCRD: "" ## 启用 Kubernetes CRD 方式来配置路由规则 kubernetesIngress: "" ## 启用 Kubernetes Ingress 方式来配置路由规则 kubernetesGateway: "" ## 启用 Kubernetes Gateway API experimental: kubernetesGateway: true ## 允许使用 Kubernetes Gateway API log: filePath: "" ## 设置调试日志文件存储路径，如果为空则输出到控制台 level: error ## 设置调试日志级别 format: json ## 设置调试日志格式 accessLog: filePath: "" ## 设置访问日志文件存储路径，如果为空则输出到控制台 format: json ## 设置访问调试日志格式 bufferingSize: 0 ## 设置访问日志缓存行数 filters: #statusCodes: ["200"] ## 设置只保留指定状态码范围内的访问日志 retryAttempts: true ## 设置代理访问重试失败时，保留访问日志 minDuration: 20 ## 设置保留请求时间超过指定持续时间的访问日志 fields: ## 设置访问日志中的字段是否保留（keep 保留、drop 不保留） defaultMode: keep ## 设置默认保留访问日志字段 names: ## 针对访问日志特别字段特别配置保留模式 ClientUsername: drop headers: ## 设置 Header 中字段是否保留 defaultMode: keep ## 设置默认保留 Header 中字段 names: ## 针对 Header 中特别字段特别配置保留模式 User-Agent: redact Authorization: drop Content-Type: keep #tracing: ## 链路追踪配置,支持 zipkin、datadog、jaeger、instana、haystack 等 # serviceName: ## 设置服务名称（在链路追踪端收集后显示的服务名） # zipkin: ## zipkin配置 # sameSpan: true ## 是否启用 Zipkin SameSpan RPC 类型追踪方式 # id128Bit: true ## 是否启用 Zipkin 128bit 的跟踪 ID # sampleRate: 0.1 ## 设置链路日志采样率（可以配置0.0到1.0之间的值） # httpEndpoint: http://localhost:9411/api/v2/spans ## 配置 Zipkin Server 端点 # 创建Traefik configmap 资源 kubectl apply -f traefik-config.yaml

设置节点 Label 标签

# 节点设置 Label 标签 kubectl label nodes fsyy IngressProxy=true # 查看节点是否设置 Label 成功 kubectl get nodes --show-labels # 删除标签 kubectl label nodes fsyy IngressProxy-

创建 Traefik

下面将用DaemonSet方式部署 Traefik，便于在多服务器间扩展，用 hostport 方式绑定服务器 80、443 端口，方便流量通过物理机进入 Kubernetes 内部。

# cat traefik-deploy.yaml apiVersion: v1 kind: Service metadata: name: traefik namespace: kube-system labels: app: traefik spec: ports: - name: web port: 80 - name: websecure port: 443 - name: admin port: 8080 selector: app: traefik --- apiVersion: apps/v1 kind: DaemonSet metadata: name: traefik-ingress-controller namespace: kube-system labels: app: traefik spec: selector: matchLabels: app: traefik template: metadata: name: traefik labels: app: traefik spec: serviceAccountName: traefik-ingress-controller terminationGracePeriodSeconds: 1 containers: - image: traefik:v2.4.13 name: traefik-ingress-lb ports: - name: web containerPort: 80 hostPort: 80 ## 将容器端口绑定所在服务器的 80 端口 - name: websecure containerPort: 443 hostPort: 443 ## 将容器端口绑定所在服务器的 443 端口 - name: admin containerPort: 8080 ## Traefik Dashboard 端口 resources: limits: cpu: 2000m memory: 1024Mi requests: cpu: 1000m memory: 1024Mi securityContext: capabilities: drop: - ALL add: - NET_BIND_SERVICE args: - --configfile=/config/traefik.yaml volumeMounts: - mountPath: "/config" name: "config" readinessProbe: httpGet: path: /ping port: 8080 failureThreshold: 3 initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 livenessProbe: httpGet: path: /ping port: 8080 failureThreshold: 3 initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 volumes: - name: config configMap: name: traefik-config tolerations: ## 设置容忍所有污点，防止节点被设置污点 - operator: "Exists" nodeSelector: ## 设置node筛选器，在特定label的节点上启动 IngressProxy: "true" # 创建 Traefik kubectl apply -f traefik-deploy.yaml

配置路由规则

使用 CRD 方式配置 Traefik 路由规则 -- Traefik Dashboard 为例

# cat traefik-dashboard-route.yaml apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: traefik-dashboard-route namespace: kube-system spec: entryPoints: - web routes: - match: Host(`traefik.mydlq.club`) kind: Rule services: - name: traefik port: 8080

接下来配置 Hosts，客户端想通过域名访问服务，必须要进行 DNS 解析，这里可以通过 DNS 服务器进行域名解析，也可以修改 hosts 文件将 Traefik 指定节点的 IP 和自定义 host 绑定

# 浏览器访问 http://traefik.mydlq.club/

使用 CRD 方式配置 Traefik 路由规则 -- ArgoCD 为例

我在之前的文章中讲过部署 Argo CD，当时argocd-server服务暴露的方式采用的是NodePort，现在我们使用今天的方法。

首先，我们需要将暴露服务类型由NodePort更改为ClusterIP。然后，编辑argocd-server Deployment以将--insecure标志添加到argocd-server命令中：

spec: template: spec: containers: - name: argocd-server command: - argocd-server - --staticassets - /shared/app - --repo-server - argocd-repo-server:8081 - --insecure # 需要禁用 tls，否则会 `redirected you too many times`

然后创建如下IngressRoute资源对象即可，我们创建了一个redirect-https的中间件，可以让 http 服务强制跳转到 https 服务去：

# cat argocd-dashboard-https.yaml apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: redirect-https namespace: argocd spec: redirectScheme: scheme: https --- apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: argocd-server-http namespace: argocd spec: entryPoints: - web routes: - kind: Rule match: Host(`argocd.k8s.local`) priority: 10 middlewares: - name: redirect-https services: - name: argocd-server port: 80 - kind: Rule match: Host(`argocd.k8s.local`) && Headers(`Content-Type`, `application/grpc`) priority: 11 middlewares: - name: redirect-https services: - name: argocd-server port: 80 scheme: h2c --- apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: argocd-server namespace: argocd spec: entryPoints: - websecure routes: - kind: Rule match: Host(`argocd.k8s.local`) priority: 10 services: - name: argocd-server port: 80 - kind: Rule match: Host(`argocd.k8s.local`) && Headers(`Content-Type`, `application/grpc`) priority: 11 services: - name: argocd-server port: 80 scheme: h2c tls: certResolver: default options: {} # 浏览器访问 # 证书是自签名的，所以在第一次访问的时候会提示不安全，强制跳转即可 http://argocd.k8s.local/

CLI命令行登录：

# 系统 /etc/hosts 做下解析 argocd login argocd.k8s.local --username admin --password Transsion#123

参考链接

Kubernetes 部署 Ingress 控制器 Traefik v2.4