k8s安装traefik配置使用ingress

简介

traefik 是一个前端负载均衡器，对于微服务 架构尤其是 kubernetes 等编排工具具有良好的支持；同 nginx 等相比，traefik 能够自动感知后端容器变化，从而实现自动服务发现。

traefik部署在k8s上分为daemonset和deployment两种方式各有优缺点：

• daemonset 能确定有哪些node在运行traefik，所以可以确定的知道后端ip，但是不能方便的伸缩
• deployment 可以更方便的伸缩，但是不能确定有哪些node在运行traefik所以不能确定的知道后端ip

一般部署两种不同类型的traefik:

• 面向内部(internal)服务的traefik，建议可以使用deployment的方式
• 面向外部(external)服务的traefik，建议可以使用daemonset的方式

建议使用traffic-type标签

• traffic-type: external
• traffic-type: internal

traefik相应地使用labelSelector

• traffic-type=internal
• traffic-type=external

安装

mkdir traefik && cd traefik
wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml

# 配置rbac
kubectl apply -f traefik-rbac.yaml

# 以下两种方式选择一个 # 80 提供正常服务，8080 是其自带的 UI 界面 # 以daemonset方式启动traefik # 会在所有node节点启动一个traefik并监听在80端口 # master节点不会启动traefik
wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-ds.yaml
kubectl apply -f traefik-ds.yaml


# 以deployment方式启动traefik
wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-deployment.yaml
kubectl apply -f traefik-deployment.yaml

# 查看状态
kubectl get pods -n kube-system

# 访问测试，如果有响应说明安装正确 # 应该返回404 # 如果以daemonset方式启动traefik使用如下方式验证 # 11.11.11.112为任何一个node节点的ip
curl 11.11.11.112

# 如果以deployment方式启动traefik # 访问node:nodeport或者集群ip验证 复制代码

部署Træfik Web UI

wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/ui.yaml
kubectl apply -f ui.yaml

# 访问webui # 需要先配置host # 11.11.11.112为任何一个node节点的ip
11.11.11.112 traefik-ui.minikube

# 浏览器访问如下地址
http://traefik-ui.minikube/
复制代码

使用basic验证

# 生成加密密码，如果没有安装htpasswd可以在线生成 # https://tool.lu/htpasswd/
htpasswd -c ./auth myusername
cat auth
myusername:$apr1$78Jyn/1K$ERHKVRPPlzAX8eBtLuvRZ0 # 从密码文件创建secret # monitoring必须和ingress rule处于同一个namespace 
kubectl create secret generic mysecret --from-file auth --namespace=monitoring

# 创建ingress
cat >prometheus-ingress.yaml<<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
 name: prometheus-dashboard
 namespace: monitoring
 annotations:
 kubernetes.io/ingress.class: traefik
 ingress.kubernetes.io/auth-type: "basic"
 ingress.kubernetes.io/auth-secret: "mysecret"
spec:
 rules:
 - host: dashboard.prometheus.example.com
 http:
 paths:
 - backend:
 serviceName: prometheus
 servicePort: 9090
EOF

kubectl create -f prometheus-ingress.yaml -n monitoring
复制代码

官方实例

1. 根据域名(host)路由

# deployment
wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheese-deployments.yaml
kubectl apply -f cheese-deployments.yaml

# service
wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheese-services.yaml
kubectl apply -f cheese-services.yaml

# ingress
wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheese-ingress.yaml
kubectl apply -f cheese-ingress.yaml

# 查看状态
kubectl get pods
kubectl get svc
kubectl get ingress

# 测试 # 配置hosts
11.11.11.112 stilton.minikube cheddar.minikube wensleydale.minikube

# 浏览器访问测试
http://stilton.minikube/
http://cheddar.minikube/
http://wensleydale.minikube/
复制代码

2. 根据路径(path)路由

# 使用新的ingress
wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheeses-ingress.yaml
kubectl apply -f cheeses-ingress.yaml

# 测试 # 配置hosts
11.11.11.112 cheeses.minikube

# 浏览器访问测试
http://cheeses.minikube/stilton/
http://cheeses.minikube/cheddar/
http://cheeses.minikube/wensleydale/
复制代码

3. 指定路由优先级

apiVersion: extensions/v1beta1 kind: Ingress metadata:  name: wildcard-cheeses  annotations: traefik.frontend.priority: "1" spec:  rules:  - host: *.minikube  http:  paths:  - path: /  backend:  serviceName: stilton  servicePort: http kind: Ingress metadata:  name: specific-cheeses  annotations: traefik.frontend.priority: "2" spec:  rules:  - host: specific.minikube  http:  paths:  - path: /  backend:  serviceName: stilton  servicePort: http