kubernetes k8s 集群代理

traefik最佳实践

最佳实践

Posted by dbstack on May 20, 2019

traefik最佳实践

(1) 证书生成,使用下面的 openssl 命令生成 CA 证书:

openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt

(2) 现在我们有了证书,我们可以使用 kubectl 创建一个 secret 对象来存储上面的证书:

 kubectl create secret generic traefik-cert --from-file=tls.crt --from-file=tls.key -n kube-system

(3) 现在我们来配置 Traefik,让其支持 https:

cat >traefik.toml<<-EOF
insecureSkipVerify = true
defaultEntryPoints = [""https"]
[entryPoints]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/tls.crt"
      keyFile = "/ssl/tls.key"
EOF

注:上面的配置文件中我们配置了http和https 两个入口,并且配置了将 http服务强制跳转到 https服务,这样我们所有通过 traefik进来的服务都是 https的,要访问 https服务,当然就得配置对应的证书了,可以看到我们指定 CertFile和KeyFile两个文件, 由于traefik pod 中并没有这两个证书,所以我们要想办法将上面生成的证书挂载到 Pod 中去,是不是前面我们讲解过 secret 对象可以 通过 volume 形式挂载到 Pod 中,至于上面的 traefik.toml 这个文件我们要怎么让 traefik pod 能够访问到呢?还记得我们前面讲 过的 ConfigMap 吗?我们是不是可以将上面的 traefik.toml配置文件通过一个 ConfigMap对象挂载到 traefik pod 中去:

 kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system

(4)traefik 授权文件

cat >traefik-rbac.yaml<<-EOF 
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
EOF

(5)应用traefik-rbac.yaml

kubectl apply -f traefik-rbac.yaml

(6)traefik 部署文件

cat >traefik-deployment.yaml<<-EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 2
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
        - --configfile=/config/traefik.toml
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: NodePort
EOF

(7)部署traefik

kubectl apply -f traefik-deployment.yaml

(8)traefik ui 部署:

cat >traefik-ui.yaml<<-EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  creationTimestamp: 2018-04-09T11:39:48Z
  generation: 1
  name: traefik-ui
  namespace: default
  resourceVersion: "140644"
  selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/test
  uid: b54bbda8-3bea-11e8-b75a-000c29858eab
spec:
  rules:
  - host: www.demo-traefik.com
    http:
      paths: 
      - backend:
          serviceName: traefik-ingress-service
          servicePort: 80
status:
  loadBalancer: {}
EOF

(9) 部署traefik-ui

kubectl apply -f traefik-ui.yaml

(10)访问 http://www.demo-traefik.com:8080/dashboard/ 即可看到traefik 界面 (11) traefik 设置上下文示例

cat >cluster_ip yaml<<-EOF
kind: Service
apiVersion: v1
metadata:
  labels:
    workload.user.cattle.io/workloadselector: deployment-default-demo-app-web
  name: demo-app-web
  namespace: default
spec:
  ports:
    - port: 80
  selector: 
    workload.user.cattle.io/workloadselector: deployment-default-demo-app-web
EOF

(12) traefik 调用

cat >demo-app-web-traefik.yaml<<-EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo-app-web 
  annotations:
    kubernetes.io/ingress.class: "traefik"
    traefik.backend.circuitbreaker: "NetworkErrorRatio() > 0.5" 
spec:
  rules:
  - host: wwww.demo-traefik.com
    http:
      paths:
      - path: /study
        backend:
          serviceName: demo-app-web
          servicePort: 80
EOF
CATALOG
    FEATURED TAGS
    终端 Notes MySQL mongodb linux oracle nginx ELK kibana redis
    FRIENDS