Today we will look at how to use Traefik as an IngressController, exposing the applications running inside a Kubernetes cluster to the outside world and acting as the reverse proxy for every application in the cluster.
First, create the certificate that Traefik will use to serve HTTPS externally. The extension file referenced by the signing command below (v3.ext) holds the SubjectAltName entries for the apex and wildcard names:
v3.ext:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = *.example.com
SUBJECT=/C=CN/ST=State/L=Location/O=Org/OU=Unit/CN=example.com
openssl genrsa -out cert.key 2048
openssl req -sha512 -new -key cert.key -out cert.req -subj "${SUBJECT}"
openssl x509 -sha512 -req -days 730 -in cert.req -signkey cert.key -out cert.crt -extfile v3.ext
$ kubectl create secret generic traefik-cert-key --from-file=cert.key -n kube-system
$ kubectl create secret generic traefik-cert-crt --from-file=cert.crt -n kube-system
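The same key and certificate generation as above, wrapped in a small POSIX shell script together with the checks worth running before the pair is loaded into the cluster as Secrets: the SAN list really covers both example.com and *.example.com, the certificate is not a CA, and the public key inside the certificate matches cert.key (a mismatched pair is the usual reason Traefik fails to start its TLS entrypoint). This is an added example, not part of the original post; it assumes openssl on PATH, a scratch directory passed as the first argument, and adds one line to v3.ext (subjectKeyIdentifier=hash) so that the keyid lookup in authorityKeyIdentifier resolves on a self-signed certificate. Note that a certificate produced this way is self-signed, so browsers will warn unless it is explicitly trusted; for production use issue it from a CA you control or use ACME.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes: openssl on PATH,
# DIR is a writable scratch directory, DOMAIN is the apex name.

# Write v3.ext, the key, the CSR and the self-signed cert into DIR,
# covering DOMAIN and *.DOMAIN exactly like the commands in the post.
make_cert() {
    dir="$1"; domain="$2"
    cat > "$dir/v3.ext" <<EOF
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $domain
DNS.2 = *.$domain
EOF
    subject="/C=CN/ST=State/L=Location/O=Org/OU=Unit/CN=$domain"
    openssl genrsa -out "$dir/cert.key" 2048 2>/dev/null || return 1
    openssl req -sha512 -new -key "$dir/cert.key" -out "$dir/cert.req" -subj "$subject" || return 1
    openssl x509 -sha512 -req -days 730 -in "$dir/cert.req" -signkey "$dir/cert.key" \
        -out "$dir/cert.crt" -extfile "$dir/v3.ext" 2>/dev/null || return 1
}

# Checks that matter before `kubectl create secret`: both SAN entries present,
# the cert is not a CA, and the cert's public key matches the private key.
verify_cert() {
    dir="$1"; domain="$2"
    text=$(openssl x509 -in "$dir/cert.crt" -noout -text) || return 1
    printf '%s\n' "$text" | grep -qF "DNS:$domain"   || { echo "missing SAN $domain"; return 1; }
    printf '%s\n' "$text" | grep -qF "DNS:*.$domain" || { echo "missing wildcard SAN *.$domain"; return 1; }
    printf '%s\n' "$text" | grep -q  "CA:FALSE"      || { echo "certificate must not be a CA"; return 1; }
    cert_pub=$(openssl x509 -in "$dir/cert.crt" -noout -pubkey | openssl md5)
    key_pub=$(openssl pkey -in "$dir/cert.key" -pubout | openssl md5)
    [ "$cert_pub" = "$key_pub" ] || { echo "cert.key does not match cert.crt"; return 1; }
    echo "cert ok for $domain and *.$domain"
}

# Usage: ./make-cert.sh ./out example.com  (then create the two Secrets from ./out)
if [ -n "$1" ] && [ -n "$2" ]; then
    mkdir -p "$1" && make_cert "$1" "$2" && verify_cert "$1" "$2"
fi
```

Run it once per environment and only create the traefik-cert-key and traefik-cert-crt Secrets from a directory that passed verify_cert.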
traefik.toml:
# traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = "/secret/cert.crt"
KeyFile = "/secret/cert.key"
[entryPoints.traefik]
address = ":8080"
[metrics]
[metrics.prometheus]
entryPoint = "traefik"
buckets = [0.1,0.3,1.2,5.0]
traefik-rbac.yaml:
---
kind: ClusterRole
# rbac.authorization.k8s.io/v1 replaces the v1beta1 API, which was removed in Kubernetes 1.22
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      # cluster-wide read on secrets is needed for Ingress TLS secrets, but it
      # also lets the controller read every Secret in the cluster
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
traefik-ds.yaml:
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
# apps/v1 replaces extensions/v1beta1 (removed in Kubernetes 1.16) and requires a selector
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      # binds :80/:443/:8080 directly on every node's network namespace
      hostNetwork: true
      volumes:
        - name: secret-cert-crt
          secret:
            secretName: traefik-cert-crt
        - name: secret-cert-key
          secret:
            secretName: traefik-cert-key
        - name: config
          configMap:
            name: traefik-conf
      containers:
        # pinned to v1: traefik.toml and the flags below are Traefik v1 syntax,
        # and an untagged "traefik" image pulls a newer major version that rejects them
        - image: traefik:v1.7
          name: traefik-ingress-lb
          volumeMounts:
            - mountPath: "/secret/cert.crt"
              name: secret-cert-crt
              subPath: cert.crt
            - mountPath: "/secret/cert.key"
              name: secret-cert-key
              subPath: cert.key
            - mountPath: "/config"
              name: config
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
            - name: traefik
              containerPort: 8080
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          args:
            - --api
            - --kubernetes
            - --configfile=/config/traefik.toml
            - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 443
      name: https
    - protocol: TCP
      port: 8080
      name: traefik
$ kubectl create configmap traefik-conf -n kube-system --from-file=traefik.toml
$ kubectl apply -f traefik-rbac.yaml
$ kubectl apply -f traefik-ds.yaml
By default, every worker node will then serve HTTP/HTTPS to the outside, because the DaemonSet runs one Traefik pod per node on the host network.
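To confirm that each node behaves as described (port 80 redirects to HTTPS as configured in traefik.toml, port 443 serves the certificate), here is an added smoke test that is not part of the original post. It prints a minimal Ingress for a demo Service so there is something to route, and checks the redirect headers with a small function that is also run against a constructed sample response, so the logic can be exercised without a cluster. Assumptions: curl is installed, NODE_IP is one worker node address, APP_HOST is the hostname in the Ingress, and the Service name and port are the placeholders demo-app and 80. Because the pods use hostNetwork and --api, the dashboard on :8080 is reachable on every node without authentication; keep that port off the public network or protect the traefik entrypoint.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes: curl on PATH,
# NODE_IP = a worker node address, APP_HOST = the Ingress host name.

# Minimal Traefik v1 Ingress for a Service: HOST SERVICE PORT (placeholders).
demo_ingress_yaml() {
    host="$1"; svc="$2"; port="$3"
    cat <<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: $svc
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: $host
      http:
        paths:
          - path: /
            backend:
              serviceName: $svc
              servicePort: $port
EOF
}

# True when captured response headers show the http->https redirect that the
# [entryPoints.http.redirect] section produces: a 3xx status plus an https Location.
check_redirect_headers() {
    headers="$1"; host="$2"
    printf '%s\n' "$headers" | head -n 1 | grep -Eq '^HTTP/[0-9.]+ 30[1278]' || return 1
    printf '%s\n' "$headers" | grep -Eiq "^location: *https://$host" || return 1
    return 0
}

# Constructed sample responses (not captured from a real cluster).
SAMPLE_REDIRECT='HTTP/1.1 302 Found
Location: https://app.example.com/
Content-Type: text/plain; charset=utf-8'
SAMPLE_PLAIN='HTTP/1.1 200 OK
Content-Type: text/html'

# Live check against one node: port 80 must redirect, port 443 must answer.
# --resolve pins Host/SNI to the node IP; -k because the cert is self-signed.
smoke_test() {
    node_ip="$1"; host="$2"
    hdrs=$(curl -sS -I --max-time 5 --resolve "$host:80:$node_ip" "http://$host/") || return 1
    check_redirect_headers "$hdrs" "$host" || { echo "no https redirect on $node_ip"; return 1; }
    curl -sS -k --max-time 5 --resolve "$host:443:$node_ip" -o /dev/null "https://$host/" \
        || { echo "https not served on $node_ip"; return 1; }
    echo "node $node_ip serves $host over https with http redirect"
}

# Usage: NODE_IP=10.0.0.11 APP_HOST=app.example.com ./smoke.sh
if [ -n "$NODE_IP" ] && [ -n "$APP_HOST" ]; then
    demo_ingress_yaml "$APP_HOST" demo-app 80 | kubectl apply -f -
    smoke_test "$NODE_IP" "$APP_HOST"
fi
```

Run smoke_test once per worker node; a node that fails the redirect check usually has a stale ConfigMap or a pod that did not start its https entrypoint.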