This article explains in detail how to install and use traefik in kubernetes. It is shared here as a reference, in the hope that readers come away with a working understanding of the topic.
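Environment: traefik 2.2+, k8s 1.18+
Requirement: obtain certificates automatically, using the aliyun DNS method to get the certificate, and expose the service to the external network
Official reference: https://docs.traefik.io/user-guides/crd-acme/
First install helm, a package manager for k8s similar to yum. See https://helm.sh/docs/intro/install/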
Download your desired version
Unpack it (tar -zxvf helm-v3.0.0-linux-amd64.tar.gz)
Find the helm binary in the unpacked directory, and move it to its desired destination (mv linux-amd64/helm /usr/local/bin/helm)
traefik has two modes: 1. configure routing rules with the Traefik CRD (IngressRoute), 2. configure routing rules with Kubernetes Ingress (Ingress)
IngressRoute Definition: copy the yaml file from https://docs.traefik.io/user-guides/crd-acme/#ingressroute-definition and apply it
kubectl apply -f ingress-route-definition.yaml
Create the Service and Secret
# Note 1: the Secret data must be base64 encoded (https://kubernetes.io/zh/docs/concepts/configuration/secret/)
echo -n 'admin' | base64
# Note 2: add a storage volume (adjust to your environment). Validated certificates are stored in /etc/acme/acme.json here; this file must be persisted, otherwise the certificates have to be validated again every time Traefik is recreated
# Note 3: the Service exposes its ports directly (NodePort) instead of using kubectl port-forward as in the official documentation
# Note 4: the two arguments below enable both supported modes, ingress and ingress-route:
#   - --providers.kubernetesingress
#   - --providers.kubernetescrd
# Note 5: the dashboard is not exposed directly, to protect it; later it is viewed through https + basic auth
# traefik.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
---
apiVersion: v1
kind: Secret
metadata:
  name: aliyun-secret
data:
  # values must be base64 encoded (see Note 1)
  ALICLOUD_ACCESS_KEY: your_key_base64
  ALICLOUD_SECRET_KEY: your_secret_base64
  ALICLOUD_REGION_ID: your_region_base64
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: traefik-acme-cephfs-pvc
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: rook-cephfs
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik
  labels:
    app: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      volumes:
        - name: acme-store
          persistentVolumeClaim:
            claimName: traefik-acme-cephfs-pvc
            readOnly: false
      containers:
        - name: traefik
          image: traefik:v2.4
          args:
            # --api.insecure serves the API and dashboard without authentication
            # on port 8080 (the "traefik" entry point) to anything that can reach the pod
            - --api.insecure
            - --log.level=INFO
            - --accesslog
            - --entrypoints.web.Address=:8000
            - --entrypoints.websecure.Address=:4443
            - --providers.kubernetesingress
            - --providers.kubernetescrd
            - --certificatesresolvers.aliyun.acme.dnschallenge.provider=alidns
            - --certificatesresolvers.aliyun.acme.email=your_email@qq.com
            - --certificatesresolvers.aliyun.acme.storage=/etc/acme/acme.json
          envFrom:
            - secretRef:
                name: aliyun-secret
          volumeMounts:
            - name: acme-store
              mountPath: /etc/acme
          ports:
            - name: web
              containerPort: 8000
            - name: websecure
              containerPort: 4443
            - name: admin
              containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: traefik
spec:
  type: NodePort
  selector:
    app: traefik
  ports:
    - protocol: TCP
      port: 8000
      name: web
      # must match the web entry point (:8000); the original value 80 has no listener
      targetPort: 8000
      nodePort: 31001
    - protocol: TCP
      port: 4443
      name: websecure
      targetPort: 4443
      nodePort: 31000
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-dashboard
spec:
  # ClusterIP only: the dashboard port is not published through a NodePort
  selector:
    app: traefik
  ports:
    - protocol: TCP
      port: 8080
      name: admin
      targetPort: 8080
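A consistency check for a deployment like the one above, as an added example that is not part of the original article: it compares the Traefik entry point arguments with the Service ports in front of them and reports where the unauthenticated `--api.insecure` listener on port 8080 is reachable. The `audit` function and the JSON listing (shaped like trimmed `kubectl get deployment,service -o json` output) are constructed for illustration, and numeric `targetPort` values are assumed.

```python
import json
import re

# Constructed sample: a trimmed `kubectl get deployment,service -o json` listing
# in which the web Service port targets 80 while the entry point listens on 8000.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Deployment", "metadata": {"name": "traefik"},
  "spec": {"template": {"spec": {"containers": [{"args": [
    "--api.insecure", "--entrypoints.web.Address=:8000",
    "--entrypoints.websecure.Address=:4443"]}]}}}},
 {"kind": "Service", "metadata": {"name": "traefik"},
  "spec": {"type": "NodePort", "ports": [
    {"name": "web", "port": 8000, "targetPort": 80},
    {"name": "websecure", "port": 4443, "targetPort": 4443}]}},
 {"kind": "Service", "metadata": {"name": "traefik-dashboard"},
  "spec": {"ports": [{"name": "admin", "port": 8080, "targetPort": 8080}]}}
]}
""")

ENTRYPOINT = re.compile(r"--entrypoints\.([^.]+)\.address=.*:(\d+)$", re.I)
INSECURE = re.compile(r"--api\.insecure(=true)?$", re.I)

def audit(listing):
    """Return findings for Traefik args vs. the Services in front of it."""
    args = [a for i in listing["items"] if i["kind"] == "Deployment"
            for c in i["spec"]["template"]["spec"]["containers"]
            for a in c.get("args", [])]
    listening = {int(m.group(2)): m.group(1)
                 for m in map(ENTRYPOINT.match, args) if m}
    insecure = any(INSECURE.match(a) for a in args)
    if insecure:
        listening[8080] = "traefik"  # default entry point used by --api.insecure
    findings = []
    for svc in (i for i in listing["items"] if i["kind"] == "Service"):
        name = svc["metadata"]["name"]
        external = svc["spec"].get("type", "ClusterIP") != "ClusterIP"
        for p in svc["spec"]["ports"]:
            target = p.get("targetPort", p["port"])  # assumption: numeric, not a named port
            if target not in listening:
                findings.append(f"{name}/{p['name']}: targetPort {target} has no entry point")
            elif insecure and target == 8080:
                scope = "outside the cluster" if external else "inside the cluster"
                findings.append(f"{name}/{p['name']}: unauthenticated dashboard reachable {scope}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
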
Mode 1: create an Ingress for the actual application
kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
  name: myingress
  annotations:
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls.certresolver: aliyun
    traefik.ingress.kubernetes.io/router.tls.domains.0.main: your_domain.com
spec:
  rules:
    - host: your_domain.com
      http:
        paths:
          - path: /bar
            backend:
              serviceName: whoami
              servicePort: 80
          - path: /foo
            backend:
              serviceName: whoami
              servicePort: 80
Mode 2: IngressRoute
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressi-route-wqtls
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`your_domain.com`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls:
    certResolver: aliyun
    domains:
      - main: "your_domain.com"
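Once the domain name resolves, the service is reachable at https://your_domain.com:31000/bar
Using the dashboard securely. Reference: https://docs.traefik.io/operations/dashboard/
# Generate the account and password with the commands below (or online at https://tool.oschina.net/htpasswd)
# and replace users in the Secret with the result
sudo apt install apache2-utils
echo $(htpasswd -nb admin gJv4EAfuXp5vFJ8)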
apiVersion: v1
kind: Secret
metadata:
  name: traefik-dashboard-auth-secret
  namespace: default
type: Opaque
stringData:
  users: admin:$apr1$tQ1iFwRf$8SvGrGQcBT.RdZS73ULXH1
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-dashboard-auth
  namespace: default
spec:
  basicAuth:
    secret: traefik-dashboard-auth-secret
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`traefik.your_domain.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      services:
        - kind: TraefikService
          name: api@internal
      middlewares:
        - name: traefik-dashboard-auth
  tls:
    certResolver: aliyun
    domains:
      - main: "traefik.your_domain.com"