Traefik - Configuring TCP/HTTP services on Kubernetes

2022-06-01 08:50:35

Preface

This article covers the most basic way of proxying TCP services and HTTP services when Kubernetes uses Traefik as its ingress proxy.

Introduction

First, the Traefik deployment.yaml configuration file:

kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: traefik
  labels:
    app: traefik

spec:
  replicas: 5
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      restartPolicy: Always
      containers:
        - name: traefik
          image: traefik:v2.0
          args:
            - --api
            - --api.insecure
            - --entrypoints.http.Address=:80
            - --entrypoints.https.Address=:443
            - --entrypoints.redis.Address=:6379
            - --providers.kubernetescrd
            - --ping
            - --accesslog=true
            - --log.level=ERROR
            - --serversTransport.insecureSkipVerify
            - --serversTransport.maxIdleConnsPerHost=5000
            - --global.checkNewVersion=false
            - --global.sendAnonymousUsage=false
            - --providers.file.directory=/config/
            - --metrics.prometheus=true
            - --providers.file.watch=true
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
            - name: admin
              containerPort: 8080
            - name: redis
              containerPort: 6379
          resources:
            limits:
              cpu: 500m
              memory: 1Gi
            requests:
              cpu: 100m
              memory: 20Mi
          volumeMounts:
            - mountPath: /config
              name: config
            - mountPath: /config/tls
              name: tls
      volumes:
      - name: config 
        configMap:
          name: traefik-conf
      - name: tls
        persistentVolumeClaim:
          claimName: tls

From this YAML configuration file we can see that there are three entrypoints, [http], [https] and [redis], and that hostNetwork mode is used to expose ports 80, 443, 6379 and 8080 on the host machine. A configMap and a tls PVC volume are also mounted into the pods.
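As an added check (not part of the original post or of Traefik itself), the following Python script scans a Deployment manifest like the one above for the settings a reviewer would want explained before it ships: `--api.insecure`, `--serversTransport.insecureSkipVerify` and `hostNetwork: true`. The manifest text is a constructed excerpt of the YAML above; the flag descriptions reflect Traefik v2 behaviour, and the line-based parsing is an assumption made so that no YAML library is needed.

```python
import re

# Constructed excerpt of the Deployment above, embedded so the check runs offline.
SAMPLE_MANIFEST = """\
spec:
  hostNetwork: true
  containers:
    - name: traefik
      image: traefik:v2.0
      args:
        - --api
        - --api.insecure
        - --entrypoints.http.Address=:80
        - --entrypoints.https.Address=:443
        - --entrypoints.redis.Address=:6379
        - --providers.kubernetescrd
        - --serversTransport.insecureSkipVerify
        - --log.level=ERROR
"""

# Real Traefik v2 options that weaken the deployment, keyed in lowercase.
RISKY_FLAGS = {
    "api.insecure": "API/dashboard served without authentication on the 'traefik' entrypoint (port 8080)",
    "serverstransport.insecureskipverify": "TLS certificates of backend services are not verified",
}

def parse_args(manifest: str) -> list:
    """Return every '--flag[=value]' item found in a YAML list (line-based on purpose)."""
    return re.findall(r"^\s*-\s*(--\S+)\s*$", manifest, flags=re.MULTILINE)

def flag_enabled(arg: str) -> tuple:
    """Split '--key[=value]' into (lowercased key, enabled?). A bare flag means true."""
    key, _, value = arg[2:].partition("=")
    return key.lower(), value.strip().lower() in ("", "true")

def audit(manifest: str) -> list:
    """List the findings for one manifest, in the order they appear."""
    findings = []
    for arg in parse_args(manifest):
        key, enabled = flag_enabled(arg)
        if enabled and key in RISKY_FLAGS:
            findings.append(f"{arg}: {RISKY_FLAGS[key]}")
    if re.search(r"^\s*hostNetwork:\s*true\s*$", manifest, re.MULTILINE):
        findings.append("hostNetwork: true: every container port, including 8080, is bound on the node itself")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST):
        print(finding)
```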

# traefik-configmap.yaml
kind: ConfigMap
apiVersion: v1
metadata:
 name: traefik-conf
 namespace: default
data:
 traefik.toml: |   
   [providers]
     providersThrottleDuration = "2s"

   [tls.stores]
     [tls.stores.default]
       [tls.stores.default.defaultCertificate]
         certFile = "/config/tls/cert.crt"
         keyFile  = "/config/tls/privkey.pem"

The configmap specifies where the SSL certificate is placed.

Traefik Routers

Traefik routers come in two kinds, HTTP and TCP, whose Kubernetes API kinds are IngressRoute and IngressRouteTCP respectively; they are responsible for connecting incoming requests to the services that can handle them. In our company's current architecture the data path is: client --> aliyun SLB --> traefik --> services --> pods.

HTTP Routers

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: simpleingressroute
  namespace: default
spec:
  entryPoints:
    - http
  routes:
  - match: Host(`your.domain.com`) && PathPrefix(`/notls`)
    kind: Rule
    services:
    - name: whoami
      port: 80

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutetls
  namespace: default
spec:
  entryPoints:
    - https
  routes:
  - match: Host(`your.domain.com`) && PathPrefix(`/tls`)
    kind: Rule
    services:
    - name: whoami
      port: 80
  tls:
    certResolver: default
    passthrough: true

Two HTTP IngressRoutes are created: simpleingressroute for access without TLS, and ingressroutetls for access with TLS. A little background on HTTPS & TLS: the configmap introduced earlier contains the following entry:

   [tls.stores]
     [tls.stores.default]
       [tls.stores.default.defaultCertificate]
         certFile = "/config/tls/cert.crt"
         keyFile  = "/config/tls/privkey.pem"

Here the default TLS store is set to default, and the default certificate is the one defined by certFile and keyFile. This is why the IngressRoute ingressroutetls sets tls certResolver to default, with passthrough set to true, which allows access even without a certificate. For more details, see the official documentation at https://docs.traefik.io/https/tls/ .

TCP Routers

TCP Routers are explained in detail through a redis example.

# redis.yaml
# Deployment moved from extensions/v1beta1 (removed in Kubernetes 1.16) to apps/v1,
# which also requires an explicit selector matching the pod template labels.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
spec:
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      containers:
      - name: redis
        image: redis:3.2.11
        ports:
        - containerPort: 6379
          protocol: TCP

---

apiVersion: v1
kind: Service
metadata:
  name: redis
spec:
  ports:
  - port: 6379
    targetPort: 6379
  selector:
    app: redis

Create a redis service whose port points to 6379, and generate an IngressRouteTCP that points the redis entryPoint (that is, host port 6379) at service redis, port 6379.

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: redis
spec:
  entryPoints:
    - redis
  routes:
  - match: HostSNI(`*`)
    services:
    - name: redis
      port: 6379

The service can then be reached through host port 6379, for example: redis-cli -h hostip -p 6379

The routes of TCP Routers differ from those of HTTP Routers:
  • A TCP Router match uses HostSNI, whereas an HTTP Router match matches Host directly.
  • TCP Routers can only target TCP services (they cannot target HTTP services).
  • If HTTP Routers and TCP Routers both listen on the same entrypoint, the TCP Routers are applied before the HTTP Routers. If no route matching the TCP Routers is found, the HTTP Routers take over.

Reference links

https://docs.traefik.io/
https://www.qikqiak.com/post/expose-redis-by-traefik2/
