开篇
本文主要介绍 Kubernetes采用Traefik做ingress代理服务时,TCP服务和HTTP服务的最基础代理方式。
介绍
先附上traefik deployment.yaml配置文件
代码语言:javascript复制kind: Deployment
apiVersion: apps/v1
metadata:
namespace: default
name: traefik
labels:
app: traefik
spec:
replicas: 5
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 60
hostNetwork: true
restartPolicy: Always
containers:
- name: traefik
image: traefik:v2.0
args:
- --api
- --api.insecure
- --entrypoints.http.Address=:80
- --entrypoints.https.Address=:443
- --entrypoints.redis.Address=:6379
- --providers.kubernetescrd
- --ping
- --accesslog=true
- --log.level=ERROR
- --serversTransport.insecureSkipVerify
- --serversTransport.maxIdleConnsPerHost=5000
- --global.checkNewVersion=false
- --global.sendAnonymousUsage=false
- --providers.file.directory=/config/
- --metrics.prometheus=true
- --providers.file.watch=true
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
- name: admin
containerPort: 8080
- name: redis
containerPort: 6379
resources:
limits:
cpu: 500m
memory: 1Gi
requests:
cpu: 100m
memory: 20Mi
volumeMounts:
- mountPath: /config
name: config
- mountPath: /config/tls
name: tls
volumes:
- name: config
configMap:
name: traefik-conf
- name: tls
persistentVolumeClaim:
claimName: tls
从yaml配置配置文件中,我们可以看到有三个entrypoints:[http]、[https]、[redis],采用hostNetwork的方式,将80,443,6379及8080端口暴露到host主机上。并且有一个configMap配置文件和tls-pvc数据盘挂载到pods上。
代码语言:javascript复制# traefik-configmap.yaml
kind: ConfigMap
apiVersion: v1
metadata:
name: traefik-conf
namespace: default
data:
traefik.toml: |
[providers]
providersThrottleDuration = "2s"
[tls.stores]
[tls.stores.default]
[tls.stores.default.defaultCertificate]
certFile = "/config/tls/cert.crt"
keyFile = "/config/tls/privkey.pem"
在configmap中,指定了ssl证书放置位置。
Traefik Routers
traefik routers主要有HTTP和TCP两种,k8s api kind分别为IngressRoute和IngressRouteTCP,负责将传入请求连接到可以处理这些请求的服务。按照我司现有架构,数据传输顺序为:client --> aliyun SLB --> traefik --> services --> pods。
HTTP Routers
代码语言:javascript复制apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: simpleingressroute
namespace: default
spec:
entryPoints:
- http
routes:
- match: Host(`your.domain.com`) && PathPrefix(`/notls`)
kind: Rule
services:
- name: whoami
port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutetls
namespace: default
spec:
entryPoints:
- https
routes:
- match: Host(`your.domain.com`) && PathPrefix(`/tls`)
kind: Rule
services:
- name: whoami
port: 80
tls:
certResolver: default
passthrough: true
创建两个HTTP IngressRoute,simpleingressroute 为无tls访问,ingressroutetls 为tls访问。 在此介绍HTTPS & TLS的一点小知识。从之前介绍的configmap配置中,有一项为:
代码语言:javascript复制 [tls.stores]
[tls.stores.default]
[tls.stores.default.defaultCertificate]
certFile = "/config/tls/cert.crt"
keyFile = "/config/tls/privkey.pem"
在此,设置了tls的默认stores为default,默认Certificate为certFile与keyFile定义的证书。所以IngressRoute ingressroutetls的tls certResolver设置为default,且passthrough为true,允许无证书也可访问。更多内容,可去官网阅读 https://docs.traefik.io/https/tls/ 。
TCP Routers
TCP Routers的介绍,将通过redis的实例来详解。
代码语言:javascript复制# redis.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: redis
spec:
template:
metadata:
labels:
app: redis
spec:
containers:
- name: redis
image: redis:3.2.11
ports:
- containerPort: 6379
protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
name: redis
spec:
ports:
- port: 6379
targetPort: 6379
selector:
app: redis
新建一个redis服务,端口指向为6379。并生成一个IngressRouteTCP,将entryPoints为redis(即host 6379端口)指向services-redis-6379。
代码语言:javascript复制apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: redis
spec:
entryPoints:
- redis
routes:
- match: HostSNI(`*`)
services:
- name: redis
port: 6379
就可以通过host 6379端口访问,如:redis-cli -h hostip -p 6379
。
TCP Routers与HTTP Routers的routes有所不同:
- TCP Routers match采用HostSNI,而HTTP Routers match直接匹配Host。
- TCP Routers只能定位TCP服务(不能定位HTTP服务)。
- 如果HTTP Routers和TCP Routers都侦听相同的入口点,则TCP Routers将在HTTP Routers之前应用。如果找不到与TCP Routers匹配的路由,则HTTP Routers将接管。
参考链接
https://docs.traefik.io/ https://www.qikqiak.com/post/expose-redis-by-traefik2/