简介
traefik 是一个前端负载均衡器,对于微服务架构尤其是 kubernetes 等编排工具具有良好的支持;同 nginx 等相比,traefik 能够自动感知后端容器变化,从而实现自动服务发现。
traefik部署在k8s上分为daemonset和deployment两种方式各有优缺点:
- daemonset 能确定有哪些node在运行traefik,所以可以确定的知道后端ip,但是不能方便的伸缩
- deployment 可以更方便的伸缩,但是不能确定有哪些node在运行traefik所以不能确定的知道后端ip
一般部署两种不同类型的traefik:
- 面向内部(internal)服务的traefik,建议可以使用deployment的方式
- 面向外部(external)服务的traefik,建议可以使用daemonset的方式
建议使用traffic-type标签
- traffic-type: external
- traffic-type: internal
traefik相应地使用labelSelector
- traffic-type=internal
- traffic-type=external
安装
mkdir traefik && cd traefik
wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml
# 配置rbac
kubectl apply -f traefik-rbac.yaml
# 以下两种方式选择一个
# 80 提供正常服务,8080 是其自带的 UI 界面
# 以daemonset方式启动traefik
# 会在所有node节点启动一个traefik并监听在80端口
# master节点不会启动traefik
wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-ds.yaml
kubectl apply -f traefik-ds.yaml
# 以deployment方式启动traefik
wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-deployment.yaml
kubectl apply -f traefik-deployment.yaml
# 查看状态
kubectl get pods -n kube-system
# 访问测试,如果有响应说明安装正确
# 应该返回404
# 如果以daemonset方式启动traefik使用如下方式验证
# 11.11.11.112为任何一个node节点的ip
curl 11.11.11.112
# 如果以deployment方式启动traefik
# 访问node:nodeport或者集群ip验证
部署Træfik Web UI
wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/ui.yaml
kubectl apply -f ui.yaml
# 访问webui
# 需要先配置host
# 11.11.11.112为任何一个node节点的ip
11.11.11.112 traefik-ui.minikube
# 浏览器访问如下地址
http://traefik-ui.minikube/
使用basic验证
# 生成加密密码,如果没有安装htpasswd可以在线生成
# https://tool.lu/htpasswd/
htpasswd -c ./auth myusername
cat auth
myusername:$apr1$78Jyn/1K$ERHKVRPPlzAX8eBtLuvRZ0
# 从密码文件创建secret
# monitoring必须和ingress rule处于同一个namespace
kubectl create secret generic mysecret --from-file auth --namespace=monitoring
# 创建ingress
cat >prometheus-ingress.yaml<<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: prometheus-dashboard
namespace: monitoring
annotations:
kubernetes.io/ingress.class: traefik
ingress.kubernetes.io/auth-type: "basic"
ingress.kubernetes.io/auth-secret: "mysecret"
spec:
rules:
- host: dashboard.prometheus.example.com
http:
paths:
- backend:
serviceName: prometheus
servicePort: 9090
EOF
kubectl create -f prometheus-ingress.yaml -n monitoring
官方实例
1. 根据域名(host)路由
# deployment
wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheese-deployments.yaml
kubectl apply -f cheese-deployments.yaml
# service
wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheese-services.yaml
kubectl apply -f cheese-services.yaml
# ingress
wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheese-ingress.yaml
kubectl apply -f cheese-ingress.yaml
# 查看状态
kubectl get pods
kubectl get svc
kubectl get ingress
# 测试
# 配置hosts
11.11.11.112 stilton.minikube cheddar.minikube wensleydale.minikube
# 浏览器访问测试
http://stilton.minikube/
http://cheddar.minikube/
http://wensleydale.minikube/
2. 根据路径(path)路由
# 使用新的ingress
wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheeses-ingress.yaml
kubectl apply -f cheeses-ingress.yaml
# 测试
# 配置hosts
11.11.11.112 cheeses.minikube
# 浏览器访问测试
http://cheeses.minikube/stilton/
http://cheeses.minikube/cheddar/
http://cheeses.minikube/wensleydale/
3. 指定路由优先级
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: wildcard-cheeses
annotations:
traefik.frontend.priority: "1"
spec:
rules:
- host: *.minikube
http:
paths:
- path: /
backend:
serviceName: stilton
servicePort: http
kind: Ingress
metadata:
name: specific-cheeses
annotations:
traefik.frontend.priority: "2"
spec:
rules:
- host: specific.minikube
http:
paths:
- path: /
backend:
serviceName: stilton
servicePort: http
