Kubernetes traefik 系列|traefik摆设与利用
一、traefik简介Traefik是一个功能强盛的负载均衡工具,它支持4层和7层的根本负载均衡操作,通过IngressRoute、IngressRouteTCP、IngressRouteUDP资源即可轻松实现。为了满意更复杂的负载均衡需求,Traefik还抽象出了TraefikService资源,答应实现加权轮询、流量复制等高级操作。整体流量走向为:外部流量起首通过entryPoints端口进入Traefik,然后由IngressRoute/IngressRouteTCP/IngressRouteUDP举行匹配,进入TraefikService举行高级负载均衡处理,最后将哀求转发至Kubernetes的service。除此之外,Traefik还支持7层的粘性会话、康健检查、传递哀求头、响应转发、故障转移等丰富功能,为微服务架构提供全面的负载均衡和流量管理能力。
https://i-blog.csdnimg.cn/direct/187ebdd9cf0044ecbf59b8c6515de9f8.png
官方文档:https://doc.traefik.io/traefik/getting-started/install-traefik/
gtihub地址:https://github.com/traefik/traefik-helm-chart
https://i-blog.csdnimg.cn/direct/3b647c2335c1498d998977e56108ff5a.png
当启动Traefik时,需要定义entrypoints,然后通过entrypoints的路由来分析传入的哀求,来查看他们是否是一组规则匹配,如果匹配,则路由可能将哀求通过一系列的转换过来在发送到服务上去。
二、安装traefik
# 添加repo
# helm repo add traefik https://helm.traefik.io/traefik
# 更新repo仓库资源
# helm repo update
# 查看repo仓库traefik
# helm search repo traefik
# 创建traefik名称空间
# kubectl create ns traefik
# 安装traefik
# helm install --namespace=traefik traefik traefik/traefik
# 查看helm列表
# helm list -n traefik
# 查看pod资源信息
# kubectl get pod -n traefik
域名访问dashboard服务
利用helm摆设的traefik默认利用LoadBalancer袒露服务,如果想利用此方式访问,起主要摆设MetalLB才能分配到EXTERNAL-IP
Kubernetes LoadBalancer系列|MetalLB配置摆设
kubectl get svc -n traefik
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: dashboard
namespace: traefik
spec:
entryPoints:
- web
routes:
- match: Host(`traefik.zgh.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
kind: Rule
services:
- name: api@internal
kind: TraefikService
https://i-blog.csdnimg.cn/direct/e811ec07522840f7ad60e4e4a22bb4d4.png
三、traefik利用
IngressRoute
摆设myapp1实例
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp1
spec:
selector:
matchLabels:
app: myapp1
template:
metadata:
labels:
app: myapp1
spec:
containers:
- name: myapp1
image: ikubernetes/myapp:v1
resources:
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: myapp1
spec:
type: ClusterIP
selector:
app: myapp1
ports:
- port: 80
targetPort: 80
摆设myapp2实例
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp2
spec:
selector:
matchLabels:
app: myapp2
template:
metadata:
labels:
app: myapp2
spec:
containers:
- name: myapp2
image: ikubernetes/myapp:v2
resources:
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: myapp2
spec:
type: ClusterIP
selector:
app: myapp2
ports:
- port: 80
targetPort: 80
创建资源并访问测试
# kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp1-795d947b45-9lsm6 1/1 Running 0 2m18s
myapp2-6ffd54f76-ljkr9 1/1 Running 0 66s
# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) 44h
myapp1 ClusterIP 10.104.91.200 <none> 80/TCP 2m26s
myapp2 ClusterIP 10.111.245.32 <none> 80/TCP 100s
# curl 10.104.91.200
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
# curl 10.111.245.32
Hello MyApp | Version: v2 | <a href="hostname.html">Pod Name</a>
HTTP域名路由
实现目的:集群外部用户通过访问http://myapp1.test.com域名时,将哀求署理至myapp1应用。
创建ingressrouter规则文件
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: myapp1
spec:
entryPoints:
- web
routes:
- match: Host(`myapp1.test.com`) # 域名
kind: Rule
services:
- name: myapp1# 与svc的name一致
port: 80 # 与svc的port一致
创建资源
# kubectl apply -f myapp1-ingress.yaml
ingressroute.traefik.containo.us/myapp1 created
# kubectl get ingressroute
dashboardmyapp1
# kubectl get ingressroute
NAME AGE
dashboard 4h26m
myapp1 20s
客户端添加hosts记录192.168.93.128 myapp1.test.com,然后访问验证
192.168.93.128 为traefik 访问地址
https://i-blog.csdnimg.cn/direct/c2ee8a55e93d4f96be049651cc8ac563.png
示例
https://i-blog.csdnimg.cn/direct/b1bdb793814a49bab3896dafa9d87135.png
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: amq
namespace: activemq-artemis-operator
spec:
entryPoints:
- web
routes:
- match: Host(`amq.test.com`) # 域名
kind: Rule
services:
- name: amq # 与svc的name一致
port: 8161 # 与svc的port一致
HTTPS域名路由(自有证书)
公网服务的话,可以在云厂商那里购买证书。内部服务的话,就直接用 openssl 来创建一个自签名的证书即可,要留意证书文件名称必须是 tls.crt 和 tls.key。接下来演示自签证书的配置。
创建自签证书
root@k8s-master ingress]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=myapp2.test.com"
创建Secret资源来引用证书文件
# kubectl create secret tls myapp2-tls --cert=tls.crt --key=tls.key
secret/myapp2-tls created
# kubectl describe secrets myapp2-tls
Name: myapp2-tls
Namespace: default
Labels: <none>
Annotations:<none>
Type:kubernetes.io/tls
Data
====
tls.crt:1131 bytes
tls.key:1704 bytes
创建IngressRouter规则文件,集群外部用户通过访问https://myapp2.test.com域名时,将哀求署理至myapp2应用。
# cat myapp2-ingress.yaml
# cat myapp2-ingress.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: myapp2
spec:
entryPoints:
- websecure # 监听 websecure 这个入口点,也就是通过 443 端口来访问
routes:
- match: Host(`myapp2.test.com`)
kind: Rule
services:
- name: myapp2
port: 80
tls:
secretName: myapp2-tls # 指定tls证书名称
# kubectl apply -f myapp2-ingress.yaml
ingressroute.traefik.containo.us/myapp2 created
# kubectl get ingressroute
NAME AGE
dashboard 5h11m
myapp1 45m
myapp2 2m55s
客户端添加hosts记录10.10.101.15(traefik的地址) myapp2.test.com,然后访问验证,由于我们是自签名的证书,所以证书是不受信托的。
https://i-blog.csdnimg.cn/direct/ca01bd45e92340e1990258c8a15d1d1b.png
持续更新中,关注不含糊。。。
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
页:
[1]