
Traefik - Configuring TCP/HTTP services on Kubernetes

devops运维先行者 2020-02-27

Preface

This article describes the most basic way to proxy TCP services and HTTP services when Kubernetes uses Traefik as its ingress proxy.

Introduction

First, the traefik deployment.yaml configuration file:

    kind: Deployment
    apiVersion: apps/v1
    metadata:
      namespace: default
      name: traefik
      labels:
        app: traefik
    spec:
      replicas: 5
      selector:
        matchLabels:
          app: traefik
      template:
        metadata:
          labels:
            app: traefik
        spec:
          serviceAccountName: traefik-ingress-controller
          terminationGracePeriodSeconds: 60
          # hostNetwork binds the entrypoints (and the :8080 API) directly on each node
          hostNetwork: true
          restartPolicy: Always
          containers:
            - name: traefik
              image: traefik:v2.0
              args:
                - --api
                # --api.insecure serves the dashboard/API on :8080 without authentication
                - --api.insecure
                - --entrypoints.http.Address=:80
                - --entrypoints.https.Address=:443
                - --entrypoints.redis.Address=:6379
                - --providers.kubernetescrd
                - --ping
                - --accesslog=true
                - --log.level=ERROR
                # skips certificate verification toward the backend services
                - --serversTransport.insecureSkipVerify
                - --serversTransport.maxIdleConnsPerHost=5000
                - --global.checkNewVersion=false
                - --global.sendAnonymousUsage=false
                - --providers.file.directory=/config/
                - --metrics.prometheus=true
                - --providers.file.watch=true
              ports:
                - name: http
                  containerPort: 80
                - name: https
                  containerPort: 443
                - name: admin
                  containerPort: 8080
                - name: redis
                  containerPort: 6379
              resources:
                limits:
                  cpu: 500m
                  memory: 1Gi
                requests:
                  cpu: 100m
                  memory: 20Mi
              volumeMounts:
                # mountPath must be absolute; the args above read /config/ and /config/tls/
                - mountPath: /config
                  name: config
                - mountPath: /config/tls
                  name: tls
          volumes:
            - name: config
              configMap:
                name: traefik-conf
            - name: tls
              persistentVolumeClaim:
                claimName: tls

From this YAML file we can see three entrypoints, [http], [https] and [redis]; with hostNetwork, ports 80, 443, 6379 and 8080 are exposed directly on the host. A ConfigMap and a tls PVC data volume are also mounted into the pods.

    # traefik-configmap.yaml
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: traefik-conf
      namespace: default
    data:
      traefik.toml: |
        [providers]
          providersThrottleDuration = "2s"

        [tls.stores]
          [tls.stores.default]
            [tls.stores.default.defaultCertificate]
              certFile = "/config/tls/cert.crt"
              keyFile = "/config/tls/privkey.pem"


The ConfigMap specifies where the SSL certificate is located.

Traefik Routers

Traefik routers come in two kinds, HTTP and TCP; the corresponding k8s API kinds are IngressRoute and IngressRouteTCP. They connect incoming requests to the services that can handle them. In our company's current architecture the data path is: client --> aliyun SLB --> traefik --> services --> pods.

HTTP Routers

    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: simpleingressroute
      namespace: default
    spec:
      entryPoints:
        - http
      routes:
        - match: Host(`your.domain.com`) && PathPrefix(`/notls`)
          kind: Rule
          services:
            - name: whoami
              port: 80

    ---
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: ingressroutetls
      namespace: default
    spec:
      entryPoints:
        - https
      routes:
        - match: Host(`your.domain.com`) && PathPrefix(`/tls`)
          kind: Rule
          services:
            - name: whoami
              port: 80
      tls:
        certResolver: default
        passthrough: true

Two HTTP IngressRoutes are created: simpleingressroute for access without TLS, and ingressroutetls for TLS access.
A short note on HTTPS & TLS: the ConfigMap shown earlier contains the following item:

    [tls.stores]
      [tls.stores.default]
        [tls.stores.default.defaultCertificate]
          certFile = "/config/tls/cert.crt"
          keyFile = "/config/tls/privkey.pem"

This sets the default TLS store to default, and the default certificate to the one defined by certFile and keyFile. Accordingly, the tls certResolver of the IngressRoute ingressroutetls is set to default, and passthrough is true, which allows access even without a certificate. For more, see the official docs at https://docs.traefik.io/https/tls/ .

TCP Routers

TCP Routers are explained in detail with a redis example.

    # redis.yaml
    # extensions/v1beta1 Deployment was removed in Kubernetes 1.16; apps/v1 also requires a selector
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: redis
    spec:
      selector:
        matchLabels:
          app: redis
      template:
        metadata:
          labels:
            app: redis
        spec:
          containers:
            - name: redis
              image: redis:3.2.11
              ports:
                - containerPort: 6379
                  protocol: TCP

    ---

    apiVersion: v1
    kind: Service
    metadata:
      name: redis
    spec:
      ports:
        - port: 6379
          targetPort: 6379
      selector:
        app: redis


This creates a redis service on port 6379. Next, create an IngressRouteTCP that points the redis entryPoint (i.e. host port 6379) at services-redis-6379.

    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRouteTCP
    metadata:
      name: redis
    spec:
      entryPoints:
        - redis
      routes:
        - match: HostSNI(`*`)
          services:
            - name: redis
              port: 6379

Redis can then be reached through host port 6379, e.g.: redis-cli -h hostip -p 6379

The routes of TCP Routers differ from those of HTTP Routers:

• TCP Routers match with HostSNI, while HTTP Routers match directly on Host.
• TCP Routers can only target TCP services (not HTTP services).
• If HTTP Routers and TCP Routers both listen on the same entrypoint, the TCP Routers are applied before the HTTP Routers. If no matching TCP route is found, the HTTP Routers take over.
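As an added consistency check (not part of the original post), the following Python script cross-checks the Traefik Deployment args and container ports against the IngressRoute and IngressRouteTCP objects above: every referenced entryPoint must be defined and exposed, and it flags the settings a reviewer would want called out (the unauthenticated API, backend certificate checks, and a plain-TCP catch-all route). The manifests are embedded as Python dicts constructed from the YAML above, so it runs offline with the standard library only.

```python
import re

# Constructed from the Deployment args and ports shown in the post (trimmed to what the check needs).
TRAEFIK_ARGS = [
    "--api", "--api.insecure",
    "--entrypoints.http.Address=:80",
    "--entrypoints.https.Address=:443",
    "--entrypoints.redis.Address=:6379",
    "--providers.kubernetescrd",
    "--serversTransport.insecureSkipVerify",
]
CONTAINER_PORTS = {"http": 80, "https": 443, "admin": 8080, "redis": 6379}
# Constructed from the three router objects in the post.
ROUTES = [
    {"kind": "IngressRoute", "name": "simpleingressroute", "entryPoints": ["http"]},
    {"kind": "IngressRoute", "name": "ingressroutetls", "entryPoints": ["https"], "tls": True},
    {"kind": "IngressRouteTCP", "name": "redis", "entryPoints": ["redis"], "match": "HostSNI(`*`)"},
]

# Traefik v2 CLI keys are case-insensitive, so both "Address" and "address" are accepted here.
ENTRYPOINT_RE = re.compile(r"^--entrypoints\.([^.=]+)\.address=:(\d+)$", re.IGNORECASE)


def parse_entrypoints(args):
    """Map entrypoint name -> listening port from --entrypoints.<name>.address=:<port> flags."""
    eps = {}
    for arg in args:
        m = ENTRYPOINT_RE.match(arg)
        if m:
            eps[m.group(1)] = int(m.group(2))
    return eps


def lint(args, container_ports, routes):
    """Return human-readable findings; entryPoint names are compared exactly as written."""
    eps = parse_entrypoints(args)
    findings = []
    for r in routes:
        ref = f"{r['kind']}/{r['name']}"
        for ep in r["entryPoints"]:
            if ep not in eps:
                findings.append(f"{ref}: entryPoint '{ep}' is not defined in the Traefik args")
            elif eps[ep] not in container_ports.values():
                findings.append(f"{ref}: entryPoint '{ep}' listens on :{eps[ep]} but no containerPort declares it")
        # Without TLS there is no SNI, so HostSNI(`*`) is the only matcher and every connection is forwarded.
        if r["kind"] == "IngressRouteTCP" and r.get("match") == "HostSNI(`*`)" and not r.get("tls"):
            findings.append(f"{ref}: plain-TCP HostSNI(`*`) forwards every connection on its entryPoint; "
                            "with hostNetwork that is every node's port, so restrict it at the SLB/firewall")
    if "--api.insecure" in args:
        findings.append("--api.insecure serves the dashboard and API without authentication on :8080")
    if any(a.lower().startswith("--serverstransport.insecureskipverify") for a in args):
        findings.append("--serversTransport.insecureSkipVerify disables certificate checks toward backends")
    return findings
```

Run `lint(TRAEFIK_ARGS, CONTAINER_PORTS, ROUTES)` before applying the objects; a route that names an entryPoint missing from the args (a common typo, e.g. a `mysql` route without a matching `--entrypoints.mysql.Address`) shows up as the first finding.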

Reference links

https://docs.traefik.io/
https://www.qikqiak.com/post/expose-redis-by-traefik2/
