
Traefik版本升级与生产使用

devops运维先行者 2019-10-14

        前篇文章《Traefik 2.0 Now GA! Traefik V2真正来了!》主要介绍了traefik v2.0相较于v1.0版本的一些新功能特性;此篇文章主要介绍在K8S集群中traefik从v1.0升级至v2.0的流程,以及在线上的一些功能使用。

        

V1配置清单

    #ingress-rbac.yaml 
    # ServiceAccount the v1 Traefik pods run as (see serviceAccountName in
    # traefik-ingress.yaml).
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: ingress
      namespace: kube-system
    ---
    # Binds the ingress ServiceAccount to the built-in cluster-admin role.
    # NOTE(review): cluster-admin is unrestricted access to every API object, so
    # a compromised Traefik pod controls the whole cluster. Traefik v1 only needs
    # read access to ingresses/services/endpoints/secrets; a dedicated ClusterRole
    # like traefik-ingress-controller in CRD-rbac.yaml below is the least-privilege
    # equivalent.
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: ingress
    subjects:
      - kind: ServiceAccount
        name: ingress
        namespace: kube-system
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
      #traefik-ingress.yaml
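      # Traefik v1 ingress controller. hostNetwork means :80, :443 and :8580 are
      # bound directly on every node that schedules a replica.
      # extensions/v1beta1 Deployment was removed in k8s 1.16; apps/v1 requires
      # an explicit spec.selector.
      apiVersion: extensions/v1beta1
      kind: Deployment
      metadata:
        name: traefik-ingress-lb
        namespace: kube-system
        labels:
          k8s-app: traefik-ingress-lb
      spec:
        replicas: 4
        template:
          metadata:
            labels:
              k8s-app: traefik-ingress-lb
            name: traefik-ingress-lb
          spec:
            terminationGracePeriodSeconds: 60
            hostNetwork: true  # pod shares the node's network namespace
            restartPolicy: Always
            serviceAccountName: ingress
            volumes:
              - name: ssl
                hostPath:
                  # hostPath must be an absolute path. The original listing had
                  # "etc/kubernetes/cert" (leading slash missing); the absolute form
                  # is assumed here — confirm it matches the nodes' cert directory.
                  path: /etc/kubernetes/cert
              - name: config
                configMap:
                  name: traefik-conf
            containers:
              - image: traefik:v1.7.17-alpine
                name: traefik-ingress-lb
                volumeMounts:
                  - mountPath: /ssl
                    name: ssl
                  - mountPath: /config
                    name: config
                resources:
                  limits:
                    cpu: 200m
                    memory: 1Gi
                  requests:
                    cpu: 100m
                    memory: 20Mi
                ports:
                  - containerPort: 80
                  - containerPort: 443
                  - containerPort: 8580  # v1 web UI / API (--web.address)
                args:
                  - --web.address=:8580
                  # NOTE(review): --web has no authentication of its own. The
                  # basic-auth Ingress in traefik_ui.yaml only guards the hostname
                  # route; with hostNetwork, :8580 is also reachable on the node
                  # directly. Restrict it with node/network firewalling.
                  - --web
                  - --kubernetes
                  - --configfile=/config/traefik.toml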
      ---
      # NodePort Service in front of the v1 pods. Because the pods use
      # hostNetwork they already answer on :80/:443 of every node; the fixed
      # NodePorts below add a second way in.
      kind: Service
      apiVersion: v1
      metadata:
        name: traefik
        namespace: kube-system
      spec:
        type: NodePort
        ports:
          - protocol: TCP
            port: 80
            nodePort: 30201
            name: http
          - protocol: TCP
            port: 443
            nodePort: 30202
            name: https
        selector:
          k8s-app: traefik-ingress-lb
        #traefik-map.yaml
        # Static Traefik v1 configuration, mounted at /config/traefik.toml.
        # NOTE(review): insecureSkipVerify = true turns off TLS certificate
        # verification towards backends, so any host that can sit on the path to
        # a backend can present its own certificate unnoticed; distribute the
        # backends' CA via rootCAs instead. Only an http entry point is defined
        # although the Deployment publishes :443 — nothing listens on 443 with
        # this file.
        kind: ConfigMap
        apiVersion: v1
        metadata:
          name: traefik-conf
          namespace: kube-system
        data:
          traefik.toml: |
            MaxIdleConnsPerHost = 5000
            graceTimeOut = 60
            insecureSkipVerify = true
            defaultEntryPoints = ["http"]
            [entryPoints]
            [entryPoints.http]
            address = ":80"
            compress = true


          #traefik_ui.yaml 
          # Publishes the v1 web UI (:8580 in the pod) as service port 801.
          # NOTE(review): type NodePort without a fixed nodePort also allocates a
          # random 30000-32767 port on every node, which bypasses the basic-auth
          # Ingress below; ClusterIP is enough for the Ingress to reach it.
          apiVersion: v1
          kind: Service
          metadata:
            name: traefik-web-ui
            namespace: kube-system
          spec:
            type: NodePort
            selector:
              k8s-app: traefik-ingress-lb
            ports:
              - name: web
                port: 801
                targetPort: 8580
          ---
          # Dashboard Ingress guarded by Traefik v1's basic-auth annotations; the
          # users come from the `basic-auth` Secret (not shown) in this namespace.
          # NOTE(review): with only an http entry point (traefik-map.yaml) the
          # Authorization header travels in clear text.
          apiVersion: extensions/v1beta1
          kind: Ingress
          metadata:
            name: traefik-web-ui
            namespace: kube-system
            annotations:
              kubernetes.io/ingress.class: traefik
              ingress.kubernetes.io/auth-type: basic
              ingress.kubernetes.io/auth-secret: basic-auth
          spec:
            rules:
              - host: www.traefik-v1.com
                http:
                  paths:
                    - path: ""  # empty path: every path under this host is routed
                      backend:
                        serviceName: traefik-web-ui
                        servicePort: web


          V2配置清单

            #CRD-rbac.yaml 
            # CRD for IngressRoute (HTTP routers). apiextensions.k8s.io/v1beta1
            # was removed in k8s 1.22; newer clusters need the v1 form.
            apiVersion: apiextensions.k8s.io/v1beta1
            kind: CustomResourceDefinition
            metadata:
              name: ingressroutes.traefik.containo.us
            spec:
              group: traefik.containo.us
              version: v1alpha1
              names:
                kind: IngressRoute
                plural: ingressroutes
                singular: ingressroute
              scope: Namespaced


            ---
            # CRD for IngressRouteTCP (TCP routers).
            apiVersion: apiextensions.k8s.io/v1beta1
            kind: CustomResourceDefinition
            metadata:
              name: ingressroutetcps.traefik.containo.us
            spec:
              group: traefik.containo.us
              version: v1alpha1
              names:
                kind: IngressRouteTCP
                plural: ingressroutetcps
                singular: ingressroutetcp
              scope: Namespaced


            ---
            # CRD for Middleware (auth, redirects, headers, IP filtering, ...).
            apiVersion: apiextensions.k8s.io/v1beta1
            kind: CustomResourceDefinition
            metadata:
              name: middlewares.traefik.containo.us
            spec:
              group: traefik.containo.us
              version: v1alpha1
              names:
                kind: Middleware
                plural: middlewares
                singular: middleware
              scope: Namespaced


            ---
            # CRD for TLSOption (per-router TLS settings such as min version and
            # cipher suites).
            apiVersion: apiextensions.k8s.io/v1beta1
            kind: CustomResourceDefinition
            metadata:
              name: tlsoptions.traefik.containo.us
            spec:
              group: traefik.containo.us
              version: v1alpha1
              names:
                kind: TLSOption
                plural: tlsoptions
                singular: tlsoption
              scope: Namespaced


            ---
            # Role for the v2 controller: read-only on core objects and the Traefik
            # CRDs, write only on ingresses/status.
            # NOTE(review): `secrets` get/list/watch is cluster-wide here, so the
            # controller can read every Secret in the cluster, not only TLS ones.
            # The two `extensions` rules are only needed when the
            # kubernetesingress provider is enabled; traefik-deployment.yaml
            # enables only --providers.kubernetescrd, so they can be dropped.
            kind: ClusterRole
            apiVersion: rbac.authorization.k8s.io/v1beta1
            metadata:
              name: traefik-ingress-controller
            rules:
              - apiGroups:
                  - ""
                resources:
                  - services
                  - endpoints
                  - secrets
                verbs:
                  - get
                  - list
                  - watch
              - apiGroups:
                  - extensions
                resources:
                  - ingresses
                verbs:
                  - get
                  - list
                  - watch
              - apiGroups:
                  - extensions
                resources:
                  - ingresses/status
                verbs:
                  - update
              - apiGroups:
                  - traefik.containo.us
                resources:
                  - middlewares
                verbs:
                  - get
                  - list
                  - watch
              - apiGroups:
                  - traefik.containo.us
                resources:
                  - ingressroutes
                verbs:
                  - get
                  - list
                  - watch
              - apiGroups:
                  - traefik.containo.us
                resources:
                  - ingressroutetcps
                verbs:
                  - get
                  - list
                  - watch
              - apiGroups:
                  - traefik.containo.us
                resources:
                  - tlsoptions
                verbs:
                  - get
                  - list
                  - watch


            ---
            # Grants the ClusterRole above to the controller's ServiceAccount in
            # the default namespace.
            kind: ClusterRoleBinding
            apiVersion: rbac.authorization.k8s.io/v1beta1
            metadata:
              name: traefik-ingress-controller
            roleRef:
              apiGroup: rbac.authorization.k8s.io
              kind: ClusterRole
              name: traefik-ingress-controller
            subjects:
              - kind: ServiceAccount
                name: traefik-ingress-controller
                namespace: default


            ---
            # ServiceAccount used by the v2 Deployment.
            apiVersion: v1
            kind: ServiceAccount
            metadata:
              namespace: default
              name: traefik-ingress-controller
              #traefik-deployment.yaml
              # Traefik v2 controller. hostNetwork binds :80, :443 and :8080
              # straight on the node, so the Service below is not needed for
              # reachability. extensions/v1beta1 Deployment was removed in k8s
              # 1.16; use apps/v1 on current clusters.
              kind: Deployment
              apiVersion: extensions/v1beta1
              metadata:
                namespace: default
                name: traefik
                labels:
                  app: traefik
              spec:
                replicas: 4
                selector:
                  matchLabels:
                    app: traefik
                template:
                  metadata:
                    labels:
                      app: traefik
                  spec:
                    serviceAccountName: traefik-ingress-controller
                    terminationGracePeriodSeconds: 60
                    hostNetwork: true
                    restartPolicy: Always
                    containers:
                      - name: traefik
                        # floating minor tag; pin a patch tag or digest for
                        # reproducible rollouts
                        image: traefik:v2.0
                        args:
                          - --api
                          # NOTE(review): --api.insecure serves the API/dashboard on
                          # the built-in `traefik` entry point (:8080) with no
                          # authentication. With hostNetwork that is the node's port
                          # 8080, reachable without passing through the admin-auth
                          # middleware applied in traefik-admin.yaml. Dropping the
                          # flag and pointing the admin IngressRoute at the
                          # `api@internal` service keeps the dashboard behind auth only.
                          - --api.insecure
                          - --entrypoints.http.Address=:80
                          - --entrypoints.https.Address=:443
                          - --providers.kubernetescrd
                          # /ping is enabled but no readiness/liveness probe uses it
                          - --ping
                          - --accesslog=true
                          - --log.level=ERROR
                          # disables TLS certificate verification towards backends
                          - --serversTransport.insecureSkipVerify
                          - --serversTransport.maxIdleConnsPerHost=5000
                          # both flags make outbound calls to Traefik's update and
                          # telemetry endpoints; set them =false where egress is restricted
                          - --global.checkNewVersion
                          - --global.sendAnonymousUsage
                        ports:
                          - name: http
                            containerPort: 80
                          - name: https
                            containerPort: 443
                          - name: admin
                            containerPort: 8080
                        resources:
                          limits:
                            cpu: 500m
                            memory: 1Gi
                          requests:
                            cpu: 100m
                            memory: 20Mi
              ---
              # NOTE(review): type NodePort with no nodePort values allocates random
              # 30000-32767 ports, including one for :8080 — the unauthenticated API
              # when --api.insecure is set. The pods already use hostNetwork, so
              # :80/:443 are on every node regardless; consider dropping the admin
              # port here or using ClusterIP.
              apiVersion: v1
              kind: Service
              metadata:
                name: traefik
              spec:
                type: NodePort
                ports:
                  - protocol: TCP
                    name: http
                    port: 80
                  - protocol: TCP
                    name: https
                    port: 443
                  - protocol: TCP
                    name: admin
                    port: 8080
                selector:
                  app: traefik
                #traefik-middleware.yaml
                # Basic auth for the dashboard route; users are read from the
                # `basic-auth` Secret (not shown) in this namespace.
                apiVersion: traefik.containo.us/v1alpha1
                kind: Middleware
                metadata:
                  name: admin-auth
                  namespace: default
                spec:
                  basicAuth:
                    secret: basic-auth
                ---
                # Redirects http requests to https.
                # NOTE(review): no IngressRoute on this page references it, so the
                # admin route still answers over plain http.
                apiVersion: traefik.containo.us/v1alpha1
                kind: Middleware
                metadata:
                  name: redirect
                  namespace: default
                spec:
                  redirectScheme:
                    scheme: https
                ---
                # Enable gzip compression
                # gzip responses; the empty mapping enables the middleware with
                # default settings.
                apiVersion: traefik.containo.us/v1alpha1
                kind: Middleware
                metadata:
                  name: compress
                  namespace: default
                spec:
                  compress: {}
                ---
                # Adds a CORS Allow-Headers response header. On its own it does not
                # permit cross-origin calls — browsers also require a matching
                # Access-Control-Allow-Origin, presumably set by the backend.
                apiVersion: traefik.containo.us/v1alpha1
                kind: Middleware
                metadata:
                  name: header
                  namespace: default
                spec:
                  headers:
                    customResponseHeaders:
                      Access-Control-Allow-Headers: 'content-type,x-token,x-request-id,authorization,token'
                ---
                # Admits only loopback and two private ranges.
                # NOTE(review): ipStrategy.depth: 2 picks the IP two positions from
                # the right of X-Forwarded-For, i.e. it assumes exactly one trusted
                # proxy (the SLB mentioned in the article) appends to that header.
                # If the real hop count differs, the check is evaluated on an empty
                # or client-supplied value — verify against the actual topology.
                apiVersion: traefik.containo.us/v1alpha1
                kind: Middleware
                metadata:
                  name: ipwhitelist
                  namespace: default
                spec:
                  ipWhiteList:
                    sourceRange:
                      - 127.0.0.1
                      - 172.16.0.0/16
                      - 10.42.0.0/16
                    ipStrategy:
                      depth: 2
                ---
                # Whitelist that admits every IPv4 source — effectively a no-op,
                # handy for overriding a stricter list on one route. IPv6 clients
                # are still rejected; add `::/0` if that is not intended.
                apiVersion: traefik.containo.us/v1alpha1
                kind: Middleware
                metadata:
                  name: allowall
                  namespace: default
                spec:
                  ipWhiteList:
                    sourceRange:
                      - 0.0.0.0/0
                  # traefik-admin.yaml
                  # ClusterIP Service pointing at Traefik's own :8080 (the API served
                  # by --api.insecure), used as the backend of the dashboard route.
                  apiVersion: v1
                  kind: Service
                  metadata:
                    name: traefik-admin
                    namespace: default
                  spec:
                    type: ClusterIP
                    ports:
                      - protocol: TCP
                        name: admin
                        port: 8080
                    selector:
                      app: traefik
                  ---
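                  # Dashboard route: www.traefik-v2.com -> Traefik's :8080 API, behind
                  # basic auth. The original listing had the garbled line
                  # `- matchHost(...)`; the field is `match: Host(...)`.
                  # NOTE(review): the route is served over the plain http entry point
                  # (the `redirect` middleware is not attached), so the basic-auth
                  # credentials travel in clear text; and with --api.insecure the
                  # same backend is reachable on node port 8080 without any auth.
                  apiVersion: traefik.containo.us/v1alpha1
                  kind: IngressRoute
                  metadata:
                    name: traefik-admin
                    namespace: default
                  spec:
                    # entryPoints:
                    #   - traefik
                    # empty list: per Traefik's default the router is attached to
                    # every configured entry point (http and https here)
                    entryPoints: []
                    routes:
                      - match: Host(`www.traefik-v2.com`) && PathPrefix(`/`)
                        kind: Rule
                        priority: 1
                        middlewares:
                          - name: admin-auth
                            namespace: default
                          - name: compress
                            namespace: default
                          - name: header
                            namespace: default
                        services:
                          - name: traefik-admin
                            namespace: default
                            port: 8080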


                          从V1跟V2的配置上不难发现,V2使用了K8S CRD,采用IngressRoute来解析代理后端服务。

                          由于k8s中的traefik采用hostNetwork网络模式,阿里云SLB只需指向后端worker node的80端口即可访问目标域名,例如traefik admin界面www.traefik-v2.com。


                  traefik线上使用

                  假设我们有一个Java 微服务需要上线,K8S配置文件为:

                    # Example Java service. ENV, <BUILD_TAG> and MAXMEM are placeholders
                    # substituted by the CI pipeline before apply.
                    apiVersion: apps/v1
                    kind: Deployment
                    metadata:
                      name: server-name
                      namespace: ENV
                      labels:
                        jenkinsname: jenkins-name
                    spec:
                      replicas: 1
                      selector:
                        matchLabels:
                          app: server-name
                      template:
                        metadata:
                          labels:
                            app: server-name
                        spec:
                          containers:
                            - name: server-name
                              image: 172.16.10.13/test-server/server-name:<BUILD_TAG>
                              imagePullPolicy: Always
                              securityContext:
                                allowPrivilegeEscalation: false
                              # tcpSocket probes only verify that :80 accepts connections,
                              # not that the application answers; an httpGet health
                              # endpoint is more informative if the service has one.
                              readinessProbe:
                                tcpSocket:
                                  port: 80
                                initialDelaySeconds: 5
                                periodSeconds: 5
                              livenessProbe:
                                tcpSocket:
                                  port: 80
                                initialDelaySeconds: 600  # 10 min grace before the first check
                                periodSeconds: 20
                              ports:
                                - name: web
                                  protocol: TCP
                                  containerPort: 80
                              resources:
                                requests:
                                  # cpu: "100m"
                                  memory: "128Mi"
                                limits:
                                  # cpu: "300m"
                                  memory: "MAXMEM"
                              volumeMounts:
                                - name: zone
                                  mountPath: /etc/localtime
                                  readOnly: true
                                - name: app-logs
                                  mountPath: /var/log/nginx
                            # Sidecar shipping /var/log/nginx from the shared emptyDir.
                            - name: filebeat
                              image: 172.16.10.13/library/filebeat:v6.5.4
                              args:
                                - "-c"
                                - "/etc/filebeat.yml"
                                - "-e"
                              # NOTE(review): filebeat runs as root. The ConfigMap below is
                              # mounted with defaultMode 0600 (root-owned), which is likely
                              # why; a non-root uid plus a pod fsGroup or a 0440 defaultMode
                              # would avoid it — confirm before changing.
                              securityContext:
                                runAsUser: 0
                              resources:
                                limits:
                                  memory: 200Mi
                                requests:
                                  cpu: 50m
                                  memory: 100Mi
                              env:
                                - name: servername
                                  value: "server-name"
                              volumeMounts:
                                - name: app-logs
                                  mountPath: /var/log/nginx
                                - name: filebeatconfig
                                  mountPath: /etc/filebeat.yml
                                  readOnly: true
                                  subPath: filebeat.yml
                                - name: zone
                                  mountPath: /etc/localtime
                                  readOnly: true
                          volumes:
                            - name: zone
                              hostPath:
                                path: /etc/localtime
                            - name: filebeatconfig
                              configMap:
                                # YAML 1.1 octal -> 384, which k8s applies as mode 0600
                                defaultMode: 0600
                                name: filebeat-template
                            - name: app-logs
                              emptyDir: {}
                    ---
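                    # ClusterIP Service for the app. The original listing nested
                    # selector/ports under a `template:` key copied from a Deployment;
                    # Service.spec has no such field and `kubectl apply` validation
                    # rejects it, so selector and ports sit directly under spec. The
                    # `name` label that was under template.metadata is kept on the
                    # Service's own metadata.
                    apiVersion: v1
                    kind: Service
                    metadata:
                      name: server-name-svc
                      namespace: ENV
                      labels:
                        name: server-name-svc
                    spec:
                      selector:
                        app: server-name
                      ports:
                        - name: web
                          port: 80
                          targetPort: 80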

                    按traefik v1的使用习惯,我们将使用ingress来代理:

                      # v1-style Ingress: three hostnames, all routed to server-name-svc:80.
                      # The annotation value is quoted because it contains a colon.
                      apiVersion: extensions/v1beta1
                      kind: Ingress
                      metadata:
                        name: server-name-ing
                        namespace: ENV
                        annotations:
                          kubernetes.io/ingress.class: traefik
                          ingress.kubernetes.io/custom-response-headers: 'Access-Control-Allow-Headers:content-type,x-token,x-request-id,authorization,token'
                      spec:
                        rules:
                          - host: ENV-k8s-server-name.com
                            http:
                              paths:
                                - path: ""  # empty path: every path under the host is routed
                                  backend:
                                    serviceName: server-name-svc
                                    servicePort: 80
                          - host: ENV-server-name.com
                            http:
                              paths:
                                - path: ""
                                  backend:
                                    serviceName: server-name-svc
                                    servicePort: 80
                          - host: domain
                            http:
                              paths:
                                - path: ""
                                  backend:
                                    serviceName: server-name-svc
                                    servicePort: 80

                      Traefik v2将使用k8s CRD,ingressroute来代理:

                        # v2 equivalent of the Ingress above, bound to the http entry point.
                        # NOTE(review): the second host here is ENV-server-name.k8s.com while
                        # the Ingress uses ENV-server-name.com — presumably one is a typo.
                        # The middlewares live in `default` while this route is in ENV; the
                        # cross-namespace reference works in v2.0 but later releases require
                        # allowCrossNamespace on the provider.
                        apiVersion: traefik.containo.us/v1alpha1
                        kind: IngressRoute
                        metadata:
                          name: server-name
                          namespace: ENV
                        spec:
                          entryPoints:
                            - http
                          routes:
                            - match: Host(`ENV-k8s-server-name.com`,`ENV-server-name.k8s.com`,`domain`) && PathPrefix(`/`)
                              kind: Rule
                              priority: 10
                              middlewares:
                                - name: compress
                                  namespace: default
                                - name: header
                                  namespace: default
                              services:
                                - name: server-name-svc
                                  namespace: ENV
                                  port: 80

                        注解:

                        entryPoints:该路由绑定的Traefik入口点(即启动参数中定义的http、https);

                        match:匹配规则;

                        priority:路由优先级;

                        middlewares:中间件;


                                middlewares中间件可以查看traefik-middleware.yaml,配合match和middlewares字段,我们可以对域名路径做许多访问规则,类似于Nginx。


                                好了,今天的文章先讲一部分内容,后面继续更新ing···


                        文章转载自devops运维先行者,如果涉嫌侵权,请发送邮件至:contact@modb.pro进行举报,并提供相关证据,一经查实,墨天轮将立刻删除相关内容。
