跳到主要内容

Traefik Ingress

  • Traefik Ingress
  • Traefik 的 K8S 分为 CRD 方式和标准的 IngressController
    • CRD 支持更多功能 - Helm 安装
  • Traefik 支持非常多的功能 - ACME, SNI, Dashboard, Tracing, Metrics
警告
  • traefik 内置 acme, 但有不少问题 - 官方推荐使用 cert-manager
    • 官方 issues 排前面有好几个关于证书的问题
  • 只有 repilca 为 1 才支持 acme - 开源版不支持集群
    • #5426 官方表明 社区版 不考虑集群
  • Middleware 通过 CRD 引用 - 使用相对麻烦
  • 使用 Ingress 方式很多功能得使用 annotation 非常不方便
    • 但直接使用 IngressRoute 会导致 Vendor Lockin
# 转发 9000
kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" -n traefik --output=name) 9000:9000 -n traefik

CRD

  • 示例资源配置

  • 启动参数

    • --global.checknewversion
    • --global.sendanonymoususage
    • --entryPoints.traefik.address=:9000
    • --entryPoints.web.address=:8000
    • --entryPoints.websecure.address=:8443
    • --api.dashboard=true
    • --ping=true
    • --providers.kubernetescrd
    • --providers.kubernetesingress
helm repo add traefik https://containous.github.io/traefik-helm-chart
helm repo update
helm install traefik traefik/traefik

# 可安装在独立命名空间
kubectl create ns traefik
helm install --namespace=traefik \
traefik traefik/traefik

# 转发 dashboard 到本地 9000
# 然后访问 http://localhost:9000/dashboard/
kubectl port-forward -n traefik $(kubectl get pods -n traefik --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000

# 可以配置一个 Ingress 然后即可通过域名访问
cat <<YAML
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
namespace: traefik
spec:
entryPoints:
- web
- traefik
routes:
- match: Host(`traefik.localhost`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
kind: Rule
services:
- name: api@internal
kind: TraefikService
YAML
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: foo
namespace: bar
spec:
# 入口
entryPoints:
- foo
# 路由配置
routes:
- kind: Rule
# 路由匹配规则
match: Host(`test.example.com`)
# 匹配优先级
priority: 10
# 引用中间件
middlewares:
- name: middleware1
namespace: default
# 后端服务
services:
- kind: Service
name: foo
namespace: default
# 透传头信息
passHostHeader: true
port: 80
responseForwarding:
flushInterval: 1ms
scheme: https
# 粘性配置
sticky:
cookie:
httpOnly: true
name: cookie
secure: true
sameSite: none
# 负载策略
strategy: RoundRobin
weight: 10
# TLS
tls:
# 密钥信息
secretName: supersecret
# TLSOption
options:
name: opt
namespace: default
certResolver: foo # CertResolver
domains: # TLS 域名
- main: example.net
sans:
- a.example.net
- b.example.net

Ingress

# 全局默认
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: cheese
spec:
backend:
serviceName: stilton
servicePort: 80

---
apiVersion: v1
kind: Service
metadata:
name: whoami
annotations:
# 修改 schema: http h2c https
traefik.ingress.kubernetes.io/service.serversscheme: https
# 透传 头
traefik.ingress.kubernetes.io/service.passhostheader: 'true'
# 粘性配置
traefik.ingress.kubernetes.io/service.sticky: 'true'
traefik.ingress.kubernetes.io/service.sticky.cookie.name: foobar
traefik.ingress.kubernetes.io/service.sticky.cookie.secure: 'true'
traefik.ingress.kubernetes.io/service.sticky.cookie.samesite: 'none'
traefik.ingress.kubernetes.io/service.sticky.cookie.httponly: 'true'
spec:
type: LoadBalancer
selector:
app: whoami
ports:
- protocol: TCP
port: 80
name: web
targetPort: 80

---
kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
name: myingress
annotations:
# 终端
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
# 中间件
traefik.ingress.kubernetes.io/router.middlewares: <namespace>-<name>@kubernetescrd,cb@file
# 优先级
traefik.ingress.kubernetes.io/router.priority: '42'
# 路径匹配方式 Path, PathPrefix
traefik.ingress.kubernetes.io/router.pathmatcher: PathPrefix

# 是否 TLS
traefik.ingress.kubernetes.io/router.tls: 'true'
# 解析 TLS 方式
traefik.ingress.kubernetes.io/router.tls.certresolver: myresolver
# TLS 的 SNI 域名
traefik.ingress.kubernetes.io/router.tls.domains.0.main: example.org
traefik.ingress.kubernetes.io/router.tls.domains.0.sans: test.example.org,dev.example.org
traefik.ingress.kubernetes.io/router.tls.options: foobar

spec:
# 证书
tls:
- secretName: supersecret
rules:
- host: example.com
http:
paths:
- path: /bar
backend:
serviceName: whoami
servicePort: 80

Cert Manager

FAQ

Cannot create service: subset not found

TBD

https://docs.traefik.io/routing/providers/kubernetes-ingress/ https://github.com/rancher/k3s/issues/1141 https://github.com/containous/traefik-helm-chart https://docs.traefik.io/getting-started/install-traefik/#use-the-helm-chart

kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000

ClusterRoleBinding

error syncing 'traefik/traefik' handler svccontroller: Operation cannot be fulfilled on "svccontroller": delaying object set, requeuing

INOTIFY_USR