Træfik is a modern HTTP reverse proxy and load balancer created to make deploying microservices easier. It supports several backends (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, ...) and applies its configuration from them automatically and dynamically.
Træfik can watch your service discovery / orchestrator API and notices whenever a microservice is added, removed, killed or updated; it generates the configuration automatically, and the routes pointing to your services are created directly.
As the figure above shows, Kubernetes runs a set of services; by deploying Træfik on Kubernetes and letting it watch the API, we can configure the reverse proxy with vhosts or path prefixes:
The domain api.domain.com points to the api microservice on your private network
The path domain.com/web points to the web microservice on your private network
The domain backoffice.domain.com points to the backoffice microservice on your private network, load-balanced across its multiple instances
Let's zoom into Træfik and look at its internal architecture:
As the name suggests, incoming requests end up at entrypoints, Træfik's network entry points (listening ports, SSL, traffic redirection...).
Traffic is then forwarded to a matching frontend. A frontend defines the routes from an entrypoint to a backend. Routes are built from request fields (Host, Path, Headers...) and either match a request or not.
The frontend sends the request to a backend. A backend consists of one server, or of several servers configured with a load-balancing strategy.
Finally, the server forwards the request to the corresponding microservice in the private network.
See the official documentation for details:
https://docs.traefik.io/
II. Installing Træfik on Kubernetes
1. Download Træfik's YAML files
# wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml
# wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-ds.yaml
# wget https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/ui.yaml
2. Change the port in the DaemonSet file
# cat traefik-ds.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      containers:
      - image: 192.168.100.100/traefik/traefik:1.6.2
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8081
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        #- --api
        - --web.address=:8081
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8081
      name: admin
  type: NodePort
Note: my master node is also a worker node, and port 8080 is the kube-apiserver port, which caused a conflict, so here I changed the port to 8081.
At the same time, remove the - --api option and add the - --web.address=:8081 option.
3. Change the image to the private registry (adjust as needed) and set the Træfik Web UI domain
# sed -i "s/image: traefik/image: 192.168.100.100\/traefik\/traefik:1.6.2/g" traefik-ds.yaml
# sed -i "s/traefik-ui.minikube/traefik-ui.io/g" ui.yaml
4. Apply the YAML files and check
# kubectl create -f .
serviceaccount "traefik-ingress-controller" created
daemonset "traefik-ingress-controller" created
service "traefik-ingress-service" created
clusterrole "traefik-ingress-controller" created
clusterrolebinding "traefik-ingress-controller" created
service "traefik-web-ui" created
ingress "traefik-web-ui" created
# kubectl get pod -n kube-system | grep traefik
traefik-ingress-controller-sjmp2   1/1   Running   0   3d
traefik-ingress-controller-t5rgg   1/1   Running   0   3d
traefik-ingress-controller-tltvm   1/1   Running   0   3d
# kubectl exec -it traefik-ingress-controller-sjmp2 -n kube-system /traefik version
Version:      v1.6.2
Codename:     tetedemoine
Go version:   go1.10.2
Built:        2018-05-22_03:19:06PM
OS/Arch:      linux/amd64
5. Log in to the Træfik Web UI
# kubectl get service -n kube-system | grep traefik
traefik-ingress-service   NodePort    10.244.46.110   <none>   80:29484/TCP,8081:13879/TCP   3d
traefik-web-ui            ClusterIP   10.244.87.207   <none>   80/TCP                        3d
# kubectl get ing -n kube-system
NAME             HOSTS           ADDRESS   PORTS     AGE
traefik-web-ui   traefik-ui.io             80        3d
Note:
80 is the service port and 8080 is the UI port (changed to 8081 in this deployment, see the note above)
Open http://<node_ip>:<node_port> in a browser to reach Træfik
Here we add a hosts entry on the client to reach the Træfik Web UI, for example:
192.168.100.103 traefik-ui.io
Now we can log in through traefik-ui.io and take a look
6. Configure access to Prometheus
# cat prom.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: grafana
  namespace: monitoring     ## set the namespace as appropriate
spec:
  rules:
  - host: prom.zhi.io       ## replace with your cluster's default service access domain
    http:
      paths:
      - path:
        backend:
          serviceName: grafana
          servicePort: 3000
# kubectl get ing -n monitoring
NAME      HOSTS         ADDRESS   PORTS     AGE
grafana   prom.zhi.io             80        3d
Check the Traefik Web UI
After configuring hosts, log in to Prometheus with the corresponding domain
III. Configuring Basic authentication
1. Use htpasswd to create a file containing the username and the MD5-hashed password
# yum -y install httpd
# htpasswd -c auth admin      ### create the password file auth and add the user admin
New password:
Re-type new password:
Adding password for user admin
# cat auth
admin:$apr1$h0.DZ9TF$6JN.FSka4Wdy5eUL4t1ut0
2. Create the secret
# kubectl create secret generic mysecret --from-file auth --namespace=monitoring
secret "mysecret" created
3. Attach the following annotations to the Ingress object:
kubernetes.io/ingress.class: traefik -----> declares that this ingress is implemented by the traefik backend
ingress.kubernetes.io/auth-type: "basic" -----> declares basic as the authentication mode
ingress.kubernetes.io/auth-secret: "mysecret" -----> declares the corresponding secret in the namespace
4. Apply the configuration and confirm
# cat prom.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: grafana
  namespace: monitoring
  annotations:
    kubernetes.io/ingress.class: traefik
    ingress.kubernetes.io/auth-type: "basic"
    ingress.kubernetes.io/auth-secret: "mysecret"
spec:
  rules:
  - host: prom.zhi.io
    http:
      paths:
      - path:
        backend:
          serviceName: grafana
          servicePort: 3000
# kubectl apply -f prom.yaml
ingress "grafana" configured
Enter prom.zhi.io in the browser; an authentication dialog pops up, and here you log in with the username and password created by the htpasswd command
After entering the username and password and clicking Log in, you are taken to the domain
IV. Adding TLS to Træfik
1. Generate a certificate and key with openssl
# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=traefik-ui.io"
Generating a 2048 bit RSA private key
.................+++
................................................................+++
writing new private key to 'tls.key'
-----
# ls tls*
tls.crt  tls.key
2. Create the Secret
# kubectl -n kube-system create secret tls traefik-ui-tls-cert --key=tls.key --cert=tls.crt
secret "traefik-ui-tls-cert" created
# kubectl get secret -n kube-system traefik-ui-tls-cert
NAME                  TYPE                DATA      AGE
traefik-ui-tls-cert   kubernetes.io/tls   2         1h
3. Configure entrypoints
Entrypoints are Træfik's network entry points. They can be defined by:
a. a port (80, 443...)
b. SSL (certificate, key, authentication of client certificates signed by a trusted CA...)
c. a redirect to another entrypoint (redirect HTTP to HTTPS)
# cat traefik.toml
defaultEntryPoints = ["http","https"]
insecureskipverify = true
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"
Note:
a. Two entrypoints are defined above, http and https
b. http listens on port 80, https listens on port 443
c. SSL is enabled on https by providing a certificate and a key
d. All requests on the http entrypoint are forwarded to the https entrypoint
e. insecureSkipVerify:
If set to true, invalid SSL certificates presented by backends are accepted.
This disables the detection of man-in-the-middle attacks, so it must only be used on a secure backend network.
Since I want traefik to proxy the Kubernetes dashboard (which has HTTPS enabled), I enabled this option
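As an added example (not part of the original post or of Traefik), the following script reads the traefik.toml above and checks the three points the note makes: that the http entrypoint redirects to https, that the https entrypoint has a certificate and key, and that insecureSkipVerify is flagged when it is on. SAMPLE_TOML is a copy of the configuration shown above; the minimal TOML reader only handles the subset used there.

```python
SAMPLE_TOML = """\
defaultEntryPoints = ["http","https"]
insecureskipverify = true
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"
"""

def flatten_toml(text):
    # Minimal reader for this TOML subset: {"table.key": value}, keys lower-cased,
    # since Traefik 1.x matches option names case-insensitively.
    table, out = "", {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            table = line.strip("[]").lower()
        else:
            key, _, val = (p.strip() for p in line.partition("="))
            out[f"{table}.{key.lower()}".lstrip(".")] = val.strip('"')
    return out

def audit_entrypoints(text):
    # Returns a list of findings; an empty list means all three checks passed.
    cfg = flatten_toml(text)
    findings = []
    if cfg.get("insecureskipverify") == "true":
        findings.append("insecureSkipVerify=true: backend certificates are not "
                        "validated, so a MITM between Traefik and a backend goes undetected")
    if cfg.get("entrypoints.http.redirect.entrypoint") != "https":
        findings.append("http entry point does not redirect to https")
    certs = "entrypoints.https.tls.certificates."
    if not (cfg.get(certs + "certfile") and cfg.get(certs + "keyfile")):
        findings.append("https entry point has no certificate/key pair")
    return findings
```

Run against the configuration above it reports only the insecureSkipVerify finding, which is the trade-off the note describes.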
4. Create the ConfigMap
# kubectl -n kube-system create configmap traefik --from-file=traefik.toml
configmap "traefik" created
# kubectl get configmap -n kube-system traefik
NAME      DATA      AGE
traefik   1         1h
# kubectl get configmap -n kube-system traefik -o yaml
apiVersion: v1
data:
  traefik.toml: |+
    defaultEntryPoints = ["http","https"]
    insecureskipverify = true
    [entryPoints]
      [entryPoints.http]
      address = ":80"
        [entryPoints.http.redirect]
        entryPoint = "https"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          certFile = "/ssl/tls.crt"
          keyFile = "/ssl/tls.key"
kind: ConfigMap
metadata:
  creationTimestamp: 2018-06-04T05:55:44Z
  name: traefik
  namespace: kube-system
  resourceVersion: "10549957"
  selfLink: /api/v1/namespaces/kube-system/configmaps/traefik
  uid: eb9b845a-67bb-11e8-b7ff-000c297aff5d
5. Configure the DaemonSet
# cat traefik-ds.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      volumes:
      - name: ssl
        secret:
          secretName: traefik-ui-tls-cert
      - name: config
        configMap:
          name: traefik
      containers:
      - image: 192.168.100.100/traefik/traefik:1.6.2
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
        - name: admin
          containerPort: 8081
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        #- --api
        - --configfile=/config/traefik.toml
        - --web.address=:8081
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8081
      name: admin
  type: NodePort
# kubectl create -f traefik-ds.yaml
serviceaccount "traefik-ingress-controller" created
daemonset "traefik-ingress-controller" created
service "traefik-ingress-service" created
6. Configure the UI
# cat ui.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8081
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik-ui.io
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web
  tls:
  - secretName: traefik-ui-tls-cert
# kubectl create -f ui.yaml
service "traefik-web-ui" created
ingress "traefik-web-ui" created
# kubectl get ing -n kube-system traefik-web-ui
NAME             HOSTS           ADDRESS   PORTS     AGE
traefik-web-ui   traefik-ui.io             80, 443   1h
7. Testing
Entering traefik-ui.io in the browser automatically redirects to https://traefik-ui.io
Entering prom.zhi.io in the browser automatically redirects to https://prom.zhi.io; enter the username and password to get in
8. Configure traefik to proxy the kubernetes dashboard
a. Configure and apply the ingress
# cat k8s.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: "k8s.zhi.io"
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
# kubectl create -f k8s.yaml
ingress "kubernetes-dashboard" created
# kubectl -n kube-system get ing kubernetes-dashboard
NAME                   HOSTS        ADDRESS   PORTS     AGE
kubernetes-dashboard   k8s.zhi.io             80        6m
b. Test
Note:
a. For the TLS configuration I referred to this blog post: https://www.cnblogs.com/ericnie/p/8856339.html
b. For the configuration you can refer to the official documentation: https://docs.traefik.io
Proxying services with Træfik on kubernetes
Original article: http://blog.51cto.com/wangzhijian/2125520