kubernetes 以 DaemonSet 模式部署 Traefik

如果是跨云/跨境/跨账号部署集群,在所有节点都运行Traefik实例,可以充分利用每个节点的外网IP,对特定流量进行分组,避免通过LB转发数据浪费带宽及流量。

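# ACME (Let's Encrypt) contact e-mail, referenced by the DaemonSet below.
# The address on the published page was mangled by the site's e-mail
# obfuscation; the value here is a PLACEHOLDER — replace it with a real
# mailbox before applying anything.
export MY_ACME_EMAIL=you@example.org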

# Namespace that holds everything Traefik-related, plus the service account
# the DaemonSet runs as (its cluster RBAC is bound in the next step).
# The delimiter is quoted: the manifest contains no shell expansions.
kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: traefik-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: traefik-system
EOF

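# Cluster RBAC for the Traefik service account, taken from the Traefik docs.
# NOTE(review): "v2.9" looks like a moving branch ref and the manifest is
# applied straight from the network — review it (or pin an exact release
# tag) for anything beyond a lab cluster.
# The upstream file hard-codes "namespace: default" (ServiceAccount metadata
# and ClusterRoleBinding subjects, as far as the published file shows); those
# are rewritten and -n supplies the namespace for anything that lacks one.
# Cluster-scoped objects (ClusterRole, ClusterRoleBinding) ignore -n, so no
# namespace is injected into their metadata, and a ServiceAccount that already
# carries a namespace no longer ends up with a duplicated "namespace:" key —
# which is what the previous "insert after every metadata:" sed produced.
wget -qO- https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml \
  | sed 's/namespace: default/namespace: traefik-system/g' \
  | kubectl apply -n traefik-system -f -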

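# Traefik CRDs (IngressRoute, Middleware, ...). CustomResourceDefinitions are
# cluster-scoped, so injecting "namespace: traefik-system" into their metadata
# (as the previous sed pipeline did) is meaningless and has been dropped.
# Same caveat as the RBAC step: "v2.9" is a moving ref applied straight from
# the network. This must run before the Middleware object is applied further
# down.
wget -qO- https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml \
  | kubectl apply -f -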

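# Deploy Traefik as a DaemonSet on the host network: every node listens on its
# own :80/:443 directly (no LB hop). MY_ACME_EMAIL must be set — ${:?} aborts
# the heredoc otherwise instead of handing an empty address to the ACME
# resolver.
kubectl apply -f - <<EOF
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: traefik-system
  labels:
    app: traefik
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      namespace: traefik-system
      labels:
        app: traefik
    spec:
      # hostNetwork: the container binds the node's interfaces directly, so
      # every entrypoint below is reachable on the node's public IP.
      hostNetwork: true
      serviceAccountName: traefik-ingress-controller
      # NOTE(review): tainted nodes (e.g. control-plane) will not run this pod
      # unless tolerations are added — confirm against the intended node set.
      containers:
        - name: traefik
          image: traefik:v2.9  # minor-version tag; floats across patch releases
          args:
            - --api=true
            # api.insecure serves the API/dashboard unauthenticated on :8080 of
            # every node. The dashboard Service/Ingress further down targets
            # that port, so it is kept here; block :8080 at the node firewall.
            - --api.insecure=true
            - --api.dashboard=true
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.address=:443
            - --certificatesresolvers.default.acme.tlschallenge
            # one acme.json per node (hostPath below): each node keeps its own
            # ACME account and private keys
            - --certificatesresolvers.default.acme.storage=/data/acme.json
            - --certificatesresolvers.default.acme.email=${MY_ACME_EMAIL:?MY_ACME_EMAIL is not set}
            - --providers.kubernetesingress
            - --providers.kubernetescrd
            - --log.level=ERROR
          volumeMounts:
            - name: data
              mountPath: /data
      volumes:
        - name: data
          hostPath:
            type: DirectoryOrCreate
            path: /var/lib/traefik  # holds acme.json (private keys) on each node
EOF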

执行完上述命令后,由于启用了 `--api.insecure=true` 并使用主机网络,每个节点的 IP:8080 都可以直接(无需认证)访问控制面板。为了安全,应该使用防火墙禁止外部访问 8080 端口,并改为通过自定义域名(加上认证)访问控制面板。

# Public host name the dashboard answers on (sample value — point DNS at a
# node running Traefik and substitute it here).
MY_TRAEFIK_HOST=traefik.example.org
export MY_TRAEFIK_HOST

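# Dashboard credentials. Sample values — replace before use. The password is
# only ever passed to openssl on stdin (never on a command line), but
# `export` still makes it visible to every child process of this shell.
export MY_AUTH_USERNAME=admin
export MY_AUTH_PASSWORD=PASSW0RD

# Build an htpasswd-style line "user:<apr1 hash>\n" (MD5-based; Traefik's
# basicAuth also accepts SHA1 and bcrypt hashes) and base64-encode it for the
# Secret. `openssl base64 -A` emits one unwrapped line, so the value stays
# valid inside the single-line `auth:` field regardless of length (GNU
# `base64` wraps at 76 columns, which would break the YAML). Both inputs are
# required; ${:?} fails fast if either is empty.
MY_SECRET_CODE=$(
  printf '%s:%s\n' "${MY_AUTH_USERNAME:?MY_AUTH_USERNAME is not set}" \
    "$(printf '%s\n' "${MY_AUTH_PASSWORD:?MY_AUTH_PASSWORD is not set}" \
         | openssl passwd -stdin -apr1)" \
    | openssl base64 -A
)
export MY_SECRET_CODE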

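# Create the auth Secret, the basicAuth Middleware, a Service in front of the
# insecure API port, and the Ingress that publishes the dashboard on the
# custom host. The dashboard router is attached to the TLS entrypoint
# (websecure) with a certificate from the "default" ACME resolver defined in
# the DaemonSet: basic-auth credentials must not travel over plain HTTP (the
# `web` entrypoint on :80). The tls-alpn challenge needs :443 of the node that
# $MY_TRAEFIK_HOST resolves to reachable from the Internet. Both variables
# are required; ${:?} aborts the heredoc if either is empty.
kubectl apply -f - <<EOF
kind: Secret
apiVersion: v1
metadata:
  name: basic-auth
  namespace: traefik-system
data:
  # base64 of an htpasswd-style "user:hash" line (MY_SECRET_CODE above)
  auth: ${MY_SECRET_CODE:?MY_SECRET_CODE is not set}
---
kind: Middleware
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: basic-auth
  namespace: traefik-system
spec:
  basicAuth:
    secret: basic-auth
---
apiVersion: v1
kind: Service
metadata:
  name: dashboard-service
  namespace: traefik-system
spec:
  ports:
    - name: dashboard
      port: 8080  # the --api.insecure listener on each hostNetwork pod
  selector:
    app: traefik
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: dashboard-ingress
  namespace: traefik-system
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.tls.certresolver: default
    # Middleware CRDs are referenced as <namespace>-<name>@kubernetescrd
    traefik.ingress.kubernetes.io/router.middlewares: traefik-system-basic-auth@kubernetescrd
spec:
  rules:
    - host: ${MY_TRAEFIK_HOST:?MY_TRAEFIK_HOST is not set}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: dashboard-service
                port:
                  name: dashboard
EOF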
文章作者: 若海; 原文链接: https://www.rehiy.com/post/462/; 转载需声明来自技术写真 - 若海
