k8s 部署 traefik1.7
1. 创建 traefik secret tls 证书, 注意不是 secret generic, 每一个namespace都要创建
# Create the TLS secret Traefik mounts at /ssl. It must be of type "tls", not
# "generic": the tls type stores the pair under the fixed keys tls.crt/tls.key,
# which are the paths hard-wired in traefik.toml below.
# NOTE(review): the private key is read from /tmp on the control-plane node —
# remove that copy once the secret exists so the key only lives in the cluster.
kubectl -n kube-system create secret tls traefik-cert \
  --cert=/tmp/traefik/cinyi.com.cer \
  --key=/tmp/traefik/cinyi.com.key
2. 创建traefik.toml文件,并且引入到configmap中
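[root@master1 traefik]# cat traefik.toml
# Global switch: Traefik will NOT verify the certificates of the backend
# services it proxies to. It applies to every backend, so a spoofed or
# replaced upstream cannot be detected. Only keep it if backends really use
# self-signed certificates, and prefer trusting their CA via rootCAs instead.
insecureSkipVerify = true
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    # Every plain-HTTP request is answered with a redirect to the https entrypoint.
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      # Default paths, do not change: a "tls"-type secret mounted at /ssl exposes
      # exactly these two keys (see the DaemonSet volume mount in step 4).
      certFile = "/ssl/tls.crt"
      # Closing quote restored; the original listing was cut off after tls.key.
      keyFile = "/ssl/tls.key"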
创建 configmap
# Publish traefik.toml as a ConfigMap. The DaemonSet in step 4 mounts it at
# /config and starts Traefik with --configfile=/config/traefik.toml; the key
# inside the ConfigMap is the file's basename, traefik.toml.
kubectl -n kube-system create configmap traefik-conf \
  --from-file=/tmp/traefik/traefik.toml
3. rbac授权
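[root@master1 traefik]# cat traefik-rbac.yaml
---
# rbac.authorization.k8s.io/v1 is GA since Kubernetes 1.8 (the apps/v1
# DaemonSet in step 4 already requires 1.9+); v1beta1 was removed in 1.22.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
rules:
  # "secrets" is listed because Traefik must read the TLS secret referenced by
  # Ingress .spec.tls in every namespace. Bound through a ClusterRoleBinding this
  # is read access to ALL secrets in the cluster, so the controller pod and its
  # ServiceAccount token have to be treated as privileged.
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  # Traefik 1.7 watches Ingress objects in the extensions group only.
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  # Write access is limited to the status subresource; the rules themselves
  # stay read-only for the controller.
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  # The ServiceAccount is created in traefik-ds.yaml (step 4).
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system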
4. traefik 采用 daemonset 模式部署, 挂载 secret 和 configmap 资源, 添加了 https 端口, args 添加了 --configfile=/config/traefik.toml 参数
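[root@master1 traefik]# cat traefik-rbac.yaml
---
# rbac.authorization.k8s.io/v1 is GA since Kubernetes 1.8 (the apps/v1
# DaemonSet below already requires 1.9+); v1beta1 was removed in 1.22.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
rules:
  # Read access to ALL secrets in the cluster (needed for Ingress .spec.tls in
  # any namespace); the controller's ServiceAccount token is therefore privileged.
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  # Only the status subresource is writable.
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
[root@master1 traefik]# cat traefik-ds.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
        # TLS secret from step 1; appears at /ssl as tls.crt and tls.key,
        # matching certFile/keyFile in traefik.toml.
        - name: ssl
          secret:
            secretName: traefik-cert
        # ConfigMap from step 2 carrying traefik.toml.
        - name: config
          configMap:
            name: traefik-conf
      containers:
        - image: 172.16.230.84/source/traefik:v1.7
          name: traefik-ingress-lb
          volumeMounts:
            - mountPath: "/ssl"
              name: "ssl"
            - mountPath: "/config"
              name: "config"
          ports:
            - name: http
              containerPort: 80
              hostPort: 80
            # The API/dashboard enabled by --api below is reachable on port 18080
            # of EVERY node. In Traefik 1.7 the API has no authentication unless
            # one is configured on its entrypoint, and it reveals the full routing
            # configuration (hosts, backends). Restrict it: firewall the port,
            # protect the [api] entrypoint with auth, or drop this hostPort and
            # reach the admin port only through the Service.
            - name: admin
              containerPort: 8080
              hostPort: 18080
            - name: https
              containerPort: 443
              hostPort: 443
          # Drop every capability except the one needed to bind :80 and :443.
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          args:
            # Static configuration from the ConfigMap (entrypoints, TLS, redirect).
            - --configfile=/config/traefik.toml
            - --api
            - --kubernetes
            - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    # Exposes the unauthenticated admin API inside the cluster as well —
    # restrict with a NetworkPolicy or remove if not needed.
    - protocol: TCP
      port: 8080
      name: admin
    - protocol: TCP
      port: 443
      name: https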
5. Ingress without TLS
# Plain-HTTP Ingress. Traefik 1.7 only watches the extensions/v1beta1 Ingress
# API, so this apiVersion is intentional.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hipempifefrontend80
  namespace: senyint
  # NOTE(review): unlike the TLS Ingress in step 6 there is no
  # kubernetes.io/ingress.class annotation — confirm Traefik is the only ingress
  # controller in the cluster, otherwise another controller may also claim it.
spec:
  rules:
    - host: hip.cinyi.com
      http:
        paths:
          - path: /
            backend:
              serviceName: hipempifefrontend
              # Traffic to the backend is plain HTTP on port 80.
              servicePort: 80
6. Ingress TLS
[root@master1 traefik]# cat hipempifefrontend_443.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hipempifefrontend-web
  namespace: senyint
  annotations:
    # Pin this rule to Traefik so no other ingress controller picks it up.
    kubernetes.io/ingress.class: traefik
spec:
  tls:
    # The secret is resolved in THIS namespace (senyint) — that is why step 1
    # says the tls secret has to be created in every namespace. Traefik reads
    # it with the cluster-wide "secrets" permission granted in step 3.
    - secretName: traefik-cert
  rules:
    - host: fengjian.cinyi.com
      http:
        paths:
          # No "path" given: matches every path for this host.
          - backend:
              serviceName: hipempifefrontend
              servicePort: 80
参考
https://docs.traefik.io/v1.7/user-guide/kubernetes/#add-a-tls-certificate-to-the-ingress?tdsourcetag=s_pctim_aiomsg