[TOC]

# Binary installation

## Download the Traefik package

```shell
curl -L -o /usr/local/src/traefik_v2.10.4_linux_amd64.tar.gz https://github.com/traefik/traefik/releases/download/v2.10.4/traefik_v2.10.4_linux_amd64.tar.gz
```

## Extract Traefik

```shell
mkdir -p /app/traefik/{config/{dynamic,k8s-crd-rbac},pki,logs}
tar xvf /usr/local/src/traefik_v2.10.4_linux_amd64.tar.gz -C /app/traefik/
```

## Optional: create the CRD and RBAC resources in Kubernetes

>[info] Note: the following steps are only needed if the `kubernetesIngress` or `Kubernetes IngressRoute (kubernetesCRD)` provider is configured for Traefik's automatic discovery (providers).

```bash
cd /app/traefik/config/k8s-crd-rbac
curl -O https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
curl -O https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
kubectl apply -f ./kubernetes-crd-definition-v1.yml
kubectl apply -f ./kubernetes-crd-rbac.yml
kubectl create sa traefik-ingress-controller
# Show the secret that holds the service account token
kubectl describe secret "$(kubectl describe sa traefik-ingress-controller | awk '/Tokens/ {print $2}')"
```

## Traefik configuration file

```yaml
# Global configuration
global:
  checkNewVersion: true
  sendAnonymousUsage: true

# EntryPoints configuration
# web and webSecurity are entry point names and can be customized. Recommended names: web, webSecurity
# Note: traefik and metrics are built-in entry point names.
entryPoints:
  web:
    address: ":80"
  webSecurity:
    address: ":443"
  traefik:
    address: ":9000"
  metrics:
    address: ":9100"

# Traefik log settings
# https://doc.traefik.io/traefik/observability/logs/
log:
  filePath: "/app/traefik/logs/traefik.log"
  format: json
  level: DEBUG

# Access log settings for application traffic
# https://doc.traefik.io/traefik/observability/access-logs/
accessLog:
  filePath: "/app/traefik/logs/access.log"
  # Asynchronous log writing: the number of log lines Traefik keeps in memory before writing them to the selected output
  bufferingSize: 100
  format: json
  fields:
    defaultMode: keep
    names:
      StartUTC: drop
      # ClientAddr: drop

# Providers used by Traefik for dynamic discovery
# https://doc.traefik.io/traefik/providers/overview/
providers:
  file:
    directory: "/app/traefik/config/dynamic"
    watch: true
  kubernetesIngress:
    endpoint: "https://192.168.32.182:6443"
    certAuthFilePath: "/app/traefik/pki/ca.crt"  # use the Kubernetes root certificate
    token: ""  # token of the service account created above
  kubernetesCRD:
    endpoint: "https://192.168.32.182:6443"
    certAuthFilePath: "/app/traefik/pki/ca.crt"  # use the Kubernetes root certificate
    token: ""  # token of the service account created above

api:
  # Enable the dashboard page
  dashboard: true
  # Insecure access to the dashboard page; not recommended in production
  # insecure: true

# Health check
ping: true

# Traefik metrics data
metrics:
  prometheus:
    entryPoint: metrics
```

## Create the systemd service file

```shell
cat <<'EOF' | sudo tee /usr/lib/systemd/system/traefik.service > /dev/null
[Unit]
Description=traefik Server
Documentation=https://doc.traefik.io/traefik/
Wants=network.service
After=network.service

[Service]
Type=simple
ExecStart=/app/traefik/traefik --configfile /app/traefik/config/traefik.yml
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
```

## Start the Traefik service

```shell
systemctl daemon-reload
systemctl start traefik.service
```

## Access the dashboard

### Insecure access

1. In the Traefik configuration file, add `insecure: true` under the `api` field.
2. Restart the Traefik service.
3. Open http://{traefik ip}:{traefik port}; {traefik port} defaults to port `8080`.

![](https://img.kancloud.cn/b5/ed/b5edf7a479ba5b3b4177ccb8b4103c32_1920x903.png)

### Secure access

1. Add an `IngressRoute` resource to the Kubernetes cluster.

```shell
cat <<- 'EOF' | kubectl apply -f -
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
spec:
  entryPoints:
    - web
  routes:
    - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
EOF
```

2. Open `http://{traefik web}:{traefik web port}/dashboard/`.

>[danger] Note: the path must be `/dashboard/`, otherwise a `404 page not found` error is returned.

![](https://img.kancloud.cn/3c/66/3c661e08a1bc1123004202517f36e294_1920x908.png)

# Helm installation
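
The `dashboard` IngressRoute from the secure-access step of the binary installation serves `api@internal` on the `web` entry point (port 80) over plain HTTP with no authentication. The manifests below are an added example, not part of the original page: the same route moved to the page's `webSecurity` entry point with TLS and a `basicAuth` middleware. The Secret names `dashboard-users` and `dashboard-tls`, the middleware name `dashboard-auth` and the hash placeholder are assumptions.

```yaml
# Added example, not from the original page. All names marked "hypothetical"
# are assumptions; everything is created in the default namespace.
apiVersion: v1
kind: Secret
metadata:
  name: dashboard-users          # hypothetical name
type: Opaque
stringData:
  # One htpasswd-format line per user, e.g. from: htpasswd -nbB admin '<password>'
  users: "admin:<HTPASSWD_HASH_PLACEHOLDER>"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth           # hypothetical name
spec:
  basicAuth:
    secret: dashboard-users      # Secret above; Traefik reads its "users" key
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
spec:
  entryPoints:
    - webSecurity                # the page's :443 entry point instead of web (:80)
  routes:
    - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
      kind: Rule
      middlewares:
        - name: dashboard-auth   # every dashboard/API request must authenticate
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    secretName: dashboard-tls    # hypothetical kubernetes.io/tls Secret
```

With this route in place, `api.insecure` stays commented out in `traefik.yml`, so the dashboard is not also served without authentication on the `traefik` entry point.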