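1. Introduction to Traefik
Traefik is a powerful load-balancing tool. It supports basic layer-4 and layer-7 load balancing, configured simply through the IngressRoute, IngressRouteTCP and IngressRouteUDP resources. To meet more complex load-balancing needs, Traefik also provides the TraefikService abstraction, which enables advanced operations such as weighted round robin and traffic mirroring. The overall traffic flow is: external traffic first enters Traefik through an entryPoints port, is then matched by an IngressRoute/IngressRouteTCP/IngressRouteUDP, passes into a TraefikService for advanced load-balancing handling, and is finally forwarded to the Kubernetes service. In addition, Traefik supports layer-7 sticky sessions, health checks, passing request headers, response forwarding, failover and other features, providing comprehensive load-balancing and traffic-management capabilities for microservice architectures.
2. Installing Traefik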
# Add the repo
[root@k8s-master traefik]# helm repo add traefik https://helm.traefik.io/traefik
# Update the repo index
[root@k8s-master traefik]# helm repo update
# Search the repo for traefik
[root@k8s-master traefik]# helm search repo traefik
# Create the traefik namespace
[root@k8s-master traefik]# kubectl create ns traefik
# Install traefik
[root@k8s-master traefik]# helm install --namespace=traefik traefik traefik/traefik
# List the helm releases
[root@k8s-master traefik]# helm list -n traefik
# Check the pod resources
[root@k8s-master traefik]# kubectl get pod -n traefik
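Accessing the dashboard service by domain name
Traefik deployed with helm exposes its service through a LoadBalancer by default. To access it this way, you must first deploy MetalLB so that an EXTERNAL-IP can be assigned.
Kubernetes LoadBalancer series | MetalLB configuration and deployment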
kubectl get svc -n traefik
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
  namespace: traefik
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`traefik.zgh.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
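The route above publishes api@internal on the plain-HTTP web entry point with no authentication middleware. The following is an added example, not part of the original post: it builds a basicAuth credential with openssl and renders the same route behind a Middleware on the websecure entry point. The names dashboard-users and dashboard-auth and both function names are assumptions.

```shell
# Added example: Traefik dashboard route with basicAuth on the TLS entry point.
# dashboard-users and dashboard-auth are assumed names, not from the page.

# Build an htpasswd-style "user:hash" line; the password is read from stdin
# so that it does not show up in the process list or shell history.
htpasswd_entry() {  # $1 = user name
  printf '%s:%s\n' "$1" "$(openssl passwd -apr1 -stdin)"
}

# Print Secret + Middleware + IngressRoute; $1 = htpasswd entry, $2 = host name
render_dashboard() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: dashboard-users
  namespace: traefik
stringData:
  users: '$1'
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
  namespace: traefik
spec:
  basicAuth:
    secret: dashboard-users
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(\`$2\`) && (PathPrefix(\`/dashboard\`) || PathPrefix(\`/api\`))
      kind: Rule
      middlewares:
        - name: dashboard-auth
      services:
        - name: api@internal
          kind: TraefikService
  tls: {}   # no secretName: Traefik serves its default certificate
EOF
}
```

Run htpasswd_entry admin, type the password, and pipe the output of render_dashboard (called with that entry and traefik.zgh.com) to kubectl apply -f -.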
3. Using Traefik
IngressRoute
Deploy the myapp1 instance
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp1
spec:
  selector:
    matchLabels:
      app: myapp1
  template:
    metadata:
      labels:
        app: myapp1
    spec:
      containers:
        - name: myapp1
          image: ikubernetes/myapp:v1
          resources:
            limits:
              memory: "128Mi"
              cpu: "500m"
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: myapp1
spec:
  type: ClusterIP
  selector:
    app: myapp1
  ports:
    - port: 80
      targetPort: 80
Deploy the myapp2 instance
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp2
spec:
  selector:
    matchLabels:
      app: myapp2
  template:
    metadata:
      labels:
        app: myapp2
    spec:
      containers:
        - name: myapp2
          image: ikubernetes/myapp:v2
          resources:
            limits:
              memory: "128Mi"
              cpu: "500m"
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: myapp2
spec:
  type: ClusterIP
  selector:
    app: myapp2
  ports:
    - port: 80
      targetPort: 80
Create the resources and test access
[root@k8s-master ingress]# kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp1-795d947b45-9lsm6 1/1 Running 0 2m18s
myapp2-6ffd54f76-ljkr9 1/1 Running 0 66s
[root@k8s-master ingress]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
myapp1 ClusterIP 10.104.91.200 <none> 80/TCP 2m26s
myapp2 ClusterIP 10.111.245.32 <none> 80/TCP 100s
[root@k8s-master ingress]# curl 10.104.91.200
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@k8s-master ingress]# curl 10.111.245.32
Hello MyApp | Version: v2 | <a href="hostname.html">Pod Name</a>
HTTP domain routing
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: myapp1
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`myapp1.test.com`) # domain name
      kind: Rule
      services:
        - name: myapp1 # must match the name of the svc
          port: 80 # must match the port of the svc
Create the resource
[root@k8s-master ingress]# kubectl apply -f myapp1-ingress.yaml
ingressroute.traefik.containo.us/myapp1 created
[root@k8s-master ingress]# kubectl get ingressroute dashboard myapp1
[root@k8s-master ingress]# kubectl get ingressroute
NAME AGE
dashboard 4h26m
myapp1 20s
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: amq
  namespace: activemq-artemis-operator
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`amq.test.com`) # domain name
      kind: Rule
      services:
        - name: amq # must match the name of the svc
          port: 8161 # must match the port of the svc
HTTPS domain routing (own certificate)
For public-facing services, you can buy a certificate from a cloud provider. For internal services, simply create a self-signed certificate with openssl; note that the certificate files must be named tls.crt and tls.key. The following demonstrates the configuration with a self-signed certificate.
Create the self-signed certificate
[root@k8s-master ingress]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=myapp2.test.com"
Create a Secret resource that references the certificate files
[root@k8s-master ingress]# kubectl create secret tls myapp2-tls --cert=tls.crt --key=tls.key
secret/myapp2-tls created
[root@k8s-master ingress]# kubectl describe secrets myapp2-tls
Name: myapp2-tls
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.crt: 1131 bytes
tls.key: 1704 bytes
Create the IngressRoute rule file. When users outside the cluster access https://myapp2.test.com, their requests are proxied to the myapp2 application.
[root@k8s-master ingress]# cat myapp2-ingress.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: myapp2
spec:
  entryPoints:
    - websecure # listen on the websecure entry point, i.e. access through port 443
  routes:
    - match: Host(`myapp2.test.com`)
      kind: Rule
      services:
        - name: myapp2
          port: 80
  tls:
    secretName: myapp2-tls # name of the TLS certificate Secret
[root@k8s-master ingress]# kubectl apply -f myapp2-ingress.yaml
ingressroute.traefik.containo.us/myapp2 created
[root@k8s-master ingress]# kubectl get ingressroute
NAME AGE
dashboard 5h11m
myapp1 45m
myapp2 2m55s
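The certificate created above carries only a CN, while current browsers match host names against subjectAltName. The following is an added example, not part of the original post: it generates the pair with a SAN and checks that key and certificate match, that the SAN is present and that the certificate is not about to expire before the pair is loaded into the myapp2-tls Secret. The function names are assumptions, and -addext and -ext require OpenSSL 1.1.1 or newer.

```shell
# Added example: checks on tls.crt / tls.key before they go into a TLS Secret.
# Function names are illustrative; -addext and -ext need OpenSSL 1.1.1+.

# Self-signed pair like the one above, plus a subjectAltName entry.
make_selfsigned() {  # $1 = host name, $2 = output directory
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$2/tls.key" -out "$2/tls.crt" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null
}

# Certificate and key belong together when their public keys are identical.
pair_matches() {  # $1 = certificate, $2 = private key
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# True when the host name is listed as a DNS subjectAltName.
has_san() {  # $1 = certificate, $2 = host name
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$2"
}

# True when the certificate is still valid $2 days from now.
valid_for_days() {  # $1 = certificate, $2 = days
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Run all checks on the pair in directory $1 for host name $2.
preflight() {
  pair_matches "$1/tls.crt" "$1/tls.key" ||
    { echo "key does not match certificate"; return 1; }
  has_san "$1/tls.crt" "$2" || { echo "no DNS SAN for $2"; return 1; }
  valid_for_days "$1/tls.crt" 30 || { echo "expires within 30 days"; return 1; }
}

# Usage:
#   make_selfsigned myapp2.test.com . && preflight . myapp2.test.com &&
#     kubectl create secret tls myapp2-tls --cert=tls.crt --key=tls.key
```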