TonyChyi

I once went a bit mad in that corner

Notes on taming Traefik
December 23, 2019

Today I tinkered with the site again: I upgraded K3s to the latest version and noticed along the way that Traefik is already at 2.1.1, so I gave that a go as well.

Update the existing configuration file

apiVersion: v1
data:
  traefik.toml: |
    # traefik.toml

    [global]
      checkNewVersion = true
    [entryPoints]
      [entryPoints.http]
        address = ":80"
      [entryPoints.https]
        address = ":443"
      [entryPoints.traefik]
        address = ":8080"
    [providers]
      providersThrottleDuration = "2s"
      [providers.kubernetesCRD]
      [providers.kubernetesIngress]
        throttleDuration = "0s"
        [providers.kubernetesIngress.ingressEndpoint]
          hostname = "wetofu.top"
          publishedService = "kube-system/traefik"
    [certificatesResolvers]  # define the certificate resolvers; here a resolver named default is defined
      [certificatesResolvers.default.acme]
        email = "邮箱地址"
        storage = "/acme/acme-v2.json"
        [certificatesResolvers.default.acme.dnsChallenge]
          provider = "cloudflare"
          resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
    [api]
      insecure = true
      dashboard = true
    [metrics]
      [metrics.prometheus]
        entryPoint = "traefik"
    [ping]
      entryPoint = "http"
    [log]
      level = "info"
      format = "json"
kind: ConfigMap
metadata:
  labels:
    app: traefik
    chart: traefik-1.77.1
    heritage: Tiller
    release: traefik
  name: traefik
  namespace: kube-system

Update the Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: traefik
    chart: traefik-1.77.1
    heritage: Tiller
    release: traefik
  name: traefik
  namespace: kube-system
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: traefik
      release: traefik
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        checksum/config: 5072e2b9911158c04b7b76568f0c4f477d59793d52d6a44d35a4910b5e15527c
      creationTimestamp: null
      labels:
        app: traefik
        chart: traefik-1.77.1
        heritage: Tiller
        release: traefik
    spec:
      containers:
        - args:
            - --configfile=/config/traefik.toml
          env:
            - name: CLOUDFLARE_EMAIL
              valueFrom:
                secretKeyRef:
                  key: CLOUDFLARE_EMAIL
                  name: traefik-dnsprovider-config
            - name: CLOUDFLARE_API_KEY
              valueFrom:
                secretKeyRef:
                  key: CLOUDFLARE_API_KEY
                  name: traefik-dnsprovider-config
          image: traefik:2.1.1  # change to the new version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /ping
              port: 80
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          name: traefik
          ports:
            - containerPort: 80
              name: http
              protocol: TCP
            - containerPort: 8880
              name: httpn
              protocol: TCP
            - containerPort: 443
              name: https
              protocol: TCP
            - containerPort: 8080
              name: dash
              protocol: TCP
          readinessProbe:
            failureThreshold: 1
            httpGet:
              path: /ping
              port: 80
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /config
              name: config
            - mountPath: /acme
              name: acme
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: traefik
      serviceAccountName: traefik
      terminationGracePeriodSeconds: 60
      volumes:
        - configMap:
            defaultMode: 420
            name: traefik
          name: config
        - hostPath:
            path: /app/tls
            type: Directory
          name: acme

Modify the RBAC permissions

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik
rules:
  # add the rules for the traefik.containo.us API group
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - ingressroutes
      - ingressroutetcps
      - tlsoptions
      - traefikservices
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - pods
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update

Add the custom resource definitions

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced

Add middlewares (Middleware)

# Authentication middleware, using basic auth.

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-auth
spec:
  basicAuth:
    secret: traefik-users
---
apiVersion: v1
kind: Secret
metadata:
  name: traefik-users
data:
  users: |
    base64 编码的 htpasswd 文件

# Enable gzip compression

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: site-compress
spec:
  compress: {}

# Force redirect to https

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-to-https
spec:
  redirectScheme:
    scheme: https
    permanent: true
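The basicAuth middleware defined above is most useful in front of the dashboard, which the static config currently serves unauthenticated on the `traefik` entrypoint (`[api] insecure = true`). The following IngressRoute is an added example, not part of the original post: it publishes Traefik's built-in `api@internal` service on the `https` entrypoint behind `traefik-auth`. The hostname `traefik.your.domain` is a placeholder; the middleware is assumed to live in the `default` namespace, as on this page.

```yaml
# Added example (not from the original post): serve the dashboard and API
# through an authenticated, TLS-terminated route instead of the plain :8080 port.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: default          # same namespace as the traefik-auth Middleware
spec:
  entryPoints:
    - https
  routes:
    # placeholder hostname; the dashboard needs both /dashboard and /api
    - match: Host(`traefik.your.domain`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      middlewares:
        - name: traefik-auth  # basicAuth backed by the traefik-users Secret
      services:
        - name: api@internal  # Traefik's built-in API/dashboard service
          kind: TraefikService
  tls:
    certResolver: default     # the ACME resolver from the ConfigMap
```

With this route in place, `insecure` in the `[api]` section can be set to `false` (keeping `dashboard = true`) and the `dash` container port on 8080 no longer needs to be reachable from outside the cluster. The `users` value of the `traefik-users` Secret is the base64 encoding of an htpasswd file; Traefik accepts MD5, SHA1 and bcrypt hashes, so `htpasswd -nB` output works.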

Special Ingress rules

# Instead of the standard Kubernetes Ingress, use Traefik's own IngressRoute

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: wetofu-top
  namespace: default
spec:
  entryPoints:
    - https
  routes:
    - match: PathPrefix(`/`)  # to match a hostname use Host(`your.domain1.com`, `your.domain2.com`); the && and || operators are supported
      kind: Rule
      middlewares:
        - name: redirect-to-https
        - name: site-compress
      services:
        - name: wetofu-top-svc
          port: 80
  tls:
    # the config file defines the certificate resolver named default
    domains:
      # set the domains to request a certificate for
      - main: "*.your.domain"
        sans:
        - "your.domain"
    certResolver: default
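The route above only listens on the `https` entrypoint, so the `redirect-to-https` middleware attached to it has nothing to change for requests that already arrive over TLS. What turns plain-HTTP requests into redirects is a companion route on the `http` entrypoint. The manifest below is an added example, not from the original post; it assumes the `wetofu-top-svc` Service and the `redirect-to-https` Middleware from this page, both in the `default` namespace.

```yaml
# Added example (not from the original post): catch-all route on the http
# entrypoint that answers every request with a permanent redirect to https://.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: wetofu-top-http
  namespace: default
spec:
  entryPoints:
    - http                    # the ":80" entrypoint from the ConfigMap
  routes:
    - match: PathPrefix(`/`)  # every path; add Host(...) to limit it to one site
      kind: Rule
      middlewares:
        - name: redirect-to-https   # redirectScheme, scheme=https, permanent
      services:
        # a route must name a service, but the redirect middleware replies
        # before the request is ever forwarded to it
        - name: wetofu-top-svc
          port: 80
```

Because the middleware issues a 301 to the same host and path under `https://`, the wildcard certificate requested by the `https` route covers the redirected request as well; nothing needs to be served over plain HTTP except the redirect itself.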

Traefik renews the certificates for these domains automatically.

For details on the configuration, refer to the Traefik documentation.

Tags: #K3s · #Traefik


TonyChyi © 2020 GPLv2