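Abstract
Traefik supports a rich set of annotation-based settings that enable many useful features, such as automatic circuit breaking, load-balancing strategies, blacklists and whitelists. That makes Traefik an excellent tool for microservices.
Using Traefik together with a JD Cloud Kubernetes cluster and other cloud services (RDS, NAS, OSS, block storage and so on), you can quickly build an elastically scalable microservice cluster.
Traefik is a modern HTTP reverse proxy and load balancer built to make deploying microservices easier. It supports many backends (Kubernetes, Docker, Swarm, Marathon, Mesos, Consul, Etcd, Zookeeper and others).
This article covers the following steps:
- Kubernetes permission configuration (RBAC);
- Deploying Traefik;
- Creating three sample services;
- Creating Ingress rules and testing access to each service through Traefik by PATH;
- Configuring a domain name and TLS certificate in Traefik, and redirecting HTTP to HTTPS.
The YAML files used to deploy Traefik in this article are all based on the official Traefik examples, with modifications to suit JD Cloud Kubernetes clusters:
https://github.com/containous/traefik/tree/master/examples/k8s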
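Basic Concepts
Ingress Edge Routing
Although the Pods and Services deployed in a Kubernetes cluster each have their own IP address, they cannot be reached from outside the cluster. Services can be exposed by listening on a NodePort, but that approach is inflexible and is not recommended for production.
Ingress is an API resource object in a Kubernetes cluster that plays the role of an edge router; it can also be thought of as the cluster's firewall or gateway. You can define custom routing rules to forward, manage and expose services (groups of Pods). This is very flexible and is the recommended approach for production.
In Kubernetes, the IP addresses of Services and Pods are usable only inside the cluster network and are not visible to applications outside the cluster. To let external applications reach services inside the cluster, Kubernetes offers the NodePort and LoadBalancer Service types, or Ingress.
Ingress essentially forwards external HTTP requests to backend services inside the cluster through an HTTP proxy server. With Ingress, an external application accesses services in the cluster as follows:
An Ingress is the set of routing rules for requests entering the cluster.
Ingress can give a Service an externally reachable URL, load balancing, SSL termination, HTTP routing and more. To put these Ingress rules into effect, the cluster administrator deploys an Ingress controller, which watches for changes to Ingresses and Services, configures load balancing according to the rules, and provides the access entry point.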
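What Is Traefik?
Traefik has more than 19K stars on GitHub:
https://github.com/containous/traefik
Traefik is a modern HTTP reverse proxy and load balancer designed for deploying microservices.
Traefik is a lightweight HTTP reverse proxy and load balancer written in Golang. Although it is a newcomer compared with Nginx, it embraces Kubernetes natively and talks directly to the cluster's API server, so it reacts very quickly. It also provides a friendly dashboard and monitoring interface, where you can view the routing configuration Traefik generates from Ingresses as well as performance metrics such as total response time, average response time, and the total count of each response code returned.
In addition, Traefik supports a rich set of annotation-based settings that enable many useful features, such as automatic circuit breaking, load-balancing strategies, blacklists and whitelists. That makes Traefik an excellent tool for microservices.
Traefik User Guide for Kubernetes:
https://docs.traefik.io/user-guide/kubernetes/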
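JD Cloud Kubernetes Cluster
JD Cloud Kubernetes integrates JD Cloud's virtualization, storage and networking capabilities to provide high-performance, scalable container application management. It simplifies tasks such as building and scaling clusters, so users can focus on developing and managing containerized applications.
Users can create a secure, highly available Kubernetes cluster on JD Cloud. The Kubernetes service is fully managed by JD Cloud, which ensures the stability and reliability of the cluster, so users can conveniently manage container applications with Kubernetes on JD Cloud.
JD Cloud Kubernetes cluster:
https://3.cn/C5KdrKa
Prerequisites
Creating a JD Cloud Kubernetes Cluster
Create the Kubernetes cluster
See:
https://docs.jdcloud.com/cn/jcs-for-kubernetes/create-to-cluster
Kubernetes Client Configuration
After the cluster is created, configure the kubectl client to connect to the Kubernetes cluster.
See:
https://docs.jdcloud.com/cn/jcs-for-kubernetes/connect-to-cluster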
Traefik Deployment
Permission Configuration
Create the corresponding ClusterRole and ClusterRoleBinding to grant Traefik the permissions it needs.
The YAML file is as follows:
$ cat traefik-rbac.yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
Create the resources:
$ kubectl create -f traefik-rbac.yaml
clusterrole "traefik-ingress-controller" created
clusterrolebinding "traefik-ingress-controller" created
Created successfully:
$ kubectl get clusterrole -n kube-system | grep traefik
traefik-ingress-controller   25s

$ kubectl get clusterrolebinding -n kube-system | grep traefik
traefik-ingress-controller   35s
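The ClusterRole above includes secrets, and because it is attached with a ClusterRoleBinding the grant applies in every namespace. The check below is an added example (not from the original article or the Traefik project) that flags such rules in `kubectl get -o json` style input; `audit_rbac`, the finding labels and the sample objects are assumptions constructed from the manifest above.

```python
# Added example: lint the RBAC objects an ingress controller is bound to.
# The sample objects are constructed from the page's traefik-rbac.yaml, in the
# shape `kubectl get clusterrole,clusterrolebinding -o json` returns.
CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "traefik-ingress-controller"},
    "rules": [
        {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["extensions"], "resources": ["ingresses"],
         "verbs": ["get", "list", "watch"]},
    ],
}
CLUSTER_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "traefik-ingress-controller"},
    "roleRef": {"kind": "ClusterRole", "name": "traefik-ingress-controller"},
    "subjects": [{"kind": "ServiceAccount", "name": "traefik-ingress-controller",
                  "namespace": "kube-system"}],
}
# Hypothetical narrower variant: the same ClusterRole bound by a RoleBinding,
# which limits the grant to the binding's own namespace.
NAMESPACED_BINDING = dict(CLUSTER_BINDING, kind="RoleBinding",
                          metadata={"name": "traefik-ingress-controller",
                                    "namespace": "default"})

READ_VERBS = {"get", "list", "watch"}


def audit_rbac(role, binding):
    """Return (finding, scope) tuples for rules broader than read-only routing data."""
    if binding["roleRef"]["name"] != role["metadata"]["name"]:
        raise ValueError("binding does not reference this role")
    cluster_wide = binding["kind"] == "ClusterRoleBinding"
    scope = "all namespaces" if cluster_wide else binding["metadata"]["namespace"]
    findings = []
    for rule in role.get("rules", []):
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in resources | verbs | set(rule.get("apiGroups", [])):
            findings.append(("wildcard-rule", scope))
        if verbs - READ_VERBS - {"*"}:
            findings.append(("write-verbs", scope))
        # get/list/watch on secrets returns the secret data, so a cluster-wide
        # binding lets the controller's token read every namespace's secrets.
        reads = bool(verbs & (READ_VERBS | {"*"}))
        if cluster_wide and reads and resources & {"secrets", "*"}:
            findings.append(("secrets-readable-cluster-wide", scope))
    return findings


if __name__ == "__main__":
    print(audit_rbac(CLUSTER_ROLE, CLUSTER_BINDING))
    print(audit_rbac(CLUSTER_ROLE, NAMESPACED_BINDING))
```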
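Deploy Traefik
This article deploys Traefik with a Deployment. Traefik also provides a DaemonSet deployment option:
https://github.com/containous/traefik/blob/master/examples/k8s/traefik-ds.yaml
Traefik's port 80 receives HTTP requests and port 8080 serves the Dashboard. A Service of type LoadBalancer creates a JD Cloud load balancer (SLB) that acts as the single entry point to the K8s cluster.
The YAML file is as follows: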
$ cat traefik-deployment.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: LoadBalancer
Create the resources:
$ kubectl create -f traefik-deployment.yaml
serviceaccount "traefik-ingress-controller" created
deployment "traefik-ingress-controller" created
service "traefik-ingress-service" created
The Pod is running normally:
$ kubectl get pod -n kube-system | grep traefik
traefik-ingress-controller-668679b744-jvmbg   1/1   Running   57s
View the Pod logs:
$ kubectl logs traefik-ingress-controller-668679b744-jvmbg -n kube-system
time="2018-12-15T16:58:49Z" level=info msg="Traefik version v1.7.6 built on 2018-12-14_06:43:37AM"
time="2018-12-15T16:58:49Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
time="2018-12-15T16:58:49Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc0005f9e20} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2018-12-15T16:58:49Z" level=info msg="Preparing server traefik &{Address::8080 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc0005f9e40} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2018-12-15T16:58:49Z" level=info msg="Starting provider configuration.ProviderAggregator {}"
time="2018-12-15T16:58:49Z" level=info msg="Starting server on :80"
time="2018-12-15T16:58:49Z" level=info msg="Starting server on :8080"
time="2018-12-15T16:58:49Z" level=info msg="Starting provider *kubernetes.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":[],\"Trace\":false,\"TemplateVersion\":0,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"\",\"Token\":\"\",\"CertAuthFilePath\":\"\",\"DisablePassHostHeaders\":false,\"EnablePassTLSCert\":false,\"Namespaces\":null,\"LabelSelector\":\"\",\"IngressClass\":\"\",\"IngressEndpoint\":null}"
time="2018-12-15T16:58:49Z" level=info msg="ingress label selector is: \"\""
time="2018-12-15T16:58:49Z" level=info msg="Creating in-cluster Provider client"
time="2018-12-15T16:58:50Z" level=info msg="Server configuration reloaded on :80"
time="2018-12-15T16:58:50Z" level=info msg="Server configuration reloaded on :8080"
View the SLB Service for Traefik:
$ kubectl get svc/traefik-ingress-service -n kube-system
NAME                      TYPE           CLUSTER-IP    EXTERNAL-IP     PORT(S)                       AGE
traefik-ingress-service   LoadBalancer   10.0.58.175   114.67.95.167   80:30331/TCP,8080:30232/TCP   2m
The public IP of the JD Cloud load balancer is 114.67.95.167.
To access services in the K8s cluster by domain name, resolve the domain name to this public IP.
At this point, the Traefik Dashboard can be accessed at "public IP:8080".
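As deployed above, `--api` is on and the LoadBalancer Service publishes port 8080, so the dashboard and API are reachable on the public IP with no authentication configured (the log shows `Auth:<nil>` for the `traefik` entry point); the image `traefik` also carries no tag. The check below is an added example, not part of the original article or of Traefik: `audit_exposure`, `is_pinned` and the sample objects are assumptions built from the manifest above.

```python
# Added example: flag a Traefik 1.x API/dashboard port that a Service publishes
# outside the cluster, and images that are not pinned. Sample objects are
# constructed from the page's traefik-deployment.yaml (kubectl -o json shape).
CONTAINER = {"name": "traefik-ingress-lb", "image": "traefik",
             "args": ["--api", "--kubernetes", "--logLevel=INFO"],
             "ports": [{"name": "http", "containerPort": 80},
                       {"name": "admin", "containerPort": 8080}]}
DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {
    "metadata": {"labels": {"k8s-app": "traefik-ingress-lb"}},
    "spec": {"containers": [CONTAINER]}}}}
SERVICE = {"kind": "Service", "spec": {
    "type": "LoadBalancer", "selector": {"k8s-app": "traefik-ingress-lb"},
    "ports": [{"name": "web", "protocol": "TCP", "port": 80},
              {"name": "admin", "protocol": "TCP", "port": 8080}]}}
# Hypothetical corrected pair: image pinned to the version shown in the page's
# log, and the admin port dropped from the public Service.
PINNED = {"kind": "Deployment", "spec": {"template": {
    "metadata": {"labels": {"k8s-app": "traefik-ingress-lb"}},
    "spec": {"containers": [dict(CONTAINER, image="traefik:v1.7.6")]}}}}
WEB_ONLY = {"kind": "Service", "spec": dict(
    SERVICE["spec"], ports=[p for p in SERVICE["spec"]["ports"] if p["name"] != "admin"])}


def is_pinned(image):
    """True if the image reference carries a digest or an explicit non-latest tag."""
    if "@" in image:
        return True
    last = image.rsplit("/", 1)[-1]          # ignore a registry host:port prefix
    return ":" in last and not last.endswith(":latest")


def audit_exposure(service, deployment, api_port=8080):
    """Return findings; api_port is the default `traefik` entry point (:8080)."""
    pod = deployment["spec"]["template"]
    spec, findings = service["spec"], []
    selector = spec.get("selector") or {}
    labels = pod["metadata"].get("labels", {})
    selected = bool(selector) and all(labels.get(k) == v for k, v in selector.items())
    external = spec.get("type") in ("LoadBalancer", "NodePort")
    for c in pod["spec"]["containers"]:
        if not is_pinned(c["image"]):
            findings.append(f"unpinned image: {c['image']}")
        api_on = any(a in ("--api", "--api=true") for a in c.get("args", []))
        if not (api_on and external and selected):
            continue
        named = {p["name"]: p["containerPort"] for p in c.get("ports", []) if "name" in p}
        for sp in spec.get("ports", []):
            target = sp.get("targetPort", sp["port"])   # targetPort defaults to port
            if named.get(target, target) == api_port:
                findings.append(f"{spec['type']} port {sp['port']} publishes the Traefik API")
    return findings
```

With the admin port removed from the public Service, the dashboard is still reachable from inside the cluster on the Pod's port 8080.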
Traefik Usage Example
Create three Deployments that serve HTTP, named Stilton, Cheddar and Wensleydale.
$ cat cheese-deployments.yaml
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: stilton
  labels:
    app: cheese
    cheese: stilton
spec:
  replicas: 2
  selector:
    matchLabels:
      app: cheese
      task: stilton
  template:
    metadata:
      labels:
        app: cheese
        task: stilton
        version: v0.0.1
    spec:
      containers:
      - name: cheese
        image: errm/cheese:stilton
        resources:
          requests:
            cpu: 100m
            memory: 50Mi
          limits:
            cpu: 100m
            memory: 50Mi
        ports:
        - containerPort: 80
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: cheddar
  labels:
    app: cheese
    cheese: cheddar
spec:
  replicas: 2
  selector:
    matchLabels:
      app: cheese
      task: cheddar
  template:
    metadata:
      labels:
        app: cheese
        task: cheddar
        version: v0.0.1
    spec:
      containers:
      - name: cheese
        image: errm/cheese:cheddar
        resources:
          requests:
            cpu: 100m
            memory: 50Mi
          limits:
            cpu: 100m
            memory: 50Mi
        ports:
        - containerPort: 80
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: wensleydale
  labels:
    app: cheese
    cheese: wensleydale
spec:
  replicas: 2
  selector:
    matchLabels:
      app: cheese
      task: wensleydale
  template:
    metadata:
      labels:
        app: cheese
        task: wensleydale
        version: v0.0.1
    spec:
      containers:
      - name: cheese
        image: errm/cheese:wensleydale
        resources:
          requests:
            cpu: 100m
            memory: 50Mi
          limits:
            cpu: 100m
            memory: 50Mi
        ports:
        - containerPort: 80
$ kubectl create -f cheese-deployments.yaml
deployment "stilton" created
deployment "cheddar" created
deployment "wensleydale" created
The corresponding Services:
$ cat cheese-services.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: stilton
spec:
  ports:
  - name: http
    targetPort: 80
    port: 80
  selector:
    app: cheese
    task: stilton
---
apiVersion: v1
kind: Service
metadata:
  name: cheddar
spec:
  ports:
  - name: http
    targetPort: 80
    port: 80
  selector:
    app: cheese
    task: cheddar
---
apiVersion: v1
kind: Service
metadata:
  name: wensleydale
spec:
  ports:
  - name: http
    targetPort: 80
    port: 80
  selector:
    app: cheese
    task: wensleydale
$ kubectl create -f cheese-services.yaml
service "stilton" created
service "cheddar" created
service "wensleydale" created
The Ingress YAML file is as follows:
$ cat my-cheeses-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cheeses
  annotations:
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
  - host: www.<your-domain-name>.com
    http:
      paths:
      - path: /stilton
        backend:
          serviceName: stilton
          servicePort: http
      - path: /cheddar
        backend:
          serviceName: cheddar
          servicePort: http
      - path: /wensleydale
        backend:
          serviceName: wensleydale
          servicePort: http
Create the Ingress:
$ kubectl create -f my-cheeses-ingress.yaml
ingress "cheeses" created
Created successfully:
$ kubectl describe ingress/cheeses
Name:             cheeses
Namespace:        default
Address:
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host                        Path  Backends
  ----                        ----  --------
  www.<your-domain-name>.com
                              /stilton       stilton:http (<none>)
                              /cheddar       cheddar:http (<none>)
                              /wensleydale   wensleydale:http (<none>)
Annotations:
Events:  <none>
Access directly by ELB IP + PATH:
$ curl 114.67.95.167/stilton
404 page not found
The request fails because the Ingress rule specifies a host.
Specify the host in the request header:
$ curl -H "Host:www.<your-domain-name>.com" 114.67.95.167/stilton
<html>
  <head>
    <style>
      html {
        background: url(./bg.png) no-repeat center center fixed;
        -webkit-background-size: cover;
        -moz-background-size: cover;
        -o-background-size: cover;
        background-size: cover;
      }

      h1 {
        font-family: Arial, Helvetica, sans-serif;
        background: rgba(187, 187, 187, 0.5);
        width: 3em;
        padding: 0.5em 1em;
        margin: 1em;
      }
    </style>
  </head>
  <body>
    <h1>Stilton</h1>
  </body>
</html>
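The request succeeds.
However, because the domain name has not completed its filing (ICP registration), this kind of access is blocked by JD Cloud.
There are two options:
1. Remove the host from the Ingress;
2. Register a domain name and bind a certificate and private key.
Comment out the host field: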
$ cat my-cheeses-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cheeses
  annotations:
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
# - host: www.<your-domain-name>.com
  - http:
      paths:
      - path: /stilton
        backend:
          serviceName: stilton
          servicePort: http
      - path: /cheddar
        backend:
          serviceName: cheddar
          servicePort: http
      - path: /wensleydale
        backend:
          serviceName: wensleydale
          servicePort: http
Replace the Ingress:
$ kubectl replace -f my-cheeses-ingress.yaml
ingress "cheeses" replaced
$ kubectl get ingress
NAME      HOSTS   ADDRESS   PORTS   AGE
cheeses   *                 80      18m
The Ingress is updated; access the services by public IP + PATH.
Stilton service:
$ curl -I 114.67.95.167/stilton
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 517
Content-Type: text/html
Date: Thu, 20 Dec 2018 06:19:15 GMT
Etag: "5784f6c9-205"
Last-Modified: Tue, 12 Jul 2016 13:55:21 GMT
Server: nginx/1.11.1
Cheddar service:
$ curl -I 114.67.95.167/cheddar
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 517
Content-Type: text/html
Date: Thu, 20 Dec 2018 06:19:54 GMT
Etag: "5784f6e1-205"
Last-Modified: Tue, 12 Jul 2016 13:55:45 GMT
Server: nginx/1.11.1
Wensleydale service:
$ curl -I 114.67.95.167/wensleydale
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 521
Content-Type: text/html
Date: Thu, 20 Dec 2018 06:20:00 GMT
Etag: "5784f6fb-209"
Last-Modified: Tue, 12 Jul 2016 13:56:11 GMT
Server: nginx/1.11.1
All three services can be accessed normally via /.
Apply for a domain name: .com, complete its filing (ICP registration) on JD Cloud, and resolve it to the SLB public IP: 114.67.95.167
Certificate and private key:
$ ll *.pem
-rw-r--r-- 1 pmo_jd_a pmo_jd_a 3554 Dec 20 16:04 fullchain.pem
-rw------- 1 pmo_jd_a pmo_jd_a 1708 Dec 20 16:04 privkey.pem
Create a Secret to hold the certificate and private key:
$ kubectl create secret generic traefik-cert --from-file=fullchain.pem --from-file=privkey.pem -n kube-system
secret "traefik-cert" created
Traefik configuration file (HTTP requests are redirected to HTTPS; the certificate and private key live in the /ssl/ directory, so the Secret must be mounted at that directory for Traefik to read them):
# cat traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/fullchain.pem"
      KeyFile = "/ssl/privkey.pem"
Create a ConfigMap to hold the configuration file traefik.toml:
$ kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
configmap "traefik-conf" created
Traefik must be redeployed; the new YAML file is as follows:
$ cat traefik-deployment-new.yaml
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
        - --configfile=/config/traefik.toml
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
Redeploy:
$ kubectl replace -f traefik-deployment-new.yaml
deployment "traefik-ingress-controller" replaced
$ kubectl get pod -n kube-system | grep traefik
traefik-ingress-controller-668679b744-jvmbg   /1    Terminating         4d
traefik-ingress-controller-7d6cd769c9-2p57t   /1    ContainerCreating   3s
$ kubectl get pod -n kube-system | grep traefik
traefik-ingress-controller-7d6cd769c9-2p57t   1/1   Running             19s
The redeployed Pod is running normally.
View the Pod logs:
$ kubectl logs traefik-ingress-controller-7d6cd769c9-2p57t -n kube-system
time="2018-12-20T09:29:30Z" level=info msg="Preparing server traefik &{Address::8080 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc00072dbc0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2018-12-20T09:29:30Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:0xc00059de40 Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc00072db80} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2018-12-20T09:29:30Z" level=info msg="Preparing server https &{Address::443 TLS:0xc000216c60 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc00072dba0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2018-12-20T09:29:30Z" level=info msg="Starting provider configuration.ProviderAggregator {}"
time="2018-12-20T09:29:30Z" level=info msg="Starting server on :8080"
time="2018-12-20T09:29:30Z" level=info msg="Starting server on :80"
time="2018-12-20T09:29:30Z" level=info msg="Starting server on :443"
time="2018-12-20T09:29:30Z" level=info msg="Starting provider *kubernetes.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":[],\"Trace\":false,\"TemplateVersion\":0,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"\",\"Token\":\"\",\"CertAuthFilePath\":\"\",\"DisablePassHostHeaders\":false,\"EnablePassTLSCert\":false,\"Namespaces\":null,\"LabelSelector\":\"\",\"IngressClass\":\"\",\"IngressEndpoint\":null}"
time="2018-12-20T09:29:30Z" level=info msg="ingress label selector is: \"\""
time="2018-12-20T09:29:30Z" level=info msg="Creating in-cluster Provider client"
time="2018-12-20T09:29:30Z" level=info msg="Server configuration reloaded on :8080"
time="2018-12-20T09:29:30Z" level=info msg="Server configuration reloaded on :80"
time="2018-12-20T09:29:30Z" level=info msg="Server configuration reloaded on :443"
Update the Ingress:
$ cat my-cheeses-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cheeses
  annotations:
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
  - host: www.<your-domain-name>.com
    http:
      paths:
      - path: /stilton
        backend:
          serviceName: stilton
          servicePort: http
      - path: /cheddar
        backend:
          serviceName: cheddar
          servicePort: http
      - path: /wensleydale
        backend:
          serviceName: wensleydale
          servicePort: http
Replace the Ingress:
$ kubectl replace -f my-cheeses-ingress.yaml
Update the Traefik Service to open port 443:
$ cat traefik-service.yaml
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
    - protocol: TCP
      port: 443
      name: tls
  type: LoadBalancer
Apply the Service update:
$ kubectl apply -f traefik-service.yaml -n kube-system
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
service "traefik-ingress-service" configured
HTTPS access:
https://www.your-domain-name.com/stilton
and HTTP:
http://www.your-domain-name.com/stilton
Both work, and HTTP requests are redirected to HTTPS.
This article only tested Traefik's route distribution. Traefik can do far more than that; its main features are roughly as follows:
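- It is very fast
- No other dependencies to install; a single executable written in Go
- REST API support
- Support for many backends: Docker, Swarm, Kubernetes, Marathon, Mesos, Consul, Etcd, with more to come
- Backend watching: it listens for backend changes and automatically applies the new configuration
- Hot reloading of the configuration file, with no process restart required
- Graceful termination of HTTP connections
- Backend circuit breakers
- Round-robin and rebalancer load balancing
- REST metrics
- A minimal official Docker image
- SSL support for backends
- SSL support for frontends (including SNI)
- A clean AngularJS web UI
- WebSocket support
- HTTP/2 support
- Retry on network errors
- Let's Encrypt support (automatic HTTPS certificate renewal)
- High-availability cluster mode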
Source: ITPUB Blog, http://blog.itpub.net/69912185/viewspace-2638320/. If you repost this article, credit the source; otherwise legal liability will be pursued.