在阿里云ACK使用Traefik Ingress并通过已有的SLB负载均衡公开应用

2023年1月1日16:50:57 发表评论 1,379 ℃

阿里云的ACK默认只提供了3个Ingress Controller组件的自动安装,分别是ALB Ingress Controller、MSE Ingress Controller和Nginx Ingress Controller。

在阿里云ACK使用Traefik Ingress并通过已有的SLB负载均衡公开应用

当我们想使用Traefik Ingress Controller时,只能自己手动部署。

Traefik 官方文档也提供了安装方法,通过Helm Chart方式部署到Kubernetes集群,安装步骤:

要求

Kubernetes 1.16+

安装了Helm 版本 3.9+

将 Traefik Labs 图表存储库添加到 Helm:

helm repo add traefik https://traefik.github.io/charts

您可以通过运行以下命令来更新图表存储库:

helm repo update

helm并使用命令行安装它:

helm install traefik traefik/traefik

当然实际安装的时候,还需要根据自己的需求设置参数。

这种方式是比较简单的,但是对于我们需要更深入的了解Traefik Ingress Controller的人来说,可能这种方式太过简单。

所以我这里采用CRD的方式安装配置Traefik Ingress Controller

Traefik的路由方式有两种,一种是传统的Ingress一种是IngressRoute,这里部署让两种方式都支持。

1、部署crd,由于文件比较大,这里直接使用GitHub的文件连接

kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml

2、部署rbac

kubectl apply -f rbac.yaml

rbac.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - middlewaretcps
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
    verbs:
      - get
      - list
      - watch
---
# 为 Traefik 创建一个专用服务帐户
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: traefik-account
---
# 将角色绑定到帐户上 将权限和规则应用到帐户上
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-account
    namespace: default

3、部署IngressClass(可选)

kubectl apply -f ingressClass.yaml

ingressClass.yaml:

apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: traefik-lb
spec:
  controller: traefik.io/ingress-controller

4、部署traefik,这里采用DaemonSet,也可以采用Deployment

kubectl apply -f traefik-daemonset.yaml

traefik-daemonset.yaml:

---
apiVersion: v1
kind: Service
metadata:
  name: traefik-ingress-lb
  labels:
    app: traefik
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id: lb-xxxxx   # 阿里云slb id,需要提前创建一个
    service.beta.kubernetes.io/alicloud-loadbalancer-force-override-listeners: 'true' #创建监听
spec:
#  type: NodePort
  type: LoadBalancer
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
#      nodePort: 30080  #NodePort方式时,建议固定端口
    - name: https
      port: 443
      targetPort: 443
#      nodePort: 30433
      protocol: TCP
  selector:
    app: traefik
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  namespace: default
  name: traefik-ingress-controller
  labels:
    app: traefik
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-account
      containers:
        - name: traefik
          image: traefik:v2.9
          args:
            - --api.insecure
            - --accesslog
            - --entrypoints.web.Address=:80
            - --entrypoints.websecure.Address=:443
            - --providers.kubernetescrd=true
            - --providers.kubernetesingress=true
            - --providers.kubernetesingress.ingressclass=traefik-lb
            - --providers.kubernetesingress.ingressendpoint.ip=xx.xx.xx.xx
#            - --providers.kubernetesingress.ingressendpoint.hostname=alb-xxxx.cn-chengdu.alb.aliyuncs.com
            - --certificatesresolvers.default.acme.tlschallenge
            - --certificatesresolvers.default.acme.email=foo@you.com
            - --certificatesresolvers.default.acme.storage=acme.json
            - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
          ports:
            - name: web
              containerPort: 80
            - name: websecure
              containerPort: 443
            - name: admin
              containerPort: 8080
          resources:
            limits:
              cpu: 1000m
              memory: 512Mi
            requests:
              cpu: 50m
              memory: 128Mi
          readinessProbe:
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 1
            failureThreshold: 5
            tcpSocket:
              port: 80
          livenessProbe:
            initialDelaySeconds: 120
            periodSeconds: 5
            timeoutSeconds: 2
            failureThreshold: 3
            tcpSocket:
              port: 80

5、公开traefik dashboard,实际使用中,建议加上登录认证。

kubectl apply -f traefik-admin.yaml

traefik-admin.yaml:

---
apiVersion: v1
kind: Service
metadata:
  name: traefik-admin
spec:
  ports:
    - protocol: TCP
      name: admin
      port: 80
      targetPort: 8080
  selector:
    app: traefik
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: admin-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  ingressClassName: traefik-lb
  rules:
  - host: dashboard.amd5.cn
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: traefik-admin
            port:
              number: 80

6、部署官方的whoami服务,验证IngressRoute路由。

kubectl apply -f whoami.yaml

whoami.yaml:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoami
  labels:
    app: whoami
spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
          ports:
            - name: web
              containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  selector:
    app: whoami
  ports:
    - name: web
      port: 80
      targetPort: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`whoami.amd5.cn`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: whoami
          port: 80

7、部署两个nginx服务,验证Ingress路由。

kubectl apply -f nginx.yaml

nginx.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: coffee
spec:
  replicas: 2
  selector:
    matchLabels:
      app: coffee
  template:
    metadata:
      labels:
        app: coffee
    spec:
      containers:
      - name: coffee
        image: registry.cn-hangzhou.aliyuncs.com/acs-sample/nginxdemos:latest
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: coffee-svc
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
  selector:
    app: coffee
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tea
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tea
  template:
    metadata:
      labels:
        app: tea
    spec:
      containers:
      - name: tea
        image: registry.cn-hangzhou.aliyuncs.com/acs-sample/nginxdemos:latest
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: tea-svc
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
  selector:
    app: tea
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: coffee-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  ingressClassName: "traefik-lb"
  rules:
  - host: coffee.amd5.cn
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: coffee-svc
            port:
              number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tea-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  ingressClassName: "traefik-lb"
  rules:
  - host: tea.amd5.cn
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: tea-svc
            port:
              number: 80

查看部署结果:

在阿里云ACK使用Traefik Ingress并通过已有的SLB负载均衡公开应用

测试访问dashboard:

在阿里云ACK使用Traefik Ingress并通过已有的SLB负载均衡公开应用

测试访问whoami:

在阿里云ACK使用Traefik Ingress并通过已有的SLB负载均衡公开应用

测试访问nginx:

在阿里云ACK使用Traefik Ingress并通过已有的SLB负载均衡公开应用

在阿里云ACK使用Traefik Ingress并通过已有的SLB负载均衡公开应用

【腾讯云】云服务器、云数据库、COS、CDN、短信等云产品特惠热卖中

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: