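By default, Alibaba Cloud ACK offers automatic installation for only three Ingress Controller components: ALB Ingress Controller, MSE Ingress Controller and Nginx Ingress Controller.
If we want to use the Traefik Ingress Controller, we have to deploy it manually ourselves.
The official Traefik documentation also provides an installation method that deploys to a Kubernetes cluster through a Helm chart. The installation steps are: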
Requirements:
Kubernetes 1.16+
Helm version 3.9+ installed
Add the Traefik Labs chart repository to Helm:
helm repo add traefik https://traefik.github.io/charts
You can update the chart repository by running the following command:
helm repo update
Then install it with the helm command line:
helm install traefik traefik/traefik
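Of course, in a real installation you still need to set parameters according to your own requirements.
This approach is fairly simple, but for those of us who need a deeper understanding of the Traefik Ingress Controller, it may be too simple.
So here I install and configure the Traefik Ingress Controller using the CRD approach.
Traefik has two routing styles: the traditional Ingress and IngressRoute. This deployment supports both.
1. Deploy the CRDs. Because the file is fairly large, the GitHub file link is used directly.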
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
2. Deploy the RBAC resources
kubectl apply -f rbac.yaml
rbac.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - middlewaretcps
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
    verbs:
      - get
      - list
      - watch
---
# Create a dedicated service account for Traefik
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: traefik-account
---
# Bind the role to the account so that the permissions and rules apply to it
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-account
    namespace: default
3. Deploy the IngressClass (optional)
kubectl apply -f ingressClass.yaml
ingressClass.yaml:
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: traefik-lb
spec:
  controller: traefik.io/ingress-controller
4. Deploy Traefik. A DaemonSet is used here; a Deployment would also work.
kubectl apply -f traefik-daemonset.yaml
traefik-daemonset.yaml:
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-ingress-lb
  labels:
    app: traefik
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id: lb-xxxxx # Alibaba Cloud SLB id; the SLB must be created in advance
    service.beta.kubernetes.io/alicloud-loadbalancer-force-override-listeners: 'true' # create the listeners
spec:
  # type: NodePort
  type: LoadBalancer
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
      # nodePort: 30080 # with NodePort, a fixed port is recommended
    - name: https
      port: 443
      targetPort: 443
      # nodePort: 30433
      protocol: TCP
  selector:
    app: traefik
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  namespace: default
  name: traefik-ingress-controller
  labels:
    app: traefik
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-account
      containers:
        - name: traefik
          image: traefik:v2.9
          args:
            # Serves the API and dashboard without authentication on port 8080
            - --api.insecure
            - --accesslog
            - --entrypoints.web.Address=:80
            - --entrypoints.websecure.Address=:443
            - --providers.kubernetescrd=true
            - --providers.kubernetesingress=true
            - --providers.kubernetesingress.ingressclass=traefik-lb
            - --providers.kubernetesingress.ingressendpoint.ip=xx.xx.xx.xx
            # - --providers.kubernetesingress.ingressendpoint.hostname=alb-xxxx.cn-chengdu.alb.aliyuncs.com
            - --certificatesresolvers.default.acme.tlschallenge
            - --certificatesresolvers.default.acme.email=foo@you.com
            - --certificatesresolvers.default.acme.storage=acme.json
            # Let's Encrypt staging directory: certificates issued by it are not publicly trusted
            - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
          ports:
            - name: web
              containerPort: 80
            - name: websecure
              containerPort: 443
            - name: admin
              containerPort: 8080
          resources:
            limits:
              cpu: 1000m
              memory: 512Mi
            requests:
              cpu: 50m
              memory: 128Mi
          readinessProbe:
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 1
            failureThreshold: 5
            tcpSocket:
              port: 80
          livenessProbe:
            initialDelaySeconds: 120
            periodSeconds: 5
            timeoutSeconds: 2
            failureThreshold: 3
            tcpSocket:
              port: 80
5. Expose the Traefik dashboard. In real use, adding login authentication is recommended.
kubectl apply -f traefik-admin.yaml
traefik-admin.yaml:
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-admin
spec:
  ports:
    - protocol: TCP
      name: admin
      port: 80
      targetPort: 8080
  selector:
    app: traefik
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: admin-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  ingressClassName: traefik-lb
  rules:
    - host: dashboard.amd5.cn
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: traefik-admin
                port:
                  number: 80
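One way to add the login authentication recommended in step 5, as an added example that is not part of the original article: the dashboard is published through Traefik's internal `api@internal` service behind a `basicAuth` Middleware, in place of the `traefik-admin` Service and `admin-ingress` above. It assumes `--api.insecure` in the DaemonSet args is replaced with `--api.dashboard=true`; the resource names `dashboard-auth-users`, `dashboard-auth` and `traefik-dashboard` and the htpasswd value are placeholders chosen for illustration.

```yaml
# Added example: authenticated dashboard route (names are assumptions).
---
apiVersion: v1
kind: Secret
metadata:
  name: dashboard-auth-users
  namespace: default
type: Opaque
stringData:
  # One htpasswd line per user, e.g. the output of: htpasswd -nB admin
  # Placeholder below, not a real hash.
  users: "admin:REPLACE_WITH_HTPASSWD_HASH"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
  namespace: default
spec:
  basicAuth:
    secret: dashboard-auth-users
    removeHeader: true   # do not pass the Authorization header downstream
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: default
spec:
  entryPoints:
    - websecure          # send credentials over TLS only
  routes:
    - match: Host(`dashboard.amd5.cn`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      kind: Rule
      middlewares:
        - name: dashboard-auth
      services:
        - name: api@internal   # Traefik's built-in API/dashboard service
          kind: TraefikService
  tls:
    # Resolver defined in the DaemonSet args; it points at the staging CA
    # until the caserver flag is changed.
    certResolver: default
```

With this route the dashboard is served at `/dashboard/` (the trailing slash is required), and port 8080 no longer answers unauthenticated requests once `--api.insecure` is removed.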
6. Deploy the official whoami service to verify IngressRoute routing.
kubectl apply -f whoami.yaml
whoami.yaml:
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoami
  labels:
    app: whoami
spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
          ports:
            - name: web
              containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  selector:
    app: whoami
  ports:
    - name: web
      port: 80
      targetPort: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`whoami.amd5.cn`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: whoami
          port: 80
7. Deploy two nginx services to verify Ingress routing.
kubectl apply -f nginx.yaml
nginx.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coffee
spec:
  replicas: 2
  selector:
    matchLabels:
      app: coffee
  template:
    metadata:
      labels:
        app: coffee
    spec:
      containers:
        - name: coffee
          image: registry.cn-hangzhou.aliyuncs.com/acs-sample/nginxdemos:latest
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: coffee-svc
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    app: coffee
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tea
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tea
  template:
    metadata:
      labels:
        app: tea
    spec:
      containers:
        - name: tea
          image: registry.cn-hangzhou.aliyuncs.com/acs-sample/nginxdemos:latest
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: tea-svc
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    app: tea
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: coffee-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  ingressClassName: "traefik-lb"
  rules:
    - host: coffee.amd5.cn
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tea-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  ingressClassName: "traefik-lb"
  rules:
    - host: tea.amd5.cn
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
Check the deployment result:
Test access to the dashboard:
Test access to whoami:
Test access to nginx: