资源配置清单

CRD 自定义资源二次开发能力来扩展 Kubernetes API,通过 CRD 我们可以向 Kubernetes API 中增加新资源类型,而不需要修改 Kubernetes 源码来创建自定义的 API server,该功能大大提高了 Kubernetes 的扩展能力

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressroutes.traefik.containo.us

spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRoute
plural: ingressroutes
singular: ingressroute
scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: middlewares.traefik.containo.us

spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: Middleware
plural: middlewares
singular: middleware
scope: Namespaced

---
apiVer sion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressroutetcps.traefik.containo.us

spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRouteTCP
plural: ingressroutetcps
singular: ingressroutetcp
scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressrouteudps.traefik.containo.us

spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRouteUDP
plural: ingressrouteudps
singular: ingressrouteudp
scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: tlsoptions.traefik.containo.us

spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: TLSOption
plural: tlsoptions
singular: tlsoption
scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: tlsstores.traefik.containo.us

spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: TLSStore
plural: tlsstores
singular: tlsstore
scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: traefikservices.traefik.containo.us

spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: TraefikService
plural: traefikservices
singular: traefikservice
scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: serverstransports.traefik.containo.us

spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: ServersTransport
plural: serverstransports
singular: serverstransport
scope: Namespaced
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.containo.us
resources:
- middlewares
- ingressroutes
- traefikservices
- ingressroutetcps
- ingressrouteudps
- tlsoptions
- tlsstores
- serverstransports
verbs:
- get
- list
- watch

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller

roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: kube-system
kind: ConfigMap
apiVersion: v1
metadata:
name: traefik-config
namespace: kube-system
data:
traefik.yaml: |-
ping: "" # 启用 Ping
serversTransport:
insecureSkipVerify: true # Traefik 忽略验证代理服务的 TLS 证书
api:
insecure: true # 允许 HTTP 方式访问 API
dashboard: true # 启用 Dashboard
debug: false # 启用 Debug 调试模式
metrics:
prometheus: "" # 配置 Prometheus 监控指标数据,并使用默认配置
entryPoints:
web:
address: ":80" # 配置 80 端口,并设置入口名称为 web
websecure:
address: ":443" # 配置 443 端口,并设置入口名称为 websecure
certificatesResolvers: # 配置证书解析器
myresolver: # 解析器名称
acme: # 启用acme,acme可以自动创建证书
email: weiqun_h@163.com # 用于注册的电子邮件地址
storage: acme.json # 用于证书存储的文件或密钥
httpChallenge: # 通过在HTTP-01众所周知的URI下配置HTTP资源,使用质询来生成和更新ACME证书
entryPoint: web
providers:
kubernetesCRD: "" # 启用 Kubernetes CRD 方式来配置路由规则
kubernetesIngress: "" # 启动 Kubernetes Ingress 方式来配置路由规则
log:
filePath: "" # 设置调试日志文件存储路径,如果为空则输出到控制台
level: error # 设置调试日志级别
format: json # 设置调试日志格式
accessLog:
filePath: "" # 设置访问日志文件存储路径,如果为空则输出到控制台
format: json
bufferingSize: 0 # 设置访问日志缓存行数
filters:
retryAttempts: true # 设置代理访问重试失败时,保留访问日志
minDuration: 20
fields: # 设置访问日志中的字段是否保留(keep 保留、drop 不保留)
defaultMode: keep
names: # 针对访问日志特别字段特别配置保留模式
ClientUsername: drop
headers: # 设置 Header 中字段是否保留
defaultMode: keep
names:
User-Agent: redact
Authorization: drop
Content-Type: keep
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: traefik-ingress-controller
namespace: kube-system
labels:
app: traefik
spec:
selector:
matchLabels:
app: traefik
template:
metadata:
name: traefik
labels:
app: traefik
annotations:
prometheus_io_scheme: "traefik"
prometheus_io_path: "/metrics"
prometheus_io_port: "8080"
spec:
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 1
containers:
- image: traefik:v2.4.0
name: traefik-ingress-lb
ports:
- name: web
containerPort: 80
hostPort: 80 # 将容器端口绑定所在服务器的 80 端口
- name: websecure
containerPort: 443
hostPort: 443 # 将容器端口绑定所在服务器的 443 端口
- name: admin
containerPort: 8080 # Traefik Dashboard 端口
resources:
limits:
cpu: 2000m
memory: 1024Mi
requests:
cpu: 1000m
memory: 1024Mi
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
args:
- --configfile=/config/traefik.yaml
volumeMounts:
- mountPath: "/config"
name: "config"
volumes:
- name: config
configMap:
name: traefik-config
tolerations:
- operator: "Exists" # 设置容忍所有污点,防止节点被设置污点
nodeSelector:
IngressProxy: "true" # 设置node筛选器,在特定label的节点上启动

这里配置的声明了一个名为redirectSchemea的中间件,该中间件可以将我们的请求跳转到另外的 scheme 请求,然后将该中间件配置到 HTTP 请求的服务上面

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: redirect-https
namespace: kube-system
spec:
redirectScheme: # 重定向中间件
scheme: https
apiVersion: v1
kind: Service
metadata:
name: traefik
namespace: kube-system
spec:
ports:
- name: web
port: 80
targetPort: 80
- name: websecure
port: 443
targetPort: 443
- name: admin
port: 8080
targetPort: 8080
selector:
app: traefik
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-ui-http
namespace: kube-system
spec:
entryPoints:
- web
routes:
- match: Host(`traefik.shisu.com`)
kind: Rule
services:
- name: traefik
port: 8080
middlewares: # 重定向中间件
- name: redirect-https
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-ui-https
namespace: kube-system
spec:
entryPoints:
- websecure # 注意这里是websecure这个entryPoint,监控443端口
routes:
- match: Host(`traefik.shisu.com`)
kind: Rule
services:
- name: traefik
port: 8080
tls: # 使用配置文件里定义的解析器
certResolver: myresolver

应用资源配置清单

配置主机标签

# kubectl label nodes k8s-node01 IngressProxy=true
# kubectl apply -f crd.yaml
Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/ingressroutes.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/middlewares.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/ingressroutetcps.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/ingressrouteudps.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/tlsoptions.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/tlsstores.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/traefikservices.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/serverstransports.traefik.containo.us created

# kubectl apply -f rbac.yaml
serviceaccount/traefik-ingress-controller unchanged
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created

# kubectl apply -f config.yaml
configmap/traefik-config created

# kubectl apply -f middleware.yaml
middleware.traefik.containo.us/redirect-https created

# kubectl apply -f daemonset.yaml
daemonset.apps/traefik-ingress-controller created

# kubectl apply -f svc.yaml
service/traefik created

# kubectl apply -f ingress-http.yaml
ingressroute.traefik.containo.us/traefik-ui-http created

# kubectl apply -f ingress-https.yaml
ingressroute.traefik.containo.us/traefik-ui-https created