资源配置清单

CRD 自定义资源二次开发能力来扩展 Kubernetes API,通过 CRD 我们可以向 Kubernetes API 中增加新资源类型,而不需要修改 Kubernetes 源码来创建自定义的 API server,该功能大大提高了 Kubernetes 的扩展能力

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced

---
apiVer  sion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressrouteudps.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteUDP
    plural: ingressrouteudps
    singular: ingressrouteudp
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsstores.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSStore
    plural: tlsstores
    singular: tlsstore
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: serverstransports.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: ServersTransport
    plural: serverstransports
    singular: serverstransport
  scope: Namespaced
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
    verbs:
      - get
      - list
      - watch

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-config
  namespace: kube-system
data:
  traefik.yaml: |-
    ping: ""                    # 启用 Ping          
    serversTransport:    
      insecureSkipVerify: true  # Traefik 忽略验证代理服务的 TLS 证书
    api:
      insecure: true            # 允许 HTTP 方式访问 API
      dashboard: true           # 启用 Dashboard
      debug: false              # 启用 Debug 调试模式
    metrics:
      prometheus: ""            # 配置 Prometheus 监控指标数据,并使用默认配置
    entryPoints:
      web:
        address: ":80"          # 配置 80 端口,并设置入口名称为 web
      websecure:
        address: ":443"         # 配置 443 端口,并设置入口名称为 websecure
    certificatesResolvers:      # 配置证书解析器
      myresolver:               # 解析器名称
        acme:                   # 启用acme,acme可以自动创建证书
          email: weiqun_h@163.com  # 用于注册的电子邮件地址
          storage: acme.json       # 用于证书存储的文件或密钥
          httpChallenge:           # 通过在HTTP-01众所周知的URI下配置HTTP资源,使用质询来生成和更新ACME证书
            entryPoint: web
    providers:
      kubernetesCRD: ""         # 启用 Kubernetes CRD 方式来配置路由规则
      kubernetesIngress: ""     # 启动 Kubernetes Ingress 方式来配置路由规则
    log:
      filePath: ""              # 设置调试日志文件存储路径,如果为空则输出到控制台
      level: error              # 设置调试日志级别
      format: json              # 设置调试日志格式
    accessLog:
      filePath: ""              # 设置访问日志文件存储路径,如果为空则输出到控制台
      format: json              
      bufferingSize: 0          # 设置访问日志缓存行数
      filters:
        retryAttempts: true     # 设置代理访问重试失败时,保留访问日志
        minDuration: 20         
      fields:                   # 设置访问日志中的字段是否保留(keep 保留、drop 不保留)
        defaultMode: keep       
        names:                  # 针对访问日志特别字段特别配置保留模式
          ClientUsername: drop  
        headers:                # 设置 Header 中字段是否保留
          defaultMode: keep     
          names:                
            User-Agent: redact
            Authorization: drop
            Content-Type: keep
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    app: traefik
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      name: traefik
      labels:
        app: traefik
      annotations:
        prometheus_io_scheme: "traefik"
        prometheus_io_path: "/metrics"
        prometheus_io_port: "8080"
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 1
      containers:
        - image: traefik:v2.4.0
          name: traefik-ingress-lb
          ports:
            - name: web
              containerPort: 80
              hostPort: 80         # 将容器端口绑定所在服务器的 80 端口
            - name: websecure
              containerPort: 443
              hostPort: 443        # 将容器端口绑定所在服务器的 443 端口
            - name: admin
              containerPort: 8080  # Traefik Dashboard 端口
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 1000m
              memory: 1024Mi
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          args:
            - --configfile=/config/traefik.yaml
          volumeMounts:
            - mountPath: "/config"
              name: "config"
      volumes:
        - name: config
          configMap:
            name: traefik-config
      tolerations:              
        - operator: "Exists"           # 设置容忍所有污点,防止节点被设置污点
      nodeSelector:            
        IngressProxy: "true"           # 设置node筛选器,在特定label的节点上启动

这里配置的声明了一个名为redirectSchemea的中间件,该中间件可以将我们的请求跳转到另外的 scheme 请求,然后将该中间件配置到 HTTP 请求的服务上面

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
  namespace: kube-system
spec:
  redirectScheme:   # 重定向中间件
    scheme: https
apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: kube-system
spec:
  ports:
    - name: web
      port: 80
      targetPort: 80
    - name: websecure
      port: 443
      targetPort: 443
    - name: admin
      port: 8080
      targetPort: 8080
  selector:
    app: traefik
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-ui-http
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`traefik.shisu.com`)
    kind: Rule
    services:
    - name: traefik
      port: 8080
    middlewares:      # 重定向中间件
    - name: redirect-https      
---    
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-ui-https
  namespace: kube-system
spec:
  entryPoints:
    - websecure     # 注意这里是websecure这个entryPoint,监控443端口
  routes:
  - match: Host(`traefik.shisu.com`)
    kind: Rule
    services:
    - name: traefik
      port: 8080
  tls:           # 使用配置文件里定义的解析器
    certResolver: myresolver

应用资源配置清单

配置主机标签

# kubectl label nodes k8s-node01 IngressProxy=true
# kubectl apply -f crd.yaml
Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/ingressroutes.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/middlewares.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/ingressroutetcps.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/ingressrouteudps.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/tlsoptions.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/tlsstores.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/traefikservices.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/serverstransports.traefik.containo.us created

# kubectl apply -f rbac.yaml
serviceaccount/traefik-ingress-controller unchanged
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created

# kubectl apply -f config.yaml
configmap/traefik-config created

# kubectl apply -f middleware.yaml
middleware.traefik.containo.us/redirect-https created

# kubectl apply -f daemonset.yaml
daemonset.apps/traefik-ingress-controller created

# kubectl apply -f svc.yaml
service/traefik created

# kubectl apply -f ingress-http.yaml
ingressroute.traefik.containo.us/traefik-ui-http created

# kubectl apply -f ingress-https.yaml
ingressroute.traefik.containo.us/traefik-ui-https created