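Deploying Traefik 2.5 on Kubernetes
0. Preface
This article does not cover the Gateway API, because it is still an experimental feature.
The Traefik basics were covered in earlier articles; this one focuses only on a fresh install of version 2.5 and notes the differences when installing on different Kubernetes versions.
1. System environment
Traefik version: 2.5.6
Kubernetes version: 1.19
2. Helm installation
2.1 System environment
Kubernetes 1.14+
Helm 3.x
2.2 Installation
Add the Traefik chart repository:
helm repo add traefik https://helm.traefik.io/traefik
Update the repository:
helm repo update
Install with Helm:
helm install traefik traefik/traefik
For other customizations, see values.yaml.
Official Helm installation documentation
3. Manual installation
3.1 Create the CRDs
Pay attention to your Kubernetes version here: apiextensions.k8s.io/v1beta1 has been deprecated since Kubernetes 1.16 and was removed completely in 1.22.
For Kubernetes 1.16 and later, use apiextensions.k8s.io/v1.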
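The version rule above can be checked before anything is applied to the cluster. The following is an added example, not part of the original article or of the Traefik project: the function names `crd_api_status`, `check_manifest` and `write_samples` are hypothetical, the sample manifests are constructed, and it assumes that apiextensions.k8s.io/v1 is not served before Kubernetes 1.16.

```shell
#!/bin/sh
# Added example: pre-flight check that the CRD apiVersion used in a manifest
# is served by the target Kubernetes version. Boundaries from the article:
#   apiextensions.k8s.io/v1beta1: deprecated from 1.16, removed in 1.22
#   apiextensions.k8s.io/v1:      use on 1.16 and later

# crd_api_status API K8S_VERSION
# Prints one of: supported | deprecated | removed | unavailable | unknown
crd_api_status() {
  _api="$1"
  _ver="${2#v}"                    # accept "v1.19.3" as well as "1.19"
  case "$_ver" in
    1.[0-9]*) ;;
    *) echo unknown; return 0 ;;
  esac
  _minor="${_ver#1.}"
  _minor="${_minor%%[!0-9]*}"      # "22.3" -> "22", "19+" -> "19"
  case "$_api" in
    apiextensions.k8s.io/v1)
      if [ "$_minor" -ge 16 ]; then echo supported; else echo unavailable; fi ;;
    apiextensions.k8s.io/v1beta1)
      if [ "$_minor" -ge 22 ]; then echo removed
      elif [ "$_minor" -ge 16 ]; then echo deprecated
      else echo supported; fi ;;
    *) echo unknown ;;
  esac
}

# check_manifest FILE K8S_VERSION
# Reports every top-level apiextensions apiVersion in FILE. Returns 1 if any
# of them cannot be applied to that version, 2 if the file declares none.
check_manifest() {
  _file="$1"; _target="$2"; _rc=0
  # Only column-0 "apiVersion: <value>" lines count: the CRD schema itself
  # contains nested "apiVersion:" property keys that carry no value.
  _apis="$(awk '/^apiVersion:[ \t]/ && $2 ~ /^apiextensions\.k8s\.io\// { print $2 }' "$_file" | sort -u)"
  if [ -z "$_apis" ]; then
    echo "$_file: no CustomResourceDefinition apiVersion found"
    return 2
  fi
  for _a in $_apis; do
    _st="$(crd_api_status "$_a" "$_target")"
    echo "$_file: $_a is $_st on Kubernetes $_target"
    case "$_st" in
      supported|deprecated) ;;
      *) _rc=1 ;;
    esac
  done
  return "$_rc"
}

# write_samples DIR
# Writes two constructed, header-only manifests for a dry run of the check.
write_samples() {
  _dir="$1"
  printf '%s\n' '---' \
    'apiVersion: apiextensions.k8s.io/v1' \
    'kind: CustomResourceDefinition' \
    'metadata:' \
    '  name: ingressroutes.traefik.containo.us' \
    'spec:' \
    '  versions:' \
    '  - name: v1alpha1' \
    '    schema:' \
    '      openAPIV3Schema:' \
    '        properties:' \
    '          apiVersion:' \
    '            type: string' > "$_dir/crd-v1.yaml"
  printf '%s\n' '---' \
    'apiVersion: apiextensions.k8s.io/v1beta1' \
    'kind: CustomResourceDefinition' \
    'metadata:' \
    '  name: ingressroutes.traefik.containo.us' > "$_dir/crd-v1beta1.yaml"
}

# Stand-alone use: sh preflight.sh 00-traefik-v2.5-crd.yaml 1.19
if [ "$#" -eq 2 ]; then
  check_manifest "$1" "$2"
fi
```

A non-zero exit status means the manifest should not be applied to that cluster version as it stands.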
00-traefik-v2.5-crd.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: IngressRoute
    listKind: IngressRouteList
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: IngressRoute is an Ingress CRD specification.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IngressRouteSpec is a specification for a IngressRouteSpec
              resource.
            properties:
              entryPoints:
                items:
                  type: string
                type: array
              routes:
                items:
                  description: Route contains the set of routes.
                  properties:
                    kind:
                      enum:
                      - Rule
                      type: string
                    match:
                      type: string
                    middlewares:
                      items:
                        description: MiddlewareRef is a ref to the Middleware resources.
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                        required:
                        - name
                        type: object
                      type: array
                    priority:
                      type: integer
                    services:
                      items:
                        description: Service defines an upstream to proxy traffic.
                        properties:
                          kind:
                            enum:
                            - Service
                            - TraefikService
                            type: string
                          name:
                            description: Name is a reference to a Kubernetes Service
                              object (for a load-balancer of servers), or to a TraefikService
                              object (service load-balancer, mirroring, etc). The
                              differentiation between the two is specified in the
                              Kind field.
                            type: string
                          namespace:
                            type: string
                          passHostHeader:
                            type: boolean
                          port:
                            anyOf:
                            - type: integer
                            - type: string
                            x-kubernetes-int-or-string: true
                          responseForwarding:
                            description: ResponseForwarding holds configuration for
                              the forward of the response.
                            properties:
                              flushInterval:
                                type: string
                            type: object
                          scheme:
                            type: string
                          serversTransport:
                            type: string
                          sticky:
                            description: Sticky holds the sticky configuration.
                            properties:
                              cookie:
                                description: Cookie holds the sticky configuration
                                  based on cookie.
                                properties:
                                  httpOnly:
                                    type: boolean
                                  name:
                                    type: string
                                  sameSite:
                                    type: string
                                  secure:
                                    type: boolean
                                type: object
                            type: object
                          strategy:
                            type: string
                          weight:
                            description: Weight should only be specified when Name
                              references a TraefikService object (and to be precise,
                              one that embeds a Weighted Round Robin).
                            type: integer
                        required:
                        - name
                        type: object
                      type: array
                  required:
                  - kind
                  - match
                  type: object
                type: array
              tls:
                description: "TLS contains the TLS certificates configuration of the
                  routes. To enable Let's Encrypt, use an empty TLS struct, e.g. in
                  YAML: \n \t tls: {} # inline format \n \t tls: \t   secretName:
                  # block format"
                properties:
                  certResolver:
                    type: string
                  domains:
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
                        main:
                          type: string
                        sans:
                          items:
                            type: string
                          type: array
                      type: object
                    type: array
                  options:
                    description: Options is a reference to a TLSOption, that specifies
                      the parameters of the TLS connection.
                    properties:
                      name:
                        type: string
                      namespace:
                        type: string
                    required:
                    - name
                    type: object
                  secretName:
                    description: SecretName is the name of the referenced Kubernetes
                      Secret to specify the certificate details.
                    type: string
                  store:
                    description: Store is a reference to a TLSStore, that specifies
                      the parameters of the TLS store.
                    properties:
                      name:
                        type: string
                      namespace:
                        type: string
                    required:
                    - name
                    type: object
                type: object
            required:
            - routes
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: IngressRouteTCP
    listKind: IngressRouteTCPList
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: IngressRouteTCP is an Ingress CRD specification.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IngressRouteTCPSpec is a specification for a IngressRouteTCPSpec
              resource.
            properties:
              entryPoints:
                items:
                  type: string
                type: array
              routes:
                items:
                  description: RouteTCP contains the set of routes.
                  properties:
                    match:
                      type: string
                    middlewares:
                      description: Middlewares contains references to MiddlewareTCP
                        resources.
                      items:
                        description: ObjectReference is a generic reference to a Traefik
                          resource.
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                        required:
                        - name
                        type: object
                      type: array
                    services:
                      items:
                        description: ServiceTCP defines an upstream to proxy traffic.
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                          port:
                            anyOf:
                            - type: integer
                            - type: string
                            x-kubernetes-int-or-string: true
                          proxyProtocol:
                            description: ProxyProtocol holds the ProxyProtocol configuration.
                            properties:
                              version:
                                type: integer
                            type: object
                          terminationDelay:
                            type: integer
                          weight:
                            type: integer
                        required:
                        - name
                        - port
                        type: object
                      type: array
                  required:
                  - match
                  type: object
                type: array
              tls:
                description: "TLSTCP contains the TLS certificates configuration of
                  the routes. To enable Let's Encrypt, use an empty TLS struct, e.g.
                  in YAML: \n \t tls: {} # inline format \n \t tls: \t   secretName:
                  # block format"
                properties:
                  certResolver:
                    type: string
                  domains:
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
                        main:
                          type: string
                        sans:
                          items:
                            type: string
                          type: array
                      type: object
                    type: array
                  options:
                    description: Options is a reference to a TLSOption, that specifies
                      the parameters of the TLS connection.
                    properties:
                      name:
                        type: string
                      namespace:
                        type: string
                    required:
                    - name
                    type: object
                  passthrough:
                    type: boolean
                  secretName:
                    description: SecretName is the name of the referenced Kubernetes
                      Secret to specify the certificate details.
                    type: string
                  store:
                    description: Store is a reference to a TLSStore, that specifies
                      the parameters of the TLS store.
                    properties:
                      name:
                        type: string
                      namespace:
                        type: string
                    required:
                    - name
                    type: object
                type: object
            required:
            - routes
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: ingressrouteudps.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: IngressRouteUDP
    listKind: IngressRouteUDPList
    plural: ingressrouteudps
    singular: ingressrouteudp
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: IngressRouteUDP is an Ingress CRD specification.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IngressRouteUDPSpec is a specification for a IngressRouteUDPSpec
              resource.
            properties:
              entryPoints:
                items:
                  type: string
                type: array
              routes:
                items:
                  description: RouteUDP contains the set of routes.
                  properties:
                    services:
                      items:
                        description: ServiceUDP defines an upstream to proxy traffic.
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                          port:
                            anyOf:
                            - type: integer
                            - type: string
                            x-kubernetes-int-or-string: true
                          weight:
                            type: integer
                        required:
                        - name
                        - port
                        type: object
                      type: array
                  type: object
                type: array
            required:
            - routes
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: Middleware
    listKind: MiddlewareList
    plural: middlewares
    singular: middleware
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: Middleware is a specification for a Middleware resource.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: MiddlewareSpec holds the Middleware configuration.
            properties:
              addPrefix:
                description: AddPrefix holds the AddPrefix configuration.
                properties:
                  prefix:
                    type: string
                type: object
              basicAuth:
                description: BasicAuth holds the HTTP basic authentication configuration.
                properties:
                  headerField:
                    type: string
                  realm:
                    type: string
                  removeHeader:
                    type: boolean
                  secret:
                    type: string
                type: object
              buffering:
                description: Buffering holds the request/response buffering configuration.
                properties:
                  maxRequestBodyBytes:
                    format: int64
                    type: integer
                  maxResponseBodyBytes:
                    format: int64
                    type: integer
                  memRequestBodyBytes:
                    format: int64
                    type: integer
                  memResponseBodyBytes:
                    format: int64
                    type: integer
                  retryExpression:
                    type: string
                type: object
              chain:
                description: Chain holds a chain of middlewares.
                properties:
                  middlewares:
                    items:
                      description: MiddlewareRef is a ref to the Middleware resources.
                      properties:
                        name:
                          type: string
                        namespace:
                          type: string
                      required:
                      - name
                      type: object
                    type: array
                type: object
              circuitBreaker:
                description: CircuitBreaker holds the circuit breaker configuration.
                properties:
                  expression:
                    type: string
                type: object
              compress:
                description: Compress holds the compress configuration.
                properties:
                  excludedContentTypes:
                    items:
                      type: string
                    type: array
                type: object
              contentType:
                description: ContentType middleware - or rather its unique `autoDetect`
                  option - specifies whether to let the `Content-Type` header, if
                  it has not been set by the backend, be automatically set to a value
                  derived from the contents of the response. As a proxy, the default
                  behavior should be to leave the header alone, regardless of what
                  the backend did with it. However, the historic default was to always
                  auto-detect and set the header if it was nil, and it is going to
                  be kept that way in order to support users currently relying on
                  it. This middleware exists to enable the correct behavior until
                  at least the default one can be changed in a future version.
                properties:
                  autoDetect:
                    type: boolean
                type: object
              digestAuth:
                description: DigestAuth holds the Digest HTTP authentication configuration.
                properties:
                  headerField:
                    type: string
                  realm:
                    type: string
                  removeHeader:
                    type: boolean
                  secret:
                    type: string
                type: object
              errors:
                description: ErrorPage holds the custom error page configuration.
                properties:
                  query:
                    type: string
                  service:
                    description: Service defines an upstream to proxy traffic.
                    properties:
                      kind:
                        enum:
                        - Service
                        - TraefikService
                        type: string
                      name:
                        description: Name is a reference to a Kubernetes Service object
                          (for a load-balancer of servers), or to a TraefikService
                          object (service load-balancer, mirroring, etc). The differentiation
                          between the two is specified in the Kind field.
                        type: string
                      namespace:
                        type: string
                      passHostHeader:
                        type: boolean
                      port:
                        anyOf:
                        - type: integer
                        - type: string
                        x-kubernetes-int-or-string: true
                      responseForwarding:
                        description: ResponseForwarding holds configuration for the
                          forward of the response.
                        properties:
                          flushInterval:
                            type: string
                        type: object
                      scheme:
                        type: string
                      serversTransport:
                        type: string
                      sticky:
                        description: Sticky holds the sticky configuration.
                        properties:
                          cookie:
                            description: Cookie holds the sticky configuration based
                              on cookie.
                            properties:
                              httpOnly:
                                type: boolean
                              name:
                                type: string
                              sameSite:
                                type: string
                              secure:
                                type: boolean
                            type: object
                        type: object
                      strategy:
                        type: string
                      weight:
                        description: Weight should only be specified when Name references
                          a TraefikService object (and to be precise, one that embeds
                          a Weighted Round Robin).
                        type: integer
                    required:
                    - name
                    type: object
                  status:
                    items:
                      type: string
                    type: array
                type: object
              forwardAuth:
                description: ForwardAuth holds the http forward authentication configuration.
                properties:
                  address:
                    type: string
                  authRequestHeaders:
                    items:
                      type: string
                    type: array
                  authResponseHeaders:
                    items:
                      type: string
                    type: array
                  authResponseHeadersRegex:
                    type: string
                  tls:
                    description: ClientTLS holds TLS specific configurations as client.
                    properties:
                      caOptional:
                        type: boolean
                      caSecret:
                        type: string
                      certSecret:
                        type: string
                      insecureSkipVerify:
                        type: boolean
                    type: object
                  trustForwardHeader:
                    type: boolean
                type: object
              headers:
                description: Headers holds the custom header configuration.
                properties:
                  accessControlAllowCredentials:
                    description: AccessControlAllowCredentials is only valid if true.
                      false is ignored.
                    type: boolean
                  accessControlAllowHeaders:
                    description: AccessControlAllowHeaders must be used in response
                      to a preflight request with Access-Control-Request-Headers set.
                    items:
                      type: string
                    type: array
                  accessControlAllowMethods:
                    description: AccessControlAllowMethods must be used in response
                      to a preflight request with Access-Control-Request-Method set.
                    items:
                      type: string
                    type: array
                  accessControlAllowOriginList:
                    description: AccessControlAllowOriginList is a list of allowable
                      origins. Can also be a wildcard origin "*".
                    items:
                      type: string
                    type: array
                  accessControlAllowOriginListRegex:
                    description: AccessControlAllowOriginListRegex is a list of allowable
                      origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/).
                    items:
                      type: string
                    type: array
                  accessControlExposeHeaders:
                    description: AccessControlExposeHeaders sets valid headers for
                      the response.
                    items:
                      type: string
                    type: array
                  accessControlMaxAge:
                    description: AccessControlMaxAge sets the time that a preflight
                      request may be cached.
                    format: int64
                    type: integer
                  addVaryHeader:
                    description: AddVaryHeader controls if the Vary header is automatically
                      added/updated when the AccessControlAllowOriginList is set.
                    type: boolean
                  allowedHosts:
                    items:
                      type: string
                    type: array
                  browserXssFilter:
                    type: boolean
                  contentSecurityPolicy:
                    type: string
                  contentTypeNosniff:
                    type: boolean
                  customBrowserXSSValue:
                    type: string
                  customFrameOptionsValue:
                    type: string
                  customRequestHeaders:
                    additionalProperties:
                      type: string
                    type: object
                  customResponseHeaders:
                    additionalProperties:
                      type: string
                    type: object
                  featurePolicy:
                    description: 'Deprecated: use PermissionsPolicy instead.'
                    type: string
                  forceSTSHeader:
                    type: boolean
                  frameDeny:
                    type: boolean
                  hostsProxyHeaders:
                    items:
                      type: string
                    type: array
                  isDevelopment:
                    type: boolean
                  permissionsPolicy:
                    type: string
                  publicKey:
                    type: string
                  referrerPolicy:
                    type: string
                  sslForceHost:
                    description: 'Deprecated: use RedirectRegex instead.'
                    type: boolean
                  sslHost:
                    description: 'Deprecated: use RedirectRegex instead.'
                    type: string
                  sslProxyHeaders:
                    additionalProperties:
                      type: string
                    type: object
                  sslRedirect:
                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
                      instead.'
                    type: boolean
                  sslTemporaryRedirect:
                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
                      instead.'
                    type: boolean
                  stsIncludeSubdomains:
                    type: boolean
                  stsPreload:
                    type: boolean
                  stsSeconds:
                    format: int64
                    type: integer
                type: object
              inFlightReq:
                description: InFlightReq limits the number of requests being processed
                  and served concurrently.
                properties:
                  amount:
                    format: int64
                    type: integer
                  sourceCriterion:
                    description: SourceCriterion defines what criterion is used to
                      group requests as originating from a common source. If none
                      are set, the default is to use the request's remote address
                      field. All fields are mutually exclusive.
                    properties:
                      ipStrategy:
                        description: IPStrategy holds the ip strategy configuration.
                        properties:
                          depth:
                            type: integer
                          excludedIPs:
                            items:
                              type: string
                            type: array
                        type: object
                      requestHeaderName:
                        type: string
                      requestHost:
                        type: boolean
                    type: object
                type: object
              ipWhiteList:
                description: IPWhiteList holds the ip white list configuration.
                properties:
                  ipStrategy:
                    description: IPStrategy holds the ip strategy configuration.
                    properties:
                      depth:
                        type: integer
                      excludedIPs:
                        items:
                          type: string
                        type: array
                    type: object
                  sourceRange:
                    items:
                      type: string
                    type: array
                type: object
              passTLSClientCert:
                description: PassTLSClientCert holds the TLS client cert headers configuration.
                properties:
                  info:
                    description: TLSClientCertificateInfo holds the client TLS certificate
                      info configuration.
                    properties:
                      issuer:
                        description: TLSClientCertificateDNInfo holds the client TLS
                          certificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739
                        properties:
                          commonName:
                            type: boolean
                          country:
                            type: boolean
                          domainComponent:
                            type: boolean
                          locality:
                            type: boolean
                          organization:
                            type: boolean
                          province:
                            type: boolean
                          serialNumber:
                            type: boolean
                        type: object
                      notAfter:
                        type: boolean
                      notBefore:
                        type: boolean
                      sans:
                        type: boolean
                      serialNumber:
                        type: boolean
                      subject:
                        description: TLSClientCertificateDNInfo holds the client TLS
                          certificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739
                        properties:
                          commonName:
                            type: boolean
                          country:
                            type: boolean
                          domainComponent:
                            type: boolean
                          locality:
                            type: boolean
                          organization:
                            type: boolean
                          province:
                            type: boolean
                          serialNumber:
                            type: boolean
                        type: object
                    type: object
                  pem:
                    type: boolean
                type: object
              plugin:
                additionalProperties:
                  x-kubernetes-preserve-unknown-fields: true
                type: object
              rateLimit:
                description: RateLimit holds the rate limiting configuration for a
                  given router.
                properties:
                  average:
                    format: int64
                    type: integer
                  burst:
                    format: int64
                    type: integer
                  period:
                    anyOf:
                    - type: integer
                    - type: string
                    x-kubernetes-int-or-string: true
                  sourceCriterion:
                    description: SourceCriterion defines what criterion is used to
                      group requests as originating from a common source. If none
                      are set, the default is to use the request's remote address
                      field. All fields are mutually exclusive.
                    properties:
                      ipStrategy:
                        description: IPStrategy holds the ip strategy configuration.
                        properties:
                          depth:
                            type: integer
                          excludedIPs:
                            items:
                              type: string
                            type: array
                        type: object
                      requestHeaderName:
                        type: string
                      requestHost:
                        type: boolean
                    type: object
                type: object
              redirectRegex:
                description: RedirectRegex holds the redirection configuration.
                properties:
                  permanent:
                    type: boolean
                  regex:
                    type: string
                  replacement:
                    type: string
                type: object
              redirectScheme:
                description: RedirectScheme holds the scheme redirection configuration.
                properties:
                  permanent:
                    type: boolean
                  port:
                    type: string
                  scheme:
                    type: string
                type: object
              replacePath:
                description: ReplacePath holds the ReplacePath configuration.
                properties:
                  path:
                    type: string
                type: object
              replacePathRegex:
                description: ReplacePathRegex holds the ReplacePathRegex configuration.
                properties:
                  regex:
                    type: string
                  replacement:
                    type: string
                type: object
              retry:
                description: Retry holds the retry configuration.
                properties:
                  attempts:
                    type: integer
                  initialInterval:
                    anyOf:
                    - type: integer
                    - type: string
                    x-kubernetes-int-or-string: true
                type: object
              stripPrefix:
                description: StripPrefix holds the StripPrefix configuration.
                properties:
                  forceSlash:
                    type: boolean
                  prefixes:
                    items:
                      type: string
                    type: array
                type: object
              stripPrefixRegex:
                description: StripPrefixRegex holds the StripPrefixRegex configuration.
                properties:
                  regex:
                    items:
                      type: string
                    type: array
                type: object
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: middlewaretcps.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: MiddlewareTCP
    listKind: MiddlewareTCPList
    plural: middlewaretcps
    singular: middlewaretcp
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: MiddlewareTCP is a specification for a MiddlewareTCP resource.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: MiddlewareTCPSpec holds the MiddlewareTCP configuration.
            properties:
              ipWhiteList:
                description: TCPIPWhiteList holds the TCP ip white list configuration.
                properties:
                  sourceRange:
                    items:
                      type: string
                    type: array
                type: object
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: serverstransports.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: ServersTransport
    listKind: ServersTransportList
    plural: serverstransports
    singular: serverstransport
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ServersTransport is a specification for a ServersTransport resource.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ServersTransportSpec options to configure communication between
              Traefik and the servers.
            properties:
              certificatesSecrets:
                description: Certificates for mTLS.
                items:
                  type: string
                type: array
              disableHTTP2:
                description: Disable HTTP/2 for connections with backend servers.
                type: boolean
              forwardingTimeouts:
                description: Timeouts for requests forwarded to the backend servers.
                properties:
                  dialTimeout:
                    anyOf:
                    - type: integer
                    - type: string
                    description: The amount of time to wait until a connection to
                      a backend server can be established. If zero, no timeout exists.
                    x-kubernetes-int-or-string: true
                  idleConnTimeout:
                    anyOf:
                    - type: integer
                    - type: string
                    description: The maximum period for which an idle HTTP keep-alive
                      connection will remain open before closing itself.
                    x-kubernetes-int-or-string: true
                  responseHeaderTimeout:
                    anyOf:
                    - type: integer
                    - type: string
                    description: The amount of time to wait for a server's response
                      headers after fully writing the request (including its body,
                      if any). If zero, no timeout exists.
                    x-kubernetes-int-or-string: true
                type: object
              insecureSkipVerify:
                description: Disable SSL certificate verification.
                type: boolean
              maxIdleConnsPerHost:
                description: If non-zero, controls the maximum idle (keep-alive) to
                  keep per-host. If zero, DefaultMaxIdleConnsPerHost is used.
                type: integer
              peerCertURI:
                description: URI used to match against SAN URI during the peer certificate
                  verification.
                type: string
              rootCAsSecrets:
                description: Add cert file for self-signed certificate.
                items:
                  type: string
                type: array
              serverName:
                description: ServerName used to contact the server.
                type: string
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: TLSOption
    listKind: TLSOptionList
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: TLSOption is a specification for a TLSOption resource.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: TLSOptionSpec configures TLS for an entry point.
            properties:
              alpnProtocols:
                items:
                  type: string
                type: array
              cipherSuites:
                items:
                  type: string
                type: array
              clientAuth:
                description: ClientAuth defines the parameters of the client authentication
                  part of the TLS connection, if any.
                properties:
                  clientAuthType:
                    description: ClientAuthType defines the client authentication
                      type to apply.
                    enum:
                    - NoClientCert
                    - RequestClientCert
                    - RequireAnyClientCert
                    - VerifyClientCertIfGiven
                    - RequireAndVerifyClientCert
                    type: string
                  secretNames:
                    description: SecretName is the name of the referenced Kubernetes
                      Secret to specify the certificate details.
                    items:
                      type: string
                    type: array
                type: object
              curvePreferences:
                items:
                  type: string
                type: array
              maxVersion:
                type: string
              minVersion:
                type: string
              preferServerCipherSuites:
                type: boolean
              sniStrict:
                type: boolean
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: tlsstores.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: TLSStore
    listKind: TLSStoreList
    plural: tlsstores
    singular: tlsstore
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: TLSStore is a specification for a TLSStore resource.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: TLSStoreSpec configures a TLSStore resource.
            properties:
              defaultCertificate:
                description: DefaultCertificate holds a secret name for the TLSOption
                  resource.
                properties:
                  secretName:
                    description: SecretName is the name of the referenced Kubernetes
                      Secret to specify the certificate details.
                    type: string
                required:
                - secretName
                type: object
            required:
            - defaultCertificate
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersionapiextensions.k8s.io/v1
kindCustomResourceDefinition
metadata
annotations
controller-gen.kubebuilder.io/versionv0.6.2
creationTimestampnull
nametraefikservices.traefik.containo.us
spec
grouptraefik.containo.us
names
kindTraefikService
listKindTraefikServiceList
pluraltraefikservices
singulartraefikservice
scopeNamespaced
versions
namev1alpha1
schema
openAPIV3Schema
descriptionTraefikService is the specification for a service (that an IngressRoute
refers to) that is usually not a terminal service (i.e. not a pod of servers),
as opposed to a Kubernetes Service. That is to say, it usually refers to
other (children) services, which themselves can be TraefikServices or Services.
properties
apiVersion
description'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More infohttps//git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
typestring
kind
description'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More infohttps//git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
typestring
metadata
typeobject
spec
descriptionServiceSpec defines whether a TraefikService is a load-balancer
of services or a mirroring service.
properties
mirroring
descriptionMirroring defines a mirroring service, which is composed
of a main load-balancer, and a list of mirrors.
properties
kind
enum
Service
TraefikService
typestring
                  maxBodySize:
                    format: int64
                    type: integer
                  mirrors:
                    items:
                      description: MirrorService defines one of the mirrors of a Mirroring
                        service.
                      properties:
                        kind:
                          enum:
                          - Service
                          - TraefikService
                          type: string
                        name:
                          description: Name is a reference to a Kubernetes Service
                            object (for a load-balancer of servers), or to a TraefikService
                            object (service load-balancer, mirroring, etc). The differentiation
                            between the two is specified in the Kind field.
                          type: string
                        namespace:
                          type: string
                        passHostHeader:
                          type: boolean
                        percent:
                          type: integer
                        port:
                          anyOf:
                          - type: integer
                          - type: string
                          x-kubernetes-int-or-string: true
                        responseForwarding:
                          description: ResponseForwarding holds configuration for
                            the forward of the response.
                          properties:
                            flushInterval:
                              type: string
                          type: object
                        scheme:
                          type: string
                        serversTransport:
                          type: string
                        sticky:
                          description: Sticky holds the sticky configuration.
                          properties:
                            cookie:
                              description: Cookie holds the sticky configuration based
                                on cookie.
                              properties:
                                httpOnly:
                                  type: boolean
                                name:
                                  type: string
                                sameSite:
                                  type: string
                                secure:
                                  type: boolean
                              type: object
                          type: object
                        strategy:
                          type: string
                        weight:
                          description: Weight should only be specified when Name references
                            a TraefikService object (and to be precise, one that embeds
                            a Weighted Round Robin).
                          type: integer
                      required:
                      - name
                      type: object
                    type: array
                  name:
                    description: Name is a reference to a Kubernetes Service object
                      (for a load-balancer of servers), or to a TraefikService object
                      (service load-balancer, mirroring, etc). The differentiation
                      between the two is specified in the Kind field.
                    type: string
                  namespace:
                    type: string
                  passHostHeader:
                    type: boolean
                  port:
                    anyOf:
                    - type: integer
                    - type: string
                    x-kubernetes-int-or-string: true
                  responseForwarding:
                    description: ResponseForwarding holds configuration for the forward
                      of the response.
                    properties:
                      flushInterval:
                        type: string
                    type: object
                  scheme:
                    type: string
                  serversTransport:
                    type: string
                  sticky:
                    description: Sticky holds the sticky configuration.
                    properties:
                      cookie:
                        description: Cookie holds the sticky configuration based on
                          cookie.
                        properties:
                          httpOnly:
                            type: boolean
                          name:
                            type: string
                          sameSite:
                            type: string
                          secure:
                            type: boolean
                        type: object
                    type: object
                  strategy:
                    type: string
                  weight:
                    description: Weight should only be specified when Name references
                      a TraefikService object (and to be precise, one that embeds
                      a Weighted Round Robin).
                    type: integer
                required:
                - name
                type: object
              weighted:
                description: WeightedRoundRobin defines a load-balancer of services.
                properties:
                  services:
                    items:
                      description: Service defines an upstream to proxy traffic.
                      properties:
                        kind:
                          enum:
                          - Service
                          - TraefikService
                          type: string
                        name:
                          description: Name is a reference to a Kubernetes Service
                            object (for a load-balancer of servers), or to a TraefikService
                            object (service load-balancer, mirroring, etc). The differentiation
                            between the two is specified in the Kind field.
                          type: string
                        namespace:
                          type: string
                        passHostHeader:
                          type: boolean
                        port:
                          anyOf:
                          - type: integer
                          - type: string
                          x-kubernetes-int-or-string: true
                        responseForwarding:
                          description: ResponseForwarding holds configuration for
                            the forward of the response.
                          properties:
                            flushInterval:
                              type: string
                          type: object
                        scheme:
                          type: string
                        serversTransport:
                          type: string
                        sticky:
                          description: Sticky holds the sticky configuration.
                          properties:
                            cookie:
                              description: Cookie holds the sticky configuration based
                                on cookie.
                              properties:
                                httpOnly:
                                  type: boolean
                                name:
                                  type: string
                                sameSite:
                                  type: string
                                secure:
                                  type: boolean
                              type: object
                          type: object
                        strategy:
                          type: string
                        weight:
                          description: Weight should only be specified when Name references
                            a TraefikService object (and to be precise, one that embeds
                            a Weighted Round Robin).
                          type: integer
                      required:
                      - name
                      type: object
                    type: array
                  sticky:
                    description: Sticky holds the sticky configuration.
                    properties:
                      cookie:
                        description: Cookie holds the sticky configuration based on
                          cookie.
                        properties:
                          httpOnly:
                            type: boolean
                          name:
                            type: string
                          sameSite:
                            type: string
                          secure:
                            type: boolean
                        type: object
                    type: object
                type: object
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
CRD official documentation
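3.2 Create the RBAC resources
On top of the official configuration, this adds the kube-system namespace and a ServiceAccount; both can be set to suit your own environment.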
01-traefik-v2.5-rbac.yaml
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - middlewaretcps
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
```
RBAC official documentation
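3.3 Create the Traefik configuration file
The configuration is supplied through a ConfigMap; the commonly used parameters are explained in comments.
Two providers are enabled, each with an ingressClass set.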
02-traefik-v2.5-config-cm.yaml
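```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-config
  namespace: kube-system
data:
  traefik.yaml: |-
    serversTransport:
      insecureSkipVerify: true  ## Traefik skips verification of the proxied services' TLS certificates
    api:
      insecure: true            ## Allow the API to be accessed over HTTP
      dashboard: true           ## Enable the Dashboard
      debug: false              ## Enable debug mode
    metrics:
      prometheus:               ## Configure Prometheus metrics with the default settings
        entryPoint: metrics
    entryPoints:
      web:
        address: ":80"          ## Listen on port 80; the entry point is named web
      websecure:
        address: ":443"         ## Listen on port 443; the entry point is named websecure
      traefik:
        address: ":8090"        ## Listen on port 8090; this entry point (traefik) serves the dashboard
      metrics:
        address: ":8082"        ## Listen on port 8082 as the metrics collection entry point
      tcp:
        address: ":8379"        ## Listen on port 8379 as the TCP entry point
    providers:
      kubernetesCRD:            ## Enable routing rules configured through Kubernetes CRDs
        ingressClass: traefik-gs-v2.5
      kubernetesIngress:        ## Enable routing rules configured through Kubernetes Ingress
        ingressClass: traefik-gs-v2.5
    log:
      filePath: "/etc/traefik/logs/traefik.log"  ## Path of the debug log file; if empty, logs go to the console
      level: error              ## Debug log level
      format: "common"          ## Debug log format
    accessLog:
      filePath: "/etc/traefik/logs/access.log"   ## Path of the access log file; if empty, logs go to the console
      format: "common"          ## Access log format
      bufferingSize: 0          ## Number of access log lines to buffer
      filters:
        #statusCodes: ["200"]   ## Keep only access logs whose status code is in the given range
        retryAttempts: true     ## Keep access logs for proxied requests that were retried
        minDuration: 20         ## Keep access logs for requests that took longer than this duration
      fields:                   ## Whether each access log field is kept (keep) or removed (drop)
        defaultMode: keep       ## Keep access log fields by default
        names:                  ## Per-field overrides of the default mode
          ClientUsername: drop
        headers:                ## Whether header fields are kept
          defaultMode: keep     ## Keep header fields by default
          names:                ## Per-header overrides of the default mode
            #User-Agent: redact ## Can be applied to a specific agent header
            Authorization: drop
            Content-Type: keep
```
3.4 Deploy Traefik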
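Traefik is deployed as a DaemonSet on the host network, which avoids the performance overhead of going through the pod network.
A node label selects the nodes it is deployed to.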
03-traefik-v2.5-ds.yaml
```yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-v2
  namespace: kube-system
spec:
  ports:
    - name: web
      port: 80
    - name: websecure
      port: 443
    - name: admin
      port: 8090
  selector:
    app: traefik-v2
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: traefik-ingress-controller-v2
  namespace: kube-system
  labels:
    app: traefik-v2
spec:
  selector:
    matchLabels:
      app: traefik-v2
  template:
    metadata:
      annotations:
        prometheus.io/path: /metrics
        prometheus.io/port: "8082"
        prometheus.io/scrape: "true"
      name: traefik-v2
      labels:
        app: traefik-v2
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 1
      containers:
        - image: harbor.foxchan.com/traefik/traefik:v2.5.6
          name: traefik-ingress-lb-v2
          ports:
            - name: web
              containerPort: 80
              hostPort: 80          ## Bind the container port to port 80 of the host
            - name: websecure
              containerPort: 443
              hostPort: 443         ## Bind the container port to port 443 of the host
            - name: admin
              containerPort: 8090   ## Traefik Dashboard port
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          args:
            - --configfile=/config/traefik.yaml
          volumeMounts:
            - mountPath: "/config"
              name: "config"
            - mountPath: /etc/traefik/logs
              name: logdir
            - mountPath: /etc/localtime
              name: timezone
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: traefik-config
        - name: logdir
          hostPath:
            path: /data/traefik/logs
            type: "DirectoryOrCreate"
        - name: timezone
          hostPath:
            path: /etc/localtime
            type: File
      tolerations:                  ## Tolerate all taints so that tainted nodes can still run the pod
        - operator: "Exists"
      hostNetwork: true             ## Use the host network to improve ingress network performance
      nodeSelector:                 ## Node selector: start only on nodes carrying this label
        IngressProxy: "traefik2"
```
4. Other minor requirements
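The static configuration in section 3.3 sets api.insecure: true and insecureSkipVerify: true, and with hostNetwork: true the 8090 entry point listens directly on every selected node. A tighter variant follows as an added example (not from the original post); the hostname traefik.example.internal, the resource names, the Secret traefik-dashboard-auth (htpasswd entries under the key users) and the backend-ca.crt key are assumptions.

```yaml
# Static configuration: changed keys in traefik.yaml (traefik-config ConfigMap).
# This first document is not a Kubernetes manifest; edit the ConfigMap instead.
serversTransport:
  insecureSkipVerify: false            # verify backend certificates again
  rootCAs:
    - /config/backend-ca.crt           # assumed: CA bundle added as a key of traefik-config
api:
  insecure: false                      # no unauthenticated API/dashboard on the traefik entry point
  dashboard: true
---
# Dynamic configuration: basic-auth middleware protecting the dashboard
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth                 # hypothetical name
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik-gs-v2.5
spec:
  basicAuth:
    secret: traefik-dashboard-auth     # assumed Secret, htpasswd lines under key "users"
---
# Dynamic configuration: expose the internal API service only through the middleware
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard              # hypothetical name
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik-gs-v2.5   # must match providers.kubernetesCRD.ingressClass
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`traefik.example.internal`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: dashboard-auth
  tls: {}                              # terminate TLS with the default certificate
```

With the dashboard routed this way, the admin port 8090 in the Service and DaemonSet is no longer needed to reach it.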
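4.1 Log rotation
Traefik has no built-in log rotation; the official documentation only says that it reopens its log files when it receives a USR1 signal. Rotation is therefore implemented with logrotate.
- Create a subdirectory under /etc/logrotate.d (the directory can also be created somewhere other than /etc/logrotate.d/)
```bash
mkdir -p /etc/logrotate.d/traefik
```
- Configure the logrotate file
```
/data/traefik/logs/*.log {
    daily
    rotate 15
    missingok
    notifempty
    compress
    dateext
    dateyesterday
    dateformat .%Y-%m-%d
    create 0644 root root
    postrotate
        docker kill --signal="USR1" $(docker ps | grep traefik |grep -v pause| awk '{print $1}')
    endscript
}
```
- Add a crontab scheduled task
```bash
# /etc/crontab lines need a user field (root here). Append with tee -a so the
# existing system crontab is preserved and the write itself runs under sudo.
echo '0 0 * * * root /usr/sbin/logrotate -f /etc/logrotate.d/traefik/traefikLogrotate >/dev/null 2>&1' | sudo tee -a /etc/crontab >/dev/null
```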
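4.2 Time zone
In this setup the time zone is set by mounting the host's time zone file:
```yaml
volumeMounts:
  - mountPath: /etc/localtime
    name: timezone
    readOnly: true
volumes:
  - name: timezone
    hostPath:
      path: /etc/localtime
      type: File
```
4.3 Upgrading from earlier versions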
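These are brief upgrade notes; a dedicated post recording the upgrade steps will follow.
v2.4 to v2.5
Kubernetes CRD
Starting with v2.5, the Traefik CRDs support the new API version apiextensions.k8s.io/v1; keep this in mind when upgrading.
Kubernetes Ingress
Starting with v2.5, Kubernetes v1.22 is supported and the minimum supported version is v1.14+, so pay attention to the API versions in use.
Replace extensions/v1beta1 with networking.k8s.io/v1beta1, or with networking.k8s.io/v1 (Kubernetes v1.19+).
Kubernetes v1.22 drops networking.k8s.io/v1beta1.
Headers middleware: ssl redirect options
Starting with v2.5, the following options are dropped: sslRedirect, sslTemporaryRedirect, sslHost and sslForceHost.
Headers middleware: accessControlAllowOrigin
Starting with v2.5, accessControlAllowOrigin is no longer supported.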
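The two Headers middleware changes above, written out as a before/after migration. This is an added example, not from the original post; the middleware names and the origin https://app.example.com are hypothetical, and the replacements shown are accessControlAllowOriginList and the RedirectScheme middleware.

```yaml
# Before (v2.4 and earlier): Headers middleware using the options listed above
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: legacy-headers                 # hypothetical name
  namespace: kube-system
spec:
  headers:
    sslRedirect: true
    accessControlAllowOrigin: "https://app.example.com"   # constructed origin
---
# After (v2.5): the CORS origin moves to accessControlAllowOriginList
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: cors-headers                   # hypothetical name
  namespace: kube-system
spec:
  headers:
    accessControlAllowOriginList:
      - "https://app.example.com"
    addVaryHeader: true                # responses differ per Origin, so caches must key on it
---
# After (v2.5): the HTTP-to-HTTPS redirect becomes its own RedirectScheme middleware
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: https-redirect                 # hypothetical name
  namespace: kube-system
spec:
  redirectScheme:
    scheme: https
    permanent: true                    # false corresponds to the old sslTemporaryRedirect
```

Routes that referenced the old middleware need both new ones attached; for a blanket redirect, an entry point redirection from web to websecure (entryPoints.web.http.redirections.entryPoint) in the static configuration does the same without a middleware.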
Official minor-version migration documentation
References
- Deploying Traefik 2.3 on Kubernetes
- Official Kubernetes deployment documentation










