Deploying Traefik 2.5 on Kubernetes

0. Preface

This article does not cover the Gateway API, because it is still an experimental feature.

The Traefik basics were covered in earlier articles. This one only looks at a fresh install of version 2.5, with notes on how the installation differs across Kubernetes versions.

1. System environment

Traefik version: 2.5.6
Kubernetes version: 1.19
2. Helm install

2.1 Requirements

Kubernetes 1.14+
Helm 3.x

2.2 Installation

Add the Traefik chart repository:

```shell
helm repo add traefik https://helm.traefik.io/traefik
```

Update the repository index:

```shell
helm repo update
```

Install with Helm:

```shell
helm install traefik traefik/traefik
```

See values.yaml for the other customisation options.

Official Helm installation documentation
3. Manual install

3.1 Create the CRDs

Pay attention to your Kubernetes version here: apiextensions.k8s.io/v1beta1 has been deprecated since Kubernetes 1.16 and was removed entirely in 1.22.

For Kubernetes 1.16 and later, use apiextensions.k8s.io/v1.
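Because applying a CRD manifest written for the wrong apiextensions version fails only at apply time, a pre-flight check is worth having. The script below is an added example, not part of the original post or of Traefik: it reads the top-level apiVersion of every CustomResourceDefinition in a manifest file, compares it with the cluster's Kubernetes minor version (fetched from the /version endpoint; the file name and the 1.16/1.22 boundaries are the ones this article states), and only then runs kubectl apply.

```shell
#!/bin/sh
# Added example, not from the original post: check a Traefik CRD manifest
# against the cluster's Kubernetes minor version before applying it.
# apiextensions.k8s.io/v1 needs Kubernetes 1.16+; v1beta1 was removed in 1.22.
# The check functions read a plain file, so they can be exercised offline;
# only the guarded block at the end talks to a cluster through kubectl.

# Print the distinct CRD apiVersions used in a manifest, one per line.
# Only unindented "apiVersion:" lines count, so the nested apiVersion
# property inside each OpenAPI schema is ignored.
crd_api_versions() {
    grep -E '^apiVersion:[[:space:]]*apiextensions\.k8s\.io/' "$1" \
        | sed -E 's/^apiVersion:[[:space:]]*//' | sort -u
}

# Count the CustomResourceDefinition documents in a manifest (prints 0 if none).
crd_count() {
    grep -c -E '^kind:[[:space:]]*CustomResourceDefinition[[:space:]]*$' "$1" || true
}

# Extract the minor version from a gitVersion string such as "v1.19.16".
minor_from_version() {
    printf '%s\n' "$1" | sed -E 's/^v?[0-9]+\.([0-9]+).*$/\1/'
}

# Return 0 when every CRD in file $1 can be served by a cluster running
# Kubernetes 1.$2, otherwise print the reason on stderr and return 1.
crd_manifest_compatible() {
    _file=$1
    _minor=$2
    [ "$(crd_count "$_file")" -gt 0 ] || { echo "no CustomResourceDefinition found in $_file" >&2; return 1; }
    for _v in $(crd_api_versions "$_file"); do
        case "$_v" in
            apiextensions.k8s.io/v1)
                [ "$_minor" -ge 16 ] || { echo "v1 CRDs need Kubernetes 1.16+, cluster is 1.$_minor" >&2; return 1; } ;;
            apiextensions.k8s.io/v1beta1)
                [ "$_minor" -le 21 ] || { echo "v1beta1 CRDs were removed in Kubernetes 1.22, cluster is 1.$_minor" >&2; return 1; } ;;
            *)
                echo "unexpected CRD apiVersion $_v in $_file" >&2; return 1 ;;
        esac
    done
    return 0
}

# Usage: sh check-crd.sh 00-traefik-v2.5-crd.yaml  (needs kubectl access to the cluster)
if [ -n "${1:-}" ] && command -v kubectl >/dev/null 2>&1; then
    # /version is a stable endpoint; sed pulls gitVersion out of its JSON without jq.
    _server=$(kubectl get --raw /version | sed -n 's/.*"gitVersion": *"\([^"]*\)".*/\1/p')
    if crd_manifest_compatible "$1" "$(minor_from_version "$_server")"; then
        echo "$(crd_count "$1") CRD(s) in $1 are compatible with Kubernetes $_server, applying"
        kubectl apply -f "$1"
    else
        exit 1
    fi
fi
```

The script refuses a v1 manifest on clusters older than 1.16 and a v1beta1 manifest on 1.22 or newer, which is exactly the mismatch this section warns about.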
00-traefik-v2.5-crd.yaml

```yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: IngressRoute
    listKind: IngressRouteList
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: IngressRoute is an Ingress CRD specification.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IngressRouteSpec is a specification for a IngressRouteSpec
              resource.
            properties:
              entryPoints:
                items:
                  type: string
                type: array
              routes:
                items:
                  description: Route contains the set of routes.
                  properties:
                    kind:
                      enum:
                      - Rule
                      type: string
                    match:
                      type: string
                    middlewares:
                      items:
                        description: MiddlewareRef is a ref to the Middleware resources.
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                        required:
                        - name
                        type: object
                      type: array
                    priority:
                      type: integer
                    services:
                      items:
                        description: Service defines an upstream to proxy traffic.
                        properties:
                          kind:
                            enum:
                            - Service
                            - TraefikService
                            type: string
                          name:
                            description: Name is a reference to a Kubernetes Service
                              object (for a load-balancer of servers), or to a TraefikService
                              object (service load-balancer, mirroring, etc). The
                              differentiation between the two is specified in the
                              Kind field.
                            type: string
                          namespace:
                            type: string
                          passHostHeader:
                            type: boolean
                          port:
                            anyOf:
                            - type: integer
                            - type: string
                            x-kubernetes-int-or-string: true
                          responseForwarding:
                            description: ResponseForwarding holds configuration for
                              the forward of the response.
                            properties:
                              flushInterval:
                                type: string
                            type: object
                          scheme:
                            type: string
                          serversTransport:
                            type: string
                          sticky:
                            description: Sticky holds the sticky configuration.
                            properties:
                              cookie:
                                description: Cookie holds the sticky configuration
                                  based on cookie.
                                properties:
                                  httpOnly:
                                    type: boolean
                                  name:
                                    type: string
                                  sameSite:
                                    type: string
                                  secure:
                                    type: boolean
                                type: object
                            type: object
                          strategy:
                            type: string
                          weight:
                            description: Weight should only be specified when Name
                              references a TraefikService object (and to be precise,
                              one that embeds a Weighted Round Robin).
                            type: integer
                        required:
                        - name
                        type: object
                      type: array
                  required:
                  - kind
                  - match
                  type: object
                type: array
              tls:
                description: "TLS contains the TLS certificates configuration of the
                  routes. To enable Let's Encrypt, use an empty TLS struct, e.g. in
                  YAML: \n \t tls: {} # inline format \n \t tls: \t secretName:
                  # block format"
                properties:
                  certResolver:
                    type: string
                  domains:
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
                        main:
                          type: string
                        sans:
                          items:
                            type: string
                          type: array
                      type: object
                    type: array
                  options:
                    description: Options is a reference to a TLSOption, that specifies
                      the parameters of the TLS connection.
                    properties:
                      name:
                        type: string
                      namespace:
                        type: string
                    required:
                    - name
                    type: object
                  secretName:
                    description: SecretName is the name of the referenced Kubernetes
                      Secret to specify the certificate details.
                    type: string
                  store:
                    description: Store is a reference to a TLSStore, that specifies
                      the parameters of the TLS store.
                    properties:
                      name:
                        type: string
                      namespace:
                        type: string
                    required:
                    - name
                    type: object
                type: object
            required:
            - routes
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: IngressRouteTCP
    listKind: IngressRouteTCPList
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: IngressRouteTCP is an Ingress CRD specification.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IngressRouteTCPSpec is a specification for a IngressRouteTCPSpec
              resource.
            properties:
              entryPoints:
                items:
                  type: string
                type: array
              routes:
                items:
                  description: RouteTCP contains the set of routes.
                  properties:
                    match:
                      type: string
                    middlewares:
                      description: Middlewares contains references to MiddlewareTCP
                        resources.
                      items:
                        description: ObjectReference is a generic reference to a Traefik
                          resource.
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                        required:
                        - name
                        type: object
                      type: array
                    services:
                      items:
                        description: ServiceTCP defines an upstream to proxy traffic.
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                          port:
                            anyOf:
                            - type: integer
                            - type: string
                            x-kubernetes-int-or-string: true
                          proxyProtocol:
                            description: ProxyProtocol holds the ProxyProtocol configuration.
                            properties:
                              version:
                                type: integer
                            type: object
                          terminationDelay:
                            type: integer
                          weight:
                            type: integer
                        required:
                        - name
                        - port
                        type: object
                      type: array
                  required:
                  - match
                  type: object
                type: array
              tls:
                description: "TLSTCP contains the TLS certificates configuration of
                  the routes. To enable Let's Encrypt, use an empty TLS struct, e.g.
                  in YAML: \n \t tls: {} # inline format \n \t tls: \t secretName:
                  # block format"
                properties:
                  certResolver:
                    type: string
                  domains:
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
                        main:
                          type: string
                        sans:
                          items:
                            type: string
                          type: array
                      type: object
                    type: array
                  options:
                    description: Options is a reference to a TLSOption, that specifies
                      the parameters of the TLS connection.
                    properties:
                      name:
                        type: string
                      namespace:
                        type: string
                    required:
                    - name
                    type: object
                  passthrough:
                    type: boolean
                  secretName:
                    description: SecretName is the name of the referenced Kubernetes
                      Secret to specify the certificate details.
                    type: string
                  store:
                    description: Store is a reference to a TLSStore, that specifies
                      the parameters of the TLS store.
                    properties:
                      name:
                        type: string
                      namespace:
                        type: string
                    required:
                    - name
                    type: object
                type: object
            required:
            - routes
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: ingressrouteudps.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: IngressRouteUDP
    listKind: IngressRouteUDPList
    plural: ingressrouteudps
    singular: ingressrouteudp
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: IngressRouteUDP is an Ingress CRD specification.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IngressRouteUDPSpec is a specification for a IngressRouteUDPSpec
              resource.
            properties:
              entryPoints:
                items:
                  type: string
                type: array
              routes:
                items:
                  description: RouteUDP contains the set of routes.
                  properties:
                    services:
                      items:
                        description: ServiceUDP defines an upstream to proxy traffic.
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                          port:
                            anyOf:
                            - type: integer
                            - type: string
                            x-kubernetes-int-or-string: true
                          weight:
                            type: integer
                        required:
                        - name
                        - port
                        type: object
                      type: array
                  type: object
                type: array
            required:
            - routes
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: Middleware
    listKind: MiddlewareList
    plural: middlewares
    singular: middleware
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: Middleware is a specification for a Middleware resource.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: MiddlewareSpec holds the Middleware configuration.
            properties:
              addPrefix:
                description: AddPrefix holds the AddPrefix configuration.
                properties:
                  prefix:
                    type: string
                type: object
              basicAuth:
                description: BasicAuth holds the HTTP basic authentication configuration.
                properties:
                  headerField:
                    type: string
                  realm:
                    type: string
                  removeHeader:
                    type: boolean
                  secret:
                    type: string
                type: object
              buffering:
                description: Buffering holds the request/response buffering configuration.
                properties:
                  maxRequestBodyBytes:
                    format: int64
                    type: integer
                  maxResponseBodyBytes:
                    format: int64
                    type: integer
                  memRequestBodyBytes:
                    format: int64
                    type: integer
                  memResponseBodyBytes:
                    format: int64
                    type: integer
                  retryExpression:
                    type: string
                type: object
              chain:
                description: Chain holds a chain of middlewares.
                properties:
                  middlewares:
                    items:
                      description: MiddlewareRef is a ref to the Middleware resources.
                      properties:
                        name:
                          type: string
                        namespace:
                          type: string
                      required:
                      - name
                      type: object
                    type: array
                type: object
              circuitBreaker:
                description: CircuitBreaker holds the circuit breaker configuration.
                properties:
                  expression:
                    type: string
                type: object
              compress:
                description: Compress holds the compress configuration.
                properties:
                  excludedContentTypes:
                    items:
                      type: string
                    type: array
                type: object
              contentType:
                description: ContentType middleware - or rather its unique `autoDetect`
                  option - specifies whether to let the `Content-Type` header, if
                  it has not been set by the backend, be automatically set to a value
                  derived from the contents of the response. As a proxy, the default
                  behavior should be to leave the header alone, regardless of what
                  the backend did with it. However, the historic default was to always
                  auto-detect and set the header if it was nil, and it is going to
                  be kept that way in order to support users currently relying on
                  it. This middleware exists to enable the correct behavior until
                  at least the default one can be changed in a future version.
                properties:
                  autoDetect:
                    type: boolean
                type: object
              digestAuth:
                description: DigestAuth holds the Digest HTTP authentication configuration.
                properties:
                  headerField:
                    type: string
                  realm:
                    type: string
                  removeHeader:
                    type: boolean
                  secret:
                    type: string
                type: object
              errors:
                description: ErrorPage holds the custom error page configuration.
                properties:
                  query:
                    type: string
                  service:
                    description: Service defines an upstream to proxy traffic.
                    properties:
                      kind:
                        enum:
                        - Service
                        - TraefikService
                        type: string
                      name:
                        description: Name is a reference to a Kubernetes Service object
                          (for a load-balancer of servers), or to a TraefikService
                          object (service load-balancer, mirroring, etc). The differentiation
                          between the two is specified in the Kind field.
                        type: string
                      namespace:
                        type: string
                      passHostHeader:
                        type: boolean
                      port:
                        anyOf:
                        - type: integer
                        - type: string
                        x-kubernetes-int-or-string: true
                      responseForwarding:
                        description: ResponseForwarding holds configuration for the
                          forward of the response.
                        properties:
                          flushInterval:
                            type: string
                        type: object
                      scheme:
                        type: string
                      serversTransport:
                        type: string
                      sticky:
                        description: Sticky holds the sticky configuration.
                        properties:
                          cookie:
                            description: Cookie holds the sticky configuration based
                              on cookie.
                            properties:
                              httpOnly:
                                type: boolean
                              name:
                                type: string
                              sameSite:
                                type: string
                              secure:
                                type: boolean
                            type: object
                        type: object
                      strategy:
                        type: string
                      weight:
                        description: Weight should only be specified when Name references
                          a TraefikService object (and to be precise, one that embeds
                          a Weighted Round Robin).
                        type: integer
                    required:
                    - name
                    type: object
                  status:
                    items:
                      type: string
                    type: array
                type: object
              forwardAuth:
                description: ForwardAuth holds the http forward authentication configuration.
                properties:
                  address:
                    type: string
                  authRequestHeaders:
                    items:
                      type: string
                    type: array
                  authResponseHeaders:
                    items:
                      type: string
                    type: array
                  authResponseHeadersRegex:
                    type: string
                  tls:
                    description: ClientTLS holds TLS specific configurations as client.
                    properties:
                      caOptional:
                        type: boolean
                      caSecret:
                        type: string
                      certSecret:
                        type: string
                      insecureSkipVerify:
                        type: boolean
                    type: object
                  trustForwardHeader:
                    type: boolean
                type: object
              headers:
                description: Headers holds the custom header configuration.
                properties:
                  accessControlAllowCredentials:
                    description: AccessControlAllowCredentials is only valid if true.
                      false is ignored.
                    type: boolean
                  accessControlAllowHeaders:
                    description: AccessControlAllowHeaders must be used in response
                      to a preflight request with Access-Control-Request-Headers set.
                    items:
                      type: string
                    type: array
                  accessControlAllowMethods:
                    description: AccessControlAllowMethods must be used in response
                      to a preflight request with Access-Control-Request-Method set.
                    items:
                      type: string
                    type: array
                  accessControlAllowOriginList:
                    description: AccessControlAllowOriginList is a list of allowable
                      origins. Can also be a wildcard origin "*".
                    items:
                      type: string
                    type: array
                  accessControlAllowOriginListRegex:
                    description: AccessControlAllowOriginListRegex is a list of allowable
                      origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/).
                    items:
                      type: string
                    type: array
                  accessControlExposeHeaders:
                    description: AccessControlExposeHeaders sets valid headers for
                      the response.
                    items:
                      type: string
                    type: array
                  accessControlMaxAge:
                    description: AccessControlMaxAge sets the time that a preflight
                      request may be cached.
                    format: int64
                    type: integer
                  addVaryHeader:
                    description: AddVaryHeader controls if the Vary header is automatically
                      added/updated when the AccessControlAllowOriginList is set.
                    type: boolean
                  allowedHosts:
                    items:
                      type: string
                    type: array
                  browserXssFilter:
                    type: boolean
                  contentSecurityPolicy:
                    type: string
                  contentTypeNosniff:
                    type: boolean
                  customBrowserXSSValue:
                    type: string
                  customFrameOptionsValue:
                    type: string
                  customRequestHeaders:
                    additionalProperties:
                      type: string
                    type: object
                  customResponseHeaders:
                    additionalProperties:
                      type: string
                    type: object
                  featurePolicy:
                    description: 'Deprecated: use PermissionsPolicy instead.'
                    type: string
                  forceSTSHeader:
                    type: boolean
                  frameDeny:
                    type: boolean
                  hostsProxyHeaders:
                    items:
                      type: string
                    type: array
                  isDevelopment:
                    type: boolean
                  permissionsPolicy:
                    type: string
                  publicKey:
                    type: string
                  referrerPolicy:
                    type: string
                  sslForceHost:
                    description: 'Deprecated: use RedirectRegex instead.'
                    type: boolean
                  sslHost:
                    description: 'Deprecated: use RedirectRegex instead.'
                    type: string
                  sslProxyHeaders:
                    additionalProperties:
                      type: string
                    type: object
                  sslRedirect:
                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
                      instead.'
                    type: boolean
                  sslTemporaryRedirect:
                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
                      instead.'
                    type: boolean
                  stsIncludeSubdomains:
                    type: boolean
                  stsPreload:
                    type: boolean
                  stsSeconds:
                    format: int64
                    type: integer
                type: object
              inFlightReq:
                description: InFlightReq limits the number of requests being processed
                  and served concurrently.
                properties:
                  amount:
                    format: int64
                    type: integer
                  sourceCriterion:
                    description: SourceCriterion defines what criterion is used to
                      group requests as originating from a common source. If none
                      are set, the default is to use the request's remote address
                      field. All fields are mutually exclusive.
                    properties:
                      ipStrategy:
                        description: IPStrategy holds the ip strategy configuration.
                        properties:
                          depth:
                            type: integer
                          excludedIPs:
                            items:
                              type: string
                            type: array
                        type: object
                      requestHeaderName:
                        type: string
                      requestHost:
                        type: boolean
                    type: object
                type: object
              ipWhiteList:
                description: IPWhiteList holds the ip white list configuration.
                properties:
                  ipStrategy:
                    description: IPStrategy holds the ip strategy configuration.
                    properties:
                      depth:
                        type: integer
                      excludedIPs:
                        items:
                          type: string
                        type: array
                    type: object
                  sourceRange:
                    items:
                      type: string
                    type: array
                type: object
              passTLSClientCert:
                description: PassTLSClientCert holds the TLS client cert headers configuration.
                properties:
                  info:
                    description: TLSClientCertificateInfo holds the client TLS certificate
                      info configuration.
                    properties:
                      issuer:
                        description: TLSClientCertificateDNInfo holds the client TLS
                          certificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739
                        properties:
                          commonName:
                            type: boolean
                          country:
                            type: boolean
                          domainComponent:
                            type: boolean
                          locality:
                            type: boolean
                          organization:
                            type: boolean
                          province:
                            type: boolean
                          serialNumber:
                            type: boolean
                        type: object
                      notAfter:
                        type: boolean
                      notBefore:
                        type: boolean
                      sans:
                        type: boolean
                      serialNumber:
                        type: boolean
                      subject:
                        description: TLSClientCertificateDNInfo holds the client TLS
                          certificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739
                        properties:
                          commonName:
                            type: boolean
                          country:
                            type: boolean
                          domainComponent:
                            type: boolean
                          locality:
                            type: boolean
                          organization:
                            type: boolean
                          province:
                            type: boolean
                          serialNumber:
                            type: boolean
                        type: object
                    type: object
                  pem:
                    type: boolean
                type: object
              plugin:
                additionalProperties:
                  x-kubernetes-preserve-unknown-fields: true
                type: object
              rateLimit:
                description: RateLimit holds the rate limiting configuration for a
                  given router.
                properties:
                  average:
                    format: int64
                    type: integer
                  burst:
                    format: int64
                    type: integer
                  period:
                    anyOf:
                    - type: integer
                    - type: string
                    x-kubernetes-int-or-string: true
                  sourceCriterion:
                    description: SourceCriterion defines what criterion is used to
                      group requests as originating from a common source. If none
                      are set, the default is to use the request's remote address
                      field. All fields are mutually exclusive.
                    properties:
                      ipStrategy:
                        description: IPStrategy holds the ip strategy configuration.
                        properties:
                          depth:
                            type: integer
                          excludedIPs:
                            items:
                              type: string
                            type: array
                        type: object
                      requestHeaderName:
                        type: string
                      requestHost:
                        type: boolean
                    type: object
                type: object
              redirectRegex:
                description: RedirectRegex holds the redirection configuration.
                properties:
                  permanent:
                    type: boolean
                  regex:
                    type: string
                  replacement:
                    type: string
                type: object
              redirectScheme:
                description: RedirectScheme holds the scheme redirection configuration.
                properties:
                  permanent:
                    type: boolean
                  port:
                    type: string
                  scheme:
                    type: string
                type: object
              replacePath:
                description: ReplacePath holds the ReplacePath configuration.
                properties:
                  path:
                    type: string
                type: object
              replacePathRegex:
                description: ReplacePathRegex holds the ReplacePathRegex configuration.
                properties:
                  regex:
                    type: string
                  replacement:
                    type: string
                type: object
              retry:
                description: Retry holds the retry configuration.
                properties:
                  attempts:
                    type: integer
                  initialInterval:
                    anyOf:
                    - type: integer
                    - type: string
                    x-kubernetes-int-or-string: true
                type: object
              stripPrefix:
                description: StripPrefix holds the StripPrefix configuration.
                properties:
                  forceSlash:
                    type: boolean
                  prefixes:
                    items:
                      type: string
                    type: array
                type: object
              stripPrefixRegex:
                description: StripPrefixRegex holds the StripPrefixRegex configuration.
                properties:
                  regex:
                    items:
                      type: string
                    type: array
                type: object
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: middlewaretcps.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: MiddlewareTCP
    listKind: MiddlewareTCPList
    plural: middlewaretcps
    singular: middlewaretcp
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: MiddlewareTCP is a specification for a MiddlewareTCP resource.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: MiddlewareTCPSpec holds the MiddlewareTCP configuration.
            properties:
              ipWhiteList:
                description: TCPIPWhiteList holds the TCP ip white list configuration.
                properties:
                  sourceRange:
                    items:
                      type: string
                    type: array
                type: object
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: serverstransports.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: ServersTransport
    listKind: ServersTransportList
    plural: serverstransports
    singular: serverstransport
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ServersTransport is a specification for a ServersTransport resource.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ServersTransportSpec options to configure communication between
              Traefik and the servers.
            properties:
              certificatesSecrets:
                description: Certificates for mTLS.
                items:
                  type: string
                type: array
              disableHTTP2:
                description: Disable HTTP/2 for connections with backend servers.
                type: boolean
              forwardingTimeouts:
                description: Timeouts for requests forwarded to the backend servers.
                properties:
                  dialTimeout:
                    anyOf:
                    - type: integer
                    - type: string
                    description: The amount of time to wait until a connection to
                      a backend server can be established. If zero, no timeout exists.
                    x-kubernetes-int-or-string: true
                  idleConnTimeout:
                    anyOf:
                    - type: integer
                    - type: string
                    description: The maximum period for which an idle HTTP keep-alive
                      connection will remain open before closing itself.
                    x-kubernetes-int-or-string: true
                  responseHeaderTimeout:
                    anyOf:
                    - type: integer
                    - type: string
                    description: The amount of time to wait for a server's response
                      headers after fully writing the request (including its body,
                      if any). If zero, no timeout exists.
                    x-kubernetes-int-or-string: true
                type: object
              insecureSkipVerify:
                description: Disable SSL certificate verification.
                type: boolean
              maxIdleConnsPerHost:
                description: If non-zero, controls the maximum idle (keep-alive) to
                  keep per-host. If zero, DefaultMaxIdleConnsPerHost is used.
                type: integer
              peerCertURI:
                description: URI used to match against SAN URI during the peer certificate
                  verification.
                type: string
              rootCAsSecrets:
                description: Add cert file for self-signed certificate.
                items:
                  type: string
                type: array
              serverName:
                description: ServerName used to contact the server.
                type: string
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: TLSOption
    listKind: TLSOptionList
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: TLSOption is a specification for a TLSOption resource.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: TLSOptionSpec configures TLS for an entry point.
            properties:
              alpnProtocols:
                items:
                  type: string
                type: array
              cipherSuites:
                items:
                  type: string
                type: array
              clientAuth:
                description: ClientAuth defines the parameters of the client authentication
                  part of the TLS connection, if any.
                properties:
                  clientAuthType:
                    description: ClientAuthType defines the client authentication
                      type to apply.
                    enum:
                    - NoClientCert
                    - RequestClientCert
                    - RequireAnyClientCert
                    - VerifyClientCertIfGiven
                    - RequireAndVerifyClientCert
                    type: string
                  secretNames:
                    description: SecretName is the name of the referenced Kubernetes
                      Secret to specify the certificate details.
                    items:
                      type: string
                    type: array
                type: object
              curvePreferences:
                items:
                  type: string
                type: array
              maxVersion:
                type: string
              minVersion:
                type: string
              preferServerCipherSuites:
                type: boolean
              sniStrict:
                type: boolean
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: tlsstores.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: TLSStore
    listKind: TLSStoreList
    plural: tlsstores
    singular: tlsstore
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: TLSStore is a specification for a TLSStore resource.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: TLSStoreSpec configures a TLSStore resource.
            properties:
              defaultCertificate:
                description: DefaultCertificate holds a secret name for the TLSOption
                  resource.
                properties:
                  secretName:
                    description: SecretName is the name of the referenced Kubernetes
                      Secret to specify the certificate details.
                    type: string
                required:
                - secretName
                type: object
            required:
            - defaultCertificate
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: traefikservices.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: TraefikService
    listKind: TraefikServiceList
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: TraefikService is the specification for a service (that an IngressRoute
          refers to) that is usually not a terminal service (i.e. not a pod of servers),
          as opposed to a Kubernetes Service. That is to say, it usually refers to
          other (children) services, which themselves can be TraefikServices or Services.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ServiceSpec defines whether a TraefikService is a load-balancer
              of services or a mirroring service.
            properties:
              mirroring:
                description: Mirroring defines a mirroring service, which is composed
                  of a main load-balancer, and a list of mirrors.
                properties:
                  kind:
                    enum:
                    - Service
                    - TraefikService
                    type: string
                  maxBodySize:
                    format: int64
                    type: integer
                  mirrors:
                    items:
                      description: MirrorService defines one of the mirrors of a Mirroring
                        service.
                      properties:
                        kind:
                          enum:
                          - Service
                          - TraefikService
                          type: string
                        name:
                          description: Name is a reference to a Kubernetes Service
                            object (for a load-balancer of servers), or to a TraefikService
                            object (service load-balancer, mirroring, etc). The differentiation
                            between the two is specified in the Kind field.
                          type: string
                        namespace:
                          type: string
                        passHostHeader:
                          type: boolean
                        percent:
                          type: integer
                        port:
                          anyOf:
                          - type: integer
                          - type: string
                          x-kubernetes-int-or-string: true
                        responseForwarding:
                          description: ResponseForwarding holds configuration for
                            the forward of the response.
                          properties:
                            flushInterval:
                              type: string
                          type: object
                        scheme:
                          type: string
                        serversTransport:
                          type: string
                        sticky:
                          description: Sticky holds the sticky configuration.
                          properties:
                            cookie:
                              description: Cookie holds the sticky configuration based
                                on cookie.
                              properties:
                                httpOnly:
                                  type: boolean
                                name:
                                  type: string
                                sameSite:
                                  type: string
                                secure:
                                  type: boolean
                              type: object
                          type: object
                        strategy:
                          type: string
                        weight:
                          description: Weight should only be specified when Name references
                            a TraefikService object (and to be precise, one that embeds
                            a Weighted Round Robin).
                          type: integer
                      required:
                      - name
                      type: object
                    type: array
                  name:
                    description: Name is a reference to a Kubernetes Service object
                      (for a load-balancer of servers), or to a TraefikService object
                      (service load-balancer, mirroring, etc). The differentiation
                      between the two is specified in the Kind field.
                    type: string
                  namespace:
                    type: string
                  passHostHeader:
                    type: boolean
                  port:
                    anyOf:
                    - type: integer
                    - type: string
                    x-kubernetes-int-or-string: true
                  responseForwarding:
                    description: ResponseForwarding holds configuration for the forward
                      of the response.
                    properties:
                      flushInterval:
                        type: string
                    type: object
                  scheme:
                    type: string
                  serversTransport:
                    type: string
                  sticky:
                    description: Sticky holds the sticky configuration.
                    properties:
                      cookie:
                        description: Cookie holds the sticky configuration based on
                          cookie.
                        properties:
                          httpOnly:
                            type: boolean
                          name:
                            type: string
                          sameSite:
                            type: string
                          secure:
                            type: boolean
                        type: object
                    type: object
                  strategy:
                    type: string
                  weight:
                    description: Weight should only be specified when Name references
                      a TraefikService object (and to be precise, one that embeds
                      a Weighted Round Robin).
                    type: integer
                required:
                - name
                type: object
              weighted:
                description: WeightedRoundRobin defines a load-balancer of services.
                properties:
                  services:
                    items:
                      description: Service defines an upstream to proxy traffic.
                      properties:
                        kind:
                          enum:
                          - Service
                          - TraefikService
                          type: string
                        name:
                          description: Name is a reference to a Kubernetes Service
                            object (for a load-balancer of servers), or to a TraefikService
                            object (service load-balancer, mirroring, etc). The differentiation
                            between the two is specified in the Kind field.
                          type: string
                        namespace:
                          type: string
                        passHostHeader:
                          type: boolean
                        port:
                          anyOf:
                          - type: integer
                          - type: string
                          x-kubernetes-int-or-string: true
                        responseForwarding:
                          description: ResponseForwarding holds configuration for
                            the forward of the response.
                          properties:
                            flushInterval:
                              type: string
                          type: object
                        scheme:
                          type: string
                        serversTransport:
                          type: string
                        sticky:
                          description: Sticky holds the sticky configuration.
                          properties:
                            cookie:
                              description: Cookie holds the sticky configuration based
                                on cookie.
                              properties:
                                httpOnly:
                                  type: boolean
                                name:
                                  type: string
                                sameSite:
                                  type: string
                                secure:
                                  type: boolean
                              type: object
                          type: object
                        strategy:
                          type: string
                        weight:
                          description: Weight should only be specified when Name references
```
a TraefikService object (and to be precise, one that embeds
a Weighted Round Robin).
type integer
required
name
type object
type array
sticky
description Sticky holds the sticky configuration.
properties
cookie
description Cookie holds the sticky configuration based on
cookie.
properties
httpOnly
type boolean
name
type string
sameSite
type string
secure
type boolean
type object
type object
type object
type object
required
metadata
spec
type object
servedtrue
storagetrue
status
acceptedNames
kind""
plural""
conditions
storedVersions
Official CRD documentation
3.2 Create the RBAC
Starting from the official configuration, I added the namespace kube-system and a serviceaccount; both of these can be set as you prefer.
01-traefik-v2.5-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - middlewaretcps
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
Official RBAC documentation
3.3 Create the Traefik configuration file
The configuration is supplied through a configmap; the commonly used parameters are explained in the comments. Two providers are enabled, each with an ingressclass.
02-traefik-v2.5-config-cm.yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-config
  namespace: kube-system
data:
  traefik.yaml: |-
    serversTransport:
      insecureSkipVerify: true          ## Traefik skips TLS certificate verification for the backends it proxies
    api:
      insecure: true                    ## allow the API to be reached over plain HTTP
      dashboard: true                   ## enable the dashboard
      debug: false                      ## enable debug mode
    metrics:
      prometheus:                       ## expose Prometheus metrics with the default settings
        entryPoint: metrics
    entryPoints:
      web:
        address: ":80"                  ## port 80, entrypoint named web
      websecure:
        address: ":443"                 ## port 443, entrypoint named websecure
      traefik:
        address: ":8090"                ## port 8090, entrypoint named traefik (serves the dashboard)
      metrics:
        address: ":8082"                ## port 8082, entrypoint for metrics collection
      tcp:
        address: ":8379"                ## port 8379, entrypoint for TCP traffic
    providers:
      kubernetesCRD:                    ## enable routing rules defined through Kubernetes CRDs
        ingressClass: traefik-gs-v2.5
      kubernetesIngress:                ## enable routing rules defined through Kubernetes Ingress
        ingressClass: traefik-gs-v2.5
    log:
      filePath: "/etc/traefik/logs/traefik.log"   ## log file path; if empty, logs go to the console
      level: error                      ## log level
      format: "common"                  ## log format
    accessLog:
      filePath: "/etc/traefik/logs/access.log"    ## access log file path; if empty, logs go to the console
      format: "common"                  ## access log format
      bufferingSize: 0                  ## number of access log lines to buffer
      filters:
        #statusCodes: ["200"]           ## keep only access logs whose status code is in the given range
        retryAttempts: true             ## keep access logs for requests that were retried after a failure
        minDuration: 20                 ## keep access logs for requests that took longer than this duration
      fields:                           ## whether each access log field is kept (keep) or dropped (drop)
        defaultMode: keep               ## keep fields by default
        names:                          ## per-field overrides
          ClientUsername: drop
        headers:                        ## whether header fields are kept
          defaultMode: keep             ## keep header fields by default
          names:                        ## per-header overrides
            #User-Agent: redact         ## a specific header can also be redacted
            Authorization: drop
            Content-Type: keep
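The configmap above reaches the dashboard through `api.insecure: true` on the `traefik` entrypoint (port 8090), which with the hostNetwork daemonset in the next section means an unauthenticated dashboard on every selected node. The following manifests are an added example, not code from the original post or from the Traefik project, showing the alternative the Traefik docs describe: keep `api.dashboard` on, turn `api.insecure` off, and publish the built-in `api@internal` service through an IngressRoute on `websecure` behind a basicAuth middleware. Assumed values are the hostname traefik.example.com, the Secret names dashboard-users and traefik-dashboard-tls, and the htpasswd hash, which is a placeholder.

```yaml
# Added example: dashboard behind authentication and TLS instead of api.insecure.
# Only the static-config keys that change are shown; merge them into the page's
# traefik.yaml and leave the rest (entryPoints, providers, logs) as it is.
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-config
  namespace: kube-system
data:
  traefik.yaml: |-
    api:
      dashboard: true
      insecure: false        ## dashboard is now only reachable through a router
---
# Credentials for the basicAuth middleware: one htpasswd line per user.
# Generate the hash with `htpasswd -nb admin '<password>'`; the value here is a placeholder.
apiVersion: v1
kind: Secret
metadata:
  name: dashboard-users
  namespace: kube-system
type: Opaque
stringData:
  users: |
    admin:$apr1$PLACEHOLDER$replace-with-a-real-htpasswd-hash
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
  namespace: kube-system
spec:
  basicAuth:
    secret: dashboard-users
---
# Route api@internal only over websecure, behind the middleware.
# The ingress.class annotation is required because the kubernetesCRD provider
# on this page is configured with ingressClass: traefik-gs-v2.5.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik-gs-v2.5
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`traefik.example.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      middlewares:
        - name: dashboard-auth
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    secretName: traefik-dashboard-tls   ## assumed kubernetes.io/tls Secret with the certificate
```

With `api.insecure` off, the `traefik` entrypoint on 8090 and the `admin` container port in the daemonset no longer serve anything and can be removed, which also removes the 8090 hostNetwork listener from the nodes.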
3.4 Deploy Traefik
Deployed as a Daemonset on the host network, to avoid the network performance loss of going through the pod network.
Deployment nodes are selected by node label.
03-traefik-v2.5-ds.yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-v2
  namespace: kube-system
spec:
  ports:
    - name: web
      port: 80
    - name: websecure
      port: 443
    - name: admin
      port: 8090
  selector:
    app: traefik-v2
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: traefik-ingress-controller-v2
  namespace: kube-system
  labels:
    app: traefik-v2
spec:
  selector:
    matchLabels:
      app: traefik-v2
  template:
    metadata:
      annotations:
        prometheus.io/path: /metrics
        prometheus.io/port: "8082"
        prometheus.io/scrape: "true"
      name: traefik-v2
      labels:
        app: traefik-v2
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 1
      containers:
        - image: harbor.foxchan.com/traefik/traefik:v2.5.6
          name: traefik-ingress-lb-v2
          ports:
            - name: web
              containerPort: 80
              hostPort: 80            ## bind the container port to port 80 of the node
            - name: websecure
              containerPort: 443
              hostPort: 443           ## bind the container port to port 443 of the node
            - name: admin
              containerPort: 8090     ## Traefik Dashboard port
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          args:
            - --configfile=/config/traefik.yaml
          volumeMounts:
            - mountPath: "/config"
              name: "config"
            - mountPath: /etc/traefik/logs
              name: logdir
            - mountPath: /etc/localtime
              name: timezone
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: traefik-config
        - name: logdir
          hostPath:
            path: /data/traefik/logs
            type: "DirectoryOrCreate"
        - name: timezone
          hostPath:
            path: /etc/localtime
            type: File
      tolerations:                    ## tolerate every taint so the pod still runs on tainted nodes
        - operator: "Exists"
      hostNetwork: true               ## use the host network for better ingress network performance
      nodeSelector:                   ## node selector: only start on nodes carrying this label
        IngressProxy: "traefik2"
4. Other small requirements
4.1 Log rotation
Traefik has no built-in log rotation; the docs only say that on receiving a USR1 signal it reopens its log files, so rotation is done here with logrotate.
- Create a subdirectory under /etc/logrotate.d (it can of course be created somewhere other than /etc/logrotate.d/ as well)
mkdir -p /etc/logrotate.d/traefik
- Write the logrotate configuration file (the cron job below expects it at /etc/logrotate.d/traefik/traefikLogrotate)
/data/traefik/logs/*.log {
    daily
    rotate 15
    missingok
    notifempty
    compress
    dateext
    dateyesterday
    dateformat .%Y-%m-%d
    create 0644 root root
    postrotate
        # Send USR1 to the traefik container so it reopens the log files (docker runtime assumed)
        docker kill --signal="USR1" $(docker ps | grep traefik | grep -v pause | awk '{print $1}')
    endscript
}
- Add a crontab job (entries in /etc/crontab need a user field, and the redirect must run with root privileges, so append through tee rather than overwriting the file)
echo "0 0 * * * root /usr/sbin/logrotate -f /etc/logrotate.d/traefik/traefikLogrotate >/dev/null 2>&1" | sudo tee -a /etc/crontab >/dev/null
4.2 Timezone
This article sets the timezone by mounting the host's timezone file
volumeMounts:
  - mountPath: /etc/localtime
    name: timezone
    readOnly: true
volumes:
  - name: timezone
    hostPath:
      path: /etc/localtime
      type: File
4.3 Upgrading from an older version
Rough upgrade notes; a dedicated post will record the upgrade steps later.
v2.4 to v2.5
kubernetes CRD
Starting with v2.5, the Traefik CRDs support the new API version apiextensions.k8s.io/v1; take note of this when upgrading.
kubernetes Ingress
Starting with v2.5, Kubernetes v1.22 is supported, and the minimum supported version is v1.14+, so pay attention to the api version: replace extensions/v1beta1 with networking.k8s.io/v1beta1 or networking.k8s.io/v1 (Kubernetes v1.19+).
Kubernetes v1.22 drops networking.k8s.io/v1beta1.
- ### Headers middleware: ssl redirect options
Starting with v2.5 the following parameters are dropped: sslRedirect, sslTemporaryRedirect, sslHost and sslForceHost
- ### Headers middleware: accessControlAllowOrigin
Starting with v2.5, accessControlAllowOrigin is no longer supported
Official minor-version upgrade documentation
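The Ingress apiVersion change above is more than a find-and-replace: networking.k8s.io/v1 requires pathType, moves the backend to backend.service.name/port, and lets the class be expressed as an IngressClass instead of an annotation. The manifests below are an added example, not from the original post or from the Traefik project, showing one Ingress written both ways for the ingressClass traefik-gs-v2.5 that the configmap in 3.3 sets on the kubernetesIngress provider. Assumed values are the host app.example.com and a Service my-app on port 8080.

```yaml
# Added example: the same Ingress before and after the apiVersion migration.
---
# Before: extensions/v1beta1 (removed in Kubernetes 1.22).
# The class is given by annotation; the backend uses serviceName/servicePort.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-app
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik-gs-v2.5
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: my-app
              servicePort: 8080
---
# After: networking.k8s.io/v1 (Kubernetes 1.19+).
# An IngressClass whose controller is traefik.io/ingress-controller lets
# Traefik match spec.ingressClassName against its ingressClass setting.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: traefik-gs-v2.5
spec:
  controller: traefik.io/ingress-controller
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  namespace: default
spec:
  ingressClassName: traefik-gs-v2.5
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix          ## mandatory in v1
            backend:
              service:
                name: my-app
                port:
                  number: 8080
```

The annotation form still works with the v1 Ingress, but the IngressClass object is what the RBAC in 3.2 grants `ingressclasses` read access for, and it is the only form that survives once the v1beta1 API is gone.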
References
- kubernetes deploying traefik 2.3
- Official k8s deployment documentation