Deploy three services, traefik-ui, grafana and prometheus, and expose them through a Traefik reverse proxy.
| service | namespace | domain name | forced https |
|---|---|---|---|
| traefik-ui | traefik | traefik.qyd.com | Y |
| grafana | kube-system | grafana.dfb.com | N |
| prometheus | kube-system | prometheus.qyd.com | Y |

"forced https" means an http request to the host is redirected to https; all three hosts are also served directly on :443.
Related resource YAML:
Create the traefik namespace and mount the Traefik configuration from a ConfigMap.
```shell
# the namespace must exist before the ConfigMap can be created in it
kubectl create namespace traefik
kubectl create cm -n traefik traefik-config --from-file=traefik.toml
```
The resulting ConfigMap (the ConfigMap key is `traefik.toml`, so once mounted under `/etc/traefik/` the file is `/etc/traefik/traefik.toml`):

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-config
  namespace: traefik
data:
  traefik.toml: |
    graceTimeOut = 10
    traefikLogsFile = "/log/traefik.log"
    accessLogsFile = "/log/access.log"
    logLevel = "INFO"
    MaxIdleConnsPerHost = 60
    # Disables certificate verification for every HTTPS backend Traefik talks
    # to. Acceptable for self-signed cluster-internal endpoints, but it means a
    # TLS backend could be impersonated without Traefik noticing; drop it if no
    # backend needs it.
    InsecureSkipVerify = true
    defaultEntryPoints = ["https", "http"]

    [entryPoints]
      [entryPoints.http]
      address = ":80"
        # Only hosts matching this regex are rewritten to https; dfb.com hosts
        # fall through. The dots are unescaped, so "." matches any character.
        [entryPoints.http.redirect]
        regex = "^http://(.*).qyd.com/(.*)"
        replacement = "https://$1.qyd.com/$2"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          # Traefik serves the certificate whose SAN/CN matches the SNI name
          # sent by the client; unmatched names get the default certificate.
          [[entryPoints.https.tls.certificates]]
          certFile = "/ssl/qyd/tls.crt"
          keyFile = "/ssl/qyd/tls.key"
          [[entryPoints.https.tls.certificates]]
          certFile = "/ssl/dfb/tls.crt"
          keyFile = "/ssl/dfb/tls.key"

    [metrics]
      [metrics.prometheus]
      # "traefik" is the entry point created by --api (port 8080), so /metrics
      # is exposed alongside the dashboard.
      entryPoint = "traefik"
```
Obtain certificates for the two domains qyd.com and dfb.com (covering the subdomains used above) and create a Secret for each.
```shell
kubectl create secret generic dfb-tls-cert --from-file=dfb/tls.crt --from-file=dfb/tls.key -n traefik
kubectl create secret generic qyd-tls-cert --from-file=qyd/tls.crt --from-file=qyd/tls.key -n traefik
```
Deploy the traefik-ingress-controller.

```shell
kubectl apply -f rbac.yml
```
```yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: traefik
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: traefik
```
```shell
kubectl apply -f deployment.yml
```
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    k8s-app: traefik-ingress-lb
  name: traefik-ingress-controller
  namespace: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
    spec:
      containers:
        - args:
            # must match the ConfigMap key (traefik.toml) mounted under /etc/traefik/
            - --configFile=/etc/traefik/traefik.toml
            - --api
            - --kubernetes
          image: itanony.com/repository/docker-hosted/test/treafik:v1.7.10
          imagePullPolicy: IfNotPresent
          name: traefik-ingress-lb
          ports:
            - containerPort: 80
              hostPort: 80
              name: http
              protocol: TCP
            - containerPort: 8080
              hostPort: 8080
              name: admin
              protocol: TCP
            - containerPort: 443
              hostPort: 443
              name: https
              protocol: TCP
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /etc/traefik/
              name: config
            - mountPath: /ssl/qyd/
              name: qyd-cert
            - mountPath: /ssl/dfb/
              name: dfb-cert
            - mountPath: /log/
              name: logs
      dnsPolicy: ClusterFirst
      hostNetwork: true
      nodeSelector:
        cpu: high
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: traefik-ingress-controller
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
        - name: qyd-cert
          secret:
            defaultMode: 420
            secretName: qyd-tls-cert
        - name: dfb-cert
          secret:
            defaultMode: 420
            secretName: dfb-tls-cert
        - configMap:
            defaultMode: 420
            name: traefik-config
          name: config
        - hostPath:
            path: /var/log/traefik
            type: ""
          name: logs
```
Remember to change the image address in deployment.yml. Because this is a test setup, a nodeSelector pins the controller to one fixed node and it runs in host network mode (hostNetwork with hostPorts 80, 443 and 8080 bound directly on the node); high availability of the ingress controller is left for later. Two things to keep in mind before reusing this elsewhere: the ClusterRole above lets the controller read every Secret in the cluster, not only the two TLS Secrets in the traefik namespace, which is the standard Traefik 1.7 RBAC but worth knowing; and the `extensions/v1beta1` Deployment/Ingress and `rbac.authorization.k8s.io/v1beta1` API versions used throughout this post were removed in later Kubernetes releases (`apps/v1`, `networking.k8s.io/v1` and `rbac.authorization.k8s.io/v1` are their current equivalents).
Check the pod status:

```shell
kubectl get pods -n traefik
```
Once Traefik is running it listens on port 8080 (the `traefik` entry point enabled by `--api`) and serves a management web UI showing the mapping between frontends and backends together with some basic metrics. That dashboard, and the `/metrics` endpoint configured on the same entry point, carry no authentication by default; since the pod uses hostNetwork, anyone who can reach the node on :8080 can browse them, so either restrict access to that port or put basic auth on the `traefik` entry point.
We create a ClusterIP Service pointing at the dashboard port, plus an Ingress, so that Traefik proxies its own dashboard under the domain traefik.qyd.com.

```shell
kubectl apply -f traefik-web-ui.yml
```
```yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: traefik
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - name: web
      port: 80
      targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: traefik
spec:
  rules:
    - host: traefik.qyd.com
      http:
        paths:
          - path: /
            backend:
              serviceName: traefik-web-ui
              servicePort: web
```
Add a hosts entry on your workstation resolving traefik.qyd.com to the node Traefik is deployed on.

Open it in a browser. The page renders, and a plain http request is automatically redirected to https.
Only proxying prometheus and grafana through the Traefik ingress is covered here; deploying them is documented elsewhere.

Create Ingress objects for prometheus and grafana, proxied by Traefik under prometheus.qyd.com and grafana.dfb.com respectively.

Make sure the namespace, serviceName and servicePort in the YAML match the services in your own cluster.
```shell
kubectl apply -f grafana-ingress.yml
kubectl apply -f prometheus-ingress.yml
```
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: grafana
  namespace: kube-system
spec:
  rules:
    - host: grafana.dfb.com
      http:
        paths:
          - path: /
            backend:
              serviceName: monitoring-grafana
              servicePort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: prometheus
  namespace: kube-system
spec:
  rules:
    - host: prometheus.qyd.com
      http:
        paths:
          - path: /
            backend:
              serviceName: prometheus
              servicePort: prometheus
```
Likewise add hosts entries for the two domains. Both load in the browser: http://prometheus.qyd.com is rewritten to https, while grafana.dfb.com is not rewritten (it is still reachable on :443 with the dfb.com certificate, because ingress frontends attach to both default entry points). That concludes the deployment part.
For HTTPS across multiple domains there is no need to bind a certificate to each Ingress; listing the certificate files under the https entryPoint is enough. Traefik picks the certificate whose Subject Alternative Names (or, as a legacy fallback, Common Name) cover the server name the client sends in the TLS handshake (SNI), so a certificate issued for `*.qyd.com` serves traefik.qyd.com and prometheus.qyd.com, and the dfb.com certificate serves grafana.dfb.com. Note that this is the SNI name, not the HTTP Host header, and that modern browsers ignore the CN entirely, so the certificates must carry SANs. If no certificate matches, Traefik serves its default certificate (the one set under `entryPoints.https.tls.defaultCertificate`, otherwise a generated self-signed one), so a wrong or missing hosts entry shows up as a browser certificate error rather than a routing error.
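To make the matching rule concrete, here is an added example in Go (the language Traefik is written in); it is not Traefik's own code and not part of the original post. It generates two throw-away self-signed certificates standing in for `/ssl/qyd/tls.crt` and `/ssl/dfb/tls.crt`, then selects a certificate for a given SNI name the way an SNI-aware server does: SAN entries first, the legacy CN as a fallback, single-label wildcards, case-insensitive comparison, and the first certificate as the default when nothing matches (using the first entry as the default is this example's simplification; Traefik lets you set one explicitly with `defaultCertificate`). The certificate names and SNI values are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSigned builds a throw-away self-signed certificate: the Subject CN is the
// first name and the SAN list holds all of them. Constructed test data only; it
// stands in for the tls.crt files the post loads from /ssl/qyd and /ssl/dfb.
func selfSigned(names ...string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// certNames lists the DNS names a certificate can serve: the SAN entries plus
// the legacy Subject CN (Traefik 1.7 reads both; browsers only trust SANs).
func certNames(c *x509.Certificate) []string {
	names := append([]string{}, c.DNSNames...)
	if cn := c.Subject.CommonName; cn != "" {
		names = append(names, cn)
	}
	return names
}

// nameMatches applies the TLS host rule: an exact match, or a leading "*."
// wildcard that covers exactly one DNS label. Comparison is case-insensitive.
func nameMatches(pattern, host string) bool {
	pattern, host = strings.ToLower(pattern), strings.ToLower(host)
	if pattern == host {
		return true
	}
	if strings.HasPrefix(pattern, "*.") {
		suffix := pattern[1:] // "*.qyd.com" -> ".qyd.com"
		if !strings.HasSuffix(host, suffix) {
			return false
		}
		label := strings.TrimSuffix(host, suffix)
		return label != "" && !strings.Contains(label, ".")
	}
	return false
}

// pickCertificate chooses among the [[entryPoints.https.tls.certificates]]
// entries for one handshake: the first certificate whose SAN/CN covers the SNI
// server name wins (matched == true); otherwise the first certificate in the
// list is returned as the default (matched == false). The SNI name is what the
// TLS client sent, which need not equal the HTTP Host header.
func pickCertificate(certs []*x509.Certificate, serverName string) (cert *x509.Certificate, matched bool) {
	for _, c := range certs {
		for _, n := range certNames(c) {
			if nameMatches(n, serverName) {
				return c, true
			}
		}
	}
	return certs[0], false
}

func main() {
	certs := []*x509.Certificate{
		selfSigned("qyd.com", "*.qyd.com"), // stands in for /ssl/qyd/tls.crt
		selfSigned("dfb.com", "*.dfb.com"), // stands in for /ssl/dfb/tls.crt
	}
	for _, sni := range []string{"traefik.qyd.com", "Grafana.DFB.com", "other.example"} {
		c, ok := pickCertificate(certs, sni)
		fmt.Printf("SNI %-16s -> certificate for %s (SNI match: %v)\n", sni, c.Subject.CommonName, ok)
	}
}
```

The `matched == false` path is the one that bites in practice: the handshake still completes, but with a certificate for the wrong name, and the browser reports a certificate error.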
In production the same proxy may front domains that must be force-redirected to https and others that must not. Traefik 1.7 offers `entryPoints.http.redirect`, where a regex decides which hosts are rewritten; this feels somewhat inflexible, since the rule lives in the static entry point configuration. A finer-grained option in Traefik 1.7 is the per-Ingress annotation `traefik.ingress.kubernetes.io/redirect-entry-point: https`, which redirects only the frontends that carry it. If you stay with the entry point regex, two details matter: escape the dots and keep the host capture from running past the first `/`, for example `^http://([^/]+)\.qyd\.com/(.*)` (written as `"^http://([^/]+)\\.qyd\\.com/(.*)"` in a TOML basic string, or unchanged inside a single-quoted TOML literal string). Otherwise `.` matches any character and a URL whose path or query happens to contain `.qyd.com/` is redirected as well.
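The following added example (Go, reconstructed for this post; it is not Traefik's source) reproduces the decision an `entryPoints.http.redirect` block makes in Traefik 1.7: the regex is a Go regexp applied with `ReplaceAllString` to the full request URL (`scheme://host/path?query`), and a redirect is issued only when the result differs from the input, so a URL the regex does not touch is passed through to the backend. It runs the rule exactly as written in the post's traefik.toml beside a tightened version over a few constructed request URLs, including two that probe the loose pattern.

```go
package main

import (
	"fmt"
	"regexp"
)

// Redirect models one entryPoints.http.redirect rule: a compiled Go regexp and
// the replacement string whose $1/$2 refer to the capture groups.
type Redirect struct {
	re          *regexp.Regexp
	replacement string
}

func NewRedirect(regex, replacement string) (*Redirect, error) {
	re, err := regexp.Compile(regex)
	if err != nil {
		return nil, err
	}
	return &Redirect{re: re, replacement: replacement}, nil
}

// Apply returns the Location the client would be sent to and true, or the
// untouched URL and false when the request would pass through to the backend.
func (r *Redirect) Apply(rawURL string) (string, bool) {
	out := r.re.ReplaceAllString(rawURL, r.replacement)
	return out, out != rawURL
}

// The rule exactly as written in the post's traefik.toml: unescaped dots, and a
// host capture that may run into the path and query.
const postRegex = `^http://(.*).qyd.com/(.*)`

// A tightened version: dots escaped, and the host capture limited to characters
// before the first "/". In a TOML basic string the backslashes must be doubled.
const strictRegex = `^http://([^/]+)\.qyd\.com/(.*)`

const replacement = "https://$1.qyd.com/$2"

func main() {
	post, _ := NewRedirect(postRegex, replacement)
	strict, _ := NewRedirect(strictRegex, replacement)
	// Constructed request URLs for the example.
	urls := []string{
		"http://traefik.qyd.com/dashboard/",
		"http://prometheus.qyd.com/graph?g0.expr=up",
		"http://grafana.dfb.com/login",
		"http://xqyd.com/",                       // the unescaped "." lets "x" stand in for the dot
		"http://grafana.dfb.com/?next=.qyd.com/", // ".qyd.com/" appears in the query, not the host
	}
	for _, u := range urls {
		loose, lOK := post.Apply(u)
		tight, tOK := strict.Apply(u)
		fmt.Printf("%s\n  as written: redirect=%-5v -> %s\n  tightened:  redirect=%-5v -> %s\n", u, lOK, loose, tOK, tight)
	}
}
```

The two probe URLs show the failure modes: with the rule as written, `http://xqyd.com/` is redirected to the nonsense location `https://.qyd.com/`, and a dfb.com request with `.qyd.com/` in its query string is redirected even though dfb.com hosts were meant to stay on http; the tightened regex passes both through unchanged while still redirecting the qyd.com hosts.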