Traefik & Kubernetes

The Kubernetes Ingress Controller, the custom resource way.

Configuration Examples

Configuring KubernetesCRD and Deploying/Exposing Services
# All resources definition must be declared
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressrouteudps.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteUDP
    plural: ingressrouteudps
    singular: ingressrouteudp
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsstores.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSStore
    plural: tlsstores
    singular: tlsstore
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller

rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      # Cluster-wide read access to every Secret (Traefik needs the TLS/CA secrets it
      # is pointed at); in production prefer Role/RoleBindings scoped to the namespaces
      # Traefik actually watches, so a compromised Traefik pod cannot read all secrets
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
    verbs:
      - get
      - list
      - watch

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: default

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik
  labels:
    app: traefik

spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v2.2
          args:
            - --log.level=DEBUG
            - --api
            # --api.insecure serves the dashboard and API on port 8080 with no
            # authentication; demo only, never expose it like this in production
            - --api.insecure
            - --entrypoints.web.address=:80
            - --entrypoints.tcpep.address=:8000
            - --entrypoints.udpep.address=:9000/udp
            - --providers.kubernetescrd
          ports:
            - name: web
              containerPort: 80
            - name: admin
              containerPort: 8080
            - name: tcpep
              containerPort: 8000
            - name: udpep
              containerPort: 9000

---
apiVersion: v1
kind: Service
metadata:
  name: traefik
spec:
  type: LoadBalancer
  selector:
    app: traefik
  ports:
    - protocol: TCP
      port: 80
      name: web
      targetPort: 80
    # Publishes the unauthenticated dashboard/API (--api.insecure) through the
    # LoadBalancer; drop this port mapping outside of a demo
    - protocol: TCP
      port: 8080
      name: admin
      targetPort: 8080
    - protocol: TCP
      port: 8000
      name: tcpep
      targetPort: 8000

---
apiVersion: v1
kind: Service
metadata:
  name: traefikudp
spec:
  type: LoadBalancer
  selector:
    app: traefik
  ports:
    - protocol: UDP
      port: 9000
      name: udpep
      targetPort: 9000

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: myingressroute
  namespace: default

spec:
  entryPoints:
    - web

  routes:
  - match: Host(`foo`) && PathPrefix(`/bar`)
    kind: Rule
    services:
    - name: whoami
      port: 80

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingressroute.tcp
  namespace: default

spec:
  entryPoints:
    - tcpep
  routes:
  - match: HostSNI(`bar`)
    kind: Rule
    services:
      - name: whoamitcp
        port: 8080

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: ingressroute.udp
  namespace: default

spec:
  entryPoints:
    # must name an entrypoint defined on the Traefik deployment
    # (--entrypoints.udpep.address=:9000/udp above); an unknown name is rejected
    - udpep
  routes:
  - kind: Rule
    services:
      - name: whoamiudp
        port: 8080

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoami
  namespace: default
  labels:
    app: containous
    name: whoami

spec:
  replicas: 2
  selector:
    matchLabels:
      app: containous
      task: whoami
  template:
    metadata:
      labels:
        app: containous
        task: whoami
    spec:
      containers:
        - name: containouswhoami
          image: containous/whoami
          ports:
            - containerPort: 80

---
apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: containous
    task: whoami

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoamitcp
  namespace: default
  labels:
    app: containous
    name: whoamitcp

spec:
  replicas: 2
  selector:
    matchLabels:
      app: containous
      task: whoamitcp
  template:
    metadata:
      labels:
        app: containous
        task: whoamitcp
    spec:
      containers:
        - name: containouswhoamitcp
          image: containous/whoamitcp
          ports:
            - containerPort: 8080

---
apiVersion: v1
kind: Service
metadata:
  name: whoamitcp
  namespace: default

spec:
  ports:
    - protocol: TCP
      port: 8080
  selector:
    app: containous
    task: whoamitcp

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoamiudp
  namespace: default
  labels:
    app: containous
    name: whoamiudp

spec:
  replicas: 2
  selector:
    matchLabels:
      app: containous
      task: whoamiudp
  template:
    metadata:
      labels:
        app: containous
        task: whoamiudp
    spec:
      containers:
        - name: containouswhoamiudp
          image: containous/whoamiudp:dev
          ports:
            - containerPort: 8080

---
apiVersion: v1
kind: Service
metadata:
  name: whoamiudp
  namespace: default

spec:
  ports:
    - port: 8080
  selector:
    app: containous
    task: whoamiudp

Routing Configuration

Custom Resource Definition (CRD)

  • You can find an exhaustive list, generated from Traefik's source code, of the custom resources and their attributes in the reference page.
  • Validate that the prerequisites are fulfilled before using the Traefik custom resources.
  • Traefik CRDs are building blocks that you can assemble according to your needs.

You can find an excerpt of the available custom resources in the table below:

Kind             Purpose                                                        Concept behind
IngressRoute     HTTP routing                                                   HTTP router
Middleware       Tweaks the HTTP requests before they are sent to your service  HTTP middlewares
TraefikService   Abstraction for HTTP load balancing/mirroring                  HTTP service
IngressRouteTCP  TCP routing                                                    TCP router
IngressRouteUDP  UDP routing                                                    UDP router
TLSOption        Allows configuring some parameters of the TLS connection       TLSOptions
TLSStore         Allows configuring the default TLS store                       TLSStores

Kind: IngressRoute

IngressRoute is the CRD implementation of a Traefik HTTP router.

Register the IngressRoute kind in the Kubernetes cluster before creating IngressRoute objects.

IngressRoute attributes

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: foo
  namespace: bar
spec:
  entryPoints:                      # [1]
    - foo
  routes:                           # [2]
  - kind: Rule
    match: Host(`test.example.com`) # [3]
    priority: 10                    # [4]
    middlewares:                    # [5]
    - name: middleware1             # [6]
      namespace: default            # [7]
    services:                       # [8]
    - kind: Service
      name: foo
      namespace: default
      passHostHeader: true
      port: 80
      responseForwarding:
        flushInterval: 1ms
      scheme: https
      sticky:
        cookie:
          httpOnly: true
          name: cookie
          secure: true
          sameSite: none
      strategy: RoundRobin
      weight: 10
  tls:                              # [9]
    secretName: supersecret         # [10]
    options:                        # [11]
      name: opt                     # [12]
      namespace: default            # [13]
    certResolver: foo               # [14]
    domains:                        # [15]
    - main: example.net             # [16]
      sans:                         # [17]
      - a.example.net
      - b.example.net
Ref   Attribute                  Purpose
[1]   entryPoints                List of entry point names
[2]   routes                     List of routes
[3]   routes[n].match            Defines the rule corresponding to an underlying router
[4]   routes[n].priority         Disambiguates rules of the same length, for route matching
[5]   routes[n].middlewares      List of references to Middleware
[6]   middlewares[n].name        Defines the Middleware name
[7]   middlewares[n].namespace   Defines the Middleware namespace
[8]   routes[n].services         List of any combination of TraefikService and reference to a Kubernetes service (see below for ExternalName Service setup)
[9]   tls                        Defines TLS certificate configuration
[10]  tls.secretName             Defines the secret name used to store the certificate (in the IngressRoute namespace)
[11]  tls.options                Defines the reference to a TLSOption
[12]  options.name               Defines the TLSOption name
[13]  options.namespace          Defines the TLSOption namespace
[14]  tls.certResolver           Defines the reference to a CertResolver
[15]  tls.domains                List of domains
[16]  domains[n].main            Defines the main domain name
[17]  domains[n].sans            List of SANs (alternative domains)
Declaring an IngressRoute
# All resources definition must be declared
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: testName
  namespace: default
spec:
  entryPoints:
    - web
  routes:
  - kind: Rule
    match: Host(`test.example.com`)
    middlewares:
    - name: middleware1
      namespace: default
    priority: 10
    services:
    - kind: Service
      name: foo
      namespace: default
      passHostHeader: true
      port: 80
      responseForwarding:
        flushInterval: 1ms
      scheme: https
      sticky:
        cookie:
          httpOnly: true
          name: cookie
          secure: true
      strategy: RoundRobin
      weight: 10
  tls:
    certResolver: foo
    domains:
    - main: example.net
      sans:
      - a.example.net
      - b.example.net
    options:
      name: opt
      namespace: default
    secretName: supersecret

---
# All resources definition must be declared
# Prefixing with /foo
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: middleware1
  namespace: default
spec:
  addPrefix:
    prefix: /foo

---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: opt
  namespace: default

spec:
  minVersion: VersionTLS12

---
apiVersion: v1
kind: Secret
metadata:
  name: supersecret

data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=

Configuring Backend Protocol

There are 3 ways to configure the backend protocol for communication between Traefik and your pods:

  • Setting the scheme explicitly (http/https/h2c)
  • Configuring the name of the kubernetes service port to start with https (https)
  • Setting the kubernetes service port to use port 443 (https)

If you do not configure the above, Traefik will assume an http connection.

Using Kubernetes ExternalName Service

Traefik backends creation needs a port to be set, however a Kubernetes ExternalName Service can be defined without any port. Accordingly, Traefik supports defining a port in two ways:

  • only on the IngressRoute service
  • on both sides; you will be warned if the ports don't match, and the IngressRoute service port is used

Thus, in case of a port definition on both sides, Traefik expects a match between the ports.

Examples
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - match: Host(`example.net`)
    kind: Rule
    services:
    - name: external-svc
      port: 80

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - match: Host(`example.net`)
    kind: Rule
    services:
    - name: external-svc

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
  ports:
    - port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - match: Host(`example.net`)
    kind: Rule
    services:
    - name: external-svc
      port: 80

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
  ports:
    - port: 80
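The scheme and ExternalName port rules above, as an added example that is not part of the Traefik documentation or code base: `resolve_backend` takes one `routes[n].services` entry and its parsed Kubernetes Service (the manifests are constructed dicts in the shape of the YAML on this page; `yaml.safe_load` over a file would give the same structures) and returns what Traefik would dial, raising where the text says a port is required and recording the mismatch warning. The port rules are the same for IngressRouteTCP; only the scheme selection is HTTP-specific. Behaviour the text does not spell out (the error for an in-cluster Service without a port, or for a port the Service does not expose) is this example's own modelling.

```python
import logging
from typing import Dict, List, Optional

log = logging.getLogger("traefik-crd-backend")

# Constructed manifests, already parsed from YAML: the ExternalName Services shown
# on this page plus one in-cluster Service with several ports (assumed names).
EXTERNAL_SVC_NO_PORT = {
    "metadata": {"name": "external-svc", "namespace": "default"},
    "spec": {"type": "ExternalName", "externalName": "external.domain"},
}
EXTERNAL_SVC_PORT_80 = {
    "metadata": {"name": "external-svc", "namespace": "default"},
    "spec": {"type": "ExternalName", "externalName": "external.domain", "ports": [{"port": 80}]},
}
WHOAMI_SVC = {
    "metadata": {"name": "whoami", "namespace": "default"},
    "spec": {"ports": [{"name": "http", "port": 80}, {"name": "https-api", "port": 8443}, {"port": 443}]},
}


def backend_scheme(route_service: Dict, port_name: Optional[str], port: int) -> str:
    """Scheme precedence as described above: explicit scheme, then a Service port
    name starting with "https", then port 443, otherwise plain http."""
    explicit = route_service.get("scheme")
    if explicit:
        if explicit not in ("http", "https", "h2c"):
            raise ValueError(f"unsupported scheme {explicit!r}")
        return explicit
    if port_name and port_name.startswith("https"):
        return "https"
    if port == 443:
        return "https"
    return "http"


def resolve_backend(route_service: Dict, k8s_service: Dict) -> Dict:
    """Resolve one routes[n].services entry of an IngressRoute against its Kubernetes Service.

    Returns the scheme and port Traefik dials, the host for ExternalName Services
    (None for in-cluster Services, whose pod Endpoints are used instead) and the
    warnings Traefik would log.
    """
    spec = k8s_service.get("spec", {})
    svc_ports: List[Dict] = spec.get("ports") or []
    route_port = route_service.get("port")
    warnings: List[str] = []

    if spec.get("type") == "ExternalName":
        svc_port = svc_ports[0].get("port") if svc_ports else None
        if route_port is None and svc_port is None:
            raise ValueError("ExternalName Service without ports: set the port on the IngressRoute service")
        if route_port is not None and svc_port is not None and route_port != svc_port:
            # Both sides define a port and they differ: warn, IngressRoute wins.
            warnings.append(f"port mismatch: IngressRoute says {route_port}, Service says {svc_port}; using {route_port}")
        port = route_port if route_port is not None else svc_port
        port_name = svc_ports[0].get("name") if svc_ports and port == svc_port else None
        host: Optional[str] = spec["externalName"]
    else:
        if route_port is None:
            raise ValueError("a port is required to build a Traefik backend for an in-cluster Service")
        match = next((p for p in svc_ports if p.get("port") == route_port), None)
        if match is None:
            raise ValueError(f"Service {k8s_service['metadata']['name']} exposes no port {route_port}")
        port, port_name, host = route_port, match.get("name"), None

    for w in warnings:
        log.warning(w)
    return {"scheme": backend_scheme(route_service, port_name, port), "port": port, "host": host, "warnings": warnings}
```

Run it against your own manifests by loading them with `yaml.safe_load_all` and pairing each IngressRoute service entry with the Service of the same name and namespace; a raised `ValueError` corresponds to a backend Traefik would refuse to build.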

Kind: Middleware

Middleware is the CRD implementation of a Traefik middleware.

Register the Middleware kind in the Kubernetes cluster before creating Middleware objects or referencing middlewares in the IngressRoute objects.

Declaring and referencing a Middleware
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: stripprefix
  namespace: foo

spec:
  stripPrefix:
    prefixes:
      - /stripit

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/stripit`)
    kind: Rule
    services:
    - name: whoami
      port: 80
    middlewares:
    - name: stripprefix
      namespace: foo

Cross-provider namespace

As Kubernetes also has its own notion of namespace, one should not confuse the kubernetes namespace of a resource (in the reference to the middleware) with the provider namespace, when the definition of the middleware comes from another provider. In this context, specifying a namespace when referencing the resource does not make any sense, and will be ignored. Additionally, when you want to reference a Middleware from the CRD provider, you have to append the namespace of the resource to the resource name, because Traefik appends the namespace internally and automatically.

More information about available middlewares in the dedicated middlewares section.

Kind: TraefikService

TraefikService is the CRD implementation of a Traefik "Traefik Service".

Register the TraefikService kind in the Kubernetes cluster before creating TraefikService objects, referencing services in the IngressRoute objects, or recursively in other TraefikService objects.

Disambiguate Traefik and Kubernetes Services

As the field name can reference different types of objects, use the field kind to avoid any ambiguity.

The field kind allows the following values:

  • Service (the default when kind is omitted): a Kubernetes Service
  • TraefikService: another TraefikService object

A TraefikService object allows any (valid) combination of the following:

  • Server load balancing
  • Weighted round robin
  • Mirroring

Server Load Balancing

More information in the dedicated server load balancing section.

Declaring and using server load balancing
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: default

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/foo`)
    kind: Rule
    services:
    - name: svc1
      namespace: default
    - name: svc2
      namespace: default

---
apiVersion: v1
kind: Service
metadata:
  name: svc1
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: containous
    task: app1
---
apiVersion: v1
kind: Service
metadata:
  name: svc2
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: containous
    task: app2

Weighted Round Robin

More information in the dedicated weighted round robin service load balancing section.

Declaring and using weighted round robin
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: default

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/foo`)
    kind: Rule
    services:
    - name: wrr1
      namespace: default
      kind: TraefikService

---
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: wrr1
  namespace: default

spec:
  weighted:
    services:
      - name: svc1
        port: 80
        weight: 1
      - name: wrr2
        kind: TraefikService
        weight: 1
      - name: mirror1
        kind: TraefikService
        weight: 1

---
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: wrr2
  namespace: default

spec:
  weighted:
    services:
      - name: svc2
        port: 80
        weight: 1
      - name: svc3
        port: 80
        weight: 1

---
apiVersion: v1
kind: Service
metadata:
  name: svc1
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: containous
    task: app1
---
apiVersion: v1
kind: Service
metadata:
  name: svc2
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: containous
    task: app2
---
apiVersion: v1
kind: Service
metadata:
  name: svc3
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: containous
    task: app3

Mirroring

More information in the dedicated mirroring service section.

Declaring and using mirroring
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: default

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/foo`)
    kind: Rule
    services:
    - name: mirror1
      namespace: default
      kind: TraefikService

---
# Mirroring from a k8s Service
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: mirror1
  namespace: default

spec:
  mirroring:
    name: svc1
    port: 80
    mirrors:
      - name: svc2
        port: 80
        percent: 20
      - name: svc3
        kind: TraefikService
        percent: 20

---
# Mirroring from a Traefik Service
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: mirror1
  namespace: default

spec:
  mirroring:
    name: wrr1
    kind: TraefikService
    mirrors:
      - name: svc2
        port: 80
        percent: 20
      - name: svc3
        kind: TraefikService
        percent: 20

---
apiVersion: v1
kind: Service
metadata:
  name: svc1
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: containous
    task: app1
---
apiVersion: v1
kind: Service
metadata:
  name: svc2
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: containous
    task: app2

References and namespaces

If the optional namespace attribute is not set, the configuration will be applied with the namespace of the current resource.

Additionally, when the definition of the TraefikService is from another provider, the cross-provider syntax (service@provider) should be used to refer to the TraefikService, just as in the middleware case.

Specifying a namespace attribute in this case would not make any sense, and will be ignored (except if the provider is kubernetescrd).

Stickiness and load-balancing

As explained in the section about sticky sessions, for stickiness to work all the way, it must be specified at each load-balancing level.

For instance, in the example below, there is a first level of load-balancing because there is a (weighted round robin) load-balancing of the two whoami services, and there is a second level because each whoami service is a replicaset and is thus handled as a load-balancer of servers.

Stickiness on two load-balancing levels
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: default

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/foo`)
    kind: Rule
    services:
    - name: wrr1
      namespace: default
      kind: TraefikService

---
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: wrr1
  namespace: default

spec:
  weighted:
    services:
      - name: whoami1
        kind: Service
        port: 80
        weight: 1
        sticky:
          cookie:
            name: lvl2
      - name: whoami2
        kind: Service
        weight: 1
        port: 80
        sticky:
          cookie:
            name: lvl2
    sticky:
      cookie:
        name: lvl1

---
apiVersion: v1
kind: Service
metadata:
  name: whoami1

spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
  selector:
    app: whoami1

---
apiVersion: v1
kind: Service
metadata:
  name: whoami2

spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
  selector:
    app: whoami2

---
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: whoami1
  labels:
    app: whoami1

spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami1
  template:
    metadata:
      labels:
        app: whoami1
    spec:
      containers:
        - name: whoami1
          image: containous/whoami
          ports:
            - name: web
              containerPort: 80

---
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: whoami2
  labels:
    app: whoami2

spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami2
  template:
    metadata:
      labels:
        app: whoami2
    spec:
      containers:
        - name: whoami2
          image: containous/whoami
          ports:
            - name: web
              containerPort: 80

To keep a session open with the same server, the client would then need to specify the two levels within the cookie for each request, e.g. with curl:

curl -H Host:example.com -b "lvl1=default-whoami1-80; lvl2=http://10.42.0.6:80" http://localhost:8000/foo

assuming 10.42.0.6 is the IP address of one of the replicas (a pod, then) of the whoami1 service.
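The two-level stickiness described above, as an added example that is not Traefik's code: a toy balancer with round robin over the two services (level 1, cookie `lvl1`) and round robin over each service's servers (level 2, cookie `lvl2`). The service names in Traefik's `<namespace>-<name>-<port>` form and the 10.42.0.x pod addresses are constructed to match the curl command; the cookie handling (honour a level's cookie only when its value is one of that level's choices, otherwise balance and set the cookie) follows the text, simplified to equal weights.

```python
from itertools import cycle
from typing import Dict, Iterable, List, Tuple


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a Cookie request header such as the -b value in the curl command above."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


class StickyLevel:
    """One load-balancing level: honours its sticky cookie when the value names one of
    its choices, otherwise round-robins and lets the caller set the cookie."""

    def __init__(self, cookie_name: str, choices: Iterable[str]):
        self.cookie_name = cookie_name
        self.choices = list(choices)
        self._rr = cycle(self.choices)

    def pick(self, cookies: Dict[str, str]) -> str:
        pinned = cookies.get(self.cookie_name)
        if pinned in self.choices:
            return pinned
        return next(self._rr)


class TwoLevelBalancer:
    """Level 1 over Traefik services (like the wrr1 TraefikService above), level 2 over
    each service's servers (the pods behind each Kubernetes Service)."""

    def __init__(self, services: Dict[str, List[str]], lvl1: str = "lvl1", lvl2: str = "lvl2"):
        self.level1 = StickyLevel(lvl1, services.keys())
        self.level2 = {name: StickyLevel(lvl2, servers) for name, servers in services.items()}

    def route(self, cookies: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
        """Return (server URL, cookies the response would set)."""
        service = self.level1.pick(cookies)
        server = self.level2[service].pick(cookies)
        return server, {self.level1.cookie_name: service, self.level2[service].cookie_name: server}


# Constructed topology: two replicas per whoami Deployment, pod IPs as in the text.
SERVICES = {
    "default-whoami1-80": ["http://10.42.0.6:80", "http://10.42.0.7:80"],
    "default-whoami2-80": ["http://10.42.0.8:80", "http://10.42.0.9:80"],
}


def simulate(cookie_header: str, requests: int = 4, replay_set_cookies: bool = False) -> List[str]:
    """Send `requests` requests to a fresh balancer, always with the given Cookie header;
    with replay_set_cookies the client behaves like a cookie jar and sends back what the
    previous response set."""
    balancer = TwoLevelBalancer(SERVICES)
    cookies = parse_cookie_header(cookie_header)
    hits = []
    for _ in range(requests):
        server, set_cookies = balancer.route(cookies)
        hits.append(server)
        if replay_set_cookies:
            cookies.update(set_cookies)
    return hits


if __name__ == "__main__":
    print("both levels:", simulate("lvl1=default-whoami1-80; lvl2=http://10.42.0.6:80"))
    print("lvl1 only  :", simulate("lvl1=default-whoami1-80"))
    print("lvl2 only  :", simulate("lvl2=http://10.42.0.8:80"))
    print("cookie jar :", simulate("", replay_set_cookies=True))
```

Sending only `lvl1` pins the service but the pods still alternate; sending only `lvl2` is worse, because the level-1 choice keeps moving and the `lvl2` value is only honoured on the requests that happen to land on the service it belongs to.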

Kind: IngressRouteTCP

IngressRouteTCP is the CRD implementation of a Traefik TCP router.

Register the IngressRouteTCP kind in the Kubernetes cluster before creating IngressRouteTCP objects.

IngressRouteTCP attributes

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingressroutetcpfoo

spec:
  entryPoints:                  # [1]
    - footcp
  routes:                       # [2]
  - match: HostSNI(`*`)         # [3]
    services:                   # [4]
    - name: foo                 # [5]
      port: 8080                # [6]
      weight: 10                # [7]
      terminationDelay: 400     # [8]
  tls:                          # [9]
    secretName: supersecret     # [10]
    options:                    # [11]
      name: opt                 # [12]
      namespace: default        # [13]
    certResolver: foo           # [14]
    domains:                    # [15]
    - main: example.net         # [16]
      sans:                     # [17]
      - a.example.net
      - b.example.net
    passthrough: false          # [18]
Ref   Attribute                      Purpose
[1]   entryPoints                    List of entry point names
[2]   routes                         List of routes
[3]   routes[n].match                Defines the rule corresponding to an underlying router
[4]   routes[n].services             List of Kubernetes service definitions (see below for ExternalName Service setup)
[5]   services[n].name               Defines the name of a Kubernetes service
[6]   services[n].port               Defines the port of a Kubernetes service
[7]   services[n].weight             Defines the weight to apply to the server load balancing
[8]   services[n].terminationDelay   Corresponds to the deadline that the proxy sets, after one of its connected peers indicates it has closed the writing capability of its connection, to close the reading capability as well, hence fully terminating the connection. It is a duration in milliseconds, defaulting to 100. A negative value means an infinite deadline (i.e. the reading capability is never closed).
[9]   tls                            Defines TLS certificate configuration
[10]  tls.secretName                 Defines the secret name used to store the certificate (in the IngressRouteTCP namespace)
[11]  tls.options                    Defines the reference to a TLSOption
[12]  options.name                   Defines the TLSOption name
[13]  options.namespace              Defines the TLSOption namespace
[14]  tls.certResolver               Defines the reference to a CertResolver
[15]  tls.domains                    List of domains
[16]  domains[n].main                Defines the main domain name
[17]  domains[n].sans                List of SANs (alternative domains)
[18]  tls.passthrough                If true, delegates the TLS termination to the backend: Traefik only reads the SNI to route the raw TLS stream, so the certificate, options and certResolver under tls are not applied by Traefik itself
Declaring an IngressRouteTCP
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingressroutetcpfoo

spec:
  entryPoints:
    - footcp
  routes:
  # Match is the rule corresponding to an underlying router.
  - match: HostSNI(`*`)
    services:
    - name: foo
      port: 8080
      terminationDelay: 400
      weight: 10
    - name: bar
      port: 8081
      terminationDelay: 500
      weight: 10
  tls:
    certResolver: foo
    domains:
    - main: example.net
      sans:
      - a.example.net
      - b.example.net
    options:
      name: opt
      namespace: default
    secretName: supersecret
    passthrough: false

---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: opt
  namespace: default

spec:
  minVersion: VersionTLS12

---
apiVersion: v1
kind: Secret
metadata:
  name: supersecret

data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=

Using Kubernetes ExternalName Service

Traefik backends creation needs a port to be set, however a Kubernetes ExternalName Service can be defined without any port. Accordingly, Traefik supports defining a port in two ways:

  • only on the IngressRouteTCP service
  • on both sides; you will be warned if the ports don't match, and the IngressRouteTCP service port is used

Thus, in case of a port definition on both sides, Traefik expects a match between the ports.

Examples
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - match: HostSNI(`*`)
    kind: Rule
    services:
    - name: external-svc
      port: 80

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - match: HostSNI(`*`)
    kind: Rule
    services:
    - name: external-svc

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
  ports:
    - port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - match: HostSNI(`*`)
    kind: Rule
    services:
    - name: external-svc
      port: 80

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
  ports:
    - port: 80

Kind: IngressRouteUDP

IngressRouteUDP is the CRD implementation of a Traefik UDP router.

Register the IngressRouteUDP kind in the Kubernetes cluster before creating IngressRouteUDP objects.

IngressRouteUDP attributes

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: ingressrouteudpfoo

spec:
  entryPoints:                  # [1]
    - fooudp
  routes:                       # [2]
  - services:                   # [3]
    - name: foo                 # [4]
      port: 8080                # [5]
      weight: 10                # [6]
Ref   Attribute             Purpose
[1]   entryPoints           List of entry point names
[2]   routes                List of routes
[3]   routes[n].services    List of Kubernetes service definitions
[4]   services[n].name      Defines the name of a Kubernetes service
[5]   services[n].port      Defines the port of a Kubernetes service
[6]   services[n].weight    Defines the weight to apply to the server load balancing
Declaring an IngressRouteUDP
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: ingressrouteudpfoo

spec:
  entryPoints:
    - fooudp
  routes:
  - services:
    - name: foo
      port: 8080
      weight: 10
    - name: bar
      port: 8081
      weight: 10

Kind: TLSOption

TLSOption is the CRD implementation of a Traefik "TLS Option".

Register the TLSOption kind in the Kubernetes cluster before creating TLSOption objects or referencing TLS options in the IngressRoute / IngressRouteTCP objects.

TLSOption attributes

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: mytlsoption
  namespace: default

spec:
  minVersion: VersionTLS12                      # [1]
  maxVersion: VersionTLS13                      # [2]
  curvePreferences:                             # [3]
    - CurveP521
    - CurveP384
  cipherSuites:                                 # [4] TLS 1.2 and below only; TLS 1.3 suites are not configurable
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_RSA_WITH_AES_256_GCM_SHA384            # static RSA key exchange, no forward secrecy; prefer ECDHE suites
  clientAuth:                                   # [5]
    secretNames:                                # [6]
      - secretCA1
      - secretCA2
    clientAuthType: VerifyClientCertIfGiven     # [7]
  sniStrict: true                               # [8]
Ref   Attribute                   Purpose
[1]   minVersion                  Defines the minimum TLS version that is acceptable
[2]   maxVersion                  Defines the maximum TLS version that is acceptable
[3]   curvePreferences            List of the elliptic curves references that will be used in an ECDHE handshake, in preference order
[4]   cipherSuites                List of supported cipher suites for TLS versions up to TLS 1.2
[5]   clientAuth                  Determines the server's policy for TLS client authentication
[6]   clientAuth.secretNames      List of names of the referenced Kubernetes Secrets (in the TLSOption namespace)
[7]   clientAuth.clientAuthType   Defines the client authentication type to apply. The available values are: NoClientCert, RequestClientCert, VerifyClientCertIfGiven, RequireAndVerifyClientCert. Only RequireAndVerifyClientCert rejects clients that present no certificate; VerifyClientCertIfGiven accepts a connection without a certificate and only fails a presented certificate that does not verify against the CAs in secretNames
[8]   sniStrict                   If true, Traefik won't allow connections from clients that do not specify a server_name (SNI) extension
Declaring and referencing a TLSOption
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: mytlsoption
  namespace: default

spec:
  minVersion: VersionTLS12
  sniStrict: true
  cipherSuites:
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_RSA_WITH_AES_256_GCM_SHA384
  clientAuth:
    secretNames:
      - secretCA1
      - secretCA2
    clientAuthType: VerifyClientCertIfGiven

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/stripit`)
    kind: Rule
    services:
    - name: whoami
      port: 80
  tls:
    options:
      name: mytlsoption
      namespace: default

---
apiVersion: v1
kind: Secret
metadata:
  name: secretCA1
  namespace: default

data:
  tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=

---
apiVersion: v1
kind: Secret
metadata:
  name: secretCA2
  namespace: default

data:
  tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
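An added audit of the TLSOption above (example code, not Traefik's): it takes the `.spec` already parsed into a dict (here constructed from the YAML on this page, plus a hardened variant) and reports what a reviewer would raise against the attribute semantics in the table: TLS below 1.2, cipher suites without forward secrecy (the `TLS_RSA_*` suite in the example), a `clientAuthType` that still admits certificate-less clients although CA secrets are configured, and a missing `sniStrict`. The checks, severities and wording are this example's own choices, not Traefik defaults.

```python
from typing import Dict, List

TLS_ORDER = {"VersionTLS10": 1, "VersionTLS11": 2, "VersionTLS12": 3, "VersionTLS13": 4}
CLIENT_AUTH_TYPES = ("NoClientCert", "RequestClientCert", "VerifyClientCertIfGiven", "RequireAndVerifyClientCert")

# The mytlsoption .spec shown above, as a dict, and a hardened variant (constructed).
PAGE_OPTION = {
    "minVersion": "VersionTLS12",
    "sniStrict": True,
    "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384"],
    "clientAuth": {"secretNames": ["secretCA1", "secretCA2"], "clientAuthType": "VerifyClientCertIfGiven"},
}
HARDENED_OPTION = {
    "minVersion": "VersionTLS12",
    "sniStrict": True,
    "cipherSuites": [
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
    ],
    "clientAuth": {"secretNames": ["secretCA1"], "clientAuthType": "RequireAndVerifyClientCert"},
}


def audit_tls_option(spec: Dict) -> List[str]:
    """Return findings for one TLSOption .spec; an empty list means nothing to report."""
    findings: List[str] = []

    min_v, max_v = spec.get("minVersion"), spec.get("maxVersion")
    if min_v is None:
        findings.append("minVersion unset: set it explicitly to VersionTLS12 or higher")
    elif min_v not in TLS_ORDER:
        findings.append(f"unknown minVersion {min_v}")
    elif TLS_ORDER[min_v] < TLS_ORDER["VersionTLS12"]:
        findings.append(f"minVersion {min_v} allows TLS < 1.2")
    if max_v is not None:
        if max_v not in TLS_ORDER:
            findings.append(f"unknown maxVersion {max_v}")
        elif min_v in TLS_ORDER and TLS_ORDER[max_v] < TLS_ORDER[min_v]:
            findings.append(f"maxVersion {max_v} is lower than minVersion {min_v}")

    # cipherSuites only governs TLS 1.2 and below; flag suites without (EC)DHE key exchange.
    for suite in spec.get("cipherSuites", []):
        if not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
            findings.append(f"{suite}: static RSA key exchange, no forward secrecy")
        if any(tag in suite for tag in ("_CBC_", "3DES", "RC4")):
            findings.append(f"{suite}: legacy cipher or CBC mode")

    # Client authentication: configured CAs only enforce mTLS with RequireAndVerifyClientCert.
    auth = spec.get("clientAuth") or {}
    if auth:
        kind = auth.get("clientAuthType", "NoClientCert")
        if kind not in CLIENT_AUTH_TYPES:
            findings.append(f"unknown clientAuthType {kind}")
        elif auth.get("secretNames") and kind != "RequireAndVerifyClientCert":
            findings.append(f"clientAuthType {kind}: clients presenting no certificate are still accepted, mTLS is not enforced")
        elif kind == "RequireAndVerifyClientCert" and not auth.get("secretNames"):
            findings.append("RequireAndVerifyClientCert without clientAuth.secretNames: no CA to verify against")

    if not spec.get("sniStrict", False):
        findings.append("sniStrict is false: connections without SNI are served the default certificate")
    return findings
```

Run it over every TLSOption in a cluster dump (`kubectl get tlsoptions -A -o yaml`, then `yaml.safe_load` and iterate over `items[*].spec`) to catch the options that were copied from the example above unchanged.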

References and namespaces

If the optional namespace attribute is not set, the configuration will be applied with the namespace of the IngressRoute.

Additionally, when the definition of the TLS option is from another provider, the cross-provider syntax (name@provider) should be used to refer to the TLS option, just as in the middleware case. Specifying a namespace attribute in this case would not make any sense, and will be ignored.
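The naming rules from the cross-provider paragraphs of the Middleware, TraefikService and TLSOption sections, as one added example that is not Traefik's code: `qualified_name` turns a `{name, namespace}` reference into the name Traefik looks up, `crd_name_for_other_providers` gives the `<namespace>-<name>@kubernetescrd` form another provider (e.g. the file provider) must use, and `unresolved_middlewares` checks that every CRD middleware referenced by a set of IngressRoutes actually exists. The objects are constructed dicts in the shape of this page's YAML; the TraefikService-specific exception (a namespace still applying when the provider is explicitly kubernetescrd) is not modelled.

```python
import logging
from typing import Dict, List, Optional

log = logging.getLogger("traefik-crd-refs")
CRD_PROVIDER = "kubernetescrd"


def qualified_name(ref: Dict, current_namespace: str, port: Optional[int] = None) -> str:
    """Return the name Traefik resolves a reference to.

    - "name" (no '@'): a CRD resource in ref["namespace"] or, failing that, the namespace
      of the referencing resource; Traefik builds "<namespace>-<name>[-<port>]" and tags
      it with its own provider, e.g. default-middleware1@kubernetescrd.
    - "name@provider": a cross-provider reference used verbatim; a namespace field is
      meaningless there and ignored with a warning.
    """
    name = ref["name"]
    if "@" in name:
        if ref.get("namespace"):
            log.warning("namespace %r is ignored in cross-provider reference %r", ref["namespace"], name)
        return name
    namespace = ref.get("namespace") or current_namespace
    base = f"{namespace}-{name}" if port is None else f"{namespace}-{name}-{port}"
    return f"{base}@{CRD_PROVIDER}"


def crd_name_for_other_providers(manifest: Dict) -> str:
    """Name under which another provider must reference a CRD resource: the Kubernetes
    namespace is part of the name because Traefik prepends it internally."""
    meta = manifest["metadata"]
    return f"{meta.get('namespace', 'default')}-{meta['name']}@{CRD_PROVIDER}"


def unresolved_middlewares(ingress_routes: List[Dict], middlewares: List[Dict]) -> List[str]:
    """List middleware references in IngressRoutes that no Middleware object satisfies.
    Cross-provider references (name@otherprovider) are out of scope: only CRDs are checked."""
    known = {crd_name_for_other_providers(m) for m in middlewares}
    missing = []
    for ir in ingress_routes:
        ns = ir["metadata"].get("namespace", "default")
        for route in ir["spec"].get("routes", []):
            for ref in route.get("middlewares", []):
                full = qualified_name(ref, ns)
                if full.endswith("@" + CRD_PROVIDER) and full not in known:
                    missing.append(f"{ir['metadata']['name']}: {full}")
    return missing


# Constructed objects in the shape of the YAML on this page (compress@file is assumed
# to be a middleware defined in a file-provider config, which this check does not see).
STRIPPREFIX = {"metadata": {"name": "stripprefix", "namespace": "foo"},
               "spec": {"stripPrefix": {"prefixes": ["/stripit"]}}}
INGRESSROUTEBAR = {
    "metadata": {"name": "ingressroutebar", "namespace": "default"},
    "spec": {"entryPoints": ["web"], "routes": [{
        "match": "Host(`example.com`) && PathPrefix(`/stripit`)", "kind": "Rule",
        "services": [{"name": "whoami", "port": 80}],
        "middlewares": [{"name": "stripprefix", "namespace": "foo"},
                        {"name": "compress@file", "namespace": "default"}],
    }]},
}
```

`qualified_name` with a port gives the same `default-whoami1-80` form that appears as the `lvl1` cookie value in the stickiness example, which is the name Traefik builds for a Kubernetes Service backend.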

Kind: TLSStore

TLSStore is the CRD implementation of a Traefik "TLS Store".

Register the TLSStore kind in the Kubernetes cluster before creating TLSStore objects or referencing TLS stores in the IngressRoute / IngressRouteTCP objects.

Default TLS Store

Traefik currently only uses the TLS Store named "default". This means that if you have two stores that are named default in different kubernetes namespaces, they may be randomly chosen. For the time being, please only configure one TLSStore named default.

TLSStore attributes

apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: default

spec:
  defaultCertificate:
    secretName: mySecret                      # [1]
Ref   Attribute     Purpose
[1]   secretName    The name of the referenced Kubernetes Secret that holds the default certificate for the store
Declaring and referencing a TLSStore
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: default

spec:
  defaultCertificate:
    secretName: supersecret

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/stripit`)
    kind: Rule
    services:
    - name: whoami
      port: 80
  tls:
    store:
      name: default

---
apiVersion: v1
kind: Secret
metadata:
  name: supersecret

data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=

Further

Also see the full example with Let's Encrypt.