Traefik & Kubernetes

The Kubernetes Ingress Controller, the Custom Resource way.

Resource Configuration

If you are in a hurry, you may prefer to read the dynamic configuration reference.

Traefik IngressRoute definition

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced

The IngressRoute kind can then be used to define an IngressRoute object, for example:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutefoo

spec:
  entryPoints:
    - web
  routes:
  # Match is the rule corresponding to an underlying router.
  # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
  # but for now we only support a traefik style matching rule.
  - match: Host(`foo.com`) && PathPrefix(`/bar`)
    # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
    # "Parameter", etc, to support simpler forms of rule matching, but for now we
    # only support "Rule".
    kind: Rule
    # (optional) Priority disambiguates rules of the same length, for route matching.
    priority: 12
    services:
    - name: whoami
      port: 80
      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
      weight: 1
      # (default true) PassHostHeader controls whether to leave the request's Host
      # Header as it was before it reached the proxy, or whether to let the proxy set it
      # to the destination (backend) host.
      passHostHeader: true
      responseForwarding:
        # (default 100ms) Interval between flushes of the buffered response body to the client.
        flushInterval: 100ms

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingressroutetcpfoo.crd

spec:
  entryPoints:
    - footcp
  routes:
  # Match is the rule corresponding to an underlying router.
  - match: HostSNI(`*`)
    services:
    - name: whoamitcp
      port: 8080

Middleware

Additionally, to allow middlewares to be used in an IngressRoute, we defined the CRD below for the Middleware kind.

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced

Once the Middleware kind has been registered with the Kubernetes cluster, it can be used in IngressRoute definitions, for example:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: stripprefix
  namespace: foo

spec:
  stripPrefix:
    prefixes:
      - /stripit

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`bar.com`) && PathPrefix(`/stripit`)
    kind: Rule
    services:
    - name: whoami
      port: 80
    middlewares:
    - name: stripprefix
      namespace: foo

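Cross-provider namespace

Because Kubernetes has its own notion of namespace, do not confuse the Kubernetes namespace of a resource (in the reference to the middleware) with the provider namespace when the definition of the middleware comes from another provider. In that case, specifying a namespace when referring to the resource makes no sense, and it is ignored.

More information about the available middlewares is given in the dedicated middlewares section.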

Services

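If you need a setup more sophisticated than a load balancer of servers (which is a Kubernetes Service kind behind the scenes), you can define and use additional Traefik-specific service objects, based on the TraefikService kind defined in the CRD below.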

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced

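Once the TraefikService kind has been registered with the Kubernetes cluster, it can be used in IngressRoute definitions (and recursively in other Traefik Services), as shown below. Note how the name field in the IngressRoute definition now refers to a TraefikService instead of a (Kubernetes) Service. This is allowed, and name can refer to either a TraefikService or a Service, because the kind field is used to break the ambiguity. The allowed values for this field are TraefikService and Service (which is the default).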

apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: wrr1
  namespace: default

spec:
  weighted:
    services:
      - name: s2
        kind: Service
        port: 80
        weight: 1
      - name: s3
        weight: 1
        port: 80

---
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: mirror1
  namespace: default

spec:
  mirroring:
    name: wrr1
    kind: TraefikService
    mirrors:
      - name: s1
        percent: 20
        port: 80

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: default


spec:
  entryPoints:
    - web
  routes:
  - match: Host(`bar.com`) && PathPrefix(`/foo`)
    kind: Rule
    services:
    - name: mirror1
      namespace: default
      kind: TraefikService

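References and namespaces

If the optional namespace attribute is not set, the configuration is applied with the namespace of the current resource.

Additionally, when the definition of the TraefikService comes from another provider, the cross-provider syntax should be used to refer to the TraefikService, just as for middlewares. In that case, specifying the namespace attribute makes no sense, and it is ignored (unless the provider is kubernetescrd).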

TLS Option

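Additionally, to allow TLS options to be used in an IngressRoute, we defined the CRD below for the TLSOption kind. More information about TLS options is given in the dedicated TLS configuration options.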

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced

Once the TLSOption kind has been registered with the Kubernetes cluster or defined in the File Provider, it can be used in IngressRoute definitions, for example:

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: mytlsoption
  namespace: default

spec:
  minVersion: VersionTLS12

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`bar.com`) && PathPrefix(`/stripit`)
    kind: Rule
    services:
    - name: whoami
      port: 80
  tls:
    options: 
      name: mytlsoption
      namespace: default

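References and namespaces

If the optional namespace attribute is not set, the configuration is applied with the namespace of the IngressRoute.

Additionally, when the definition of the TLS option comes from another provider, the cross-provider syntax should be used to refer to the TLS option, just as for middlewares. In that case, specifying the namespace attribute makes no sense, and it is ignored.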
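
An added example (not Traefik's own code) that applies the namespace rules stated above for middlewares, TraefikServices and TLS options to an IngressRoute and lists the references that resolve outside its own namespace, which are the ones worth a second look in review. The manifests are constructed dicts mirroring two objects on this page; the name@provider form of the cross-provider syntax and the apply_ns fallback for an IngressRoute without metadata.namespace are assumptions.

```python
# Constructed manifests, mirroring two IngressRoute objects shown on this page.
ROUTE_WITH_MIDDLEWARE = {
    "kind": "IngressRoute",
    "metadata": {"name": "ingressroutebar"},  # no namespace set
    "spec": {"routes": [{
        "match": "Host(`bar.com`) && PathPrefix(`/stripit`)",
        "services": [{"name": "whoami", "port": 80}],
        "middlewares": [{"name": "stripprefix", "namespace": "foo"}],
    }]},
}
ROUTE_WITH_MIRROR = {
    "kind": "IngressRoute",
    "metadata": {"name": "ingressroutebar", "namespace": "default"},
    "spec": {"routes": [{
        "match": "Host(`bar.com`) && PathPrefix(`/foo`)",
        "services": [{"name": "mirror1", "namespace": "default",
                      "kind": "TraefikService"}],
    }]},
}


def resolve(ref, owner_ns, default_kind):
    """Apply the page's rules to one reference: (kind, provider, ns, name)."""
    name = ref["name"]
    kind = ref.get("kind", default_kind)
    if "@" in name:  # cross-provider form, assumed to be name@provider
        name, provider = name.rsplit("@", 1)
        # Namespace is ignored, except for a TraefikService on kubernetescrd.
        keep_ns = kind == "TraefikService" and provider == "kubernetescrd"
        ns = ref.get("namespace", owner_ns) if keep_ns else None
        return kind, provider, ns, name
    # No provider suffix: the namespace defaults to the owning resource's.
    return kind, "kubernetescrd", ref.get("namespace", owner_ns), name


def cross_namespace_refs(route, apply_ns="default"):
    """List references that resolve outside the IngressRoute's own namespace."""
    owner_ns = route["metadata"].get("namespace", apply_ns)  # apply_ns: assumed
    spec = route["spec"]
    refs = []
    for r in spec.get("routes", []):
        refs += [resolve(m, owner_ns, "Middleware") for m in r.get("middlewares", [])]
        refs += [resolve(s, owner_ns, "Service") for s in r.get("services", [])]
    if "options" in spec.get("tls", {}):
        refs.append(resolve(spec["tls"]["options"], owner_ns, "TLSOption"))
    return [x for x in refs if x[2] is not None and x[2] != owner_ns]
```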

TLS

To allow for TLS, we use the Secret kind, since it is already defined, and it can be used directly in an IngressRoute:

apiVersion: v1
kind: Secret
metadata:
  name: supersecret

data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutetls

spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`foo.com`) && PathPrefix(`/bar`)
    kind: Rule
    services:
    - name: whoami
      port: 443
  tls:
    secretName: supersecret
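
An added example, not part of the Traefik documentation: the sketch below decodes the tls.crt and tls.key values of a Secret and reports PEM blocks that are missing, mislabeled or empty. Run on the values shown above, it reports both as empty, so the sample Secret holds placeholders rather than key material; the list of accepted labels is an assumption, and the check is structural only (it does not parse the certificate).

```python
import base64
import re

# Secret data copied from the manifest on this page.
PAGE_SECRET = {
    "tls.crt": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=",
    "tls.key": "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=",
}

# PEM labels accepted for each Secret key (assumed policy, adjust as needed).
EXPECTED = {
    "tls.crt": {"CERTIFICATE"},
    "tls.key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(b64_value):
    """Decode one Secret data value and return [(label, der_length), ...]."""
    text = base64.b64decode(b64_value, validate=True).decode("ascii")
    blocks = []
    for label, body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, len(der)))
    return blocks


def check_tls_secret(data):
    """Return a list of readable problems; an empty list means plausible."""
    problems = []
    for key, labels in EXPECTED.items():
        if key not in data:
            problems.append(f"{key}: missing")
            continue
        try:
            blocks = pem_blocks(data[key])
        except ValueError as exc:  # covers base64 and ASCII decoding errors
            problems.append(f"{key}: not valid base64/PEM ({exc})")
            continue
        if not blocks:
            problems.append(f"{key}: no PEM block found")
        for label, size in blocks:
            if label not in labels:
                problems.append(f"{key}: unexpected PEM label {label!r}")
            if size == 0:
                problems.append(f"{key}: PEM block {label!r} is empty")
    return problems
```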

Further

See also the complete "encryption" example.