
Deploying Traefik 2 with Helm 3

Detailed Traefik guide: https://www.qikqiak.com/traefik-book/
References:
https://mp.weixin.qq.com/s/nMMN7hAJK6SFn1V1YyxvHA
https://doc.traefik.io/traefik/migration/v1-to-v2/
https://doc.traefik.io/traefik/middlewares/overview/
https://zhuanlan.zhihu.com/p/126752663

Environment:
k8s 1.23.4
helm3 3.8

1. Helm 3

1.1 Installation

curl https://get.helm.sh/helm-v3.4.2-linux-amd64.tar.gz -o helm-v3.4.2-linux-amd64.tar.gz
tar zxvf helm-v3.4.2-linux-amd64.tar.gz
mv linux-amd64/helm /usr/bin/
1.2 Add the Traefik repository

# Add the Traefik v2 helm chart
helm repo add traefik https://helm.traefik.io/traefik
# Update the repositories
helm repo update
# List the repos
helm repo list
traefik https://helm.traefik.io/traefik

2. Deploying Traefik 2

2.1 Deployment

mkdir -p /data/traefik2
cd /data/traefik2
# Download the traefik2 chart
helm pull traefik/traefik --version 10.19.4
# Extract values.yaml
tar zxvf traefik-10.19.4.tgz --strip-components 1 traefik/values.yaml
cat > /data/traefik2/start.sh <<'EOF'
helm upgrade --install --create-namespace --wait traefik2 traefik-10.19.4.tgz -f values.yaml -n kube-system
EOF
bash /data/traefik2/start.sh
2.2 Configure values.yaml

Selected parts of the configuration:

deployment:
  # number of replicas
  replicas: 1
# Let's Encrypt configuration
#additionalArguments:
#  - "--certificatesresolvers.default.acme.storage=/data/acme.json"
#  - --certificatesresolvers.default.acme.tlschallenge
#  - --certificatesresolvers.default.acme.email=me@myself.com
#  - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
# logging
logs:
  general:
    level: ERROR
  access:
    enabled: true
    format: json
    bufferingSize: 100
    filters:
      statuscodes: "200,300-302"
      retryattempts: true
      minduration: 10ms
    fields:
      general:
        defaultmode: keep
        names:
          ClientUsername: drop
      headers:
        defaultmode: drop
        names:
          User-Agent: redact
          Authorization: drop
          Content-Type: keep
# global arguments: enable the dashboard, metrics, etc.
globalArguments:
  - "--global.checknewversion"
  - "--global.sendanonymoususage"
  - "--serversTransport.insecureSkipVerify=true"
  - "--api.insecure=true"
  - "--api.dashboard=true"
  - "--metrics.prometheus=true"
  - "--metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000"
  - "--metrics.prometheus.addEntryPointsLabels=true"
  - "--metrics.prometheus.addServicesLabels=true"
  - "--metrics.prometheus.entryPoint=metrics"
  - "--metrics.prometheus.manualrouting=true"
  #- "--entryPoints.metrics.address=:8020"
  #- "--metrics.prometheus.manualrouting=true"
  # zipkin tracing
  - "--tracing.zipkin=true"
  - "--tracing.zipkin.httpEndpoint=http://localhost:9411/api/v2/spans"
  - "--tracing.zipkin.sameSpan=true"
  - "--tracing.zipkin.id128Bit=false"
  - "--tracing.zipkin.sampleRate=0.2"
# port exposure
ports:
  traefik:
    port: 9000
    # hostPort: 9000
    # hostIP: 192.168.100.10
    expose: true
    exposedPort: 9000
    protocol: TCP
    nodePort: 29000
  web:
    port: 8000
    # hostPort: 8000
    expose: true
    exposedPort: 80
    protocol: TCP
    nodePort: 20080
    # redirectTo: websecure
  websecure:
    port: 8443
    # hostPort: 8443
    expose: true
    exposedPort: 443
    protocol: TCP
    nodePort: 20443
  # TCP proxy entrypoint
  mongo:
    port: 27017
    expose: true
    exposedPort: 27017
    protocol: TCP
    #hostPort: 27017
    nodePort: 27017
# resource limits
resources:
  requests:
    cpu: "100m"
    memory: "50Mi"
  limits:
    cpu: "300m"
    memory: "150Mi"
# how the service is exposed
service:
  #type: LoadBalancer
  type: NodePort
2.3 Verification

Open the dashboard:
http://192.168.11.211:29000/dashboard/#/

2.4 Publishing the Traefik dashboard on the HTTP entrypoint

cat > /data/traefik2/traefik_dashboard.yaml << 'EOF'
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route
  namespace: kube-system  # namespace
spec:
  entryPoints:
    - web
  # tls:
  #   secretName: cloudfe-cert-tls
  routes:
    - match: Host(`traefik.kids.cn`) && PathPrefix(`/`)  # domain
      kind: Rule
      services:
        - name: traefik2  # must match the Service name
          port: 9000      # must match the Service port
      middlewares:
        - name: test-auth
          namespace: default
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-auth
spec:
  basicAuth:
    secret: authsecret
---
apiVersion: v1
kind: Secret
metadata:
  name: authsecret
  namespace: default
data:
  users: |2
    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
# generate the password entry with: htpasswd -nb user password | openssl base64
EOF

Example 2: PathPrefix

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
spec:
  entryPoints:
    - http
  routes:
    - match: Host(`test.localhost`) && PathPrefix(`/test`)
      kind: Rule
      services:
        - name: server0
          port: 80
        - name: server1
          port: 80
      middlewares:
        - name: basicauth
          namespace: foo

3. Traefik middlewares

3.1 basicAuth authentication

Username/password generator: http://web.chacuo.net/nethtpasswd
Alternatively, run openssl passwd -apr1 yourPassword to generate the password hash.

cat > /data/traefik2/traefik_authsecret.yaml << 'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: traefik-authsecret
  namespace: kube-system
type: Opaque
stringData:
  users: test:$apr1$XeP7Hl7a$HZggi6xLd5IlYFrOxFNpe1
EOF

Configure the BasicAuth middleware

cat > /data/traefik2/traefik_basic_auth.yaml << 'EOF'
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-basic-auth
  namespace: kube-system
spec:
  basicAuth:
    secret: traefik-authsecret
EOF

Reconfigure the IngressRoute

cat > /data/traefik2/traefik_dashboard.yaml << 'EOF'
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route
  namespace: kube-system  # namespace
spec:
  entryPoints:
    - web
  # tls:
  #   secretName: cloudfe-cert-tls
  routes:
    # - match: Host(`traefik.goodboy.cn`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
    - match: Host(`traefik.kids.cn`)  # domain
      kind: Rule
      services:
        - name: traefik2  # must match the Service name
          port: 9000      # must match the Service port
      middlewares:
        - name: traefik-basic-auth
EOF

Apply the configuration:

kubectl apply -f traefik_authsecret.yaml
kubectl apply -f traefik_basic_auth.yaml
kubectl apply -f traefik_dashboard.yaml

URL: http://traefik.kids.cn:20080/dashboard/#/

Username/password: test/test

3.2 HTTPS
3.2.1 Self-signed certificate

cd /data/traefik2/
# Create the certificate
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout traefik-tls.key -out traefik-tls.crt -subj "/CN=*.kids.cn"
# Reference the certificate files through a Secret object
kubectl create secret tls traefik-tls --cert=traefik-tls.crt --key=traefik-tls.key -n kube-system
# Modify the IngressRoute
cat > /data/traefik2/traefik_dashboard_https.yaml <<'EOF'
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route-tls
  namespace: kube-system  # namespace
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.kids.cn`)  # domain
      kind: Rule
      services:
        - name: traefik2  # must match the Service name
          port: 9000      # must match the Service port
      middlewares:
        - name: traefik-basic-auth
  tls:
    secretName: traefik-tls
EOF
3.2.2 Automated HTTPS with Let's Encrypt

cat > /data/traefik2/certificatesresolvers.yaml <<'EOF'
certificatesresolvers:
  default:
    acme:
      tlsChallenge: {}
      email: "xbzeng@163.com"
      storage: "acme.json"
EOF
# Reference the resolver from the IngressRoute:
tls:
  certResolver: default
3.2.3 Self-signed certificates for Traefik via cert-manager

Installing cert-manager with Helm 3: https://blog.csdn.net/u010533742/article/details/120201547

cat > /data/cert-manager/ca-sign.yaml <<'EOF'
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ca-issuer
  namespace: cert-manager
spec:
  selfSigned: {}
EOF

kubectl apply -f /data/cert-manager/ca-sign.yaml

# Create the Certificate resource
cat > /data/cert-manager/Certificate.yaml <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kids-cn
  namespace: kube-system
spec:
  secretName: kids-cn-tls
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  privateKey:
    algorithm: ECDSA
    size: 256
    # algorithm: RSA
    # encoding: PKCS1
    # size: 2048
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
    group: cert-manager.io
  commonName: kids.cn
  dnsNames:
    - kids.cn
    - www.kids.cn
    - traefik.kids.cn
  ipAddresses:
    - 127.0.0.1
EOF

kubectl apply -f /data/cert-manager/Certificate.yaml

# Modify the IngressRoute
cat > /data/traefik2/traefik_dashboard_https.yaml <<'EOF'
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: mytlsoption
  namespace: default
spec:
  minVersion: VersionTLS12
  cipherSuites:
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route-tls
  namespace: kube-system  # namespace
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.kids.cn`)  # domain
      kind: Rule
      services:
        - name: traefik2  # must match the Service name
          port: 9000      # must match the Service port
      # middlewares:
      #   - name: traefik-basic-auth
  tls:
    secretName: kids-cn-tls
    options:
      name: mytlsoption
      namespace: default
EOF

kubectl apply -f /data/traefik2/traefik_dashboard_https.yaml

3.3 Forcing users onto HTTPS (redirect HTTP to HTTPS)

cat > /data/traefik2/redirect-https.yaml <<'EOF'
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
  namespace: kube-system
spec:
  redirectScheme:
    scheme: https
    port: "20443"
    permanent: true
EOF

Reference the middleware in the IngressRoute:

middlewares:
  - name: redirect-https  # reference the middleware

3.4 Path replacement

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-replacepathregex
  namespace: kube-system
spec:
  replacePathRegex:
    regex: ^/foo/(.*)
    replacement: /bar/$1

Reference the middleware in the IngressRoute:

middlewares:
  - name: test-replacepathregex  # reference the middleware

3.5 Stripping a path prefix

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-stripprefix
spec:
  stripPrefix:
    prefixes:
      - /foobar
      - /fiibar

Reference the middleware in the IngressRoute:

middlewares:
  - name: test-stripprefix  # reference the middleware
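To check what the replacePathRegex (3.4) and stripPrefix (3.5) rules above do to a request path before rolling them out, here is a small simulator. It is an added example, not code from the page or from Traefik; it follows the documented v2 behaviour (Go-style `$1` groups, the `X-Replaced-Path` and `X-Forwarded-Prefix` headers, `forceSlash` defaulting to true) and treats prefix matching as a plain string prefix.

```python
import re

def replace_path_regex(path, regex, replacement):
    """replacePathRegex: Traefik applies a Go regexp with ReplaceAllString, whose
    group syntax is $1 or ${1}; translate that to Python's \\1 before substituting.
    When the regex matches, the original path is stored in X-Replaced-Path."""
    py_replacement = re.sub(r"\$\{?(\d+)\}?", r"\\\1", replacement)
    if not re.search(regex, path):
        return path, {}
    return re.sub(regex, py_replacement, path), {"X-Replaced-Path": path}

def strip_prefix(path, prefixes, force_slash=True):
    """stripPrefix: the first matching prefix is removed and handed to the backend
    as X-Forwarded-Prefix; forceSlash (default true) keeps the result from being empty."""
    for prefix in prefixes:
        if path.startswith(prefix):
            stripped = path[len(prefix):]
            if force_slash and not stripped.startswith("/"):
                stripped = "/" + stripped
            return stripped, {"X-Forwarded-Prefix": prefix}
    return path, {}

def apply_chain(path, chain):
    """Apply Middleware specs (the 'spec' part of the Kubernetes objects) in order,
    accumulating the headers Traefik adds for the backend."""
    headers = {}
    for spec in chain:
        if "replacePathRegex" in spec:
            cfg = spec["replacePathRegex"]
            path, added = replace_path_regex(path, cfg["regex"], cfg["replacement"])
        elif "stripPrefix" in spec:
            cfg = spec["stripPrefix"]
            path, added = strip_prefix(path, cfg["prefixes"], cfg.get("forceSlash", True))
        else:
            raise ValueError(f"unsupported middleware: {list(spec)}")
        headers.update(added)
    return path, headers

# Constructed sample chain mirroring the two middlewares from sections 3.4 and 3.5.
CHAIN = [
    {"replacePathRegex": {"regex": "^/foo/(.*)", "replacement": "/bar/$1"}},
    {"stripPrefix": {"prefixes": ["/foobar", "/fiibar"]}},
]

if __name__ == "__main__":
    for p in ("/foo/api/v1", "/foo", "/foobar", "/fiibar/x"):
        print(p, "->", apply_chain(p, CHAIN))
```

Note that `^/foo/(.*)` does not match a bare `/foo`, and that stripping `/foobar` from `/foobar` leaves `/` only because of forceSlash.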

3.6 TCP proxy

cat > /data/traefik2/tcp_mongo.yaml << 'EOF'
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mongo-route
  namespace: base  # namespace
spec:
  entryPoints:
    - mongo
  routes:
    # TCP routing needs SNI, and SNI depends on TLS, so a certificate is normally required;
    # without one, the wildcard * can be used instead
    - match: Host(`*`)
      kind: Rule
      services:
        - name: mongo  # must match the Service name
          port: 27017  # must match the Service port
EOF

or, with SNI:

cat > /data/traefik2/tcp_mongo_sni.yaml << 'EOF'
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mongo-route
  namespace: base  # namespace
spec:
  entryPoints:
    - mongo
  routes:
    - match: Host(`mongo.kids.cn`)  # domain
      kind: Rule
      services:
        - name: mongo  # must match the Service name
          port: 27017  # must match the Service port
  tls:
    secretName: traefik-tls
    passthrough: true
EOF

3.7 ServiceMonitor (for prometheus-operator)

apiVersion: v1
kind: Service
metadata:
  annotations:
  labels:
    app.kubernetes.io/instance: traefik2
  name: kube-prometheus-stack-traefik2
  namespace: kube-system
spec:
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - name: metrics
      port: 8082
      protocol: TCP
      targetPort: metrics
  selector:
    app.kubernetes.io/instance: traefik2
  type: ClusterIP
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: kube-prometheus-stack-traefik2
  namespace: monitoring
  labels:
    release: kube-prometheus-stack
spec:
  jobLabel: app.kubernetes.io/name
  selector:
    matchLabels:
      app.kubernetes.io/instance: traefik2
  namespaceSelector:
    matchNames:
      - kube-system
  endpoints:
    - port: metrics
      interval: 30s
      path: /metrics
3.8 Example: IP whitelist, authentication and HTTPS combined

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`mydomain`)
      kind: Rule
      services:
        - name: whoami
          port: 80
      middlewares:
        - name: secured
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: secured
spec:
  chain:
    middlewares:
      - name: https-only
      - name: known-ips
      - name: auth-users
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth-users
spec:
  basicAuth:
    users:
      - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: https-only
spec:
  redirectScheme:
    scheme: https
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: known-ips
spec:
  ipWhiteList:
    sourceRange:
      - 192.168.1.7
      - 127.0.0.1/32
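The chain above is the pattern to check for across a cluster: every IngressRoute that fronts the dashboard Service should carry an auth middleware, and routes on the plain `web` entrypoint should carry a redirectScheme. The cert-manager variant of the dashboard route in 3.2.3 has its basicAuth middleware commented out, and with `--api.insecure=true` the dashboard is also reachable directly on NodePort 29000, which no IngressRoute middleware covers. The audit below is an added example, not code from the page; it works on the already-parsed objects `kubectl get ingressroute,middleware -A -o json` would yield (constructed here), assumes the dashboard Service is named `traefik2` as in the Helm release above, and resolves chain middlewares recursively.

```python
DASHBOARD_SERVICE = "traefik2"  # Service name of the Helm release above (assumed)
AUTH_KINDS = {"basicAuth", "digestAuth", "forwardAuth"}

def resolve(ref, index, default_ns, seen=()):
    # Expand one middleware reference (following chains) into spec dicts;
    # a dangling or looping reference yields nothing, i.e. counts as no protection.
    key = (ref.get("namespace", default_ns), ref["name"])
    if key in seen or key not in index:
        return []
    spec = index[key]
    if "chain" in spec:
        return [s for r in spec["chain"]["middlewares"]
                for s in resolve(r, index, key[0], seen + (key,))]
    return [spec]

def audit(ingressroutes, index):
    """Report dashboard routes without auth and plain-HTTP routes without a redirect."""
    findings = []
    for ir in ingressroutes:
        ns, name = ir["metadata"].get("namespace", "default"), ir["metadata"]["name"]
        entrypoints = ir["spec"].get("entryPoints")  # unset means every entrypoint
        plain_http = entrypoints is None or "web" in entrypoints
        for route in ir["spec"].get("routes", []):
            keys = {k for r in route.get("middlewares", [])
                    for s in resolve(r, index, ns) for k in s}
            where = f"{ns}/{name} {route['match']}"
            if plain_http and "redirectScheme" not in keys:
                findings.append(f"{where}: served over plain HTTP without redirectScheme")
            to_dashboard = any(s["name"] == DASHBOARD_SERVICE for s in route.get("services", []))
            if to_dashboard and not keys & AUTH_KINDS:
                findings.append(f"{where}: dashboard exposed without an auth middleware")
    return findings

# Constructed sample: the chain from section 3.8 plus the cert-manager dashboard
# route from section 3.2.3 (basicAuth commented out). Keys are (namespace, name).
MIDDLEWARES = {
    ("default", "secured"): {"chain": {"middlewares": [{"name": "https-only"}, {"name": "known-ips"}, {"name": "auth-users"}]}},
    ("default", "auth-users"): {"basicAuth": {"users": ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]}},
    ("default", "https-only"): {"redirectScheme": {"scheme": "https"}},
    ("default", "known-ips"): {"ipWhiteList": {"sourceRange": ["192.168.1.7", "127.0.0.1/32"]}},
}
ROUTES = [
    {"metadata": {"name": "test", "namespace": "default"},
     "spec": {"entryPoints": ["web"], "routes": [{"match": "Host(`mydomain`)", "kind": "Rule",
              "services": [{"name": "whoami", "port": 80}], "middlewares": [{"name": "secured"}]}]}},
    {"metadata": {"name": "traefik-dashboard-route-tls", "namespace": "kube-system"},
     "spec": {"entryPoints": ["websecure"], "routes": [{"match": "Host(`traefik.kids.cn`)", "kind": "Rule",
              "services": [{"name": "traefik2", "port": 9000}]}]}},
]
```

Running `audit(ROUTES, MIDDLEWARES)` reports only the dashboard route; the `test` route passes because its chain resolves to redirectScheme, ipWhiteList and basicAuth.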
http://www.jsqmd.com/news/506990/
