I. The Kubernetes Nginx Ingress Controller image is hard to download, so use traefik instead
II. Installing and using traefik
1. Overall approach:
-> First install a core add-on into k8s: traefik-ingress-controller
-> Then create pod + deployment + svc-ingress (the resources that reference the svc)
-> The ingress-controller talks to the apiserver dynamically and refreshes the routing rules that map to routes inside the cluster
2. Install traefik-ingress-controller
# git clone -b v1.7 https://github.com/containous/traefik.git
# cd /traefik/examples/k8s/
# kubectl apply -f traefik-ds.yaml
# kubectl get pod -n kube-system -w
traefik-ingress-controller-5hzm8 1/1 Running 0 2m28s
traefik-ingress-controller-8gmfs 1/1 Running 0 2m33s
# curl <IP-of-any-node>
404 page not found    (a 404 from traefik means the install succeeded)
3. Create pod + deployment + svc-ingress (the resources that reference the svc), i.e. the resources that must be reachable from outside
|- Official example: routing by path
# kubectl apply -f cheeses-ingress.yaml
Edit the hosts file on the Windows host you browse from:
<IP-of-any-k8s-node>  cheeses.minikube
Open http://cheeses.minikube/wensleydale/ in the browser
You can also open the traefik UI dashboard to inspect the routes: http://traefik-ui.minikube/dashboard/
|- My own tomcat exercise
# mkdir -p /k8s/traefik/ && cd /k8s/traefik/
# vi tomcat-deploy.yaml
---
# The tomcat-ns namespace must exist before the namespaced objects below can be applied.
apiVersion: v1
kind: Namespace
metadata:
  name: tomcat-ns
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: tomcat-deploy
  namespace: tomcat-ns
  labels:
    app: tomcat
    release: canary
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
        version: v0.0.1
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5.40-jre8-alpine
        resources:
          requests:
            cpu: 100m
            memory: 100Mi
          limits:
            cpu: 100m
            memory: 200Mi
        ports:
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009
---
kind: Service
apiVersion: v1
metadata:
  name: tomcat-svc
  namespace: tomcat-ns
spec:
  selector:
    app: tomcat
  ports:
  - name: http
    targetPort: 8080
    port: 8080
  - name: ajp
    targetPort: 8009
    port: 8009
# vi tomcat-svc-ingress.yaml
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-tomcat
  namespace: tomcat-ns
spec:
  rules:
  - host: tomcat.jupiterx.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-svc
          servicePort: 8080
# kubectl apply -f tomcat-deploy.yaml -f tomcat-svc-ingress.yaml
Edit the hosts file on the Windows host you browse from:
<IP-of-any-k8s-node>  tomcat.jupiterx.com
Open http://tomcat.jupiterx.com/ in the browser
You can also open the traefik UI dashboard to inspect the routes: http://traefik-ui.minikube/dashboard/
III. Configuring HTTPS on traefik in practice
To reach traefik over HTTPS (more secure, but more complex), there are two possible flows:
1. The backend service is plain HTTP: client and traefik talk over encrypted HTTPS, but traefik and the svc talk plaintext HTTP
client --- (via https) ---> traefik ---- (via http) ----> services
2. The backend service is HTTPS: client and traefik talk over HTTPS, and traefik and the svc also talk HTTPS
client --- (via https) ---> traefik ---- (via https) ----> services
3. Steps to implement the first flow:
# mkdir -p /k8s/traefik/ssl/ && cd /k8s/traefik/ssl
# openssl genrsa -out tls.key 2048
# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=BJ/L=BJ/O=Juwenzhe/CN=<domain-clients-will-access>
# kubectl create secret generic traefik-cert --from-file=tls.crt --from-file=tls.key -n kube-system
# mkdir -p /k8s/traefik/config/ && cd /k8s/traefik/config
# vi tomcat-traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/k8s/traefik/ssl/tls.crt"
keyFile = "/k8s/traefik/ssl/tls.key"
# kubectl create configmap traefik-conf --from-file=tomcat-traefik.toml -n kube-system
# cd ..
# vi traefik-ds.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      # Pinned to v1.7: the TOML above and the args below are traefik v1 syntax;
      # an unpinned "traefik" tag pulls v2 or later, which rejects them.
      - image: traefik:v1.7
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/k8s/traefik/ssl"
          name: "ssl"
        - mountPath: "/k8s/traefik/config"
          name: "config"
        ports:
        - name: https
          containerPort: 443
          hostPort: 443
        - name: http
          containerPort: 80
          hostPort: 80
        # With hostNetwork, the API/dashboard enabled by --api is reachable on
        # port 8080 of every node and has no authentication in this config.
        - name: admin
          containerPort: 8080
          hostPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --configFile=/k8s/traefik/config/tomcat-traefik.toml
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - protocol: TCP
    port: 80
    name: web
  - protocol: TCP
    port: 443
    name: https
  - protocol: TCP
    port: 8080
    name: admin
  type: NodePort
# kubectl apply -f traefik-ds.yaml -n kube-system
serviceaccount/traefik-ingress-controller created
daemonset.extensions/traefik-ingress-controller created
service/traefik-ingress-service created
4. Open http://tomcat.jupiterx.com/ in the browser (the http entrypoint redirects to https, and the browser will warn about the self-signed certificate)
You can also open the traefik UI dashboard to inspect the routes: http://traefik-ui.minikube/dashboard/
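The manifests in II.3 and III.3 only work if their cross-references line up: the Service selector must match the pod labels, the Ingress backend must name a Service port, and the certFile/keyFile in the TOML and the --configFile path must fall under a DaemonSet mountPath backed by the Secret/ConfigMap that actually holds those keys. The following static check encodes those rules; it is an added example, not code from the page or the traefik project, and its inputs are dicts hand-reduced from the page's own YAML and TOML.

```python
"""Static wiring checks for this page's manifests: an added example, not code
from the page or the traefik project. Inputs are hand-reduced from its YAML/TOML."""
import os

# Constructed from tomcat-deploy.yaml and tomcat-svc-ingress.yaml (II.3).
POD_LABELS = {"app": "tomcat", "release": "canary", "version": "v0.0.1"}
SERVICES = {"tomcat-svc": ({"app": "tomcat"}, {8080, 8009})}  # name: (selector, ports)
BACKENDS = [("tomcat-svc", 8080)]                              # (serviceName, servicePort)
# Constructed from III.3: keys produced by `kubectl create ... --from-file`,
# the DaemonSet volumes, mounts and args, and certFile/keyFile from the TOML.
OBJECTS = {("secret", "traefik-cert"): {"tls.crt", "tls.key"},
           ("configMap", "traefik-conf"): {"tomcat-traefik.toml"}}
VOLUMES = {"ssl": ("secret", "traefik-cert"), "config": ("configMap", "traefik-conf")}
MOUNTS = {"/k8s/traefik/ssl": "ssl", "/k8s/traefik/config": "config"}
ARGS = ["--configFile=/k8s/traefik/config/tomcat-traefik.toml", "--api", "--kubernetes"]
TLS_FILES = {"certFile": "/k8s/traefik/ssl/tls.crt", "keyFile": "/k8s/traefik/ssl/tls.key"}

def resolve(path, mounts=MOUNTS, volumes=VOLUMES, objects=OBJECTS):
    """(kind, name, key) of the mounted entry behind a container path, else None."""
    for mount_path, vol in mounts.items():
        if os.path.commonpath([mount_path, path]) == mount_path:
            kind, name = volumes[vol]
            key = os.path.relpath(path, mount_path)
            return (kind, name, key) if key in objects.get((kind, name), ()) else None
    return None  # no volume provides the file: traefik fails at startup

def check_app(pod_labels=POD_LABELS, services=SERVICES, backends=BACKENDS):
    """Service selector must match pod labels; Ingress backends must name a Service port."""
    problems = []
    for name, (selector, _ports) in services.items():
        if any(pod_labels.get(k) != v for k, v in selector.items()):
            problems.append(f"Service {name} selects no pods")
    for name, port in backends:
        if name not in services or port not in services[name][1]:
            problems.append(f"Ingress backend {name}:{port} has no matching Service port")
    return problems

def check_traefik(tls_files=TLS_FILES, args=ARGS, **kw):
    """TOML cert/key and --configFile must resolve to mounted entries; keys only from a Secret."""
    wanted = dict(tls_files, **{"configFile": a.split("=", 1)[1]
                                for a in args if a.startswith("--configFile=")})
    problems = []
    for field, path in wanted.items():
        hit = resolve(path, **kw)
        if hit is None:
            problems.append(f"{field} {path} is not provided by any mounted volume")
        elif field != "configFile" and hit[0] != "secret":
            problems.append(f"{field} {path} comes from a {hit[0]}, should be a Secret")
    return problems
```

Both checks return an empty list for the page's manifests; changing a mountPath, a Service selector or the --configFile path makes the corresponding problem show up before anything is applied to the cluster.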
Appendix 1: Configuring the Aliyun docker registry mirror
1: Aliyun docker registry: https://dev.aliyun.com/search.html
2: After registering an account, open your management console.
https://cr.console.aliyun.com/cn-hangzhou/instances/mirrors
3: In the console click Accelerator; the right-hand panel shows your accelerator address, with detailed setup steps below it.