preface
Traefik is a component of the Kubernetes ecosystem. Traefik is a component of the Kubernetes ecosystem. Traefik is a component of the Kubernetes ecosystem. Traefik is a component of the Kubernetes ecosystem. There’s a big gap between the two versions, and it feels like you’re using different software. This article is v2. Based on the x version to demonstrate, the script code involved in making https://github.com/lateautumn4lin/KubernetesResearch warehouse, When you use the switch directory to ClusterEcology/initTraefik below.
What points did Traefik v2.x upgrade raise
Let’s start by taking a look at Traefik V2. x’s new and upgraded features compared to v1.x.
1. Supports SNI routes and TCP over multi-protocol ports
Here is a simple example configuration – routing requests to a database using the latest supported YAML file format:
tcp:
routers:
to-database:
entrypoints:
- database-entrypoint
rule: HostSNI(` * `)
service: database-service
services:
database-service:
loadBalancer:
servers:
- address: xx.xx.xx.xx:xx
Copy the codeThe configuration example above shows that every request ending in database-entrypoint will be routed to database-service.
In addition, Traefik can route TCP requests based on SNI over TLS. In the following example, Traefik will route requests to two databases based on SNI:
tcp:
routers:
to-db- 1:
entrypoints:
- web-secure
rule: "HostSNI(`db1.domain`)"
service: "db1"
tls: {}
to-db2 -:
entrypoints:
- web-secure
rule: "HostSNI(`db2.domain`)"
service: "db2"
tls: {}
Copy the codeTraefik also supports HTTP and TCP on the same port, so if you want to get both HTTP and TCP requests from the same port, Traefik is perfect for this.
tcp:
routers:
to-db- 1:
entrypoints:
- web-secure
rule: "HostSNI(`db1.domain`)"
service: "db-1"
tls: {}
http:
routers:
to-db1-dashboard:
entrypoints:
- web-secure
rule: "Host(`dashboard.db1.domain`)"
service: "db1-dashboard"
tls: {}
Copy the codeFor example, in the example above, HTTP requests on dashboard.db1.domain are routed to the Dashboard service of the database, while TCP requests on db1.domain are routed to the database.
2. Use the middleware to completely customize routes
First we can declare a middleware that can be reused on any number of routes. Let’s demonstrate how to configure middleware and declare a BasicAuth middleware to control access to our service (this time using TOML) :
# declare a basicauth middleware for two users [http.middlewares.test-auth.basicauth] users = ["user1:hashed", My-router-service] rule = "host(' my-protected. Domain ')" middlewares = ["test-auth"] service = "service1"Copy the codeIn addition, you can declare a chain to combine and bind these middleware pieces and use them over and over again, and for Kubernetes users, Traefik’s new CRD can be used for clearer configuration without complex annotations. (You can find more information about the IngressRoute object in the documentation.) As follows:
apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: test namespace: default spec: entryPoints: - web routes: - match: Host(`mydomain`) kind: Rule services: - name: whoami port: 80 middlewares: - name: secured --- apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: secured spec: chain: middlewares: - name: https-only - name: known-ips - name: auth-users --- apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: Auth-users spec: basicAuth: secret: secretUsers # compatible K8S secrets object -- apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: https-only spec: redirectScheme: scheme: https --- apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: known-ips spec: ipWhiteList: SourceRange: -192.168.1.7-127.0.0.1/32Copy the codeIn the example above, the middleware secured is a chain of three middleware components: HTTPS -only, know- IPS, and Auth-Users.
And there’s a lot of middleware built into Traefik: path manipulation, multiple authentication mechanisms, buffering, circuit breakers, retry, compression, error handling, HEADERS, IP whitelist, speed limiting, redirection, and more. The code architecture has also been redesigned to make it easier for developers to provide third-party middleware.
3. The new Dashboard
The new version features a new web user interface (WebUI). The goal is to show users the information on the cluster at a glance and which features can be enabled. The huge difference in the interface also makes it feel like two different software are being used.
https://docs.traefik.io/v2.0/
Traefik V2. x Installation practice
Traefik v2.x installation is divided into two parts. The first part is to install Traefik v2.x service and the second part is to configure the corresponding service routes.
1. Install Traefik V2. x
1.1 Creating CRD Resources
After Traefik V2.0, Custom Resource Definition (CRD) is used to complete route configuration. Therefore, you need to create CRD resources in advance.
Look at the code
## IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressroutes.traefik.containo.us
spec:
scope: Namespaced
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRoute
plural: ingressroutes
singular: ingressroute
---
## IngressRouteTCP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressroutetcps.traefik.containo.us
spec:
scope: Namespaced
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRouteTCP
plural: ingressroutetcps
singular: ingressroutetcp
---
## Middleware
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: middlewares.traefik.containo.us
spec:
scope: Namespaced
group: traefik.containo.us
version: v1alpha1
names:
kind: Middleware
plural: middlewares
singular: middleware
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: tlsoptions.traefik.containo.us
spec:
scope: Namespaced
group: traefik.containo.us
version: v1alpha1
names:
kind: TLSOption
plural: tlsoptions
singular: tlsoption
Copy the codeCreate the Traefik CRD resource
kubectl apply -f traefik-crd.yaml
Copy the code1.2 Creating RBAC Permission
In version 1.6, Kubernetes introduced role-based access Control (RBAC) policies to facilitate fine-grained control over Kubernetes resources and apis. Traefik requires certain permissions, so create Traefik ServiceAccount in advance and assign certain permissions.
Look at the code
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: kube-system
name: traefik-ingress-controller
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
- apiGroups: [""]
resources: ["services"."endpoints"."secrets"]
verbs: ["get"."list"."watch"]
- apiGroups: ["extensions"]
resources: ["ingresses"]
verbs: ["get"."list"."watch"]
- apiGroups: ["extensions"]
resources: ["ingresses/status"]
verbs: ["update"]
- apiGroups: ["traefik.containo.us"]
resources: ["middlewares"]
verbs: ["get"."list"."watch"]
- apiGroups: ["traefik.containo.us"]
resources: ["ingressroutes"]
verbs: ["get"."list"."watch"]
- apiGroups: ["traefik.containo.us"]
resources: ["ingressroutetcps"]
verbs: ["get"."list"."watch"]
- apiGroups: ["traefik.containo.us"]
resources: ["tlsoptions"]
verbs: ["get"."list"."watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: kube-system
Copy the codeCreate the Traefik RBAC resource
kubectl apply -f traefik-rbac.yaml -n kube-system
Copy the code1.3 Creating the Traefik Profile
Because Traefik configuration is many, it is not convenient to define Traefik through the CLI. In most cases, you choose to put the configuration options in the configuration file, save it to the ConfigMap, and attach it to Traefik.
Look at the code
kind: ConfigMap
apiVersion: v1
metadata:
name: traefik-config
data:
traefik.yaml: |-
serversTransport:
insecureSkipVerify: true
api:
insecure: true
dashboard: true
debug: true
metrics:
prometheus: ""
entryPoints:
web:
address: ": 80"
websecure:
address: ": 443"
providers:
kubernetesCRD: ""
log:
filePath: ""
level: error
format: json
accessLog:
filePath: ""
format: json
bufferingSize: 0
filters:
retryAttempts: true
minDuration: 20
fields:
defaultMode: keep
names:
ClientUsername: drop
headers:
defaultMode: keep
names:
User-Agent: redact
Authorization: drop
Content-Type: keep
Copy the codeCreate the Traefik ConfigMap resource
kubectl apply -f traefik-config.yaml -n kube-system
Copy the code1.4 Node Settings Label Indicates the Label
As Traefik was deployed in Kubernetes DeamonSet, it was necessary to set the Label for the nodes in advance, so that Pod would be automatically scheduled to the node with the Label set when the program was deployed.
Node Setting Label Indicates the Label
Kubectl label Nodes [key=value]
kubectl label nodes k8s-node2 -- 12 IngressProxy=true
Copy the codeCheck whether the Label is set successfully for the node
[root@master1 initTraefik]# kubectl get nodes --show-labels NAME STATUS ROLES AGE VERSION LABELS master1 Ready master 26 h v1.17.2 IngressProxy=true,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,edgenode=true,kubernetes.io/arch=amd64,kuber netes.io/hostname=ydzs-master,kubernetes.io/os=linux,node-role.kubernetes.io/master=Copy the codeTo delete the label, use kubectl label nodes k8s-node-2-12 IngressProxy-
1.5 Kubernetes deploys Traefik
As Traefik 1.7 was deployed before, it was deployed in DaemonSet mode to facilitate expansion among multiple servers. Hostport mode was used to occupy ports 80 and 443 of the server to facilitate traffic entry.
Look at the code
apiVersion: v1 kind: Service metadata: name: traefik spec: ports: - name: web port: 80 - name: websecure port: 443 - name: admin port: 8080 selector: app: traefik --- apiVersion: apps/v1 kind: DaemonSet metadata: name: traefik-ingress-controller labels: app: traefik spec: selector: matchLabels: app: traefik template: metadata: name: traefik labels: app: traefik spec: serviceAccountName: traefik-ingress-controller terminationGracePeriodSeconds: 1 Containers: - image: traefik:v2.0.5 Name: Traefik-ingress-lb ports: - name: web containerPort: 80 hostPort: Name: websecure containerPort: 443 hostPort: 443 #hostPort: 443 #hostPort: 443 admin containerPort: 8080 resources: limits: cpu: 2000m memory: 1024Mi requests: cpu: 1000m memory: 1024Mi securityContext: capabilities: drop: - ALL add: - NET_BIND_SERVICE args: - --configfile=/config/traefik.yaml volumeMounts: - mountPath: "/config" name: "config" volumes: - name: Tolerations: config configMap: name: traefik-config tolerations: # Sets tolerations for all smudges, preventing nodes from being smudged. Enable IngressProxy on a node with a specific label: "true"Copy the codeKubernetes deployment Traefik
kubectl apply -f traefik-deploy.yaml -n kube-system
Copy the codeThe Traefik V2.0 application has been deployed.
2. Configure service routes
2.1 Configuring HTTP Routing Rules (Traefik Dashboard As an Example)
The Traefik application has been deployed, but to enable external access to Kubernetes internal services, you need to configure routing rules. Traefik Dashboard is enabled here, so first configure routing rules for Traefik Dashboard. Enable external access to the Traefik Dashboard.
Look at the code
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard-route
spec:
entryPoints:
- web
routes:
- match: Host(`traefik.lateautumn4lin.dashboard`)
kind: Rule
services:
- name: traefik
port: 8080
Copy the codeCreate a Traefik Dashboard routing rule object
kubectl apply -f traefik-dashboard-route.yaml -n kube-system
Copy the codeNext, configure Hosts. If a client wants to access the service using a domain name, DNS resolution must be performed. Since there is no DNS server for domain name resolution, modify the Hosts file to bind the IP address of the Traefik node to a customized host. Open the Hosts configuration file on your computer and add the following configuration to it:
192.144152.23. traefik.lateautumn4lin.dashboard
Copy the codeAfter configuration is complete, open the browser to input address: http://traefik.lateautumn4lin.dashboard open Traefik Dashboard.
2.2 Configuring HTTPS Routing Rules (Kubernetes Dashboard Is Used as an Example)
Here we create the Dashboard of Kubernetes using Https protocol. Since it requires Https requests, we configure routing rules based on Https and specify certificates.
Creating a certificate File
$openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout tls.key -out tls. CRT -subj "/ CN = cloud. Lateautumn4lin. Dashboard" # certificate store to Kubernetes Secret in $kubectl create Secret generic cloud - mydlq - TLS --from-file=tls.crt --from-file=tls.key -n kube-systemCopy the codeLook at the code
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: kubernetes-dashboard-route
spec:
entryPoints:
- websecure
tls:
secretName: cloud-mydlq-tls
routes:
- match: Host(`cloud.lateautumn4lin.dashboard`)
kind: Rule
services:
- name: kubernetes-dashboard
port: 443
Copy the codeCreate a Kubernetes Dashboard routing rule object
kubectl apply -f kubernetes-dashboard-route.yaml -n kube-system
Copy the codeConfigure the Hosts file as above
192.144152.23. cloud.lateautumn4lin.dashboard
Copy the codeAfter configuration is complete, open the browser to input address: https://cloud.lateautumn4lin.dashboard/ open the Dashboard, and the effect is the same, we see article said Traefik has good agent HTTPS requests.
2.3 Configuring TCP Routing Rules (Redis is used as an Example)
For the sake of demonstration, we only deploy single-node Redis here. The Redis cluster mode is not our focus here. Here is the resource manifest file we deploy :(redis.yaml)
Look at the code
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis
spec:
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
containers:
- name: redis
image: redis:3.211.
ports:
- containerPort: 6379
protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
name: redis
spec:
ports:
- port: 6379
targetPort: 6379
selector:
app: redis
Copy the codeCreate the Redis service
kubectl apply -f redis.yaml
Copy the codeTraefik requires SNI to configure TCP routing, and SNI relies on TLS, so we need to configure the certificate, but if there is no certificate, we can use wildcard * to configure. Create a CRD object of type IngressRouteTCP :(ingressroute-redis.yaml)
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: redis
spec:
entryPoints:
- redis
routes:
- match: HostSNI(` * `)
services:
- name: redis
port: 6379
Copy the codeCreate the IngressRouteTCP object above
kubectl apply -f ingressroute-redis.yaml
Copy the codeOnce created, we can also go to Traefik’s Dashboard page to see if it works:
-n
We then configure a domain name resolution to Traefik’s node and connect to Redis via port 6379:
$ redis-cli -h redis.lateautumn4lin.com -p 6379
redis.lateautumn4lin.com:6379> ping
PONG
redis.lateautumn4lin.com:6379> set hello world
OK
redis.lateautumn4lin.com:6379> get hello
"world"
redis.lateautumn4lin.com:6379>
Copy the codeThe Traefik V2.0 service routing configuration has been deployed.
More Traefik V2.x production combat
At present, there are few practical cases on the market, mainly test cases of some features of Traefik V2.x, which will be added later.