preface

Traefik is a component of the Kubernetes ecosystem. Traefik is a component of the Kubernetes ecosystem. Traefik is a component of the Kubernetes ecosystem. Traefik is a component of the Kubernetes ecosystem. There’s a big gap between the two versions, and it feels like you’re using different software. This article is v2. Based on the x version to demonstrate, the script code involved in making https://github.com/lateautumn4lin/KubernetesResearch warehouse, When you use the switch directory to ClusterEcology/initTraefik below.

What points did Traefik v2.x upgrade raise

Let’s start by taking a look at Traefik V2. x’s new and upgraded features compared to v1.x.

1. Supports SNI routes and TCP over multi-protocol ports

Here is a simple example configuration – routing requests to a database using the latest supported YAML file format:

tcp:
  routers:
    to-database:
      entrypoints:
      - database-entrypoint
      rule: HostSNI(` * `)
      service: database-service
  services:     
    database-service:
      loadBalancer:
        servers:
        - address: xx.xx.xx.xx:xx
Copy the code

The configuration example above shows that every request ending in database-entrypoint will be routed to database-service.

In addition, Traefik can route TCP requests based on SNI over TLS. In the following example, Traefik will route requests to two databases based on SNI:

tcp:
  routers:
    to-db- 1:
      entrypoints:
      - web-secure
      rule: "HostSNI(`db1.domain`)"
      service: "db1"
      tls: {} 
    to-db2 -:
      entrypoints:
      - web-secure
      rule: "HostSNI(`db2.domain`)"
      service: "db2"
      tls: {}
Copy the code

Traefik also supports HTTP and TCP on the same port, so if you want to get both HTTP and TCP requests from the same port, Traefik is perfect for this.

tcp:
  routers:
    to-db- 1:
      entrypoints:
      - web-secure
      rule: "HostSNI(`db1.domain`)"
      service: "db-1"
      tls: {}
http:
  routers:
    to-db1-dashboard:
      entrypoints:
      - web-secure
      rule: "Host(`dashboard.db1.domain`)"
      service: "db1-dashboard"
      tls: {}
Copy the code

For example, in the example above, HTTP requests on dashboard.db1.domain are routed to the Dashboard service of the database, while TCP requests on db1.domain are routed to the database.

2. Use the middleware to completely customize routes

First we can declare a middleware that can be reused on any number of routes. Let’s demonstrate how to configure middleware and declare a BasicAuth middleware to control access to our service (this time using TOML) :

# declare a basicauth middleware for two users [http.middlewares.test-auth.basicauth] users = ["user1:hashed", My-router-service] rule = "host(' my-protected. Domain ')" middlewares =  ["test-auth"] service = "service1"Copy the code

In addition, you can declare a chain to combine and bind these middleware pieces and use them over and over again, and for Kubernetes users, Traefik’s new CRD can be used for clearer configuration without complex annotations. (You can find more information about the IngressRoute object in the documentation.) As follows:

apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: test namespace: default spec: entryPoints: - web routes: - match: Host(`mydomain`) kind: Rule services: - name: whoami port: 80 middlewares: - name: secured --- apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: secured spec: chain: middlewares: - name: https-only - name: known-ips - name: auth-users --- apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: Auth-users spec: basicAuth: secret: secretUsers # compatible K8S secrets object -- apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: https-only spec: redirectScheme: scheme: https --- apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: known-ips spec: ipWhiteList: SourceRange: -192.168.1.7-127.0.0.1/32Copy the code

In the example above, the middleware secured is a chain of three middleware components: HTTPS -only, know- IPS, and Auth-Users.

And there’s a lot of middleware built into Traefik: path manipulation, multiple authentication mechanisms, buffering, circuit breakers, retry, compression, error handling, HEADERS, IP whitelist, speed limiting, redirection, and more. The code architecture has also been redesigned to make it easier for developers to provide third-party middleware.

3. The new Dashboard

The new version features a new web user interface (WebUI). The goal is to show users the information on the cluster at a glance and which features can be enabled. The huge difference in the interface also makes it feel like two different software are being used.

https://docs.traefik.io/v2.0/

Traefik V2. x Installation practice

Traefik v2.x installation is divided into two parts. The first part is to install Traefik v2.x service and the second part is to configure the corresponding service routes.

1. Install Traefik V2. x

1.1 Creating CRD Resources

After Traefik V2.0, Custom Resource Definition (CRD) is used to complete route configuration. Therefore, you need to create CRD resources in advance.

Look at the code

## IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
---
## IngressRouteTCP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
---
## Middleware
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
Copy the code

Create the Traefik CRD resource

kubectl apply -f traefik-crd.yaml
Copy the code
1.2 Creating RBAC Permission

In version 1.6, Kubernetes introduced role-based access Control (RBAC) policies to facilitate fine-grained control over Kubernetes resources and apis. Traefik requires certain permissions, so create Traefik ServiceAccount in advance and assign certain permissions.

Look at the code

apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: kube-system
  name: traefik-ingress-controller
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups: [""]
    resources: ["services"."endpoints"."secrets"]
    verbs: ["get"."list"."watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get"."list"."watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["middlewares"]
    verbs: ["get"."list"."watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutes"]
    verbs: ["get"."list"."watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutetcps"]
    verbs: ["get"."list"."watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["tlsoptions"]
    verbs: ["get"."list"."watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
Copy the code

Create the Traefik RBAC resource

kubectl apply -f traefik-rbac.yaml -n kube-system
Copy the code
1.3 Creating the Traefik Profile

Because Traefik configuration is many, it is not convenient to define Traefik through the CLI. In most cases, you choose to put the configuration options in the configuration file, save it to the ConfigMap, and attach it to Traefik.

Look at the code

kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-config
data:
  traefik.yaml: |-
    serversTransport:
      insecureSkipVerify: true
    api:
      insecure: true
      dashboard: true
      debug: true
    metrics:
      prometheus: ""
    entryPoints:
      web:
        address: ": 80"
      websecure:
        address: ": 443"
    providers:
      kubernetesCRD: ""
    log:
      filePath: ""
      level: error
      format: json
    accessLog:
      filePath: ""
      format: json
      bufferingSize: 0
      filters:
        retryAttempts: true
        minDuration: 20
      fields:
        defaultMode: keep
        names:
          ClientUsername: drop
        headers:
          defaultMode: keep
          names:
            User-Agent: redact
            Authorization: drop
            Content-Type: keep
Copy the code

Create the Traefik ConfigMap resource

kubectl apply -f traefik-config.yaml -n kube-system
Copy the code
1.4 Node Settings Label Indicates the Label

As Traefik was deployed in Kubernetes DeamonSet, it was necessary to set the Label for the nodes in advance, so that Pod would be automatically scheduled to the node with the Label set when the program was deployed.

Node Setting Label Indicates the Label

Kubectl label Nodes [key=value]

kubectl label nodes k8s-node2 -- 12 IngressProxy=true
Copy the code

Check whether the Label is set successfully for the node

[root@master1 initTraefik]# kubectl get nodes --show-labels NAME STATUS ROLES AGE VERSION LABELS master1 Ready master 26 h v1.17.2 IngressProxy=true,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,edgenode=true,kubernetes.io/arch=amd64,kuber netes.io/hostname=ydzs-master,kubernetes.io/os=linux,node-role.kubernetes.io/master=Copy the code

To delete the label, use kubectl label nodes k8s-node-2-12 IngressProxy-

1.5 Kubernetes deploys Traefik

As Traefik 1.7 was deployed before, it was deployed in DaemonSet mode to facilitate expansion among multiple servers. Hostport mode was used to occupy ports 80 and 443 of the server to facilitate traffic entry.

Look at the code

apiVersion: v1 kind: Service metadata: name: traefik spec: ports: - name: web port: 80 - name: websecure port: 443 - name: admin port: 8080 selector: app: traefik --- apiVersion: apps/v1 kind: DaemonSet metadata: name: traefik-ingress-controller labels: app: traefik spec: selector: matchLabels: app: traefik template: metadata: name: traefik labels: app: traefik spec: serviceAccountName: traefik-ingress-controller terminationGracePeriodSeconds: 1 Containers: - image: traefik:v2.0.5 Name: Traefik-ingress-lb ports: - name: web containerPort: 80 hostPort: Name: websecure containerPort: 443 hostPort: 443 #hostPort: 443 #hostPort: 443 admin containerPort: 8080 resources: limits: cpu: 2000m memory: 1024Mi requests: cpu: 1000m memory: 1024Mi securityContext: capabilities: drop: - ALL add: - NET_BIND_SERVICE args: - --configfile=/config/traefik.yaml volumeMounts: - mountPath: "/config" name: "config" volumes: - name: Tolerations: config configMap: name: traefik-config tolerations: # Sets tolerations for all smudges, preventing nodes from being smudged. Enable IngressProxy on a node with a specific label: "true"Copy the code

Kubernetes deployment Traefik

kubectl apply -f traefik-deploy.yaml -n kube-system
Copy the code

The Traefik V2.0 application has been deployed.

2. Configure service routes

2.1 Configuring HTTP Routing Rules (Traefik Dashboard As an Example)

The Traefik application has been deployed, but to enable external access to Kubernetes internal services, you need to configure routing rules. Traefik Dashboard is enabled here, so first configure routing rules for Traefik Dashboard. Enable external access to the Traefik Dashboard.

Look at the code

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`traefik.lateautumn4lin.dashboard`)
      kind: Rule
      services:
        - name: traefik
          port: 8080
Copy the code

Create a Traefik Dashboard routing rule object

kubectl apply -f traefik-dashboard-route.yaml -n kube-system
Copy the code

Next, configure Hosts. If a client wants to access the service using a domain name, DNS resolution must be performed. Since there is no DNS server for domain name resolution, modify the Hosts file to bind the IP address of the Traefik node to a customized host. Open the Hosts configuration file on your computer and add the following configuration to it:

192.144152.23.  traefik.lateautumn4lin.dashboard
Copy the code

After configuration is complete, open the browser to input address: http://traefik.lateautumn4lin.dashboard open Traefik Dashboard.

2.2 Configuring HTTPS Routing Rules (Kubernetes Dashboard Is Used as an Example)

Here we create the Dashboard of Kubernetes using Https protocol. Since it requires Https requests, we configure routing rules based on Https and specify certificates.

Creating a certificate File

$openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout tls.key -out tls. CRT -subj "/ CN = cloud. Lateautumn4lin. Dashboard" # certificate store to Kubernetes Secret in $kubectl create Secret generic cloud - mydlq - TLS --from-file=tls.crt --from-file=tls.key -n kube-systemCopy the code

Look at the code

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: kubernetes-dashboard-route
spec:
  entryPoints:
    - websecure
  tls:
    secretName: cloud-mydlq-tls
  routes:
    - match: Host(`cloud.lateautumn4lin.dashboard`) 
      kind: Rule
      services:
        - name: kubernetes-dashboard
          port: 443
Copy the code

Create a Kubernetes Dashboard routing rule object

kubectl apply -f kubernetes-dashboard-route.yaml -n kube-system
Copy the code

Configure the Hosts file as above

192.144152.23.  cloud.lateautumn4lin.dashboard
Copy the code

After configuration is complete, open the browser to input address: https://cloud.lateautumn4lin.dashboard/ open the Dashboard, and the effect is the same, we see article said Traefik has good agent HTTPS requests.

2.3 Configuring TCP Routing Rules (Redis is used as an Example)

For the sake of demonstration, we only deploy single-node Redis here. The Redis cluster mode is not our focus here. Here is the resource manifest file we deploy :(redis.yaml)

Look at the code

apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
spec:
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      containers:
      - name: redis
        image: redis:3.211.
        ports:
        - containerPort: 6379
          protocol: TCP

---

apiVersion: v1
kind: Service
metadata:
  name: redis
spec:
  ports:
  - port: 6379
    targetPort: 6379
  selector:
    app: redis
Copy the code

Create the Redis service

kubectl apply -f redis.yaml
Copy the code

Traefik requires SNI to configure TCP routing, and SNI relies on TLS, so we need to configure the certificate, but if there is no certificate, we can use wildcard * to configure. Create a CRD object of type IngressRouteTCP :(ingressroute-redis.yaml)

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: redis
spec:
  entryPoints:
    - redis
  routes:
  - match: HostSNI(` * `)
    services:
    - name: redis
      port: 6379
Copy the code

Create the IngressRouteTCP object above

kubectl apply -f ingressroute-redis.yaml 
Copy the code

Once created, we can also go to Traefik’s Dashboard page to see if it works:

-n

We then configure a domain name resolution to Traefik’s node and connect to Redis via port 6379:

$ redis-cli -h redis.lateautumn4lin.com -p 6379
redis.lateautumn4lin.com:6379> ping
PONG
redis.lateautumn4lin.com:6379> set hello world
OK
redis.lateautumn4lin.com:6379> get hello
"world"
redis.lateautumn4lin.com:6379>
Copy the code

The Traefik V2.0 service routing configuration has been deployed.

More Traefik V2.x production combat

At present, there are few practical cases on the market, mainly test cases of some features of Traefik V2.x, which will be added later.