7.2.2 Traefik deployment
Deploying Træfik with Helm
```shell
➜ git clone git@xxx
➜ cd traefik
```
Deploy the external profile
```shell
➜ helm install . --name traefik-ingress-lb-external --namespace kube-system --values external.yaml
```
Deploy the internal profile
```shell
➜ git checkout internal
➜ helm install . --name traefik-ingress-lb-internal --namespace kube-system --values external.yaml
```
Uninstall traefik
```shell
helm delete --purge traefik-ingress-lb-{internal|external}
```
Default configuration values:
internal.yml
```yaml
TrafficType: internal
serviceType: ClusterIP
nodeSelector: {
  edgenode: "true"
}
tolerations:
- key: "dedicated"
  operator: "Equal"
  value: "internal"
  effect: "NoSchedule"
kubernetes:
  labelSelector: traffic-type=internal
ssl:
  enabled: true
  defaultCert:
  defaultKey:
acme:
  enabled: false
# the dashboard is on by default; set up authentication and the whitelist
dashboard:
  enabled: true
  domain: traefik-internal.gxd88.cn
  ingress:
    labels:
      traffic-type: internal
    annotations:
      traefik.ingress.kubernetes.io/whitelist-source-range: "172.16.0.0/12, 10.40.0.0/16, 10.40.0.0/16"
  auth:
    basic:
      admin: $apr1$grwXYah.$V9Xqu.CNQOneRssUSQTui0
gzip:
  enabled: true
accessLogs:
  enabled: true
  format: json
rbac:
  enabled: true
deployment:
  hostPort:
    httpEnabled: true
    httpsEnabled: true
    dashboardEnabled: true
```
external.yml
```yaml
TrafficType: external
serviceType: ClusterIP
replicas: 1
nodeSelector: {
  edgenode: "true"
}
tolerations:
- key: "dedicated"
  operator: "Equal"
  value: "external"
  effect: "NoSchedule"
kubernetes:
  labelSelector: traffic-type=external
ssl:
  enabled: true
  enforced: false
  insecureSkipVerify: false
  tlsMinVersion: VersionTLS12
  defaultCert:
  defaultKey:
acme:
  enabled: true
  email: [email protected]
  staging: true
  logging: true
  domains:
    enabled: true
    domainsList:
    - main: "*.gxd88.cn"
  challengeType: dns-01
  dnsProvider:
    name: dnspod
    dnspod:
      DNSPOD_API_KEY: "62355,2a66ccb57a10930963c230d1ea53ef40"
  persistence:
    enabled: true
    annotations: {volume.beta.kubernetes.io/storage-class: "example-nfs"}
    storageClass: "example-nfs"
    accessMode: ReadWriteOnce
    size: 1Gi
dashboard:
  enabled: true
  domain: traefik-external.gxd88.cn
  service:
  ingress:
    labels:
      traffic-type: external
    annotations:
      traefik.ingress.kubernetes.io/whitelist-source-range: "172.16.0.0/12, 10.40.0.0/16, 10.40.0.0/16"
  auth:
    basic:
      admin: $apr1$grwXYah.$V9Xqu.CNQOneRssUSQTui0
gzip:
  enabled: true
accessLogs:
  enabled: true
  format: json
rbac:
  enabled: true
metrics:
  prometheus:
    enabled: false
deployment:
  hostPort:
    httpEnabled: true
    httpsEnabled: true
    dashboardEnabled: true
```
Deploying per scenario
```yaml
TrafficType: external
replicas: 1
nodeSelector: {
  edgenode: "true"
}
tolerations:
- key: "dedicated"
  operator: "Equal"
  value: "external"
  effect: "NoSchedule"
kubernetes:
  labelSelector: traffic-type=external
```
- TrafficType: external|internal|public
- nodeSelector: the node must be marked as an edge node, edgenode: "true"
- Add a toleration, choosing dedicated=external|internal|public
- Traffic selects the deployment scenario by label: traffic-type=external|internal|public
Enabling the dashboard
```yaml
dashboard:
  enabled: true
  domain: traefik-external.gxd88.cn
  ingress:
    labels:
      traffic-type: external
    annotations:
      traefik.ingress.kubernetes.io/whitelist-source-range: "172.16.0.0/12, 10.40.0.0/16, 10.40.0.0/16"
  auth:
    basic:
      admin: $apr1$grwXYah.$V9Xqu.CNQOneRssUSQTui0
```
- ingress.labels is set to traffic-type: external|internal
- annotations: traefik.ingress.kubernetes.io/whitelist-source-range enables the source-IP whitelist
- auth.basic enables authentication on the dashboard; generate the entry with htpasswd. The default is admin/
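To check the two dashboard protections described above, here is an added Python example; it is not code from the original page or from the Traefik chart. It parses a whitelist-source-range annotation value (using the page's own ranges as constructed input), tests whether a source address is admitted, and generates and verifies an htpasswd-style `$apr1$` entry for `dashboard.auth.basic` without needing the htpasswd binary. The sample password and salt are assumptions.

```python
import hashlib
import ipaddress
import secrets

# Constructed sample: the whitelist annotation value as written in the values files above.
SAMPLE_WHITELIST = "172.16.0.0/12, 10.40.0.0/16, 10.40.0.0/16"


def parse_whitelist(value):
    """Split a whitelist-source-range annotation into (networks, duplicates).

    Traefik reads a comma-separated CIDR list and tolerates spaces around entries.
    A duplicate is harmless to Traefik, but usually means a range was meant to be a different one.
    """
    networks, duplicates = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        net = ipaddress.ip_network(item, strict=False)  # ValueError on a malformed CIDR
        (duplicates if net in networks else networks).append(net)
    return networks, duplicates


def is_allowed(client_ip, networks):
    """True when the client address falls inside any whitelisted range."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


# --- htpasswd $apr1$ entries (Apache's MD5-based scheme, what `htpasswd -m` writes) ---
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Apache's little-endian 6-bit encoding of `count` characters."""
    out = ""
    for _ in range(count):
        out += _ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password, salt=None):
    """Return '$apr1$<salt>$<hash>' for password; salt is 8 chars from _ITOA64."""
    if salt is None:
        salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    pw, sl = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, remaining)])
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000 stretching rounds, as in apr_md5_encode
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    encoded += _to64(final[11], 2)
    return f"$apr1${salt}${encoded}"


def apr1_verify(password, entry):
    """Recompute the entry with its own salt and compare in constant time."""
    parts = entry.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return secrets.compare_digest(apr1_hash(password, parts[2]), entry)


if __name__ == "__main__":
    nets, dups = parse_whitelist(SAMPLE_WHITELIST)
    print("whitelist:", [str(n) for n in nets], "duplicates:", [str(d) for d in dups])
    for src in ("10.40.3.4", "172.31.9.9", "192.168.1.1"):
        print(src, "allowed" if is_allowed(src, nets) else "denied")
    entry = apr1_hash("change-me")  # assumed sample password, fresh random salt each run
    print("dashboard.auth.basic admin entry:", entry, apr1_verify("change-me", entry))
```

Run against the page's own annotation value the parser reports 10.40.0.0/16 as a duplicate, which is worth a second look before the whitelist goes live. apr1 is what `htpasswd` emits by default and is what the values above contain; Traefik's basic auth also accepts bcrypt entries (`htpasswd -B`), which is the stronger choice for a new deployment.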
Issuing a wildcard HTTPS certificate with Let's Encrypt
```yaml
acme:
  enabled: true
  email: [email protected]
  staging: true
  logging: true
  domains:
    enabled: true
    domainsList:
    - main: "*.gxd88.cn"
  challengeType: dns-01
  dnsProvider:
    name: dnspod
    dnspod:
      DNSPOD_API_KEY: ""
  persistence:
    enabled: true
    annotations: {volume.beta.kubernetes.io/storage-class: "example-nfs"}
    storageClass: "example-nfs"
    accessMode: ReadWriteOnce
    size: 1Gi
```
Let's Encrypt certificates are valid for 3 months, so they must be renewed every 3 months.
Let's Encrypt's staging server (https://acme-staging.api.letsencrypt.org/directory) is for testing. Once everything works, change this to **https://acme-v01.api.letsencrypt.org/directory** to obtain a real TLS certificate. Note that production issuance is rate-limited (currently 20 per week); if you point at the production URL before confirming that the setup works, Let's Encrypt will easily block you (https://letsencrypt.org/docs/rate-limits). So use staging: false in production and staging: true in test environments.
traefik uses the lego ACME client. lego currently supports three validation methods: HTTP (http-01), DNS (dns-01) and TLS (tls-alpn-01). A wildcard certificate can only be requested with DNS-01.
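A values-file check for the ACME rules in this section, added here as an example; it is neither the page's nor the chart's code. The input is a constructed dict mirroring the acme block above, with a placeholder email and a placeholder DNSPod key. The function flags a wildcard name without dns-01, the production endpoint's rate limits when staging is false, disabled persistence (certificates re-issued on every restart), and provider credentials written inline in the values file.

```python
# Constructed sample mirroring the acme section above; email and API key are placeholders.
SAMPLE_ACME = {
    "enabled": True,
    "email": "ops@example.invalid",
    "staging": True,
    "logging": True,
    "domains": {"enabled": True, "domainsList": [{"main": "*.gxd88.cn"}]},
    "challengeType": "dns-01",
    "dnsProvider": {"name": "dnspod", "dnspod": {"DNSPOD_API_KEY": "constructed-placeholder-key"}},
    "persistence": {"enabled": True, "storageClass": "example-nfs", "accessMode": "ReadWriteOnce", "size": "1Gi"},
}


def lint_acme(acme):
    """Return (errors, warnings) for an acme values block.

    errors   -> the chart will not get a certificate at all
    warnings -> it will, but with an operational or security cost
    """
    errors, warnings = [], []
    if not acme.get("enabled"):
        return errors, warnings

    if not acme.get("email"):
        errors.append("acme.email is required for the Let's Encrypt account registration")

    # Collect every requested name (main + SANs) and look for wildcards.
    names = []
    domains = acme.get("domains", {})
    if domains.get("enabled"):
        for entry in domains.get("domainsList", []):
            names.append(entry.get("main", ""))
            names.extend(entry.get("sans", []))
    wildcards = [n for n in names if n.startswith("*.")]
    challenge = acme.get("challengeType")
    if wildcards and challenge != "dns-01":
        errors.append(f"wildcard names {wildcards} require challengeType dns-01, got {challenge!r}")

    if challenge == "dns-01":
        provider = acme.get("dnsProvider", {})
        name = provider.get("name")
        if not name:
            errors.append("dns-01 needs acme.dnsProvider.name")
        elif any(provider.get(name, {}).values()):
            warnings.append(f"dnsProvider.{name} credentials are inline in values; "
                            "reference a Kubernetes Secret so the DNS API key does not land in git")

    if not acme.get("staging", False):
        warnings.append("staging is false: production endpoint with issuance rate limits; "
                        "prove the setup on staging first")

    if not acme.get("persistence", {}).get("enabled"):
        warnings.append("persistence disabled: certificates are re-issued on every restart "
                        "and each issuance counts against the rate limit")
    return errors, warnings


if __name__ == "__main__":
    for label, cfg in (("staging", SAMPLE_ACME),
                       ("production", dict(SAMPLE_ACME, staging=False)),
                       ("http-01 wildcard", dict(SAMPLE_ACME, challengeType="http-01"))):
        errs, warns = lint_acme(cfg)
        print(f"[{label}] errors={errs} warnings={warns}")
```

With the page's own values (DNSPOD_API_KEY left empty in the last snippet) the only finding on the staging profile disappears; the external.yml profile above, which carries the key inline, is the case the credentials warning exists for.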
```toml
onHostRule = true
```
Not available with wildcard domains. Træfik generates these certificates at startup; with this option set it automatically issues a certificate for each new domain. This is the default.
```toml
onDemand = true
```
This option lets HTTP-01 obtain a Let's Encrypt certificate during the first HTTPS request to a new domain. A new (sub)domain validated with Let's Encrypt will be served with the default Træfik certificate until Træfik is restarted.