7.2.2 Traefik Deployment

Deploying Træfik with Helm

➜ git clone git@xxx
➜ cd  traefik
  • Deploy external

    ➜ helm install . --name traefik-ingress-lb-external --namespace kube-system --values external.yaml
  • Deploy internal

    ➜ git checkout internal
    ➜ helm install . --name traefik-ingress-lb-internal --namespace kube-system  --values external.yaml
  • Uninstall traefik

    helm delete --purge traefik-ingress-lb-{internal|external}

Default configuration parameters:

  • internal.yml

TrafficType: internal   
serviceType: ClusterIP  

nodeSelector: {
  edgenode: "true"
}


tolerations: 
- key: "dedicated"
  operator: "Equal"
  value: "internal"
  effect: "NoSchedule"


kubernetes:
  labelSelector: traffic-type=internal

ssl:
  enabled: true
  defaultCert: 
  defaultKey: 
acme:
  enabled: false

# Dashboard is enabled by default; set authentication and a whitelist
dashboard: 
  enabled: true
  domain: traefik-internal.gxd88.cn
  ingress:
    labels:
      traffic-type: internal
    annotations:
      traefik.ingress.kubernetes.io/whitelist-source-range: "172.16.0.0/12, 10.40.0.0/16, 10.40.0.0/16"
  auth:
    basic:
       admin: $apr1$grwXYah.$V9Xqu.CNQOneRssUSQTui0

gzip:
  enabled: true

accessLogs:
  enabled: true
  format: json
rbac:
  enabled: true

deployment:
  hostPort:
    httpEnabled: true
    httpsEnabled: true
    dashboardEnabled: true
  • external.yml

TrafficType: external
serviceType: ClusterIP
replicas: 1

nodeSelector: {
  edgenode: "true"
}


tolerations: 
- key: "dedicated"
  operator: "Equal"
  value: "external"
  effect: "NoSchedule"

kubernetes:
  labelSelector: traffic-type=external

ssl:
  enabled: true
  enforced: false
  insecureSkipVerify: false
  tlsMinVersion: VersionTLS12
  defaultCert: 
  defaultKey: 
acme:
  enabled: true
  email: gongxiude@gxd88.cn
  staging: true
  logging: true
  domains:
    enabled: true
    domainsList:
      - main: "*.gxd88.cn"


  challengeType: dns-01

  dnsProvider:
    name: dnspod
    dnspod:
      DNSPOD_API_KEY: "62355,2a66ccb57a10930963c230d1ea53ef40"

  persistence:
    enabled: true
    annotations: {volume.beta.kubernetes.io/storage-class: "example-nfs"}
    storageClass: "example-nfs"
    accessMode: ReadWriteOnce
    size: 1Gi

dashboard:
  enabled: true
  domain: traefik-external.gxd88.cn
  service:
  ingress:
    labels:
      traffic-type: external
    annotations:
      traefik.ingress.kubernetes.io/whitelist-source-range: "172.16.0.0/12, 10.40.0.0/16, 10.40.0.0/16"
  auth:
    basic:
       admin: $apr1$grwXYah.$V9Xqu.CNQOneRssUSQTui0

gzip:
  enabled: true
accessLogs:
  enabled: true
  format: json  
rbac:
  enabled: true

metrics:
  prometheus:
    enabled: false

deployment:
  hostPort:
    httpEnabled: true
    httpsEnabled: true
    dashboardEnabled: true

Deployment by scenario

TrafficType: external
replicas: 1

nodeSelector: {
  edgenode: "true"
}


tolerations: 
- key: "dedicated"
  operator: "Equal"
  value: "external"
  effect: "NoSchedule"

kubernetes:
  labelSelector: traffic-type=external

TrafficType: external|internal|public

nodeSelector: the node must be set up as an edge node, edgenode: "true"

Add a toleration, selecting dedicated=external|internal|public

Traefik selects the scenario it serves by label: traffic-type=external|internal|public

Enabling the dashboard

dashboard:
  enabled: true
  domain: traefik-external.gxd88.cn
  ingress:
    labels:
      traffic-type: external
    annotations:
      traefik.ingress.kubernetes.io/whitelist-source-range: "172.16.0.0/12, 10.40.0.0/16, 10.40.0.0/16"
  auth:
    basic:
       admin: $apr1$grwXYah.$V9Xqu.CNQOneRssUSQTui0

Here ingress.labels is set to traffic-type: external|internal

annotations: traefik.ingress.kubernetes.io/whitelist-source-range enables the whitelist

auth.basic enables authentication for the dashboard; generate the entry with htpasswd; the default is admin/
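The scenario name has to agree in four places described above: TrafficType, the dedicated toleration, kubernetes.labelSelector and the dashboard's ingress.labels. The lint below is an added example, not part of the original page or the chart; the function names scenario_fields and check_values and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the chart): check that every scenario field in a
# Traefik values file agrees with TrafficType.

# Print KEY=VALUE for the four places the scenario name appears.
scenario_fields() {
  awk '
    /^TrafficType:/     { print "TrafficType=" $2 }
    /^tolerations:/     { tol = 1; next }          # enter the tolerations list
    tol && /^[^ -]/     { tol = 0 }                # next top-level key ends it
    tol && /^ +value:/  { gsub(/"/, "", $2); print "toleration=" $2 }
    /^ +labelSelector:/ { sub(/^traffic-type=/, "", $2); print "labelSelector=" $2 }
    /^ +traffic-type:/  { print "ingressLabel=" $2 }  # dashboard.ingress.labels
  ' "$1"
}

# Return 0 when all four fields are present and equal; else report and return 1.
check_values() {
  fields=$(scenario_fields "$1")
  want=$(printf '%s\n' "$fields" | sed -n 's/^TrafficType=//p')
  rc=0
  for key in TrafficType toleration labelSelector ingressLabel; do
    got=$(printf '%s\n' "$fields" | sed -n "s/^$key=//p")
    if [ -z "$got" ]; then echo "$1: $key missing"; rc=1
    elif [ "$got" != "$want" ]; then echo "$1: $key=$got, expected $want"; rc=1
    fi
  done
  return $rc
}

# Constructed sample input: one consistent file, one with a stale labelSelector.
tmp=$(mktemp -d)
cat > "$tmp/good.yaml" <<'EOF'
TrafficType: internal
tolerations:
- key: "dedicated"
  operator: "Equal"
  value: "internal"
  effect: "NoSchedule"
kubernetes:
  labelSelector: traffic-type=internal
dashboard:
  ingress:
    labels:
      traffic-type: internal
EOF
sed 's/traffic-type=internal/traffic-type=external/' "$tmp/good.yaml" > "$tmp/bad.yaml"
check_values "$tmp/good.yaml" && echo "good.yaml: consistent"
check_values "$tmp/bad.yaml"  || echo "bad.yaml: rejected"
```

Run it against internal.yml and external.yml before helm install; a stale labelSelector means the controller watches the wrong set of Ingress objects.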

Generating a wildcard HTTPS certificate with Let's Encrypt

acme:
  enabled: true
  email: yunwei@wecsah.net
  staging: true
  logging: true
  domains:
    enabled: true
    domainsList:
      - main: "*.gxd88.cn"

  challengeType: dns-01

  dnsProvider:
    name: dnspod
    dnspod:
      DNSPOD_API_KEY: ""

  persistence:
    enabled: true
    annotations: {volume.beta.kubernetes.io/storage-class: "example-nfs"}
    storageClass: "example-nfs"
    accessMode: ReadWriteOnce
    size: 1Gi
