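# 7.2.4 Traefik Feature Examples

## Annotation configuration in detail

General configuration

* kubernetes.io/ingress.class: traefik

  Ingress declaration: states that this Ingress is served by the Traefik backend rather than the nginx controller.
* ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"

  Configures the access whitelist; both IPv4 and IPv6 are supported.
* ingress.kubernetes.io/auth-type: basic

  HTTP authentication mode; here it is basic.
* ingress.kubernetes.io/auth-secret: mysecret

  The username and password used for basic authentication. This refers to a Secret in the Kubernetes namespace where Traefik runs.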

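Frontend configuration

* traefik.frontend.rule.type: PathPrefixStrip

  This option must be set when the frontend forwards several paths. For example:
* traefik.frontend.priority: "3"

  Sets the frontend weight; higher values are matched first.
* traefik.frontend.passHostHeader: "false"

  Turns off forwarding of the incoming Host header.
* traefik.protocol=https

  Use the HTTPS protocol.
* traefik.frontend.entryPoints=http,https

  Serve both HTTP and HTTPS.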

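Backend configuration

* traefik.backend.loadbalancer.method=drr

  Load-balancing strategy for the backend Service. Traefik currently supports wrr (weighted round robin) and drr (dynamic weighted round robin).
* traefik.backend.loadbalancer.stickiness=true

  Whether to enable session affinity on the load balancer.
* traefik.backend.loadbalancer.stickiness.cookieName=NAME

  Manually sets the name of the cookie used for backend session affinity.
* traefik.backend.loadbalancer.sticky=true

  Deprecated.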

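Health checks

* traefik.backend.healthcheck.path=/health

  Path used by Traefik's health check.
* traefik.backend.healthcheck.interval=5s

  Interval between health checks.
* traefik.backend.circuitbreaker: "NetworkErrorRatio() > 0.5"

  When the error ratio of the service on a node reaches 50%, the node is automatically taken offline.
* traefik.backend.circuitbreaker: "LatencyAtQuantileMS(50.0) > 50"

  When the latency of the service on a node exceeds 50 ms, the node is automatically taken offline.
* traefik.backend.circuitbreaker: "ResponseCodeRatio(500, 600, 0, 600) > 0.5"

  When responses with status codes in \[500-600] make up more than 50% of those in \[0-600] for the service on a node, the node is automatically taken offline.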
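
An added example, not from the original page or from Traefik: a simplified model of what the three circuit-breaker expressions above measure, evaluated over a constructed window of requests. The record layout, the function names and the nearest-rank percentile are assumptions made for the illustration.

```python
import math

# Constructed observation window, one record per proxied request.
# status is None when the connection to the backend failed (a network error).
WINDOW = [
    {"status": 200, "latency_ms": 12},
    {"status": 200, "latency_ms": 18},
    {"status": 502, "latency_ms": 40},
    {"status": 500, "latency_ms": 75},
    {"status": 503, "latency_ms": 90},
    {"status": None, "latency_ms": 120},
]


def network_error_ratio(window):
    """Share of requests that never produced an HTTP response."""
    return sum(r["status"] is None for r in window) / len(window)


def response_code_ratio(window, lo1, hi1, lo2, hi2):
    """Responses with a code in [lo1, hi1) divided by those in [lo2, hi2)."""
    codes = [r["status"] for r in window if r["status"] is not None]
    total = sum(lo2 <= c < hi2 for c in codes)
    return sum(lo1 <= c < hi1 for c in codes) / total if total else 0.0


def latency_at_quantile_ms(window, q):
    """Nearest-rank percentile of latency; q is a percentage such as 50.0."""
    ordered = sorted(r["latency_ms"] for r in window)
    rank = max(1, math.ceil(q / 100 * len(ordered)))
    return ordered[rank - 1]


def tripped(window):
    """Evaluate the three annotation expressions from this page."""
    return {
        "NetworkErrorRatio() > 0.5": network_error_ratio(window) > 0.5,
        "LatencyAtQuantileMS(50.0) > 50": latency_at_quantile_ms(window, 50.0) > 50,
        "ResponseCodeRatio(500, 600, 0, 600) > 0.5":
            response_code_ratio(window, 500, 600, 0, 600) > 0.5,
    }


if __name__ == "__main__":
    for expr, fired in tripped(WINDOW).items():
        print(f"{expr}: {'trip' if fired else 'ok'}")
```

With this window only the response-code expression trips: the backend answers, but mostly with 5xx, which the network-error ratio does not see.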

## Traefik custom HTTPS certificates

A TLS certificate can be configured afterwards; it can only be used by Ingresses in the same namespace.

```
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik-ui.minikube
    http:
      paths:
      - backend:
          serviceName: traefik-web-ui
          servicePort: 80
  tls:
    - secretName: traefik-ui-tls-cert
```

Create the Secret in the namespace where the Ingress was created:

```
kubectl -n kube-system create secret tls traefik-ui-tls-cert --key=tls.key --cert=tls.crt
```

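### Defining the backend distribution strategy

Several load-balancing methods are supported:\
wrr: weighted round robin\
drr: dynamic round robin. This increases the weight of servers that perform better than the others. When a server's performance changes, it also falls back to the normal weight.

Define this on the Service resource; it cannot be defined on the Ingress resource.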

```
kind: Service
apiVersion: v1
metadata:
  name: nginx
  annotations:
    traefik.ingress.kubernetes.io/load-balancer-method: drr
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
```

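### Session stickiness

All load balancers support sticky sessions. When sticky sessions are enabled, a cookie named \_TRAEFIK\_BACKEND is set on the initial request. On subsequent requests the client is forwarded directly to the backend stored in this cookie (provided it is healthy and available); if that backend is unavailable, a new backend is assigned. To enable it, add the annotation `traefik.ingress.kubernetes.io/affinity: "true"`.

Define this on the Service resource; it cannot be defined on the Ingress resource.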

```
kind: Service
apiVersion: v1
metadata:
  name: nginx
  annotations:
    traefik.ingress.kubernetes.io/affinity: "true"
    traefik.ingress.kubernetes.io/load-balancer-method: drr
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
```

The request and response headers look like this:

```
➜  ~ curl -H "Host: ngx09.gxd88.cn" http://internal/api/ -v
> GET /api/ HTTP/1.1
> Host: ngx09.gxd88.cn
> User-Agent: curl/7.51.0
> Accept: */*
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Length: 612
< Content-Type: text/html
< Date: Sun, 05 Aug 2018 04:07:11 GMT
< Etag: "54999765-264"
< Last-Modified: Tue, 23 Dec 2014 16:25:09 GMT
< Server: nginx/1.7.9
< Set-Cookie: _c43d4=http://172.20.0.162:80; Path=/    # the cookie records the backend service IP
< Vary: Accept-Encoding
```

### Forcing HTTP to redirect to HTTPS

```
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx05
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    traefik.ingress.kubernetes.io/redirect-entry-point: https
spec:
  rules:
  - host: ngx05.gxd88.cn
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
```

Alternatively, use a rewrite:

```
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: redirectdomain
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
    traefik.ingress.kubernetes.io/redirect-regex: ^http://(.*)
    traefik.ingress.kubernetes.io/redirect-replacement: https://$1
spec:
  rules:
  - host: redirectdomain.gxd88.cn
    http:
      paths:
      - path: /image
        backend:
          serviceName: nginx
          servicePort: 80
```

### Custom request headers

```
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: internal
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    kubernetes.io/ingress.class: traefik
    ingress.kubernetes.io/custom-request-headers: traffic-type:internal||team:devops
spec:
  rules:
  - host: ngx-internal.gxd88.cn
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
```

### Adding a prefix to the request path

```
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: addpath
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    traefik.ingress.kubernetes.io/request-modifier: AddPrefix:/api
spec:
  rules:
  - host: ngx09.wecsh.net
    http:
      paths:
      - path: /a
        backend:
          serviceName: nginx
          servicePort: 80
```

A request for `ngx09.wecsh.net/a` reaches the backend service as `/api/a`.

### Stripping a prefix from the request path

```
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: deletepath01
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip
spec:
  rules:
  - host: del.gxd88.cn
    http:
      paths:
      - path: /api/v1
        backend:
          serviceName: nginx
          servicePort: 80
```

A request for `del.gxd88.cn/api/v1/1` reaches the backend as `del.gxd88.cn/1`.

### Defining a whitelist

```
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx03
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik-external
    ingress.kubernetes.io/whitelist-x-forwarded-for: "false"
    traefik.ingress.kubernetes.io/whitelist-source-range: "10.40.0.227"
spec:
  rules:
  - host: ngx03.gxd88.cn
    http:
      paths:
      - path: /api
        backend:
          serviceName: nginx
          servicePort: 80
```
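
An added example, not part of the original page or of Traefik: a small audit of the whitelist annotations shown above, run over Ingress objects shaped like the items of `kubectl get ingress -o json`. The function names and the two sample objects are constructed for illustration.

```python
import ipaddress

# Both annotation prefixes appear on this page.
PREFIXES = ("traefik.ingress.kubernetes.io/", "ingress.kubernetes.io/")


def annotation(ingress, name):
    """Return the value of `name` under either prefix, or None if unset."""
    notes = ingress.get("metadata", {}).get("annotations") or {}
    for prefix in PREFIXES:
        if prefix + name in notes:
            return notes[prefix + name]
    return None


def audit_whitelist(ingress):
    """Return a list of findings for the whitelist annotations of one Ingress."""
    raw = annotation(ingress, "whitelist-source-range")
    if raw is None:
        return ["no whitelist-source-range annotation set"]
    findings = []
    for entry in (e.strip() for e in raw.split(",")):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"invalid entry {entry!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{entry} matches every IPv{net.version} address")
    if annotation(ingress, "whitelist-x-forwarded-for") == "true":
        findings.append("X-Forwarded-For is client-controlled unless a trusted "
                        "proxy in front of Traefik overwrites it")
    return findings


# Constructed samples; the first mirrors the nginx03 Ingress above.
SAMPLES = [
    {"metadata": {"name": "nginx03", "annotations": {
        "ingress.kubernetes.io/whitelist-x-forwarded-for": "false",
        "traefik.ingress.kubernetes.io/whitelist-source-range": "10.40.0.227"}}},
    {"metadata": {"name": "loose", "annotations": {
        "ingress.kubernetes.io/whitelist-x-forwarded-for": "true",
        "ingress.kubernetes.io/whitelist-source-range": "1.2.3.0/24, 0.0.0.0/0, 10.0.0/8"}}},
]

if __name__ == "__main__":
    for item in SAMPLES:
        print(item["metadata"]["name"], audit_whitelist(item) or "ok")
```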

