JD Cloud Kubernetes Cluster + Traefik in Practice



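Abstract

Traefik supports a rich set of annotations for configuring many useful features, such as automatic circuit breaking, load-balancing strategies, blacklists and whitelists, which makes Traefik an excellent tool for microservices.

Using Traefik together with a JD Cloud Kubernetes cluster and other cloud services (RDS, NAS, OSS, block storage and so on), you can quickly build an elastically scalable microservice cluster.

Traefik is a modern HTTP reverse proxy and load balancer created to make deploying microservices easier. It supports multiple backends (Kubernetes, Docker, Swarm, Marathon, Mesos, Consul, Etcd, Zookeeper and others).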




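The steps in this article are roughly as follows:

  • Configure Kubernetes permissions (RBAC);
  • Deploy Traefik;
  • Create three sample services;
  • Create Ingress rules and test access to each service through Traefik by PATH;
  • Configure a domain name and TLS certificate in Traefik, and redirect HTTP to HTTPS.

The YAML files used here to deploy Traefik are all based on the official Traefik examples, modified to fit JD Cloud Kubernetes clusters: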

https://github.com/containous/traefik/tree/master/examples/k8s




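Basic Concepts

1. Ingress edge routing

Although the Pods and Services deployed in a Kubernetes cluster each have their own IP, they cannot be reached from the external network. We can expose a service by listening on a NodePort, but that approach is inflexible and is not recommended for production.

Ingress is an API resource object in a k8s cluster that plays the role of an edge router; it can also be thought of as the cluster firewall or cluster gateway. We can define custom routing rules to forward, manage and expose services (a group of Pods), which is very flexible and is the recommended approach for production.

What is Ingress?

In Kubernetes, the IP addresses of Services and Pods are usable only inside the cluster network and are invisible to applications outside the cluster. To let external applications reach services inside the cluster, Kubernetes offers two Service types, NodePort and LoadBalancer, or you can use Ingress.

Ingress essentially uses an HTTP proxy server to forward external HTTP requests to backend services inside the cluster. With Ingress, the flow of an external application accessing a service inside the cluster is as follows:

An Ingress is a collection of routing rules for requests entering the cluster.

Ingress can give a Service an externally reachable URL, load balancing, SSL termination, HTTP routing and so on. To configure these Ingress rules, the cluster administrator needs to deploy an Ingress controller, which watches for changes to Ingresses and Services, configures load balancing according to the rules and provides the access entry point.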



2. What is Traefik?

Traefik has more than 19K stars on GitHub:

https://github.com/containous/traefik

Traefik is a modern HTTP reverse proxy and load balancer designed for deploying microservices.




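Traefik is a lightweight HTTP reverse proxy and load balancer written in Golang. Although it is a newcomer compared with Nginx, it embraces Kubernetes natively and talks directly to the cluster's K8s API Server, so it reacts very quickly. It also provides a friendly dashboard and monitoring UI, where you can conveniently view the routing configuration Traefik generated from Ingresses as well as some performance statistics, such as total response time, average response time and the total count of each response code.

Beyond that, Traefik supports a rich set of annotations for configuring many useful features, such as automatic circuit breaking, load-balancing strategies, blacklists and whitelists, which makes Traefik an excellent tool for microservices.

Traefik User Guide for Kubernetes: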

https://docs.traefik.io/user-guide/kubernetes/



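3. JD Cloud Kubernetes cluster

JD Cloud Kubernetes integrates JD Cloud's virtualization, storage and networking capabilities to provide high-performance, scalable container application management. It simplifies tasks such as cluster setup and scaling, so users can focus on developing and managing containerized applications.

Users can create a secure, highly available Kubernetes cluster on JD Cloud. The Kubernetes service is fully managed by JD Cloud, which guarantees the stability and reliability of the cluster, so users can conveniently manage container applications with Kubernetes on JD Cloud.

JD Cloud Kubernetes cluster: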

https://3.cn/C5KdrKa




Prerequisites

1. Create a JD Cloud Kubernetes cluster

To create a Kubernetes cluster, see:

https://docs.jdcloud.com/cn/jcs-for-kubernetes/create-to-cluster



2. Configure the Kubernetes client

After the cluster is created, configure the kubectl client to connect to the Kubernetes cluster.

See:

https://docs.jdcloud.com/cn/jcs-for-kubernetes/connect-to-cluster





Deploying Traefik

1. Permission configuration

Create the corresponding ClusterRole and ClusterRoleBinding to grant Traefik sufficient permissions.

The YAML file is as follows:



$ cat traefik-rbac.yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  # Read-only access to the core objects Traefik builds routes from
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  # Read-only access to Ingress objects
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system


Create the resources:

$ kubectl create -f traefik-rbac.yaml
clusterrole "traefik-ingress-controller" created
clusterrolebinding "traefik-ingress-controller" created

Created successfully:

$ kubectl get clusterrole -n kube-system | grep traefik
traefik-ingress-controller                                              25s

$ kubectl get clusterrolebinding -n kube-system | grep traefik
traefik-ingress-controller                              35s
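The ClusterRole created above lists `secrets` among its resources, and because it is attached with a ClusterRoleBinding, the grant applies in every namespace. The following added example (not code from the original article or from the Traefik project) takes JSON in the shape of `kubectl get clusterroles,clusterrolebindings -o json` and reports which subjects can read all Secrets cluster-wide. The sample objects are constructed from the manifest above, and the function names, the `pod-viewer` role and the user `alice` are illustrative assumptions.

```python
import json

# Constructed sample: the two objects from traefik-rbac.yaml in the shape of
# `kubectl get clusterroles,clusterrolebindings -o json`, plus a hypothetical
# role and binding ("pod-viewer", user "alice") that do not touch Secrets.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ClusterRole", "metadata": {"name": "traefik-ingress-controller"},
  "rules": [
   {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"],
    "verbs": ["get", "list", "watch"]},
   {"apiGroups": ["extensions"], "resources": ["ingresses"],
    "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "traefik-ingress-controller"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
              "name": "traefik-ingress-controller"},
  "subjects": [{"kind": "ServiceAccount", "name": "traefik-ingress-controller",
                "namespace": "kube-system"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "pod-viewer"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
              "name": "pod-viewer"},
  "subjects": [{"kind": "User", "name": "alice"}]}
]}
""")

READ_VERBS = {"get", "list", "watch"}


def secret_read_verbs(role):
    """Read verbs the role grants on all core-group Secrets ("*" wildcards included)."""
    granted = set()
    for rule in role.get("rules") or []:
        groups = set(rule.get("apiGroups") or [])
        resources = set(rule.get("resources") or [])
        if not groups & {"", "*"} or not resources & {"secrets", "*"}:
            continue
        if rule.get("resourceNames"):  # limited to named Secrets, not all of them
            continue
        verbs = set(rule.get("verbs") or [])
        granted |= READ_VERBS if "*" in verbs else verbs & READ_VERBS
    return granted


def cluster_wide_secret_readers(doc):
    """List (kind, namespace, name, verbs) for subjects bound cluster-wide to such roles."""
    roles = {i["metadata"]["name"]: i for i in doc["items"] if i["kind"] == "ClusterRole"}
    findings = []
    for binding in (i for i in doc["items"] if i["kind"] == "ClusterRoleBinding"):
        role = roles.get(binding["roleRef"]["name"])
        verbs = secret_read_verbs(role) if role else set()
        if not verbs:
            continue
        for subject in binding.get("subjects") or []:
            findings.append((subject["kind"], subject.get("namespace", ""),
                             subject["name"], sorted(verbs)))
    return findings


if __name__ == "__main__":
    for finding in cluster_wide_secret_readers(SAMPLE):
        print("can read Secrets in every namespace:", finding)
```

On a live cluster the same functions can be fed the parsed output of the kubectl command named in the comment.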




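2. Deploy Traefik

This article deploys Traefik with a Deployment. Traefik also offers a DaemonSet deployment option:

https://github.com/containous/traefik/blob/master/examples/k8s/traefik-ds.yaml

Traefik's port 80 receives HTTP requests and port 8080 serves the Dashboard. A Service of type LoadBalancer creates a JD Cloud load balancer (SLB) that acts as the single entry point to the K8s cluster.

The YAML file is as follows: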




$ cat traefik-deployment.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      # Unpinned tag; the Pod log below shows it resolved to v1.7.6 here
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    # Dashboard port, published on the same load balancer as port 80
    - protocol: TCP
      port: 8080
      name: admin
  type: LoadBalancer


Create the resources:

$ kubectl create -f traefik-deployment.yaml
serviceaccount "traefik-ingress-controller" created
deployment "traefik-ingress-controller" created
service "traefik-ingress-service" created

The Pod is running normally:

$ kubectl get pod -n kube-system | grep traefik
traefik-ingress-controller-668679b744-jvmbg    1/1       Running               57s


View the Pod logs:

$ kubectl logs traefik-ingress-controller-668679b744-jvmbg -n kube-system
time="2018-12-15T16:58:49Z" level=info msg="Traefik version v1.7.6 built on 2018-12-14_06:43:37AM"
time="2018-12-15T16:58:49Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
time="2018-12-15T16:58:49Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc0005f9e20} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2018-12-15T16:58:49Z" level=info msg="Preparing server traefik &{Address::8080 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc0005f9e40} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2018-12-15T16:58:49Z" level=info msg="Starting provider configuration.ProviderAggregator {}"
time="2018-12-15T16:58:49Z" level=info msg="Starting server on :80"
time="2018-12-15T16:58:49Z" level=info msg="Starting server on :8080"
time="2018-12-15T16:58:49Z" level=info msg="Starting provider *kubernetes.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":[],\"Trace\":false,\"TemplateVersion\":0,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"\",\"Token\":\"\",\"CertAuthFilePath\":\"\",\"DisablePassHostHeaders\":false,\"EnablePassTLSCert\":false,\"Namespaces\":null,\"LabelSelector\":\"\",\"IngressClass\":\"\",\"IngressEndpoint\":null}"
time="2018-12-15T16:58:49Z" level=info msg="ingress label selector is: \"\""
time="2018-12-15T16:58:49Z" level=info msg="Creating in-cluster Provider client"
time="2018-12-15T16:58:50Z" level=info msg="Server configuration reloaded on :80"
time="2018-12-15T16:58:50Z" level=info msg="Server configuration reloaded on :8080"


Check the SLB Service for Traefik:

$ kubectl get svc/traefik-ingress-service -n kube-system
NAME                      TYPE           CLUSTER-IP    EXTERNAL-IP     PORT(S)                       AGE
traefik-ingress-service   LoadBalancer   10.0.58.175   114.67.95.167   80:30331/TCP,8080:30232/TCP   2m

The public IP of the JD Cloud load balancer is 114.67.95.167.

To access services inside K8s by domain name, resolve the domain to this public IP.

At this point, the Traefik Dashboard can be reached at "public IP:8080".
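Because the Deployment starts Traefik with `--api` and the same LoadBalancer Service publishes port 8080, the dashboard and API are served on the public IP, and the startup log above shows no `Auth` configured for the entry point on `:8080`. The added example below (not part of the original article or of Traefik) joins Deployments to Services by label selector and reports where that port is published externally. The JSON is constructed from the manifests above; the function names and the `traefik-admin-internal` Service are illustrative assumptions.

```python
import json

# Constructed sample: the Deployment and Service from traefik-deployment.yaml in the
# shape of `kubectl get deploy,svc -n kube-system -o json`, trimmed to the fields
# used, plus a hypothetical ClusterIP Service ("traefik-admin-internal") for contrast.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Deployment", "metadata": {"name": "traefik-ingress-controller"},
  "spec": {"template": {
   "metadata": {"labels": {"k8s-app": "traefik-ingress-lb", "name": "traefik-ingress-lb"}},
   "spec": {"containers": [{"name": "traefik-ingress-lb", "image": "traefik",
     "args": ["--api", "--kubernetes", "--logLevel=INFO"],
     "ports": [{"name": "http", "containerPort": 80},
               {"name": "admin", "containerPort": 8080}]}]}}}},
 {"kind": "Service", "metadata": {"name": "traefik-ingress-service"},
  "spec": {"type": "LoadBalancer", "selector": {"k8s-app": "traefik-ingress-lb"},
   "ports": [{"name": "web", "protocol": "TCP", "port": 80},
             {"name": "admin", "protocol": "TCP", "port": 8080}]}},
 {"kind": "Service", "metadata": {"name": "traefik-admin-internal"},
  "spec": {"type": "ClusterIP", "selector": {"k8s-app": "traefik-ingress-lb"},
   "ports": [{"name": "admin", "port": 8080, "targetPort": "admin"}]}}
]}
""")

API_PORT = 8080  # address of the "traefik" entry point in the startup log
EXTERNAL_TYPES = ("LoadBalancer", "NodePort")


def pod_profile(deployment):
    """Return (pod labels, {port name: containerPort}, True if --api is passed)."""
    template = deployment["spec"]["template"]
    named, api_enabled = {}, False
    for container in template["spec"]["containers"]:
        args = container.get("args") or []
        api_enabled |= any(a == "--api" or a.startswith("--api.") for a in args)
        for port in container.get("ports") or []:
            if "name" in port:
                named[port["name"]] = port["containerPort"]
    return template["metadata"].get("labels") or {}, named, api_enabled


def exposed_api_ports(doc, api_port=API_PORT):
    """List (service, type, port, deployment) where the API port is published externally."""
    findings = []
    for svc in (i for i in doc["items"] if i["kind"] == "Service"):
        spec = svc["spec"]
        selector = spec.get("selector") or {}
        if spec.get("type", "ClusterIP") not in EXTERNAL_TYPES or not selector:
            continue
        for dep in (i for i in doc["items"] if i["kind"] == "Deployment"):
            labels, named, api_enabled = pod_profile(dep)
            if not api_enabled or any(labels.get(k) != v for k, v in selector.items()):
                continue
            for port in spec.get("ports") or []:
                target = port.get("targetPort", port["port"])
                if named.get(target, target) == api_port:  # resolve named targetPort
                    findings.append((svc["metadata"]["name"], spec["type"],
                                     port["port"], dep["metadata"]["name"]))
    return findings


if __name__ == "__main__":
    print("API/dashboard published externally:", exposed_api_ports(SAMPLE))
```

The ClusterIP Service in the sample is not reported; a Service like it keeps port 8080 reachable only from inside the cluster.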



3. Traefik usage example

Create the services

Create three Deployments that serve HTTP, named Stilton, Cheddar and Wensleydale.




$ cat cheese-deployments.yaml
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: stilton
  labels:
    app: cheese
    cheese: stilton
spec:
  replicas: 2
  selector:
    matchLabels:
      app: cheese
      task: stilton
  template:
    metadata:
      labels:
        app: cheese
        task: stilton
        version: v0.0.1
    spec:
      containers:
      - name: cheese
        image: errm/cheese:stilton
        resources:
          requests:
            cpu: 100m
            memory: 50Mi
          limits:
            cpu: 100m
            memory: 50Mi
        ports:
        - containerPort: 80
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: cheddar
  labels:
    app: cheese
    cheese: cheddar
spec:
  replicas: 2
  selector:
    matchLabels:
      app: cheese
      task: cheddar
  template:
    metadata:
      labels:
        app: cheese
        task: cheddar
        version: v0.0.1
    spec:
      containers:
      - name: cheese
        image: errm/cheese:cheddar
        resources:
          requests:
            cpu: 100m
            memory: 50Mi
          limits:
            cpu: 100m
            memory: 50Mi
        ports:
        - containerPort: 80
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: wensleydale
  labels:
    app: cheese
    cheese: wensleydale
spec:
  replicas: 2
  selector:
    matchLabels:
      app: cheese
      task: wensleydale
  template:
    metadata:
      labels:
        app: cheese
        task: wensleydale
        version: v0.0.1
    spec:
      containers:
      - name: cheese
        image: errm/cheese:wensleydale
        resources:
          requests:
            cpu: 100m
            memory: 50Mi
          limits:
            cpu: 100m
            memory: 50Mi
        ports:
        - containerPort: 80



$ kubectl create -f cheese-deployments.yaml
deployment "stilton" created
deployment "cheddar" created
deployment "wensleydale" created

The corresponding Services:



$ cat cheese-services.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: stilton
spec:
  ports:
  - name: http
    targetPort: 80
    port: 80
  selector:
    app: cheese
    task: stilton
---
apiVersion: v1
kind: Service
metadata:
  name: cheddar
spec:
  ports:
  - name: http
    targetPort: 80
    port: 80
  selector:
    app: cheese
    task: cheddar
---
apiVersion: v1
kind: Service
metadata:
  name: wensleydale
spec:
  ports:
  - name: http
    targetPort: 80
    port: 80
  selector:
    app: cheese
    task: wensleydale



$ kubectl create -f cheese-services.yaml
service "stilton" created
service "cheddar" created
service "wensleydale" created

Create the Ingress

The Ingress YAML file is as follows:




$ cat my-cheeses-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cheeses
  annotations:
    # Match on the path prefix and strip it before forwarding to the backend
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
  - host: www.<your-domain-name>.com
    http:
      paths:
      - path: /stilton
        backend:
          serviceName: stilton
          servicePort: http
      - path: /cheddar
        backend:
          serviceName: cheddar
          servicePort: http
      - path: /wensleydale
        backend:
          serviceName: wensleydale
          servicePort: http


Create the Ingress:

$ kubectl create -f my-cheeses-ingress.yaml
ingress "cheeses" created

Created successfully:

$ kubectl describe ingress/cheeses
Name:             cheeses
Namespace:        default
Address:
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host                         Path  Backends
  ----                         ----  --------
  www.<your-domain-name>.com
                               /stilton       stilton:http (<none>)
                               /cheddar       cheddar:http (<none>)
                               /wensleydale   wensleydale:http (<none>)
Annotations:
Events:  <none>




Accessing the services

Access directly via ELB IP + PATH:

$ curl 114.67.95.167/stilton
404 page not found

The request fails because the Ingress rule specifies a host.

Specify the host in the request header:

$ curl -H "Host:www.<your-domain-name>.com" 114.67.95.167/stilton
<html>
  <head>
    <style>
      html {
        background: url(./bg.png) no-repeat center center fixed;
        -webkit-background-size: cover;
        -moz-background-size: cover;
        -o-background-size: cover;
        background-size: cover;
      }

      h1 {
        font-family: Arial, Helvetica, sans-serif;
        background: rgba(187, 187, 187, 0.5);
        width: 3em;
        padding: 0.5em 1em;
        margin: 1em;
      }
    </style>
  </head>
  <body>
    <h1>Stilton</h1>
  </body>
</html>


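Access succeeds.

However, because the domain has not completed ICP filing, requests made this way are blocked by JD Cloud.

There are two options:
1. Remove the specified host from the Ingress;
2. Register a domain and bind a certificate and private key.

Removing the host from the Ingress

Comment out the host field: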



$ cat my-cheeses-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cheeses
  annotations:
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
#  - host: www.<your-domain-name>.com
  - http:
      paths:
      - path: /stilton
        backend:
          serviceName: stilton
          servicePort: http
      - path: /cheddar
        backend:
          serviceName: cheddar
          servicePort: http
      - path: /wensleydale
        backend:
          serviceName: wensleydale
          servicePort: http


Recreate the Ingress:

$ kubectl replace -f my-cheeses-ingress.yaml
ingress "cheeses" replaced
$ kubectl get ingress
NAME      HOSTS     ADDRESS   PORTS     AGE
cheeses   *                   80        18m

The Ingress is updated; access the services via public IP + PATH.

Stilton service:


$ curl -I 114.67.95.167/stilton
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 517
Content-Type: text/html
Date: Thu, 20 Dec 2018 06:19:15 GMT
Etag: "5784f6c9-205"
Last-Modified: Tue, 12 Jul 2016 13:55:21 GMT
Server: nginx/1.11.1

Cheddar service:

$ curl -I 114.67.95.167/cheddar
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 517
Content-Type: text/html
Date: Thu, 20 Dec 2018 06:19:54 GMT
Etag: "5784f6e1-205"
Last-Modified: Tue, 12 Jul 2016 13:55:45 GMT
Server: nginx/1.11.1

Wensleydale service:

$ curl -I 114.67.95.167/wensleydale
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 521
Content-Type: text/html
Date: Thu, 20 Dec 2018 06:20:00 GMT
Etag: "5784f6fb-209"
Last-Modified: Tue, 12 Jul 2016 13:56:11 GMT
Server: nginx/1.11.1

All three services can be reached normally via <public IP>/<PATH>.




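Configuring the domain name and certificate

Apply for the domain <your-domain-name>.com, complete its ICP filing on JD Cloud, and resolve it to the SLB public IP: 114.67.95.167

Certificate and private key:

$ ll *.pem
-rw-r--r-- 1 pmo_jd_a pmo_jd_a 3554 Dec 20 16:04 fullchain.pem
-rw------- 1 pmo_jd_a pmo_jd_a 1708 Dec 20 16:04 privkey.pem

Create a Secret to hold the certificate and private key:

$ kubectl create secret generic traefik-cert --from-file=fullchain.pem --from-file=privkey.pem -n kube-system
secret "traefik-cert" created

Traefik configuration file (HTTP requests are redirected to HTTPS; the certificate and private key live under /ssl/, so the Secret must be mounted at that directory for Traefik to read them):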



$ cat traefik.toml
defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    # Redirect every plain-HTTP request to the https entry point
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      # Paths inside the container; the traefik-cert Secret is mounted at /ssl
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/fullchain.pem"
      KeyFile = "/ssl/privkey.pem"

Create a ConfigMap to hold the configuration file traefik.toml:

$ kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
configmap "traefik-conf" created

Traefik needs to be redeployed; the new YAML file is as follows:

$ cat traefik-deployment-new.yaml
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
        - --configfile=/config/traefik.toml
        volumeMounts:
        # Certificate and private key from the traefik-cert Secret
        - mountPath: "/ssl"
          name: "ssl"
        # traefik.toml from the traefik-conf ConfigMap
        - mountPath: "/config"
          name: "config"
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf


Redeploy:

$ kubectl replace -f traefik-deployment-new.yaml
deployment "traefik-ingress-controller" replaced
$ kubectl get pod -n kube-system | grep traefik
traefik-ingress-controller-668679b744-jvmbg    /1       Terminating                     4d
traefik-ingress-controller-7d6cd769c9-2p57t    /1       ContainerCreating               3s
$ kubectl get pod -n kube-system | grep traefik
traefik-ingress-controller-7d6cd769c9-2p57t    1/1       Running               19s

The redeployed Pod is running normally.

View the Pod logs:



$ kubectl logs traefik-ingress-controller-7d6cd769c9-2p57t -n kube-system
time="2018-12-20T09:29:30Z" level=info msg="Preparing server traefik &{Address::8080 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc00072dbc0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2018-12-20T09:29:30Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:0xc00059de40 Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc00072db80} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2018-12-20T09:29:30Z" level=info msg="Preparing server https &{Address::443 TLS:0xc000216c60 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc00072dba0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2018-12-20T09:29:30Z" level=info msg="Starting provider configuration.ProviderAggregator {}"
time="2018-12-20T09:29:30Z" level=info msg="Starting server on :8080"
time="2018-12-20T09:29:30Z" level=info msg="Starting server on :80"
time="2018-12-20T09:29:30Z" level=info msg="Starting server on :443"
time="2018-12-20T09:29:30Z" level=info msg="Starting provider *kubernetes.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":[],\"Trace\":false,\"TemplateVersion\":0,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"\",\"Token\":\"\",\"CertAuthFilePath\":\"\",\"DisablePassHostHeaders\":false,\"EnablePassTLSCert\":false,\"Namespaces\":null,\"LabelSelector\":\"\",\"IngressClass\":\"\",\"IngressEndpoint\":null}"
time="2018-12-20T09:29:30Z" level=info msg="ingress label selector is: \"\""
time="2018-12-20T09:29:30Z" level=info msg="Creating in-cluster Provider client"
time="2018-12-20T09:29:30Z" level=info msg="Server configuration reloaded on :8080"
time="2018-12-20T09:29:30Z" level=info msg="Server configuration reloaded on :80"
time="2018-12-20T09:29:30Z" level=info msg="Server configuration reloaded on :443"


Update the Ingress:

$ cat my-cheeses-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cheeses
  annotations:
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
  - host: www.<your-domain-name>.com
    http:
      paths:
      - path: /stilton
        backend:
          serviceName: stilton
          servicePort: http
      - path: /cheddar
        backend:
          serviceName: cheddar
          servicePort: http
      - path: /wensleydale
        backend:
          serviceName: wensleydale
          servicePort: http

Recreate the Ingress:

$ kubectl replace -f my-cheeses-ingress.yaml


Update the Traefik Service to open port 443:

$ cat traefik-service.yaml
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
    - protocol: TCP
      port: 443
      name: tls
  type: LoadBalancer

Apply the Service update:

$ kubectl apply -f traefik-service.yaml -n kube-system
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
service "traefik-ingress-service" configured


HTTPS access:

https://www.your-domain-name.com/stilton

And HTTP:

http://www.your-domain-name.com/stilton

Both work, and HTTP requests are redirected to HTTPS.




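Summary:

This article only tested Traefik's route distribution. Traefik can of course do far more than that; its main features are roughly as follows:

  • It is very fast
  • No other dependencies to install: a single executable written in Go
  • REST API support
  • Multiple backends supported: Docker, Swarm, Kubernetes, Marathon, Mesos, Consul, Etcd, with more to come
  • Backend watching: it listens for backend changes and applies the new configuration automatically
  • Hot reloading of the configuration file, with no process restart
  • Graceful shutdown of HTTP connections
  • Circuit breakers on backends
  • Round-robin and rebalancer load balancing
  • REST metrics
  • Minimal official Docker image
  • SSL to backends
  • SSL on the frontend (including SNI)
  • Clean AngularJS web UI
  • WebSocket support
  • HTTP/2 support
  • Retry on network errors
  • Let's Encrypt support (automatic HTTPS certificate renewal)
  • High-availability cluster mode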

