1 Using the Kubernetes CRD Provider
IngressRoute is the CRD implementation of a Traefik HTTP router.

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: foo
  namespace: bar
spec:
  # If not specified, the HTTP router accepts requests from all defined entry points.
  # To restrict the router to a set of entry points, set the entryPoints option.
  entryPoints:
    - foo
  routes:
    - kind: Rule # "Rule" is currently the only value kind accepts
      match: Host(`test.example.com`)
      priority: 10 # the default priority equals the length of the rule string
      middlewares: # multiple middlewares, applied in list order
        - name: middleware1
          namespace: default # namespace in which the middleware is defined
      services: # any combination of TraefikService and Kubernetes Service
        - kind: Service
          name: foo
          namespace: default
          passHostHeader: true
          port: 80
          responseForwarding:
            flushInterval: 1ms
          scheme: https # protocol used when forwarding to the backend (http/https/h2c); defaults to http
          serversTransport: transport
          sticky:
            cookie:
              httpOnly: true
              name: cookie
              secure: true
              sameSite: none
          strategy: RoundRobin
          weight: 10
  tls:
    secretName: supersecret # Secret in the current namespace that stores the certificate
    options:
      name: opt
      namespace: default
    certResolver: foo # certificate resolver, defined in the static configuration
    domains:
      - main: example.net
        sans:
          - a.example.net
          - b.example.net

Middleware is the CRD implementation of a Traefik middleware.

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: strip-stripit-prefix
  namespace: foo
spec:
  stripPrefix:
    prefixes:
      - /stripit

Middlewares support cross-provider references.
TraefikService is the CRD implementation of a “Traefik Service”.
Cross-provider references are supported.

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`example.com`) && PathPrefix(`/foo`)
      kind: Rule
      services:
        - name: svc1
          namespace: default # defaults to the current namespace when omitted
        - name: svc2
          namespace: default

The services field of a TraefikService object can reference any combination of the following three kinds:
- servers load balancing.
- services Weighted Round Robin load balancing.
- services mirroring.

apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: wrr1
  namespace: default
spec:
  weighted: # makes this TraefikService of the weighted type
    services:
      - name: svc1
        port: 80
        weight: 1
      - name: wrr2
        kind: TraefikService
        weight: 1
      - name: mirror1
        kind: TraefikService
        weight: 1
---
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: wrr2
  namespace: default
spec:
  weighted:
    services:
      - name: svc2
        port: 80
        weight: 1
      - name: svc3
        port: 80
        weight: 1
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`example.com`) && PathPrefix(`/foo`)
      kind: Rule
      services:
        - name: wrr1
          namespace: default
          kind: TraefikService

Mirroring from a Kubernetes Service

# Mirroring from a k8s Service
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: mirror1
  namespace: default
spec:
  mirroring:
    name: svc1
    port: 80
    mirrors:
      - name: svc2
        port: 80
        percent: 20
      - name: svc3
        kind: TraefikService
        percent: 20
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`example.com`) && PathPrefix(`/foo`)
      kind: Rule
      services:
        - name: mirror1
          namespace: default
          kind: TraefikService

Mirroring from a Traefik Service

# Mirroring from a Traefik Service
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: mirror1
  namespace: default
spec:
  mirroring:
    name: wrr1
    kind: TraefikService
    mirrors:
      - name: svc2
        port: 80
        percent: 20
      - name: svc3
        kind: TraefikService
        percent: 20
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`example.com`) && PathPrefix(`/foo`)
      kind: Rule
      services:
        - name: mirror1
          namespace: default
          kind: TraefikService

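Because TraefikService objects reference each other by name, it is worth checking the reference graph before applying a set of manifests. The following is an added example, not part of the original page or of Traefik: it takes the wrr1 and wrr2 objects from the weighted example together with the mirror1 object above (written as Python dicts, a constructed representation) and reports references to undefined TraefikServices as well as reference loops. The function names and the fallback namespace "default" are assumptions of the example.

```python
# Constructed input: wrr1/wrr2 from the weighted example, mirror1 from the example above.
MANIFESTS = [
    {"kind": "TraefikService", "metadata": {"name": "wrr1", "namespace": "default"},
     "spec": {"weighted": {"services": [
         {"name": "svc1", "port": 80, "weight": 1},
         {"name": "wrr2", "kind": "TraefikService", "weight": 1},
         {"name": "mirror1", "kind": "TraefikService", "weight": 1}]}}},
    {"kind": "TraefikService", "metadata": {"name": "wrr2", "namespace": "default"},
     "spec": {"weighted": {"services": [
         {"name": "svc2", "port": 80, "weight": 1},
         {"name": "svc3", "port": 80, "weight": 1}]}}},
    {"kind": "TraefikService", "metadata": {"name": "mirror1", "namespace": "default"},
     "spec": {"mirroring": {"name": "wrr1", "kind": "TraefikService", "mirrors": [
         {"name": "svc2", "port": 80, "percent": 20},
         {"name": "svc3", "kind": "TraefikService", "percent": 20}]}}},
]

def traefik_refs(obj):
    """Return (namespace, name) for every TraefikService that obj references."""
    ns = obj["metadata"].get("namespace", "default")  # assumption: fall back to "default"
    spec, children = obj["spec"], []
    if "weighted" in spec:
        children += spec["weighted"].get("services", [])
    if "mirroring" in spec:
        children.append(spec["mirroring"])            # the mirrored (main) service
        children += spec["mirroring"].get("mirrors", [])
    # A reference without its own namespace resolves in the referencing object's namespace.
    return [(c.get("namespace", ns), c["name"])
            for c in children if c.get("kind") == "TraefikService"]

def check_graph(manifests):
    """Return (dangling references, reference cycles) among TraefikService objects."""
    graph = {(m["metadata"].get("namespace", "default"), m["metadata"]["name"]): traefik_refs(m)
             for m in manifests if m["kind"] == "TraefikService"}
    dangling = sorted({r for refs in graph.values() for r in refs if r not in graph})
    cycles = set()

    def visit(node, path):
        if node in path:                              # already on this path: a loop
            cycles.add(tuple(sorted(path[path.index(node):])))
            return
        for nxt in graph.get(node, []):
            visit(nxt, path + [node])

    for start in graph:
        visit(start, [])
    return dangling, sorted(cycles)

if __name__ == "__main__":
    print(check_graph(MANIFESTS))
```

On this input the check reports svc3 as a TraefikService that is referenced but never defined, and a loop between wrr1 and mirror1: the weighted example sends traffic to mirror1, while the mirror1 defined above mirrors wrr1.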
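Stickiness on multiple levels
As described in the section on sticky sessions, for stickiness to work all the way through, it must be specified at every load-balancing level. In the example below, for instance, there is a first level of load balancing because of the Weighted Round Robin load balancing across the two whoami services, and there is a second level because each whoami service is a replicaset and is therefore handled as a load balancer of servers.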

apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: wrr1
  namespace: default
spec:
  weighted:
    services:
      - name: whoami1
        kind: Service
        port: 80
        weight: 1
        sticky:
          cookie:
            name: lvl2 # level-2 load balancing
      - name: whoami2
        kind: Service
        weight: 1
        port: 80
        sticky:
          cookie:
            name: lvl2 # level-2 load balancing
    sticky:
      cookie:
        name: lvl1 # level-1 load balancing
---
apiVersion: v1
kind: Service
metadata:
  name: whoami1
spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
  selector:
    app: whoami1
---
apiVersion: v1
kind: Service
metadata:
  name: whoami2
spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
  selector:
    app: whoami2

You can test access with curl:

curl -H Host:example.com -b "lvl1=default-whoami1-80; lvl2=http://10.42.0.6:80" http://localhost:8000/foo

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingressroutetcpfoo
spec:
  entryPoints: # [1]
    - footcp
  routes: # [2]
    - match: HostSNI(`*`) # [3]
      services: # [4]
        - name: foo # [5]
          port: 8080 # [6]
          weight: 10 # [7]
          terminationDelay: 400 # [8]
          proxyProtocol: # [9]
            version: 1 # [10]
  tls: # [11]
    secretName: supersecret # [12]
    options: # [13]
      name: opt # [14]
      namespace: default # [15]
    certResolver: foo # [16]
    domains: # [17]
      - main: example.net # [18]
        sans: # [19]
          - a.example.net
          - b.example.net
    passthrough: false # [20]


apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: ingressrouteudpfoo
spec:
  entryPoints: # [1]
    - fooudp
  routes: # [2]
    - services: # [3]
        - name: foo # [4]
          port: 8080 # [5]
          weight: 10 # [6]

TLSOption is the CRD implementation of a Traefik “TLS Option”.
A TLSOption can be referenced from an IngressRoute / IngressRouteTCP.
Cross-provider references are supported.

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: mytlsoption
  namespace: default
spec:
  minVersion: VersionTLS12 # [1]
  maxVersion: VersionTLS13 # [1]
  curvePreferences: # [3]
    - CurveP521
    - CurveP384
  cipherSuites: # [4]
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_RSA_WITH_AES_256_GCM_SHA384
  clientAuth: # [5]
    secretNames: # [6]
      - secretCA1
      - secretCA2
    clientAuthType: VerifyClientCertIfGiven # [7]
  sniStrict: true # [8]
---
# referencing a TLSOption
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`example.com`) && PathPrefix(`/stripit`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls:
    options:
      name: mytlsoption # cross-provider references are allowed
      namespace: default # defaults to the current namespace


apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: default
spec:
  clientAuth:
    # the CA certificate is extracted from key `tls.ca` of the given secrets.
    secretNames:
      - secretCA
    clientAuthType: RequireAndVerifyClientCert

TLSStore is the CRD implementation of a Traefik “TLS Store”.
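A TLSStore can be referenced from an IngressRoute / IngressRouteTCP.
Traefik currently only uses the TLSStore named "default". This means that if you have two TLSStores named default in different Kubernetes namespaces, one of them is picked at random. For now, configure only one TLSStore named default.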

apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: default
spec:
  defaultCertificate:
    secretName: mySecret
---
# referencing a TLSStore
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`example.com`) && PathPrefix(`/stripit`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls:
    store:
      name: default

ServersTransport is the CRD implementation of a ServersTransport.
If no serversTransport is specified, the default@internal will be used. The default@internal serversTransport is created from the static configuration.

apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: mytransport
  namespace: default
spec:
  serverName: foobar # server name used to contact the server; this is the name sent as SNI
  insecureSkipVerify: true # disables SSL certificate verification
  rootCAsSecrets: # Secrets with the CA certificates used to verify self-signed server certificates
    - foobar
    - foobar
  certificatesSecrets: # client certificates for mTLS
    - foobar
    - foobar
  maxIdleConnsPerHost: 1 # [5]
  forwardingTimeouts: # [6]
    dialTimeout: 42s # [7]
    responseHeaderTimeout: 42s # [8]
    idleConnTimeout: 42s # [9]
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: testroute
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`example.com`)
      kind: Rule
      services:
        - name: whoami
          port: 80
          serversTransport: mytransport

An introduction to SNI: https://blog.csdn.net/firefile/article/details/80532161
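
Several settings in the TLSOption, TLSStore and ServersTransport examples above weaken transport security if copied as they are. The following is an added example, not part of the original page or of Traefik: a small audit over already-parsed objects (the shape of the items in `kubectl get ... -o json` output) that flags cipher suites without forward secrecy, client authentication that does not require a verified certificate, more than one TLSStore named default, and disabled backend certificate verification. The `audit` function, the finding texts and the team-a namespace are assumptions of the example.

```python
# Constructed sample: the objects from this page as parsed JSON items, plus a second
# TLSStore named "default" in a made-up namespace (team-a).
ITEMS = [
    {"kind": "TLSOption", "metadata": {"name": "mytlsoption", "namespace": "default"},
     "spec": {"minVersion": "VersionTLS12",
              "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                               "TLS_RSA_WITH_AES_256_GCM_SHA384"],
              "clientAuth": {"secretNames": ["secretCA1", "secretCA2"],
                             "clientAuthType": "VerifyClientCertIfGiven"}}},
    {"kind": "TLSStore", "metadata": {"name": "default", "namespace": "default"},
     "spec": {"defaultCertificate": {"secretName": "mySecret"}}},
    {"kind": "TLSStore", "metadata": {"name": "default", "namespace": "team-a"},
     "spec": {"defaultCertificate": {"secretName": "mySecret"}}},
    {"kind": "ServersTransport", "metadata": {"name": "mytransport", "namespace": "default"},
     "spec": {"serverName": "foobar", "insecureSkipVerify": True}},
]

def audit(items):
    """Return sorted (namespace/name, finding) pairs for the TLS-related CRDs."""
    findings, default_stores = [], []
    for item in items:
        ref = f'{item["metadata"]["namespace"]}/{item["metadata"]["name"]}'
        kind, spec = item["kind"], item.get("spec", {})
        if kind == "TLSOption":
            if spec.get("minVersion") in ("VersionTLS10", "VersionTLS11"):
                findings.append((ref, "minVersion is below TLS 1.2"))
            for suite in spec.get("cipherSuites", []):
                if suite.startswith("TLS_RSA_"):      # static RSA key exchange
                    findings.append((ref, f"{suite} has no forward secrecy"))
            auth = spec.get("clientAuth")
            if auth and auth.get("clientAuthType") != "RequireAndVerifyClientCert":
                findings.append((ref, "client certificate is not required and verified"))
        elif kind == "TLSStore" and item["metadata"]["name"] == "default":
            default_stores.append(ref)
        elif kind == "ServersTransport" and spec.get("insecureSkipVerify"):
            findings.append((ref, "backend certificate verification is disabled"))
    if len(default_stores) > 1:   # per the page, one of them is picked at random
        findings += [(ref, "duplicate TLSStore named default") for ref in default_stores]
    return sorted(findings)

if __name__ == "__main__":
    for ref, finding in audit(ITEMS):
        print(f"{ref}: {finding}")
```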