Ingress


Nginx

https://github.com/kubernetes/ingress-nginx

// Deploy
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.34.1/deploy/static/provider/baremetal/deploy.yaml

// Verify the deployment
$ kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --watch

// Detect installed version
$ POD_NAMESPACE=ingress-nginx
$ POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[0].metadata.name}')
$ kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version

traefik

traefik 2.2+

https://github.com/traefik/traefik

install with helm:

helm repo add traefik https://helm.traefik.io/traefik
helm repo update
# release name "traefik", chart traefik/traefik, namespace traefik (created if missing)
helm install --create-namespace -n traefik traefik traefik/traefik -f ./value.yaml

# expose dashboard:
kubectl port-forward -n traefik $(kubectl get pods -n traefik --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000 --address 0.0.0.0

Request model

Client => Traefik => Backend

Ports:

9000: traefik dashboard port

Key components

  • Providers: discover the services running on the platform automatically.
  • Entrypoints: listen for incoming traffic; they define the ports on which requests are accepted.
  • Routers: analyze each request and connect it to the service responsible for handling it.
  • Middlewares: modify the request before the router hands it to the service.
  • Services/LB: forward the request to the application; they configure the actual servers that handle the request.
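Added example (not part of the original notes): the five components wired together on the kubernetes CRD provider. The websecure entrypoint is assumed to be defined in the static configuration, the IngressRoute is the router, a headers Middleware runs before the Service, and the Service selects the backend pods. The namespace ns, the host whoami.example.com and the names whoami and secure-headers are placeholders.

```yaml
# Added example: dynamic configuration consumed by the kubernetesCRD provider.
# ns, whoami, whoami.example.com and secure-headers are placeholder names.
---
# Service: the actual servers that handle the request (a plain Kubernetes Service).
apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: ns
spec:
  selector:
    app: whoami
  ports:
    - name: http
      port: 80
      targetPort: 80
---
# Middleware: applied by the router before the request reaches the service.
# Here it adds defensive response headers (HSTS, nosniff, frame denial).
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: secure-headers
  namespace: ns
spec:
  headers:
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    contentTypeNosniff: true
    frameDeny: true
---
# Router: the IngressRoute ties an entrypoint, a match rule, middlewares and services together.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
  namespace: ns
spec:
  entryPoints:
    - websecure                     # entrypoint named in the static configuration (":443")
  routes:
    - match: Host(`whoami.example.com`) && PathPrefix(`/`)
      kind: Rule
      middlewares:
        - name: secure-headers      # runs before the request is forwarded
      services:
        - name: whoami              # the Service above
          port: 80
  tls: {}                           # terminate TLS on this router with the default certificate
```

A request therefore travels Client => websecure entrypoint => IngressRoute (router) => secure-headers (middleware) => whoami (service) => pods, which is the request model above with each hop made explicit.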

Configuration

Two types of configuration

  • Static configuration: the startup configuration, set through a configuration file (/etc/traefik/traefik.[toml|yaml]), environment variables, or command-line arguments; it defines providers, entrypoints, and so on.
  • Dynamic configuration: the routing configuration that defines how the system handles requests; it is obtained from the providers.

Static configuration:

  • entrypoints
  • providers
  • servertransport
  • certificatesresolvers
  • api
  • ping
  • experimental
  • hostresolver
  • accesslog
  • log
  • metrics (datadog, influxdb, prometheus, statsd)
  • tracing (datadog, elastic, haystack, instana, jaeger, zipkin)

Global configuration:

--global.checknewversion
--global.sendanonymoususage

serversTransport parameters controlling the connection from Traefik to the Backend:

--serversTransport.insecureSkipVerify=true
# self-signed TLS CA.
--serversTransport.rootCAs=foo.crt,bar.crt
--serversTransport.maxIdleConnsPerHost=7
--serversTransport.forwardingTimeouts.dialTimeout=1s
--serversTransport.forwardingTimeouts.responseHeaderTimeout=1s
--serversTransport.forwardingTimeouts.idleConnTimeout=1s
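Added example (not from the original notes): the static options listed above collected into one /etc/traefik/traefik.yaml for Traefik 2.2+, with the serversTransport section written the hardened way. Leaving insecureSkipVerify at its default of false and listing the CA that signed the backend certificates under rootCAs keeps certificate verification for the Traefik => Backend hop; insecureSkipVerify=true makes Traefik accept any backend certificate. The CA file path and the choice of Prometheus metrics are assumptions.

```yaml
# Added example: complete static configuration (/etc/traefik/traefik.yaml).
# /certs/internal-ca.crt is a placeholder path.
entryPoints:
  web:
    address: ":80"
    http:
      redirections:            # send plain HTTP to the TLS entrypoint (available since 2.2)
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  kubernetesCRD: {}            # IngressRoute / Middleware objects supply the dynamic configuration

api:
  dashboard: true              # served only through a router to api@internal; insecure: true would expose it unauthenticated

ping: {}

log:
  level: INFO
accessLog: {}

metrics:
  prometheus: {}

serversTransport:
  # Weak setting to avoid: insecureSkipVerify: true disables verification of backend certificates.
  insecureSkipVerify: false
  # Hardened setting: trust the internal (self-signed) CA that issued the backend certificates.
  rootCAs:
    - /certs/internal-ca.crt
  maxIdleConnsPerHost: 7
  forwardingTimeouts:
    dialTimeout: 1s
    responseHeaderTimeout: 1s
    idleConnTimeout: 1s
```

Each key here corresponds to one of the command-line flags above (for example serversTransport.forwardingTimeouts.dialTimeout is --serversTransport.forwardingTimeouts.dialTimeout); the file, environment variables and flags are three equivalent ways of supplying the same static configuration.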

kubernetes provider

There are three kinds of kubernetes provider

  • Ingress
  • IngressRoute
  • Gateway API

https & tls

Traefik certificates can be created manually or obtained automatically through Let's Encrypt.

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: name
  namespace: ns
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`example.com`)   # placeholder host
      kind: Rule
      services:
        - name: my-service         # placeholder backend Service
          port: 80
  tls:
    secretName: my-tls             # kubernetes.io/tls Secret holding the manually created certificate

Automatic certificate creation through Let's Encrypt supports three challenge types (tls, http, dns).

# traefik container arguments defining the ACME resolver "myresolver"
- "--certificatesresolvers.myresolver.acme.httpchallenge=true"
- "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"   # HTTP-01: Let's Encrypt must reach this entrypoint on port 80
- "--certificatesresolvers.myresolver.acme.tlschallenge=true"              # TLS-ALPN-01: takes no entrypoint option, always uses port 443
- "--certificatesresolvers.myresolver.acme.email=canux.cheng@arm.com"
- "--certificatesresolvers.myresolver.acme.storage=acme.json"              # stores the account key and certificate private keys
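Added example (not from the original notes): the same resolver carried through end to end with the helm chart used above. The first file is a value.yaml for the traefik/traefik chart that passes the ACME flags as container arguments and keeps acme.json on a persistent volume; the second is an IngressRoute whose router requests its certificate from the resolver instead of referencing a Secret. The chart keys globalArguments, additionalArguments and persistence are assumed to exist in the chart version in use; the email, host, namespace and service name are placeholders.

```yaml
# Added example, file 1: value.yaml for "helm install ... traefik/traefik -f ./value.yaml".
# admin@example.com, app.example.com, ns and app are placeholders.
globalArguments:
  - "--global.checknewversion"
  - "--global.sendanonymoususage"
additionalArguments:
  # one challenge type per resolver is enough; HTTP-01 needs the web entrypoint reachable on port 80
  - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
  - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
  - "--certificatesresolvers.myresolver.acme.email=admin@example.com"
  - "--certificatesresolvers.myresolver.acme.storage=/data/acme.json"
persistence:
  enabled: true          # acme.json holds the ACME account key and certificate private keys;
  path: /data            # without a volume they are regenerated on every restart and rate limits are hit
  size: 128Mi
---
# Added example, file 2: IngressRoute using the resolver (dynamic configuration).
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app
  namespace: ns
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`app.example.com`)   # the resolver requests a certificate for this host
      kind: Rule
      services:
        - name: app
          port: 80
  tls:
    certResolver: myresolver            # instead of secretName: the certificate comes from Let's Encrypt
```

Compared with the manual IngressRoute above, only the tls block changes: secretName points at a certificate you created, certResolver names the resolver that obtains and renews one.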