Proxy
[NOTE] Updated January 4, 2020. This article may have outdated content or subject matter.
Proxy
proxy addons:
- Ingress-nginx
- Traefik
ingress-nginx
https://github.com/kubernetes/ingress-nginx
// Deploy (pin the manifest to a release tag, as here, and review it before applying: it creates cluster-wide RBAC objects)
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.34.1/deploy/static/provider/baremetal/deploy.yaml
// Verify the deployment
$ kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --watch
// Detect the installed version
$ POD_NAMESPACE=ingress-nginx
$ POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[0].metadata.name}')
$ kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version
traefik
Traefik 2.2+
https://github.com/traefik/traefik
install with helm:
helm repo add traefik https://helm.traefik.io/traefik
helm repo update
helm install traefik traefik/traefik -n traefik --create-namespace -f ./value.yaml
# expose dashboard (chart default: entrypoint "traefik" on port 9000, no authentication in front of it).
# --address 0.0.0.0 binds that unauthenticated dashboard on every interface of the machine running kubectl;
# leave it out (default 127.0.0.1) unless other hosts really need to reach it. Open http://localhost:9000/dashboard/
kubectl port-forward -n traefik $(kubectl get pods -n traefik --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000 --address 0.0.0.0
Request model
Client => Traefik => Backend
Ports:
9000: Traefik dashboard port
Key components
- Providers: discover the services running on the platform automatically.
- Entrypoints: listen for incoming traffic; they define the ports on which requests are accepted.
- Routers: analyse each request and connect it to the service responsible for handling it.
- Middlewares: modify the request (or the response) between the router and the service.
- Services/LB: forward the request to the application; they describe the actual backends that handle it.
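The following is an added example, not code from the original page or from the Traefik project, showing how the components above chain together when the dynamic configuration comes from the Kubernetes CRD provider: entrypoint -> router (match rule) -> middlewares -> service. All names are assumptions: namespace "demo", a Service "whoami" on port 80, the host whoami.example.com, and a kubernetes.io/tls Secret "whoami-tls".

```yaml
# Added example (not from the original page or the Traefik project): dynamic
# configuration expressed as Traefik CRDs, showing the chain
# entryPoint -> router (match rule) -> middlewares -> service.
# Assumed names: namespace "demo", Service "whoami" on port 80, host
# whoami.example.com, kubernetes.io/tls Secret "whoami-tls".
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: security-headers
  namespace: demo
spec:
  headers:                      # response headers added on the way back to the client
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    frameDeny: true
    contentTypeNosniff: true
    browserXssFilter: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: admin-allowlist
  namespace: demo
spec:
  ipWhiteList:                  # source-IP allowlist for the admin path
    sourceRange:
      - 10.0.0.0/8
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
  namespace: demo
spec:
  entryPoints:
    - websecure                 # TLS only; without this line the route also binds to "web"
  routes:
    # Higher priority than the catch-all host rule, so /admin cannot bypass the allowlist.
    - match: Host(`whoami.example.com`) && PathPrefix(`/admin`)
      kind: Rule
      priority: 20
      middlewares:
        - name: admin-allowlist
        - name: security-headers
      services:
        - name: whoami
          port: 80
    - match: Host(`whoami.example.com`)
      kind: Rule
      priority: 10
      middlewares:
        - name: security-headers
      services:
        - name: whoami
          port: 80
  tls:
    secretName: whoami-tls      # certificate for whoami.example.com, same namespace as the IngressRoute
```

Apply it with kubectl apply -f. One check worth doing before relying on the allowlist: ipWhiteList sees the TCP peer address by default, so behind a Service of type LoadBalancer with externalTrafficPolicy: Cluster it may see a node address rather than the client; use externalTrafficPolicy: Local, or configure the middleware's ipStrategy only if a trusted proxy in front of Traefik sets X-Forwarded-For.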
Configuration
Two kinds of configuration
- Static configuration: read once at startup, from the configuration file (/etc/traefik/traefik.[toml|yaml]), environment variables or command-line arguments (these three sources are mutually exclusive; Traefik uses one of them); it configures providers, entrypoints and so on.
- Dynamic configuration: the routing configuration that defines how requests are handled; it is obtained from the providers and can change at runtime.
静态配置:
- entrypoints
- providers
- serversTransport
- certificatesresolvers
- api
- ping
- experimental
- hostresolver
- accesslog
- log
- metrics(datadog, influxdb, prometheus,statsd)
- tracing(datadog, elastic, haystack, instana, jaeger, zipkin)
Global configuration (set both to false on hosts that must not call out):
--global.checknewversion
--global.sendanonymoususage
Parameters that control the connections from Traefik to the backends (serversTransport):
# Disables verification of backend certificates entirely, so anything on the path to a backend can impersonate it; prefer rootCAs below.
--serversTransport.insecureSkipVerify=true
# CA certificates to trust for backends that present self-signed or private-CA certificates.
--serversTransport.rootCAs=foo.crt,bar.crt
--serversTransport.maxIdleConnsPerHost=7
--serversTransport.forwardingTimeouts.dialTimeout=1s
--serversTransport.forwardingTimeouts.responseHeaderTimeout=1s
--serversTransport.forwardingTimeouts.idleConnTimeout=1s
kubernetes provider
The Kubernetes provider comes in three variants:
- Ingress (providers.kubernetesIngress): standard networking.k8s.io Ingress objects
- IngressRoute (providers.kubernetesCRD): Traefik's own CRDs (IngressRoute, Middleware, TLSOption, ...)
- Gateway API (providers.kubernetesGateway): experimental
https & tls
Traefik's certificates can be created manually (and referenced from a Secret), or obtained automatically from Let's Encrypt.
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: name
  namespace: ns
spec:
  entryPoints:
    - websecure
  routes:
    # assumed example route: forwards Host app.example.com to Service "app" on port 80
    - match: Host(`app.example.com`)
      kind: Rule
      services:
        - name: app
          port: 80
  tls:
    secretName: my-tls   # Secret of type kubernetes.io/tls (tls.crt / tls.key) in namespace ns
Automatic certificates from Let's Encrypt can be validated with one of three ACME challenge types (TLS-ALPN-01, HTTP-01, DNS-01). A resolver uses a single challenge type, so pick one; the HTTP and TLS variants are shown here.
HTTP-01 (answers on the entrypoint bound to port 80):
- "--certificatesresolvers.myresolver.acme.httpchallenge=true"
- "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
TLS-ALPN-01 (always answers on port 443; the option takes no entrypoint setting):
- "--certificatesresolvers.myresolver.acme.tlschallenge=true"
Common to every resolver:
- "--certificatesresolvers.myresolver.acme.email=canux.cheng@arm.com"
- "--certificatesresolvers.myresolver.acme.storage=acme.json"
acme.json holds the ACME account key and the private key of every issued certificate: keep it on persistent storage with mode 0600, otherwise certificates are re-issued on every restart (and Let's Encrypt rate limits apply).
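The following is an added example, not code from the original page or from the Traefik project: the static configuration above (entrypoints, providers, serversTransport, global options) and the certificate resolver from this section written as a single /etc/traefik/traefik.yaml instead of command-line flags. It assumes an internal CA file at /certs/internal-ca.crt, a persistent volume mounted at /data, and admin@example.com as a placeholder contact address; the resolver uses the TLS challenge only, because a resolver takes a single challenge type.

```yaml
# Added example (not from the original page or the Traefik project): static
# configuration file form of the flags discussed above.
# Assumptions: /certs/internal-ca.crt is the private CA that signs backend
# certificates, /data is a persistent volume, admin@example.com is a placeholder.
global:
  checkNewVersion: false
  sendAnonymousUsage: false

entryPoints:
  web:
    address: ":80"
    http:
      redirections:          # never serve application traffic over plain HTTP
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
  traefik:
    address: ":9000"         # dashboard / ping / metrics; keep this port cluster-internal

api:
  dashboard: true
  insecure: false            # dashboard only reachable through an IngressRoute to api@internal

ping:
  entryPoint: traefik

providers:
  kubernetesCRD: {}          # IngressRoute / Middleware / TLSOption objects
  kubernetesIngress: {}      # standard networking.k8s.io Ingress objects

# Traefik -> backend connections: trust the private CA instead of switching
# certificate verification off.
serversTransport:
  insecureSkipVerify: false
  rootCAs:
    - /certs/internal-ca.crt
  maxIdleConnsPerHost: 7
  forwardingTimeouts:
    dialTimeout: 1s
    responseHeaderTimeout: 1s
    idleConnTimeout: 1s

# One ACME challenge per resolver. TLS-ALPN-01 needs port 443 reachable from the
# internet; use httpChallenge: {entryPoint: web} instead if only port 80 is open.
certificatesResolvers:
  myresolver:
    acme:
      email: admin@example.com
      storage: /data/acme.json   # account and certificate private keys; mode 0600, persistent
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory   # staging while testing
      tlsChallenge: {}

log:
  level: INFO
accessLog: {}
metrics:
  prometheus:
    entryPoint: traefik
```

With api.insecure left at false, the dashboard is served only where a router sends traffic to the internal service api@internal (the Helm chart's dashboard IngressRoute does exactly this on the traefik entrypoint), so an authentication middleware can be attached to that router before the port is exposed beyond a port-forward.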
Author Canux
LastMod 4017-08-08T13:20:399