traefik

Installing Resource Definition and RBAC

# Install Traefik Resource Definitions:
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml

# Install RBAC for Traefik:
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml

The apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in Kubernetes v1.16+ and will be removed in v1.22+.

For Kubernetes v1.16+, please use the Traefik apiextensions.k8s.io/v1 CRDs instead.

Traefik & CRD & Let’s Encrypt

traefik.sh

traefik:v2.2.10

bash traefik.sh
#!/bin/bash
DIR="$(cd "$(dirname "$0")" && pwd)"


base_file=$DIR/test
crd=1-crd.yaml
rbac=2-rbac.yaml
role=3-role.yaml
static=4-static_config.yaml
dynamic=5-dynamic_toml.toml
deploy=6-deploy.yaml
svc=7-service.yaml
ingress=8-ingress.yaml




y_crd(){
    cat >$1 <
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced


---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us


spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced


---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us


spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced


---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressrouteudps.traefik.containo.us


spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteUDP
    plural: ingressrouteudps
    singular: ingressrouteudp
  scope: Namespaced


---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us


spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced


---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsstores.traefik.containo.us


spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSStore
    plural: tlsstores
    singular: tlsstore
  scope: Namespaced


---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us


spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced
EOF
}


y_rbac(){
    cat>$1 <
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - persistentvolumes
    verbs:
      - get
      - list
      - watch
      - create  # persistentvolumes
      - delete
  - apiGroups:
      - ""
    resources:
      - persistentvolumeclaims
    verbs:
      - get
      - list
      - watch
      - update  # persistentvolumeclaims         
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
    verbs:
      - get
      - list
      - watch
EOF
}


y_role(){
   cat >$1 <
}


#静态配置动态文件======================?
y_static_config(){
   cat >$1 <
genkey(){
openssl req \
        -newkey rsa:2048 -nodes -keyout tls.key \
        -x509 -days 3650 -out tls.crt \
        -subj "/C=CN/ST=GD/L=SZ/O=cs/OU=shea/CN=k8s.org" 
#kubectl create secret generic traefik-cert --from-file=tls.crt --from-file=tls.key -n kube-system        
}


y_dynamic_toml(){
   cat >$1 <
EOF
}


y_deploy(){
   cat >$1 <
y_service(){
   cat >$1 <
EOF
}


y_ingress(){
   cat >$1 <<"EOF"
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`master02`) #pod节点 192.168.56.109
      kind: Rule
      services:
        - name: traefik
          port: 8080
EOF
}


[ -d "$base_file" ] || { echo "没有目录,则创建目录" && mkdir $base_file; }
[ -n "$(which openssl)" ] || { echo "需要用到openssl,没有找到,退出" && exit 1; }
cd $base_file


# genkey  
# [ -f "tls.key" ] || { echo "没有生成密钥,退出" && exit 1; }
#kubectl create secret generic traefik-cert --from-file=tls.crt --from-file=tls.key -n kube-system
# #kubectl create configmap traefik-conf --from-file=$dynamic -n kube-system


arr=($crd $rbac $role $static $dynamic $deploy  $svc $ingress)


for i in ${arr[@]}; do
echo "开始生成:"$i 
y_${i:2:0-5}  $i
[ -f "$i" ] || { echo "没有生成$i,退出" && exit 1; }
#kubectl apply -f  $i
done  

traefik-v2.10.4

bash traefik.sh
#!/bin/bash
DIR="$(cd "$(dirname "$0")" && pwd)"


version="k8s.org/k8s/traefik:v2.10.4"
base_file=$DIR/test
crd=1-crd.yaml
rbac=2-rbac.yaml
static=3-static_config.yaml
dynamic=4-dynamic_toml.toml
deploy=5-deploy.yaml
svc=6-service.yaml
ingress=7-ingress.yaml


y_crd(){
    [ -f "$DIR/crd.yml" ] && {  echo "cp crd" && cp $DIR/crd.yml  $DIR/test/$1 && return 0; }
  url=https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
  echo "请执行wget -O crd.yml  $url"
}


y_rbac(){
[ -f "$DIR/rabc.yml" ] && {  echo "cp rabc" && cp $DIR/rabc.yml  $DIR/test/$2 && return 0; }
    url=https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
  echo "请执行wget -O rabc.yml  $url"
}




#静态配置动态文件======================?
y_static_config(){
   cat >$1 <


genkey(){
openssl req \
        -newkey rsa:2048 -nodes -keyout tls.key \
        -x509 -days 3650 -out tls.crt \
        -subj "/C=CN/ST=GD/L=SZ/O=cs/OU=shea/CN=ui.k8s.cn" 
        #ui.k8s.cn 对应rule host
#kubectl create secret generic traefik-cert --from-file=tls.crt --from-file=tls.key -n kube-system        
}


y_dynamic_toml(){
   cat >$1 <
EOF
}


y_deploy(){
   cat >$1 <
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-ingress-controller
  labels:
    app: traefik
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      name: traefik
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 1
      containers:
        - image: $version
          name: traefik
          ports:
            - name: web
              containerPort: 80
              hostPort: 80         ## 将容器端口绑定所在服务器的 80 端口
            - name: websecure
              containerPort: 443
              hostPort: 443        ## 将容器端口绑定所在服务器的 443 端口
            - name: redis
              containerPort: 6379
              hostPort: 6379
            - name: admin
              containerPort: 8080  ## Traefik Dashboard 端口
          resources:
            limits:
              cpu: 200m
              memory: 256Mi
            requests:
              cpu: 100m
              memory: 256Mi
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          args:
            - --configfile=/config/traefik.yaml
          volumeMounts:
            - mountPath: "/config"
              name: "config"
            - mountPath: "/ssl"
              name: "ssl"
      volumes:
        - name: config
          configMap:
            name: traefik-config-yaml
        - name: ssl
          secret:
            secretName: traefik-cert
EOF
}


y_service(){
   cat >$1 <
EOF
}


#kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/user-guides/crd-acme/04-ingressroutes.yml
y_ingress(){
   cat >$1 <<"EOF"
apiVersion: traefik.io/v1alpha1  #v3 版本废弃v1alpha1，使用v1
kind: IngressRoute
metadata:
  name: dashboard
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`ui.k8s.cn`)
    kind: Rule
    services:
    - name: api@internal
      kind: TraefikService
  tls:
     secretName: traefik-cert
EOF
}


[ -d "$base_file" ] || { echo "没有目录,则创建目录" && mkdir $base_file; }
[ -n "$(which openssl)" ] || { echo "需要用到openssl,没有找到,退出" && exit 1; }
cd $base_file


# genkey  
# [ -f "tls.key" ] || { echo "没有生成密钥,退出" && exit 1; }
#kubectl create secret generic traefik-cert --from-file=tls.crt --from-file=tls.key -n kube-system
# #kubectl create configmap traefik-conf --from-file=$dynamic -n kube-system
# 
arr=($crd $rbac $static $dynamic $deploy  $svc $ingress)


for i in ${arr[@]}; do
echo "开始生成:"$i 
y_${i:2:0-5}  $i
[ -f "$i" ] || { echo "没有生成$i,退出" && exit 1; }
# kubectl apply -f  $i
done






  

$bash traefik.sh
$ tree  ./test
./test
├── 1-crd.yaml
├── 2-rbac.yaml
├── 3-role.yaml
├── 4-static_config.yaml
├── 5-dynamic_toml.toml
├── 6-deploy.yaml
├── 7-service.yaml
└── 8-ingress.yaml

https://www.lvbibir.cn/posts/tech/kubernetes-traefik-2-router/

helm

❯ helm install -f ./traefik/values.yaml  -name traefik   --namespace kube-system  ./traefik
NAME: traefik
LAST DEPLOYED: Wed Sep  6 20:00:43 2023
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Traefik Proxy v2.10.4 has been deployed successfully on kube-system namespace !
❯ helm upgrade  -name traefik --namespace kube-system  ./traefik
Release "traefik" has been upgraded. Happy Helming!
NAME: traefik
LAST DEPLOYED: Wed Sep  6 20:08:33 2023
NAMESPACE: kube-system
STATUS: deployed
REVISION: 2
TEST SUITE: None
NOTES:
Traefik Proxy v2.10.4 has been deployed successfully on kube-system namespace !
❯helm uninstall  -name traefik --namespace kube-system
release "traefik" uninstalled

nginx

#https://docs.nginx.com/nginx-ingress-controller
❯  helm repo add nginx-stable https://helm.nginx.com/stable
"nginx-stable" has been added to your repositories
❯ helm pull nginx-stable/nginx-ingress --untar

#https://github.com/kubernetes/ingress-nginx 
❯ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
"ingress-nginx" has been added to your repositories
❯ helm pull ingress-nginx/ingress-nginx --untar

❯ kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io
NAME                      WEBHOOKS   AGE
ingress-nginx-admission   1          42s

❯ kubectl delete -A validatingwebhookconfigurations.admissionregistration.k8s.io ingress-nginx-admission
validatingwebhookconfiguration.admissionregistration.k8s.io "ingress-nginx-admission" deleted

UPGRADE FAILED: cannot patch “grafana” with kind Ingress: Internal error occurred: failed calling webhook “validate.nginx.ingress.kubernetes.io”: failed to call webhook: Post “https://ingress-nginx-controller-admission.default.svc:443/networking/v1/ingresses?timeout=10s": x509: certificate signed by unknown authority

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: todo
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/app-root: /app/
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/configuration-snippet: |
      rewrite ^(/app)$ $1/ redirect;
      rewrite ^/stylesheets/(.*)$ /app/stylesheets/$1 redirect;
      rewrite ^/images/(.*)$ /app/images/$1 redirect;
spec:
  rules:
  - host: todo.qikqiak.com
    http:
      paths:
      - backend:
          serviceName: todo
          servicePort: 3000
        path: /app(/|$)(.*)