kubernetes expose services with Traefik 2.x as ingress with CRD

Question

What I have

I have a Kubernetes cluster as follows:

  • Single control plane (but I plan to extend to 3 control planes for HA)
  • 2 worker nodes

On this cluster I deployed (following this doc from Traefik: https://docs.traefik.io/user-guides/crd-acme/):

  • A deployment that creates two pods:

    • traefik itself: which will be in charge of routing with exposed port 80, 8080
    • whoami: a simple HTTP server that responds to HTTP requests
  • Two services:

    • traefik service: [image]
    • whoami service: [image]
  • One Traefik IngressRoute: [image]

What I want

I have multiple services running in the cluster and I want to expose them to the outside using Ingress.
More precisely, I want to use the new Traefik 2.x CRD ingress methods.

My ultimate goal is to use the new Traefik 2.x CRD to expose resources on port 80, 443, 8080 using IngressRoute custom resource definitions.

What's the problem

If I understand well, classic Ingress controllers allow exposition of every port we want to the outside world (including 80, 8080 and 443).

But the new Traefik CRD ingress approach on its own does not export anything at all.
One solution is to define the Traefik service as a LoadBalancer-typed service and then expose some ports. But you are forced to use the 30000-32767 port range (same as NodePort), and I don't want to add a reverse proxy in front of the reverse proxy to be able to expose port 80 and 443...

Also, I've seen from the doc of the new ingress CRD (https://docs.traefik.io/user-guides/crd-acme/) that:

kubectl port-forward --address 0.0.0.0 service/traefik 8000:8000 8080:8080 443:4443 -n default

is required, and I understand that now. You need to map the host port to the service port.
But mapping the ports that way feels clunky and counterintuitive. I don't want to have a part of the service description in a YAML file and at the same time have to remember that I need to map ports with kubectl.

I'm pretty sure there is a neat and simple solution to this problem, but I can't understand how to keep things simple. Do you guys have any experience in Kubernetes with the new Traefik 2.x CRD config?

Answer 1

Score: 1

apiVersion: v1
kind: Service
metadata:
  name: traefik

spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
      targetPort: 8000
    - protocol: TCP
      name: admin
      port: 8080
      targetPort: 8080
    - protocol: TCP
      name: websecure
      port: 443
      targetPort: 4443
  selector:
    app: traefik

Have you tried to use targetPort, where every request that comes in on 80 is redirected to 8000? But when you use port-forward you always need to use the service instead of the pod.

Answer 2

Score: 1

You can try to use the LoadBalancer service type to expose the Traefik service on ports 80, 443 and 8080. I've tested the YAML from the link you provided in GKE, and it works.

You need to change the ports on the 'traefik' service and add 'LoadBalancer' as the service type:

apiVersion: v1
kind: Service
metadata:
  name: traefik
spec:
  ports:
    - protocol: TCP
      name: web
      port: 80  # Port to receive HTTP connections
    - protocol: TCP
      name: admin
      port: 8080  # Administration port
    - protocol: TCP
      name: websecure
      port: 443  # Port to receive HTTPS connections
  selector:
    app: traefik
  type: LoadBalancer  # Define the type load balancer

Kubernetes will create a load balancer for your service and you can access your application using ports 80 and 443.

$ curl https://35.111.XXX.XX/tls -k
Hostname: whoami-5df4df6ff5-xwflt
IP: 127.0.0.1
IP: 10.60.1.11
RemoteAddr: 10.60.1.13:55262
GET /tls HTTP/1.1
Host: 35.111.XXX.XX
User-Agent: curl/7.66.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 10.60.1.1
X-Forwarded-Host: 35.111.XXX.XX
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: traefik-66dd84c65c-4c5gp
X-Real-Ip: 10.60.1.1

$ curl http://35.111.XXX.XX/notls   
Hostname: whoami-5df4df6ff5-xwflt
IP: 127.0.0.1
IP: 10.60.1.11
RemoteAddr: 10.60.1.13:55262
GET /notls HTTP/1.1
Host: 35.111.XXX.XX
User-Agent: curl/7.66.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 10.60.1.1
X-Forwarded-Host: 35.111.XXX.XX
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: traefik-66dd84c65c-4c5gp
X-Real-Ip: 10.60.1.1
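
The first two answers differ in two details worth checking before a Service like this goes public: how targetPort is resolved when it is omitted, and whether the admin port ends up on an external address. The following is an added example, not code from the page or from Traefik; it assumes Traefik's entrypoints listen on 8000, 4443 and 8080 (the targetPort values in the first answer), and the helper names, the "admin" port-name convention and the sample dicts are constructed for illustration.

```python
# Added example (not from the page): audit Service manifests for two pitfalls.
# ASSUMPTION: Traefik's entrypoints listen on 8000 (web), 4443 (websecure) and
# 8080 (admin), matching the targetPort values in Answer 1.
LISTENING = {8000, 4443, 8080}
ADMIN_NAMES = {"admin"}  # hypothetical convention: this port name marks the dashboard/API

def audit_service(svc, listening=LISTENING):
    """Return (port_name, finding) tuples for one Service manifest given as a dict."""
    spec = svc.get("spec", {})
    external = spec.get("type", "ClusterIP") in ("LoadBalancer", "NodePort")
    restricted = bool(spec.get("loadBalancerSourceRanges"))
    findings = []
    for p in spec.get("ports", []):
        name = p.get("name", str(p["port"]))
        # Kubernetes sets targetPort to the value of port when it is omitted.
        target = p.get("targetPort", p["port"])
        # A string targetPort names a container port; it cannot be checked here.
        if isinstance(target, int) and target not in listening:
            findings.append((name, f"targetPort {target} has no listener"))
        if external and name in ADMIN_NAMES and not restricted:
            findings.append((name, "admin port exposed outside the cluster"))
    return findings

def service(svc_type, *ports):
    """Build a constructed Service dict from (name, port, targetPort-or-None) tuples."""
    specs = []
    for name, port, target in ports:
        entry = {"protocol": "TCP", "name": name, "port": port}
        if target is not None:
            entry["targetPort"] = target
        specs.append(entry)
    return {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "traefik"},
            "spec": {"type": svc_type, "selector": {"app": "traefik"}, "ports": specs}}

# Constructed inputs mirroring the manifests in Answer 1 and Answer 2.
ANSWER_1 = service("ClusterIP", ("web", 80, 8000), ("admin", 8080, 8080),
                   ("websecure", 443, 4443))
ANSWER_2 = service("LoadBalancer", ("web", 80, None), ("admin", 8080, None),
                   ("websecure", 443, None))
# Variant: explicit targetPorts, admin port left off the public Service.
PUBLIC_ONLY = service("LoadBalancer", ("web", 80, 8000), ("websecure", 443, 4443))

if __name__ == "__main__":
    for label, svc in [("answer 1", ANSWER_1), ("answer 2", ANSWER_2),
                       ("public only", PUBLIC_ONLY)]:
        print(label, audit_service(svc))
```

If the Traefik entrypoints were changed to listen on 80 and 443 directly, pass that set as the listening argument and the targetPort findings disappear; the admin-port finding remains until the port is removed from the external Service or loadBalancerSourceRanges is set.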

Answer 3

Score: 0

Well, after some time I've decided to put an HAProxy in front of the Kubernetes cluster. It seems to be the only solution ATM.

huangapple
  • Posted on January 6, 2020 at 23:47:36