Traefik
introduction
Traefik is a modern HTTP reverse proxy and load balancer designed specifically to simplify the deployment of microservices and containerized applications. Compared with traditional reverse proxy tools (such as Nginx and Apache), it offers stronger automation capabilities and cloud-native features.
prerequisites
- a domain name controlled by aliyun; in this example, it's `dashboard.traefik.dev.geekcity.tech`
installation
- configure aliyun ram
  - create a user, in this example, it's `traefik-dns`
  - create a policy, in this example, it's `traefik-dns`
    ```json
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "alidns:AddDomainRecord",
            "alidns:DeleteDomainRecord"
          ],
          "Resource": "acs:alidns:*:*:domain/geekcity.tech"
        },
        {
          "Effect": "Allow",
          "Action": [
            "alidns:DescribeDomains",
            "alidns:DescribeDomainRecords"
          ],
          "Resource": "acs:alidns:*:*:domain/*"
        }
      ]
    }
    ```
  - bind the policy `traefik-dns` to the user `traefik-dns`
- create a secret named `traefik-aliyun-dns-credentials` which stores the access key and access secret of the user `traefik-dns`
  ```shell
  # the traefik namespace must already exist when this command runs
  #export ACCESS_KEY_ID=access_key_id_of_traefik_dns
  #export ACCESS_KEY_SECRET=access_key_secret_of_traefik_dns
  kubectl -n traefik create secret generic traefik-aliyun-dns-credentials \
    --from-literal=access-key="$ACCESS_KEY_ID" \
    --from-literal=secret-key="$ACCESS_KEY_SECRET"
  ```
- install or update Traefik
  - (optional, only for k3s) remove the Traefik installed by k3s by default
    ```shell
    kubectl delete -f /var/lib/rancher/k3s/server/manifests/traefik.yaml
    ```
  - prepare `traefik.app.yaml`
    ```yaml
    apiVersion: argoproj.io/v1alpha1
    kind: Application
    metadata:
      name: traefik
    spec:
      syncPolicy:
        syncOptions:
          - CreateNamespace=true
      project: default
      source:
        repoURL: https://traefik.github.io/charts
        chart: traefik
        targetRevision: 37.1.1
        helm:
          releaseName: traefik
          valuesObject:
            image:
              registry: m.daocloud.io/docker.io
            ingressClass:
              enabled: true
              isDefaultClass: true
              name: traefik
            providers:
              kubernetesCRD:
                enabled: true
                allowCrossNamespace: false
                allowExternalNameServices: false
                allowEmptyServices: true
              kubernetesIngress:
                enabled: true
                allowExternalNameServices: false
                allowEmptyServices: true
                publishedService:
                  enabled: true
            ports:
              web:
                port: 8000
                targetPort: web
                protocol: TCP
                nodePort: 32080
              websecure:
                port: 8443
                targetPort: websecure
                protocol: TCP
                nodePort: 32443
            service:
              enabled: true
              type: LoadBalancer
            # persistent volume mounted at /data, which holds acme.json
            persistence:
              enabled: true
              storageClass: "local-path"
              size: 1Gi
            # DNS API credentials are read from the secret created earlier
            env:
              - name: ALICLOUD_ACCESS_KEY
                valueFrom:
                  secretKeyRef:
                    name: traefik-aliyun-dns-credentials
                    key: access-key
              - name: ALICLOUD_SECRET_KEY
                valueFrom:
                  secretKeyRef:
                    name: traefik-aliyun-dns-credentials
                    key: secret-key
              - name: ALICLOUD_REGION_ID
                value: "cn-hangzhou"
            certificatesResolvers:
              letsencrypt:
                acme:
                  email: ben.wangz@foxmail.com
                  storage: /data/acme.json
                  dnsChallenge:
                    provider: alidns
                    delayBeforeCheck: 30
                    resolvers:
                      - "223.5.5.5:53"
                      - "223.6.6.6:53"
            ingressRoute:
              dashboard:
                # no middlewares are configured on this route, so the
                # dashboard has no authentication in front of it
                enabled: true
                matchRule: Host(`dashboard.traefik.dev.geekcity.tech`)
                services:
                  - name: api@internal
                    kind: TraefikService
                entryPoints:
                  - websecure
                tls:
                  certResolver: letsencrypt
                  domains:
                    - main: dashboard.traefik.dev.geekcity.tech
      destination:
        server: https://kubernetes.default.svc
        namespace: traefik
    ```
    - NOTES
      - `service.type=LoadBalancer`: make sure the cluster has a load balancer controller
      - if `service.type=NodePort`, make sure the nodes of the cluster have an `ExternalIP`, because the ExternalIP addresses of the nodes in the cluster will be propagated to the ingress status.
      - reference: traefik-docs-ingress-endpoint-publishd-service
  - apply to k8s
    ```shell
    kubectl -n argocd apply -f traefik.app.yaml
    ```
  - sync the application
    ```shell
    argocd app sync argocd/traefik \
      && argocd app wait argocd/traefik
    ```
check traefik dashboard
```shell
curl -L https://dashboard.traefik.dev.geekcity.tech
```
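
A least-privilege check for the `traefik-dns` RAM policy from the installation steps, as an added example that is not part of the original page: it flags any Allow grant where a write action reaches beyond the expected DNS zone or where an action uses a wildcard. The function name `audit_policy` and the read-only verb prefixes (`Describe`, `List`, `Get`) are assumptions made for this example.

```python
import json

# The traefik-dns policy shown on this page, embedded so the check runs offline.
PAGE_POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Effect": "Allow",
   "Action": ["alidns:AddDomainRecord", "alidns:DeleteDomainRecord"],
   "Resource": "acs:alidns:*:*:domain/geekcity.tech"},
  {"Effect": "Allow",
   "Action": ["alidns:DescribeDomains", "alidns:DescribeDomainRecords"],
   "Resource": "acs:alidns:*:*:domain/*"}
]}
""")

# Assumption: alidns actions starting with these verbs only read data.
READ_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """Action and Resource may each be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy, allowed_write_resources):
    """Return (statement_index, action, reason) for every Allow grant broader
    than "write only to the listed zones, read anywhere"."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            name = action.partition(":")[2]
            if "*" in action:
                findings.append((idx, action, "wildcard action"))
            elif not name.startswith(READ_PREFIXES):
                for res in _as_list(stmt.get("Resource")):
                    if res not in allowed_write_resources:
                        findings.append((idx, action, "write allowed on " + res))
    return findings


if __name__ == "__main__":
    zone = "acs:alidns:*:*:domain/geekcity.tech"
    for finding in audit_policy(PAGE_POLICY, {zone}):
        print(finding)
    print("page policy findings:", len(audit_policy(PAGE_POLICY, {zone})))
```

Running the same function over an exported copy of the live policy before rotating the access key shows whether the key can write to any zone other than the one Traefik issues certificates for.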