k8s使用traefik暴露http服务和tcp服务

traefik官网：Traefik Proxy Documentation - Traefik

1、下载chart包

helm repo add traefik https://helm.traefik.io/traefik

helm repo update

helm pull traefik/traefik

2、下载镜像

docker pull docker.io/library/traefik:2.8

3、修改values.yaml

3.1、几个重要的端口配置

将traefik、web、websecure、metrics下的expose都改为true。

ports:
  traefik:
    port: 9000
    expose: false
    # The exposed port for this service
    exposedPort: 9000
    # The port protocol (TCP/UDP)
    protocol: TCP
  web:
    port: 8000
    # hostPort: 8000
    expose: true
    exposedPort: 80
    # The port protocol (TCP/UDP)
    protocol: TCP
  websecure:
    port: 8443
    # hostPort: 8443
    expose: true
    exposedPort: 443
    # The port protocol (TCP/UDP)
    protocol: TCP
    tls:
      enabled: false
      # this is the name of a TLSOption definition
      options: ""
      certResolver: ""
      domains: []
      # - main: example.com
      #   sans:
      #     - foo.example.com
      #     - bar.example.com
  metrics:
    port: 9100
    # hostPort: 9100
    expose: false
    # The exposed port for this service
    exposedPort: 9100
    # The port protocol (TCP/UDP)
    protocol: TCP
 
tlsOptions: {}

3.2、service配置：

配置使用何种方式将traefik的相关服务暴露出去，使得在集群外可以访问，我这里使用NodePort暴露。

# Options for the main traefik service, where the entrypoints traffic comes
# from.
service:
  enabled: true
  type: NodePort
  # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config)
  annotations: {}
  # Additional annotations for TCP service only
  annotationsTCP: {}
  # Additional annotations for UDP service only
  annotationsUDP: {}
  # Additional service labels (e.g. for filtering Service by custom labels)
  labels: {}
  # Additional entries here will be added to the service spec.
  # Cannot contain type, selector or ports entries.
  spec: {}
    # externalTrafficPolicy: Cluster
    # loadBalancerIP: "1.2.3.4"
    # clusterIP: "2.3.4.5"
  loadBalancerSourceRanges: []
    # - 192.168.0.1/32
    # - 172.16.0.0/16
  externalIPs: []

3.3、使用hostNetwork

必须将hostNetwork的值设为true。

hostNetwork: true

3.4、配置traefik ingressClass

我这里将ingressClass设为mytraefik（建议将ingressClass的值设为和部署实例名称一样）。

providers:
  kubernetesIngress:
    enabled: true
    allowExternalNameServices: false
    allowEmptyServices: false
    ingressClass: mytraefik

3.5、 添加自定义端口

在traefik中，暴露TCP服务需要在部署traefik时定义好需要使用的端口，不同于nginx-ingress可以动态修改TCP端口，traefik不支持动态增加TCP端口。

这里，我配置了两个端口：32000和32001，这两个端口的别名分别为myport32000和myport32001如果需要使用traefik暴露TCP服务，我就可以使用这两个端口。

additionalArguments:
  - --entrypoints.myport32000.Address=:32000
  - --entrypoints.myport32001.Address=:32001

3.6、允许使用80端口

ecurityContext:
  capabilities:
    drop: [ALL]
    add: [NET_BIND_SERVICE]		# 开放绑定端口
  readOnlyRootFilesystem: true
  runAsGroup: 0
  runAsNonRoot: false
  runAsUser: 

4、部署traefik

改好参数后，就可以直接部署traefik了。

helm install mytraefik .

5、访问traefik

部署完成后，查看创建的service

使用浏览器访问traefik的dashboard(9000端口对应的服务就是dashboard)

# 千万注意，这个地址不能错。必须是 服务器ip:NodePort端口/dashboard/#/
http://10.10.101.140:30332/dashboard/#/

6、使用traefik暴露http服务

6.1：创建ingress

traefik暴露HTTP服务和nginx ingress的方式是一样的，就是创建一个Ingress资源，在annotations中指定tkubernetes.io/ingress.class为mytraefik（在步骤3.4中配置的）。

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: mytraefik
  name: es-log-elasticsearch-http-ehcth3
  namespace: zeus-test
spec:
  rules:
  - host: hces.hclyl.com
    http:
      paths:
      - backend:
          serviceName: es-log-kibana
          servicePort: 5200
        path: /

6、使用traefik暴露tcp服务

6.1 创建ingressroutetcp

match的值都默认为: HostSNI('*')

entryPoints: entryPoints的值即为步骤3.5中配置的端口别名，我这里使用myport32000。

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mysql
  namespace: zeus-test
spec:
  entryPoints:
    - myport32000
  routes:
  - match: HostSNI(`*`)
    services:
    - name: test-mysql
      port: 3306

创建完ingressroutetcp cr后，就可以使用32000端口访问mysql服务了。