Deploy Traefik with Helm, expose it through an NLB-type load balancer, and enable the Gateway API
Helm install commands
shell
# Add the Traefik Helm repository and refresh the index
helm repo add traefik https://traefik.github.io/charts
helm repo update
# Install
helm install -f values.yaml traefik traefik/traefik -n traefik --create-namespace
# Upgrade (installs if not yet present)
helm upgrade --install -f values.yaml traefik traefik/traefik -n traefik
# Uninstall
helm uninstall traefik -n traefik
values.yaml file
yaml
image:
  registry: docker.io
  repository: traefik
  tag: v3.5.0
  pullPolicy: IfNotPresent
deployment:
  enabled: true
  # -- Deployment or DaemonSet
  kind: Deployment
  # -- Number of pods of the deployment (only applies when kind == Deployment)
  replicas: 2
service:
  # The LoadBalancer type is a Service setting, not a Deployment setting
  type: LoadBalancer
  annotations:
    # Expose through an NLB; aws-load-balancer-controller must already be deployed in the cluster.
    # `external` is the value the controller documents (`nlb` is the legacy in-tree cloud-provider value)
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    # Enable Proxy Protocol v2 on the NLB so the backend can learn the real client IP
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
ports:
  web:
    port: 8000
    expose:
      default: true
    exposedPort: 80
    protocol: TCP
    # Enable proxy protocol and trust the addresses the NLB connects from. With ip targets the pod
    # sees the NLB's private VPC address as the TCP peer, so the VPC CIDR is trusted here (replace
    # 10.1.0.0/16 with your own VPC). Every host in the trusted range can inject a forged header, so
    # narrow it to the NLB subnets and restrict access to the pod ports with security groups where you can.
    proxyProtocol:
      trustedIPs:
        - "10.1.0.0/16"
  websecure:
    port: 8443
    expose:
      default: true
    exposedPort: 443
    protocol: TCP
    # Same proxy protocol trust as the web entrypoint (the load balancer sits inside the VPC)
    proxyProtocol:
      trustedIPs:
        - "10.1.0.0/16"
# Enable the Gateway API provider and disable the Ingress provider.
# The chart does not install the Gateway API CRDs; apply them before enabling this.
providers:
  kubernetesGateway:
    enabled: true
  kubernetesIngress:
    enabled: false
logs:
  general:
    level: INFO
  access:
    enabled: true
    fields:
      headers:
        defaultmode: keep
        names:
          X-Forwarded-For: keep
          X-Real-Ip: keep
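Why trustedIPs matters, as an added example (this is not part of the original post and not Traefik's code): the script builds a PROXY protocol v2 header the way a proxy-protocol-enabled NLB does, parses it the way a proxy-protocol-aware entrypoint does, and applies the trustedIPs rule the Traefik docs describe (the header is honoured only when the TCP peer is a trusted address; otherwise it is consumed and ignored, so a forged header cannot change the client address). All addresses and the request bytes are constructed: the NLB private address 10.1.23.45 and the internal host 10.1.200.9 are assumed to sit inside the post's 10.1.0.0/16 VPC, and 203.0.113.7 / 192.0.2.9 are documentation-range stand-ins for internet clients.

```python
import ipaddress
import socket
import struct

# 12-byte signature that starts every PROXY protocol v2 header.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


def build_pp2_header(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Encode a v2 header for a proxied TCP/IPv4 connection.

    Layout: signature (12) | version/command (1) | family/protocol (1) |
            address-block length (2, big-endian) | src ip, dst ip, src port, dst port.
    """
    ver_cmd = 0x21      # high nibble 2 = version 2, low nibble 1 = PROXY command
    fam_proto = 0x11    # high nibble 1 = AF_INET, low nibble 1 = STREAM (TCP)
    addr = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!HH", src_port, dst_port))
    return PP2_SIGNATURE + bytes([ver_cmd, fam_proto]) + struct.pack("!H", len(addr)) + addr


def parse_pp2_header(data: bytes):
    """Parse a v2 header from the first bytes of a connection.

    Returns (info, consumed). info is None when no complete, valid header is
    present (consumed is then 0), {"cmd": "LOCAL"} for a LOCAL command (no
    address block to trust), or the original addresses for a PROXY command.
    consumed includes any TLVs that follow the address block.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        return None, 0
    ver_cmd, fam_proto = data[12], data[13]
    addr_len = struct.unpack("!H", data[14:16])[0]
    total = 16 + addr_len
    if ver_cmd >> 4 != 2 or len(data) < total:
        return None, 0
    if ver_cmd & 0x0F == 0x0:
        return {"cmd": "LOCAL"}, total
    if fam_proto != 0x11 or addr_len < 12:
        return None, 0  # only TCP over IPv4 is decoded in this example
    src_ip = socket.inet_ntoa(data[16:20])
    dst_ip = socket.inet_ntoa(data[20:24])
    src_port, dst_port = struct.unpack("!HH", data[24:28])
    return {"cmd": "PROXY", "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port}, total


def effective_client_ip(peer_ip: str, first_bytes: bytes, trusted_cidrs) -> tuple:
    """Apply the entrypoint's trustedIPs rule to one incoming connection.

    peer_ip is the TCP peer the pod actually sees (with an ip-target NLB that is
    the NLB's private VPC address). The PROXY header is honoured only when that
    peer is inside trusted_cidrs; otherwise it is consumed but ignored.
    Returns (client_ip, bytes_consumed); the application payload starts at
    first_bytes[bytes_consumed:].
    """
    peer = ipaddress.ip_address(peer_ip)
    info, consumed = parse_pp2_header(first_bytes)
    if info is None or info["cmd"] != "PROXY":
        return peer_ip, consumed
    if any(peer in ipaddress.ip_network(cidr) for cidr in trusted_cidrs):
        return info["src_ip"], consumed
    return peer_ip, consumed


# Constructed sample data (assumed, not captured traffic). Mirrors the post's VPC CIDR.
VPC_CIDR = ["10.1.0.0/16"]
NLB_IP = "10.1.23.45"        # assumed NLB private address inside the VPC
INSIDE_HOST = "10.1.200.9"   # assumed other host inside the VPC (e.g. a compromised pod)
POD_IP = "10.1.77.8"         # assumed Traefik pod address
REAL_CLIENT = "203.0.113.7"  # documentation-range internet client
REQUEST = b"GET / HTTP/1.1\r\nHost: demo.example.com\r\n\r\n"


def demo() -> dict:
    """Run the same header bytes through the rule from different TCP peers."""
    stream = build_pp2_header(REAL_CLIENT, 51234, POD_IP, 8000) + REQUEST
    results = {}
    # 1. Genuine NLB connection: header honoured, payload starts right after it.
    ip, n = effective_client_ip(NLB_IP, stream, VPC_CIDR)
    results["from_nlb"] = (ip, stream[n:] == REQUEST)
    # 2. Identical bytes sent directly from the internet: forged header is discarded.
    results["from_internet"] = effective_client_ip("192.0.2.9", stream, VPC_CIDR)[0]
    # 3. Identical bytes from another VPC host: with the whole /16 trusted the forgery
    #    is accepted; trusting only the NLB subnet (assumed 10.1.23.0/24) rejects it.
    results["from_vpc_host_wide_trust"] = effective_client_ip(INSIDE_HOST, stream, VPC_CIDR)[0]
    results["from_vpc_host_narrow_trust"] = effective_client_ip(INSIDE_HOST, stream, ["10.1.23.0/24"])[0]
    # 4. No header at all (proxy protocol not enabled on the LB): the peer is the client.
    results["no_header"] = effective_client_ip(NLB_IP, REQUEST, VPC_CIDR)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Case 3 is the one to keep in mind when filling in `trustedIPs`: a /16 says "anyone in the VPC may tell me who the client is", so the real hardening is a trusted range no wider than the subnets the NLB is deployed into, plus security-group rules that let only the NLB reach ports 8000 and 8443 on the pods.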
Verifying the setup
Create a Secret holding the certificate. It is created in the Gateway's namespace (default), because the Gateway's certificateRefs below point at it; a Secret in another namespace would also need a ReferenceGrant.
shell
kubectl create secret tls example.com \
--cert=/cert/example.com.pem \
--key=/cert/example.com.key \
-n default
Create the Gateway resource
yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: default-gateway
  namespace: default
spec:
  gatewayClassName: traefik
  listeners:
    - name: web
      protocol: HTTP
      # Listener ports match Traefik's entrypoint (container) ports, not the NLB's 80/443
      port: 8000
      allowedRoutes:
        namespaces:
          # All lets routes from any namespace attach to this listener and claim hostnames on it;
          # use Same or Selector unless that is intended
          from: All
    - name: websecure
      protocol: HTTPS
      port: 8443
      tls:
        # TLS is terminated by Traefik
        mode: Terminate
        certificateRefs:
          - name: example.com
            # Same namespace as the Gateway; a cross-namespace reference needs a ReferenceGrant
            namespace: default
      allowedRoutes:
        namespaces:
          from: All
Create the HTTPRoute resources: one on the web listener that redirects every request to HTTPS, one on the websecure listener that routes to the test nginx Service
yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: test-nginx-http
  namespace: default
spec:
  parentRefs:
    - name: default-gateway
      sectionName: web
      kind: Gateway
  hostnames:
    - demo.example.com
  rules:
    # No matches means every path; the redirect keeps the host and path and, with no
    # port set, uses the scheme's well-known port (443)
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: test-nginx-https
  namespace: default
spec:
  parentRefs:
    - name: default-gateway
      sectionName: websecure
      kind: Gateway
  hostnames:
    - demo.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        # The nginx test Service must already exist
        - name: nginx-service
          # The HTTPRoute and its backend Service must be in the same namespace,
          # otherwise a ReferenceGrant must grant the cross-namespace reference
          namespace: default
          port: 80