EKS生产环境部署基于NLB的traefik网关

使用helm部署,并以NLB类型的负载均衡器暴露服务,并开启Gateway API

Helm 安装命令

shell 复制代码
# 添加traefik helm仓库
helm repo add traefik https://traefik.github.io/charts
# 安装
helm install -f values.yaml traefik traefik/traefik -n traefik --create-namespace
# 更新
helm upgrade --install -f values.yaml traefik traefik/traefik -n traefik
# 卸载
helm uninstall traefik -n traefik

values.yaml 文件

yaml 复制代码
image:
  registry: docker.io
  repository: traefik
  tag: v3.5.0
  pullPolicy: IfNotPresent

deployment:
  enabled: true
  # -- Deployment or DaemonSet
  kind: Deployment
  type: LoadBalancer
  # -- Number of pods of the deployment (only applies when kind == Deployment)
  replicas: 2

service:
  annotations:
    # 以NLB方式暴露服务,集群中需要提前部署aws-load-balancer-controller
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" # 开启NLB代理协议v2,用于后端服务获取真实ip

ports:
  web:
    port: 8000
    expose:
      default: true
    exposedPort: 80
    protocol: TCP
    # 开启代理协议和信任ip网段(由于负载均衡器在vpc内部,此处填写vpc的网段)
    proxyProtocol:
      trustedIPs:
        - "10.1.0.0/16"
  websecure:
    port: 8443
    expose:
      default: true
    exposedPort: 443
    protocol: TCP
    # 开启代理协议和信任ip网段(由于负载均衡器在vpc内部,此处填写vpc的网段)
    proxyProtocol:
      trustedIPs:
        - "10.1.0.0/16"

# 启用 Gateway API provider,关闭 Ingress
providers:
  kubernetesGateway:
    enabled: true
  kubernetesIngress:
    enabled: false

logs:
  general:
    level: INFO
  access:
    enabled: true
    fields:
      headers:
        defaultmode: keep
        names:
          X-Forwarded-For: keep
          X-Real-Ip: keep

验证效果

创建secret资源保存证书

shell 复制代码
kubectl create secret tls example.com \
--cert=/cert/example.com.pem \
--key=/cert/example.com.key \
-n default

创建Gateway资源

yaml 复制代码
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: default-gateway
  namespace: default
spec:
  gatewayClassName: traefik

  listeners:
    - name: web
      protocol: HTTP
      port: 8000
      allowedRoutes:
        namespaces:
          from: All

    - name: websecure
      protocol: HTTPS
      port: 8443
      tls:
        # https终止
        mode: Terminate
        certificateRefs:
          - name: example.com
            namespace: default
      allowedRoutes:
        namespaces:
          from: All

创建HTTPRoute资源

yaml 复制代码
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: test-nginx-http
  namespace: default
spec:
  parentRefs:
    - name: default-gateway
      sectionName: web
      kind: Gateway
  hostnames:
    - demo.example.com
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: test-nginx-https
  namespace: default
spec:
  parentRefs:
    - name: default-gateway
      sectionName: websecure
      kind: Gateway
  hostnames:
    - demo.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        # nginx测试服务需要提前创建好
        - name: nginx-service
          # HTTPRoute资源和后端服务需要在同一个命名空间,否则需要创建ReferenceGrant资源进行授权
          namespace: default
          port: 80
相关推荐
小心草里有鬼10 分钟前
Linux 数据库 Mysql8 主从复制
linux·运维·数据库·sql·mysql
黄昏恋慕黎明18 分钟前
javaEE初阶 网络编程(socket初识)
运维·服务器·网络
key_Go41 分钟前
06.容器存储
运维·服务器·网络·docker
宁雨桥1 小时前
Nginx反向代理配置全流程实战:从环境搭建到HTTPS部署
运维·nginx·https
花开富贵贼富贵1 小时前
Nginx 配置指南:HTTPS 自签名、Location、Rewrite 与状态统计
运维·nginx·https
StevenLdh1 小时前
Docker容器化部署简要指南
运维·docker·容器
東雪蓮☆1 小时前
ELK 企业级日志分析系统实战教程
linux·运维·elk
RoboWizard2 小时前
传输无界 金士顿双接口U盘上新抽电脑
运维·人工智能·缓存·电脑·金士顿
Teamhelper_AR2 小时前
AR技术:轨道交通运维与安全保障的革新力量
运维·安全·ar
jnpher2 小时前
通过你的自有服务器代理网址
运维·服务器