Deploying an NLB-fronted Traefik gateway on EKS for production

Deploy Traefik with Helm, expose it through an NLB-type load balancer, and enable the Gateway API. Prerequisites: the aws-load-balancer-controller must already be running in the cluster (it acts on the Service annotations below), and the Gateway API CRDs must be installed, since the Traefik chart does not ship them.

Helm installation commands

```shell
# Add the Traefik Helm repository
helm repo add traefik https://traefik.github.io/charts
# Install
helm install -f values.yaml traefik traefik/traefik -n traefik --create-namespace
# Upgrade (installs the release if it does not exist yet)
helm upgrade --install -f values.yaml traefik traefik/traefik -n traefik
# Uninstall
helm uninstall traefik -n traefik
```

values.yaml file

```yaml
image:
  registry: docker.io
  repository: traefik
  tag: v3.5.0
  pullPolicy: IfNotPresent

deployment:
  enabled: true
  # -- Deployment or DaemonSet
  kind: Deployment
  # -- Number of pods of the deployment (only applies when kind == Deployment)
  replicas: 2

service:
  # The Service type belongs here, not under deployment:. LoadBalancer is what makes
  # the aws-load-balancer-controller provision the NLB.
  type: LoadBalancer
  annotations:
    # Expose the service through an NLB; aws-load-balancer-controller must already be deployed in the cluster
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    # Enable PROXY protocol v2 on the NLB so the backend can learn the real client IP.
    # With ip target type and TCP listeners the NLB does not preserve the client IP by
    # default, so without this Traefik only ever sees the NLB's private addresses.
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"

ports:
  web:
    port: 8000
    expose:
      default: true
    exposedPort: 80
    protocol: TCP
    # Accept the PROXY protocol only from trusted source ranges. The NLB connects to the
    # pods from private addresses inside the VPC, so the VPC CIDR goes here. Do not widen
    # this to 0.0.0.0/0 or set proxyProtocol.insecure: true, because any trusted peer can
    # present an arbitrary client address.
    proxyProtocol:
      trustedIPs:
        - "10.1.0.0/16"
  websecure:
    port: 8443
    expose:
      default: true
    exposedPort: 443
    protocol: TCP
    # Same trust range as the web entrypoint (the VPC CIDR)
    proxyProtocol:
      trustedIPs:
        - "10.1.0.0/16"

# Enable the Gateway API provider and disable the Ingress provider.
# The Gateway API CRDs are not part of the chart and must be installed beforehand.
providers:
  kubernetesGateway:
    enabled: true
  kubernetesIngress:
    enabled: false

logs:
  general:
    level: INFO
  access:
    enabled: true
    fields:
      headers:
        # Drop request headers from the access log by default. With `keep` here,
        # Authorization and Cookie values would be written to the log; only the
        # two headers named below are recorded.
        defaultmode: drop
        names:
          X-Forwarded-For: keep
          X-Real-Ip: keep
```
Verifying the result

Create a Secret holding the certificate

```shell
kubectl create secret tls example.com \
  --cert=/cert/example.com.pem \
  --key=/cert/example.com.key \
  -n default
```

Create the Gateway resource

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: default-gateway
  namespace: default
spec:
  gatewayClassName: traefik

  listeners:
    # Listener ports must match the Traefik entrypoint ports (8000/8443),
    # not the ports exposed on the NLB (80/443)
    - name: web
      protocol: HTTP
      port: 8000
      allowedRoutes:
        namespaces:
          # All lets routes from any namespace attach to this public listener;
          # in production restrict it with Same or a Selector
          from: All

    - name: websecure
      protocol: HTTPS
      port: 8443
      tls:
        # TLS is terminated at Traefik with the Secret created above
        mode: Terminate
        certificateRefs:
          - name: example.com
            namespace: default
      allowedRoutes:
        namespaces:
          from: All
```

Create the HTTPRoute resources

```yaml
# Plain HTTP on the web listener: redirect everything to HTTPS
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: test-nginx-http
  namespace: default
spec:
  parentRefs:
    - name: default-gateway
      sectionName: web
      kind: Gateway
  hostnames:
    - demo.example.com
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            # With no port set, a redirect to https uses port 443, which is the port exposed on the NLB
            scheme: https
---
# HTTPS on the websecure listener: forward to the test service
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: test-nginx-https
  namespace: default
spec:
  parentRefs:
    - name: default-gateway
      sectionName: websecure
      kind: Gateway
  hostnames:
    - demo.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        # The nginx test service must be created beforehand
        - name: nginx-service
          # The HTTPRoute and its backend Service must be in the same namespace;
          # otherwise a ReferenceGrant in the backend's namespace must authorize the reference
          namespace: default
          port: 80
```
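Once traffic is flowing, the access log is where to confirm that the PROXY protocol actually delivered the client address end to end. The script below is an added example, not from the original post: it reads Traefik access-log records and flags every request on the public entrypoints whose ClientHost lies inside the VPC CIDR, because on an internet-facing NLB that most likely means Traefik recorded the NLB's own private address, i.e. the PROXY header was not applied (annotation missing, or trustedIPs not covering the subnet the NLB connects from). It assumes `logs.access.format: json` is set in values.yaml (the configuration above uses Traefik's default CLF format) and embeds constructed sample lines; against a live cluster, pipe in `kubectl logs -n traefik deploy/traefik`.

```python
"""Audit Traefik JSON access logs for requests where the PROXY protocol did not
deliver the real client IP. Added example for this post, not Traefik's code.
Assumes logs.access.format: json; the sample lines below are constructed."""
import ipaddress
import json
import sys

VPC_CIDR = ipaddress.ip_network("10.1.0.0/16")   # same range as proxyProtocol.trustedIPs (assumed)
PUBLIC_ENTRYPOINTS = ("web", "websecure")        # entrypoints served by the NLB

# Constructed sample: one healthy record, one where Traefik saw the NLB's private
# address, one ping record on the internal entrypoint, one non-access log line.
SAMPLE_LOG = """\
{"ClientAddr":"203.0.113.10:51234","ClientHost":"203.0.113.10","RequestHost":"demo.example.com","RequestMethod":"GET","RequestPath":"/","DownstreamStatus":200,"entryPointName":"websecure","request_X-Forwarded-For":"","msg":""}
{"ClientAddr":"10.1.20.5:38122","ClientHost":"10.1.20.5","RequestHost":"demo.example.com","RequestMethod":"GET","RequestPath":"/login","DownstreamStatus":302,"entryPointName":"web","msg":""}
{"ClientAddr":"127.0.0.1:40010","ClientHost":"127.0.0.1","RequestHost":"localhost:8080","RequestMethod":"GET","RequestPath":"/ping","DownstreamStatus":200,"entryPointName":"traefik","msg":""}
{"level":"info","msg":"Configuration loaded from flags."}
"""


def audit_client_ips(lines, vpc_cidr=VPC_CIDR, entrypoints=PUBLIC_ENTRYPOINTS):
    """Return (number of records with an external client IP, list of findings).
    A finding is an access record on a public entrypoint whose ClientHost is inside
    the VPC CIDR, which points at the PROXY header not being applied to that connection."""
    ok, findings = 0, []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue                                   # not a JSON line
        host = rec.get("ClientHost")
        if not host or rec.get("entryPointName") not in entrypoints:
            continue                                   # not an access record on a public entrypoint
        try:
            client = ipaddress.ip_address(host)
        except ValueError:
            continue
        if client in vpc_cidr:
            findings.append({
                "ClientHost": host,
                "entryPointName": rec["entryPointName"],
                "RequestHost": rec.get("RequestHost"),
                "RequestPath": rec.get("RequestPath"),
                "reason": "client address inside the VPC CIDR; PROXY header probably not applied",
            })
        else:
            ok += 1
    return ok, findings


def report(lines):
    """Print a summary and return the process exit code (1 if anything was flagged)."""
    ok, findings = audit_client_ips(lines)
    print(f"{ok} request(s) with a real client address, {len(findings)} flagged")
    for f in findings:
        print(f"  {f['entryPointName']}: {f['ClientHost']} -> "
              f"{f['RequestHost']}{f['RequestPath']}: {f['reason']}")
    return 1 if findings else 0


if __name__ == "__main__":
    # Read from a pipe when one is attached, otherwise run over the constructed sample
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    sys.exit(report(source))
```

A non-zero exit makes the check usable from a smoke test after each `helm upgrade`; a flagged record right after a rollout usually means the annotation was lost from the Service or the NLB's subnets fall outside the configured trustedIPs.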