traefik 2.0 dynamic configuration

Hands-on

        In the earlier traefik deployment post I set up the dynamic installation of traefik 2.0 and dynamic configuration loading. This time the configuration is tested against practical scenarios, covering mainly these features: canary release, traffic mirroring, SSL certificate loading, TCP configuration and middleware. A YAML configuration is available for reference; here the configuration files are written and loaded in TOML format.

Canary release

        For canary release, see the last part of the traefik 2.0 deployment and dynamic configuration loading post. It can also be written as below, with the same effect.

# cat >canary.toml <<'EOF'   # quote the delimiter: an unquoted heredoc lets the shell expand the backticks in Host(`...`)
[http]
[http.routers]
[http.routers.Router-canary]
# namespace = "default"   # not a file-provider router option (namespaces belong to the Kubernetes CRD provider)
entryPoints = ["web"]
service = "nginx-canary"
rule = "Host(`wrr.xxlaila.cn`)"

[http.services]
[http.services.nginx-canary]
[http.services.nginx-canary.weighted]
# each name must be an http.services entry defined somewhere in the loaded configuration (here the appv1/appv2 loadBalancer services)
[[http.services.nginx-canary.weighted.services]]
name = "appv1"
weight = 3
[[http.services.nginx-canary.weighted.services]]
name = "appv2"
weight = 2
EOF

        Here `name` refers to the name of the service. Open the host in a browser to test, then watch the logs.
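To see what the weights 3 and 2 actually produce before looking at logs, here is an added example (not code from the original post or from Traefik) that reproduces the earliest-deadline weighted round-robin Traefik's weighted service uses to pick the next backend: each backend carries a deadline that advances by 1/weight every time it is picked, and the smallest deadline is served next. It assumes nothing beyond the two backend names and weights from canary.toml.

```python
import heapq
from collections import Counter
from typing import Dict, List, Tuple

# Weights copied from canary.toml: appv1 should get 3 of every 5 requests, appv2 the other 2.
WEIGHTS = {"appv1": 3, "appv2": 2}


class WeightedRoundRobin:
    """Deadline-based weighted round-robin: the backend with the earliest
    deadline is served next and its deadline then advances by 1/weight, so a
    heavier backend comes up more often while every backend still gets turns."""

    def __init__(self, weights: Dict[str, int]) -> None:
        if not weights or any(w <= 0 for w in weights.values()):
            raise ValueError("every backend needs a positive weight")
        self._weights = dict(weights)
        # heap entries: (deadline, insertion sequence to break ties deterministically, name)
        self._heap: List[Tuple[float, int, str]] = []
        for order, name in enumerate(weights):
            heapq.heappush(self._heap, (0.0, order, name))
        self._seq = len(weights)

    def next_backend(self) -> str:
        deadline, _, name = heapq.heappop(self._heap)
        heapq.heappush(self._heap, (deadline + 1.0 / self._weights[name], self._seq, name))
        self._seq += 1
        return name


def simulate(weights: Dict[str, int], requests: int) -> Counter:
    """Route `requests` synthetic requests and count how many each backend received."""
    wrr = WeightedRoundRobin(weights)
    return Counter(wrr.next_backend() for _ in range(requests))


def share(weights: Dict[str, int], requests: int) -> Dict[str, float]:
    """Observed fraction of traffic per backend, to compare against weight/total."""
    counts = simulate(weights, requests)
    return {name: counts[name] / requests for name in weights}


if __name__ == "__main__":
    for n in (5, 100):
        print(n, "requests:", dict(simulate(WEIGHTS, n)))
```

With these weights the split is exact over every 5 consecutive requests, so a short `curl` loop against wrr.xxlaila.cn should show the same 3:2 pattern in the access log; a skewed result usually means a backend is failing health checks rather than a weight problem.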

Traffic mirroring

        For traffic mirroring the YAML format is for reference; create a new file, mirr.toml, in the conf directory on the node.

  • mirr.toml
# cat > mirr.toml <<'EOF'   # quote the delimiter so the backticks in Host(`...`) survive the heredoc
[http]
[http.routers]
[http.routers.Router-nginx]
# namespace = "default"   # not a file-provider router option
entryPoints = ["web"]
service = "nginx-mirr"
rule = "Host(`mirror.xxlaila.cn`)"

[http.services]
[http.services.nginx-mirr]
[http.services.nginx-mirr.mirroring]
# the primary service answers the client; mirrors only receive copies of the request and their responses are discarded
service = "app"   # must be defined as an http.services entry elsewhere in the loaded configuration
[[http.services.nginx-mirr.mirroring.mirrors]]
name = "appv1-nginx"
# no percent given here; set it explicitly rather than relying on the default

[[http.services.nginx-mirr.mirroring.mirrors]]
name = "appv2-nginx"
percent = 50

[http.services.appv1-nginx]
[http.services.appv1-nginx.loadBalancer]
[[http.services.appv1-nginx.loadBalancer.servers]]
url = "http://appv1/"

[http.services.appv2-nginx]
[http.services.appv2-nginx.loadBalancer]
[[http.services.appv2-nginx.loadBalancer.servers]]
url = "http://appv2/"
EOF

        url = "http://appv1/" and url = "http://appv2/" can also be written with the full in-cluster name, http://appv1.default.svc.cluster.local:80/. After saving, the services show up in the traefik dashboard; open the domain in a browser to test. Keep in mind that a mirror receives a full copy of each request, including any body and credentials, so it must be trusted as much as the primary service.
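A fragment that references a service or middleware defined nowhere is silently unusable: Traefik logs the error and the router never appears in the dashboard, which is easy to miss when configuration is split across several files as on this page. The added example below (not code from the original post or from Traefik) merges TOML fragments the way the file provider merges a directory and checks every reference: router to service, weighted to its member services, mirroring to its primary and mirrors, router to middlewares. It is fed the canary and mirroring fragments from this page, embedded as constructed strings, and assumes Python 3.11's tomllib (or the tomli backport) is available.

```python
from typing import Dict, List

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# The two fragments from this page, embedded as constructed input. Backticks are
# harmless inside a Python string; in the shell heredoc they need <<'EOF'.
CANARY_TOML = """
[http.routers.Router-canary]
entryPoints = ["web"]
service = "nginx-canary"
rule = "Host(`wrr.xxlaila.cn`)"

[http.services.nginx-canary.weighted]
[[http.services.nginx-canary.weighted.services]]
name = "appv1"
weight = 3
[[http.services.nginx-canary.weighted.services]]
name = "appv2"
weight = 2
"""

MIRROR_TOML = """
[http.routers.Router-nginx]
entryPoints = ["web"]
service = "nginx-mirr"
rule = "Host(`mirror.xxlaila.cn`)"

[http.services.nginx-mirr.mirroring]
service = "app"
[[http.services.nginx-mirr.mirroring.mirrors]]
name = "appv1-nginx"
[[http.services.nginx-mirr.mirroring.mirrors]]
name = "appv2-nginx"
percent = 50

[http.services.appv1-nginx.loadBalancer]
[[http.services.appv1-nginx.loadBalancer.servers]]
url = "http://appv1/"
[http.services.appv2-nginx.loadBalancer]
[[http.services.appv2-nginx.loadBalancer.servers]]
url = "http://appv2/"
"""


def merge(fragments: List[str]) -> Dict[str, Dict]:
    """Parse each TOML fragment and merge the http.routers/services/middlewares
    maps, as the file provider does for a watched directory of files."""
    merged: Dict[str, Dict] = {"routers": {}, "services": {}, "middlewares": {}}
    for text in fragments:
        http = tomllib.loads(text).get("http", {})
        for kind in merged:
            merged[kind].update(http.get(kind, {}))
    return merged


def dangling_references(fragments: List[str]) -> List[str]:
    """Human-readable problems: every reference to a name that no fragment
    defines, plus mirrors with no explicit percent. Empty list means the
    configuration resolves."""
    cfg = merge(fragments)
    services, middlewares = cfg["services"], cfg["middlewares"]
    problems: List[str] = []

    def need_service(owner: str, name: str) -> None:
        # A name with an @provider suffix is resolved by Traefik across providers; not checked here.
        if "@" not in name and name not in services:
            problems.append(f"{owner} references undefined service {name!r}")

    for rname, router in cfg["routers"].items():
        need_service(f"router {rname}", router.get("service", ""))
        for mw in router.get("middlewares", []):
            if "@" not in mw and mw not in middlewares:
                problems.append(f"router {rname} references undefined middleware {mw!r}")

    for sname, svc in services.items():
        for member in svc.get("weighted", {}).get("services", []):
            need_service(f"weighted service {sname}", member["name"])
        mirroring = svc.get("mirroring")
        if mirroring:
            need_service(f"mirroring service {sname}", mirroring["service"])
            for mirror in mirroring.get("mirrors", []):
                need_service(f"mirroring service {sname}", mirror["name"])
                if "percent" not in mirror:
                    problems.append(f"mirror {mirror['name']!r} in {sname} has no explicit percent")
    return problems


if __name__ == "__main__":
    for line in dangling_references([CANARY_TOML, MIRROR_TOML]) or ["configuration resolves"]:
        print(line)
```

Run against the two fragments alone it reports that appv1, appv2 and app are not defined in them (they live in the loadBalancer definitions from the earlier post), which is exactly the situation where Traefik would drop the router.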

SSL certificate loading

        Create a new file, ssl.toml, for loading the certificates. Keeping the configuration files separate makes maintenance easier and limits the blast radius of a mistake. Copy the certificates to /opt/traefik/certs on the node.

Single certificate

# cat >ssl.toml <<'EOF'
[tls]

# paths are as seen inside the traefik container; the node's /opt/traefik/certs must be mounted there
[[tls.certificates]]
certFile = "/config/certs/xxlaila.cn.crt"
keyFile = "/config/certs/xxlaila.cn.key"
stores = ["default"]

[tls.stores]
[tls.stores.default]
# served when the client's SNI matches no loaded certificate (or the client sends no SNI)
[tls.stores.default.defaultCertificate]
certFile = "/config/certs/xxlaila.cn.crt"
keyFile = "/config/certs/xxlaila.cn.key"

[tls.options]
# the options named "default" apply to every TLS router that does not select options explicitly
[tls.options.default]
minVersion = "VersionTLS12"
[tls.options.mintls13]
minVersion = "VersionTLS13"
EOF

Multiple certificates

# cat >ssl.toml <<'EOF'
[tls]

# Traefik 2.x only uses the store named "default"; a store with any other name is ignored,
# so a certificate assigned to stores = ["kxldev"] would never be served. Put every certificate
# in the default store and Traefik selects the one whose SAN matches the requested SNI.
[[tls.certificates]]
certFile = "/config/certs/test.xxlaila.cn.crt"
keyFile = "/config/certs/test.xxlaila.cn.key"
stores = ["default"]
[[tls.certificates]]
certFile = "/config/certs/dev.xxlaila.cn.crt"
keyFile = "/config/certs/dev.xxlaila.cn.key"
stores = ["default"]

[tls.stores]
[tls.stores.default]
# served when the SNI matches none of the loaded certificates
[tls.stores.default.defaultCertificate]
certFile = "/config/certs/test.xxlaila.cn.crt"
keyFile = "/config/certs/test.xxlaila.cn.key"

[tls.options]
[tls.options.default]
minVersion = "VersionTLS12"
[tls.options.mintls13]
minVersion = "VersionTLS13"
EOF

        Here I ran into a problem: a certificate I generated myself could not be loaded, while the certificate the company purchased is recognized automatically, and I don't know why.
cipherSuites

TCP configuration

        TCP routing is based on SNI. Some documents I consulted earlier said that SNI in traefik 2.0 required a TLS certificate, but in my trial with 2.1 no certificate was used and a domain name was supported. See the TCP support docs; below are tests proxying a redis service and a mongo database service.

redis service

# cat >redis_tcp.toml <<'EOF'   # unquoted, the shell would try to run `*` and leave HostSNI() empty
[tcp]
[tcp.routers]
[tcp.routers.redis]
# namespace = "kube-ops"   # not a file-provider router option
entryPoints = ["redis"]   # the "redis" entryPoint must be declared in the static configuration
service = "redis"
# redis speaks plaintext, so there is no TLS ClientHello and no SNI to match: only the catch-all rule works
rule = "HostSNI(`*`)"

[tcp.services]
[tcp.services.redis.loadBalancer]
[[tcp.services.redis.loadBalancer.servers]]
address = "redis.kube-ops.svc.cluster.local:6379"
EOF

mongo service

# cat >mongo_tcp.toml <<'EOF'   # quoted delimiter: keeps the backticks in HostSNI(`*`) intact
[tcp]
[tcp.routers]
[tcp.routers.mongo]
# namespace = "default"   # not a file-provider router option
entryPoints = ["mongo"]   # the "mongo" entryPoint must be declared in the static configuration
service = "mongo"
rule = "HostSNI(`*`)"   # plaintext protocol: no SNI available, catch-all is the only matchable rule

[tcp.services]
[tcp.services.mongo.loadBalancer]
[[tcp.services.mongo.loadBalancer.servers]]
address = "mongo.default.svc.cluster.local:27017"
EOF

Test result
        When writing the toml file, however, a domain name cannot be used in HostSNI; only `*` works, because a hostname match needs TLS: the server name is carried in the TLS ClientHello, and plaintext redis and mongo connections never send one. The address parameter can use a full domain name, the default in-cluster DNS name of the Kubernetes Service; even after the service is redeployed the address keeps working, as long as the Service itself is unchanged.
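The server name that `HostSNI` matches, and that the certificate store in the SSL section uses to choose a certificate, exists only in the server_name extension of a TLS ClientHello. The added example below (not code from the original post or from Traefik) builds a minimal ClientHello, extracts the SNI from it, shows that a plaintext redis PING carries none, and then applies the selection rule the store effectively follows: exact SAN match, then a one-label wildcard, otherwise the defaultCertificate. The certificate-to-SAN table is constructed for the example; it serves both the SSL section above and this TCP section.

```python
import os
import struct
from typing import Dict, List, Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed sample input: a minimal ClientHello record with one cipher
    suite and, when server_name is given, an SNI extension."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        name_list = struct.pack("!H", len(name_entry)) + name_entry
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    body = (
        b"\x03\x03" + os.urandom(32) + b"\x00"        # version, random, empty session id
        + struct.pack("!H", 2) + b"\x13\x01"           # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                                  # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Server name from a ClientHello, or None when the bytes are not a TLS
    ClientHello or carry no SNI (what a plaintext redis or mongo client sends)."""
    try:
        if data[0] != TLS_HANDSHAKE or data[5] != CLIENT_HELLO:
            return None
        pos = 9 + 2 + 32                                      # record(5) + hs hdr(4) + version(2) + random(32)
        pos += 1 + data[pos]                                  # session id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]     # cipher suites
        pos += 1 + data[pos]                                  # compression methods
        ext_end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            pos += 4
            if ext_type == EXT_SERVER_NAME and data[pos + 2] == 0:
                name_len = struct.unpack_from("!H", data, pos + 3)[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


# Constructed table: certificate file -> SANs it carries (what Traefik reads from each loaded cert).
CERT_SANS: Dict[str, List[str]] = {
    "test.xxlaila.cn.crt": ["test.xxlaila.cn"],
    "dev.xxlaila.cn.crt": ["dev.xxlaila.cn", "*.dev.xxlaila.cn"],
}
DEFAULT_CERT = "test.xxlaila.cn.crt"  # the store's defaultCertificate


def matches(san: str, server_name: str) -> bool:
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    san, server_name = san.lower(), server_name.lower()
    if san.startswith("*."):
        labels = server_name.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == san[2:]
    return san == server_name


def pick_certificate(client_hello: bytes) -> str:
    """Certificate served for a connection: first certificate with a matching SAN,
    otherwise the default (also used when the client sends no SNI at all)."""
    sni = extract_sni(client_hello)
    if sni:
        for cert, sans in CERT_SANS.items():
            if any(matches(san, sni) for san in sans):
                return cert
    return DEFAULT_CERT


if __name__ == "__main__":
    for sample in (build_client_hello("dev.xxlaila.cn"), build_client_hello(None), b"PING\r\n"):
        print(extract_sni(sample), "->", pick_certificate(sample))
```

Only when the client itself speaks TLS to the entryPoint (for example redis with TLS enabled) does a ClientHello with SNI arrive and a `HostSNI` rule with a real hostname become matchable; Traefik then terminates the TLS session itself unless the TCP router is configured for passthrough.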

http

        Configure the domain ll.xxlaila.cn to proxy to the backend appv2 service, then add an IP whitelist and force a redirect to https. This needs Middlewares; see the middleware section below for the https redirect and the IP whitelist.

# cat >http_nginx.toml <<'EOF'   # quoted delimiter keeps the backticks in Host(`...`) intact
[http]
[http.routers]
[http.routers.app]
# namespace = "default"   # not a file-provider router option
entryPoints = ["web"]
service = "appv2"
rule = "Host(`ll.xxlaila.cn`)"
EOF

        The service parameter can be the service name; referencing the service name directly also works for access. In the servers url entry the in-cluster domain of the appv2 service is used directly.

Redirect to https and whitelist

        Here the forced http-to-https redirect and the whitelist are both written as Middlewares and referenced from the router; see the middleware section below for how to write them, and the ssl section above for the certificate files.

# cat >http_nginx.toml <<'EOF'
[http]
[http.routers]
# A router with a [tls] section handles TLS requests only, so plain HTTP arriving on "web" would
# never reach it and the redirect could never fire. The redirect therefore needs its own non-TLS
# router on "web"; the TLS router stays on "websecure".
[http.routers.Router0001-http]
entryPoints = ["web"]
service = "appv2-zxc"
rule = "Host(`ll.xxlaila.cn`)"
middlewares = ["test-ipwhitelist", "test-redirectscheme"]

[http.routers.Router0001]
# namespace = "default"   # not a file-provider router option
entryPoints = ["websecure"]
service = "appv2-zxc"
rule = "Host(`ll.xxlaila.cn`)"
middlewares = ["test-ipwhitelist"]
priority = 42
[http.routers.Router0001.tls]

[http.services]
[http.services.appv2-zxc]
[http.services.appv2-zxc.loadBalancer]
passHostHeader = true
[[http.services.appv2-zxc.loadBalancer.servers]]
url = "http://appv2.default.svc.cluster.local:80"
EOF

        Since the self-generated certificate could not be recognized and loaded, I used the company certificate, which loads fine. Below are the configuration files for the two environments, containing the IP whitelist, https redirect, page authentication and header loading.

# cat >dev_nginx.toml <<'EOF'
[http]
[http.routers]
# non-TLS router on "web": only job is the https redirect (a router with [tls] never sees plain HTTP)
[http.routers.Router0001-http]
entryPoints = ["web"]
service = "appv2-zxc"
rule = "Host(`ll.dev.xxlaila`)"
middlewares = ["test-ipwhitelist", "test-redirectscheme"]

[http.routers.Router0001]
# namespace = "default"   # not a file-provider router option
entryPoints = ["websecure"]
service = "appv2-zxc"
rule = "Host(`ll.dev.xxlaila`)"
middlewares = ["test-ipwhitelist", "test-auth", "testHeader"]
priority = 42
[http.routers.Router0001.tls]
options = "default"

[http.services]
[http.services.appv2-zxc]
[http.services.appv2-zxc.loadBalancer]
passHostHeader = true
[[http.services.appv2-zxc.loadBalancer.servers]]
url = "http://appv2.default.svc.cluster.local:80"
EOF
# cat >test_nginx.toml <<'EOF'
[http]
[http.routers]
# non-TLS router on "web": only job is the https redirect (a router with [tls] never sees plain HTTP)
[http.routers.Router00010-http]
entryPoints = ["web"]
service = "appv1-zxc"
rule = "Host(`ll.test.xxlaila.cn`)"
middlewares = ["test-ipwhitelist", "test-redirectscheme"]

[http.routers.Router00010]
# namespace = "default"   # not a file-provider router option
entryPoints = ["websecure"]
service = "appv1-zxc"
rule = "Host(`ll.test.xxlaila.cn`)"
middlewares = ["test-ipwhitelist", "test-auth", "testHeader"]
priority = 42
[http.routers.Router00010.tls]
options = "default"

[http.services]
[http.services.appv1-zxc]
[http.services.appv1-zxc.loadBalancer]
passHostHeader = true
[[http.services.appv1-zxc.loadBalancer.servers]]
url = "http://appv1.default.svc.cluster.local:80"
EOF

Middleware

        Middlewares enable and tune features per router. They are components that act on a request before it is actually forwarded to the service, and can even decide not to forward the request at all when its conditions are not met.
Traefik ships with the following:

  • AddPrefix (adds a path prefix to the request)
  • BasicAuth
  • DigestAuth
  • ForwardAuth (delegates authentication to a third-party service)
  • Buffering
  • Chain (defines a reusable set of middlewares)
  • CircuitBreaker (breaker that stops calls from overwhelming a service)
  • Compress
  • Errors (serves custom error pages)
  • Headers (request and response headers)
  • IPWhiteList (source IP whitelist)
  • MaxConn (limits concurrent connections to a service; in 2.x this is the InFlightReq middleware)
  • PassTLSClientCert
  • RateLimit (limits the number of requests to a service in a given period)
  • RedirectRegex
  • RedirectScheme
  • ReplacePath (rewrites the request path before forwarding to the service)
  • ReplacePathRegex
  • Retry
  • StripPrefix
  • StripPrefixRegex
            Middlewares are used here for the frontend IP whitelist, the forced http-to-https redirect, page authentication and headers.
# cat >middlewares.toml <<'EOF'   # the delimiter MUST be quoted here: unquoted, the shell expands $apr1, $H6uskkkW ... and the hashes become "test:/"
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
# 172.20.20.0/20 is not on a /20 boundary; it is parsed as 172.20.16.0/20 (172.20.16.0 - 172.20.31.255), which already contains 172.20.16.22.
# The check uses the TCP peer address: behind a load balancer or NodePort SNAT add ipStrategy (depth) so X-Forwarded-For is used.
sourceRange = ["172.20.20.0/20", "172.21.21.0/20", "172.20.16.22"]

[http.middlewares.test-redirectscheme.redirectScheme]
scheme = "https"
permanent = true

[http.middlewares.test-auth.basicAuth]
# the authenticated user name is passed to the backend in this header; removeHeader strips the Authorization header
headerField = "X-WebAuth-User"
removeHeader = true
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]

[http.middlewares.testHeader.headers]
frameDeny = true
# sslRedirect duplicates the redirectScheme middleware; one of the two is enough
sslRedirect = true
EOF
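Two things about the whitelist above are easy to get wrong: which addresses a sloppy CIDR actually covers, and which address the middleware compares. The added example below (not code from the original post or from Traefik) normalizes the sourceRange the way a CIDR parser does and evaluates requests both as Traefik does by default (TCP peer address) and with ipStrategy.depth, where the n-th address from the right of X-Forwarded-For is used so that entries the client prepends itself are ignored. The sample requests and header values are constructed.

```python
import ipaddress
from typing import Dict, List, Optional

# Ranges copied from middlewares.toml. 172.20.20.0/20 has host bits set; a CIDR parser
# masks them off, so the entry really means 172.20.16.0/20 (172.20.16.0 - 172.20.31.255).
SOURCE_RANGE = ["172.20.20.0/20", "172.21.21.0/20", "172.20.16.22"]


def normalized_whitelist(ranges: List[str] = SOURCE_RANGE) -> List[str]:
    """What the whitelist actually covers once host bits are masked off."""
    return [str(ipaddress.ip_network(r, strict=False)) for r in ranges]


def client_ip(remote_addr: str, headers: Dict[str, str], depth: int = 0) -> Optional[str]:
    """Source address as the middleware sees it: the TCP peer by default, or with
    ipStrategy.depth = n the n-th entry from the right of X-Forwarded-For (the
    n-1 rightmost entries are trusted proxies). Too few entries -> no address."""
    if depth <= 0:
        return remote_addr
    xff = [p.strip() for p in headers.get("X-Forwarded-For", "").split(",") if p.strip()]
    if len(xff) < depth:
        return None
    return xff[-depth]


def allowed(remote_addr: str, headers: Dict[str, str], depth: int = 0,
            ranges: List[str] = SOURCE_RANGE) -> bool:
    """True when the selected source address falls inside any whitelist entry."""
    ip = client_ip(remote_addr, headers, depth)
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # garbage in the header is a deny, not a crash
        return False
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


if __name__ == "__main__":
    print("effective whitelist:", normalized_whitelist())
    print("direct 172.20.31.200:", allowed("172.20.31.200", {}))
    print("via LB, default strategy:", allowed("10.0.0.5", {"X-Forwarded-For": "172.20.20.8"}))
    print("via LB, depth=1:", allowed("10.0.0.5", {"X-Forwarded-For": "172.20.20.8"}, depth=1))
```

The first two prints show the two surprises: 172.20.31.200 is accepted although it is nowhere near 172.20.20.x, and a whitelisted client arriving through a load balancer is rejected until a depth is configured, because the peer address is the balancer's. Set depth to the number of proxies you control in front of Traefik and no more; a larger depth lets a client choose its own "source" address.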