第一次提交

README.md

-# Traefik
+# Traefik Ingress 部署
 
-Traefik 部署
\ No newline at end of file
+此项目用于介绍如何在`Kubernets`环境中部署 Traefik。
+
+
+## 部署架构介绍
+
+![部署架构图](images/arch.png)
+
+`Traefik`使用`DaemonSet`方式部署在K8s集群中，监听`80`端口，`80`端口采用`hostPort`方式与节点网络绑定。`Traefik`作为K8s集群接入外部流量的统一入口。
+
+为方便管理，将`Traefik`部署到专有的节点，通过给节点打上`IngressProxy=true`标签，使用`nodeSelector`将`Traefik Pod`调度到指定节点。如上图，在`Node01`上打有`IngressProxy=true`标签，则`Traefik Pod`只会在`Node01`上启动。生产环境建议部署到两台节点上（给两台节点打标签）。
+
+本架构中使用`CLB`进行反向代理与`SSL`证书的配置，当`https`流量到达`CLB`后，会进行`SSL`证书加密卸载，然后使用`http`请求到`Traefik Pod`，`Traefik Pod`会根据请求主机和路径等信息将请求正确路由到后端服务`Pod`。
+
+## 文件介绍
+
+```
+.
+├── README.md         # 本文档
+├── images            # 图片文件夹
+│   └── arch.png
+├── traefik-config.yaml           # Traefik 配置文件 yaml
+├── traefik-crd-2.5.2.yaml        # Traefik CRD yaml
+├── traefik-dashboard-route.yaml  # Traefik Dashboard 路由配置 yaml
+├── traefik-deploy.yaml           # Traefik DaemonSet 部署 yaml
+└── traefik-rbac.yaml             # Traefik RBAC 配置 yaml
+```
+
+`traefik-dashboard-route.yaml`文件中的`Host`需要修改自己所需域名，可以通过此域名访问到`Traefik`到`Dashboard`方便查看路由信息。
+
+
+## 部署操作
+
+使用如下命令进行部署。
+
+```
+# 给节点打标签
+kubectl label nodes Node01 IngressProxy=true
+
+# 部署 Traefik
+kubectl -n kube-system apply -f traefik-config.yaml -f traefik-crd-2.5.2.yaml -f traefik-dashboard-route.yaml -f traefik-rbac.yaml -f traefik-deploy.yaml 
+```
+
+
+查看部署结果：
+
+```
+$ kubectl -n kube-system get pods -l app=traefik
+NAME                               READY   STATUS    RESTARTS   AGE
+traefik-ingress-controller-mz6jv   1/1     Running   0          1m
+```
+
+## 配置 CLB
+
+以阿里云`CLB`为例，首先创建一个`https`的监听，端口配置为`443`，配置自己所需的证书，后端服务器选择`Node01`，后端服务器端口选择`80`，配置完成类似如下图：
+![https监听](images/clb-https.png)
+
+配置 `http` `80` 端口监听，将其重定向到`https`监听，配置完成如下图：
+![http监听](images/clb-http.png)
+
+
+## 验证
+
+如上步骤完成后，访问`Traefik Dashboard`地址，能够正常查看到路由信息，代表配置完成。
+
+![Traefik Dashboard](images/traefik-dashboard.png)
+
+（完）
\ No newline at end of file

traefik-config.yaml

+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: traefik-config
+  namespace: kube-system
+data:
+  traefik.yaml: |-
+    ping: ""                    ## 启用 Ping
+    serversTransport:
+      insecureSkipVerify: true  ## Traefik 忽略验证代理服务的 TLS 证书
+    api:
+      insecure: true            ## 允许 HTTP 方式访问 API
+      dashboard: true           ## 启用 Dashboard
+      debug: false              ## 启用 Debug 调试模式
+    entryPoints:
+      web:
+        address: ":80"          ## 配置 80 端口，并设置入口名称为 web
+      websecure:
+        address: ":443"         ## 配置 443 端口，并设置入口名称为 websecure
+      metrics:
+        address: ":9000"
+    providers:
+      kubernetesCRD: ""         ## 启用 Kubernetes CRD 方式来配置路由规则
+      kubernetesIngress: ""     ## 启动 Kubernetes Ingress 方式来配置路由规则
+    log:
+      filePath: ""              ## 设置调试日志文件存储路径，如果为空则输出到控制台
+      level: error              ## 设置调试日志级别
+      format: json              ## 设置调试日志格式
+    accessLog:
+      filePath: ""              ## 设置访问日志文件存储路径，如果为空则输出到控制台
+      format: json              ## 设置访问调试日志格式
+      bufferingSize: 0          ## 设置访问日志缓存行数
+      filters:
+        #statusCodes: ["200"]   ## 设置只保留指定状态码范围内的访问日志
+        retryAttempts: true     ## 设置代理访问重试失败时，保留访问日志
+        minDuration: 20         ## 设置保留请求时间超过指定持续时间的访问日志
+      fields:                   ## 设置访问日志中的字段是否保留（keep 保留、drop 不保留）
+        defaultMode: keep       ## 设置默认保留访问日志字段
+        names:                  ## 针对访问日志特别字段特别配置保留模式
+          ClientUsername: drop
+        headers:                ## 设置 Header 中字段是否保留
+          defaultMode: keep     ## 设置默认保留 Header 中字段
+          names:                ## 针对 Header 中特别字段特别配置保留模式
+            User-Agent: redact
+            Authorization: drop
+            Content-Type: keep

traefik-dashboard-route.yaml

+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard-route
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`traefik.example.com`)
+      kind: Rule
+      services:
+        - name: traefik
+          port: 8080

traefik-deploy.yaml

+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik
+  namespace: kube-system
+spec:
+  ports:
+    - name: web
+      port: 80
+    - name: websecure
+      port: 443
+    - name: admin
+      port: 8080 
+  selector:
+    app: traefik
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: traefik-ingress-controller
+  namespace: kube-system
+  labels:
+    app: traefik
+spec:
+  selector:
+    matchLabels:
+      app: traefik
+  template:
+    metadata:
+      name: traefik
+      labels:
+        app: traefik
+    spec:
+      serviceAccountName: traefik-ingress-controller
+      terminationGracePeriodSeconds: 5
+      containers:
+        - image: traefik:v2.8
+          name: traefik-ingress-lb
+          ports:
+            - name: web
+              containerPort: 80
+              hostPort: 80    ## 将容器端口绑定所在服务器的 80 端口
+            - name: websecure
+              containerPort: 443
+              hostPort: 443    ## 将容器端口绑定所在服务器 443 端口
+            - name: admin
+              containerPort: 8080  ## Traefik Dashboard 端口
+          resources:
+            limits:
+              cpu: 2000m
+              memory: 2024Mi
+            requests:
+              cpu: 1000m
+              memory: 2024Mi
+          env:
+             - name: PILOT_LOG_PREFIX
+               value: "pilot,custom"
+             - name: pilot_logs_nginx
+               value: stdout
+             - name: pilot_logs_nginx_format
+               value: json
+             - name: pilot_logs_nginx_target
+               value: "uat-glico-k8s-ingress-traefik-json-log"
+             - name: pilot_logs_nginx_tags
+               value: "stage=prod"
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - NET_BIND_SERVICE
+          args:
+            - --configfile=/config/traefik.yaml
+          volumeMounts:
+            - mountPath: "/config"
+              name: "config"
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: 8080 
+            failureThreshold: 3
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: 8080
+            failureThreshold: 3
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+      volumes:
+        - name: config
+          configMap:
+            name: traefik-config
+      nodeSelector:             ## 设置node筛选器，在特定label的节点上启动
+        IngressProxy: "true"

traefik-rbac.yaml

+## ServiceAccount
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: kube-system
+  name: traefik-ingress-controller
+---
+## ClusterRole
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: traefik-ingress-controller
+rules:
+  - apiGroups: [""]
+    resources: ["services","endpoints","secrets"]
+    verbs: ["get","list","watch"]
+  - apiGroups: ["extensions"]
+    resources: ["ingresses"]
+    verbs: ["get","list","watch"]
+  - apiGroups: ["extensions"]
+    resources: ["ingresses/status"]
+    verbs: ["update"]
+  - apiGroups: ["traefik.containo.us"]
+    resources: ["middlewares","ingressroutes","ingressroutetcps","tlsoptions","ingressrouteudps","traefikservices","tlsstores","serverstransports","middlewaretcps","servertransporsport"]
+    verbs: ["get","list","watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses","ingressclasses"]
+    verbs: ["get","list","watch"]
+---
+## ClusterRoleBinding
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: traefik-ingress-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik-ingress-controller
+subjects:
+  - kind: ServiceAccount
+    name: traefik-ingress-controller
+    namespace: kube-system