# Traefik Ingress Controller Configuration

## Current Status

K3s installs Traefik as the Ingress controller by default.

- **Namespace**: kube-system
- **Service type**: ClusterIP
- **Ports**: 80 (HTTP), 443 (HTTPS)

## Traefik Configuration Details

View the Traefik deployment configuration:

```bash
kubectl get deployment traefik -n kube-system -o yaml
```

View the Traefik service:

```bash
kubectl get svc traefik -n kube-system
```

## Using Ingress

### Basic HTTP Ingress Example

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  namespace: default
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
```

### HTTPS Ingress Example (with TLS)

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress-tls
  namespace: default
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
  - hosts:
    - example.com
    secretName: example-tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
```

## Creating TLS Certificates

### Using Let's Encrypt (cert-manager)

1. Install cert-manager:

   ```bash
   kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml
   ```

2. Create a ClusterIssuer:

   ```yaml
   apiVersion: cert-manager.io/v1
   kind: ClusterIssuer
   metadata:
     name: letsencrypt-prod
   spec:
     acme:
       server: https://acme-v02.api.letsencrypt.org/directory
       email: your-email@example.com
       privateKeySecretRef:
         name: letsencrypt-prod
       solvers:
       - http01:
           ingress:
             class: traefik
   ```

### Using a Self-Signed Certificate

```bash
# Modern TLS clients match the hostname against the SAN, not the CN.
# -addext requires OpenSSL 1.1.1 or later.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout tls.key -out tls.crt \
  -subj "/CN=example.com/O=example" \
  -addext "subjectAltName=DNS:example.com"

kubectl create secret tls example-tls-secret \
  --key tls.key --cert tls.crt -n default
```

## Traefik Dashboard

Access the Traefik Dashboard:

```bash
kubectl port-forward -n kube-system "$(kubectl get pods -n kube-system -l app.kubernetes.io/name=traefik -o name)" 9000:9000
```

Then open: http://localhost:9000/dashboard/

## Common Annotations

### Redirecting HTTP to HTTPS

```yaml
annotations:
  # The Traefik v1 annotations redirect-entry-point and redirect-permanent are
  # not acted on by Traefik v2+. Attach a redirectScheme Middleware instead;
  # the name redirect-https (namespace default) is an assumed placeholder.
  traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
```

### Setting a Timeout

```yaml
annotations:
  traefik.ingress.kubernetes.io/router.middlewares: default-timeout@kubernetescrd
```

### Enabling CORS

```yaml
annotations:
  # Requires a Middleware named cors in the default namespace.
  traefik.ingress.kubernetes.io/router.middlewares: default-cors@kubernetescrd
```

## Middleware Examples

### Creating the Timeout Middleware

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: timeout   # referenced from annotations as default-timeout@kubernetescrd
  namespace: default
spec:
  # Despite the name, this spec configures forwardAuth: each request is first
  # sent to auth-service for an authentication decision. It sets no timeout.
  forwardAuth:
    address: http://auth-service
    # Trusts X-Forwarded-* headers already present on the request; enable only
    # when every client reaches Traefik through a trusted proxy.
    trustForwardHeader: true
```

## Monitoring and Logs

View the Traefik logs:

```bash
kubectl logs -n kube-system -l app.kubernetes.io/name=traefik -f
```

## Troubleshooting

### Checking Ingress Status

```bash
kubectl get ingress -A
kubectl describe ingress <ingress-name> -n <namespace>
```

### Checking Traefik Configuration

```bash
kubectl get ingressroute -A
kubectl get middleware -A
```

## External Access Configuration

If you need access from outside the cluster, you can:

1. **Use NodePort**:

   ```bash
   kubectl patch svc traefik -n kube-system -p '{"spec":{"type":"NodePort"}}'
   ```

2. **Use LoadBalancer** (requires a cloud environment or MetalLB):

   ```bash
   kubectl patch svc traefik -n kube-system -p '{"spec":{"type":"LoadBalancer"}}'
   ```

3. **Use HostPort** (binds directly to node ports 80/443)

## References

- Traefik official documentation: https://doc.traefik.io/traefik/
- K3s Traefik configuration: https://docs.k3s.io/networking#traefik-ingress-controller
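
## Auditing Ingress Objects (added example)

The following is an added example, not part of the original page: a Python check that compares Ingress objects with the HTTPS pattern shown above (the `websecure` entrypoint, `router.tls: "true"`, and a TLS secret covering each host) and flags Traefik v1 redirect annotations. The policy, the finding names, the `_ing` helper and the sample objects are assumptions constructed for illustration.

```python
import json

PREFIX = "traefik.ingress.kubernetes.io/"
# Traefik v1 annotations; the v2+ Ingress provider does not act on them.
LEGACY_V1 = {PREFIX + "redirect-entry-point", PREFIX + "redirect-permanent"}

def audit_ingress(ing):
    """Return policy findings for one Ingress object (dict from kubectl JSON)."""
    ann = ing["metadata"].get("annotations") or {}
    spec = ing.get("spec") or {}
    findings = [f"legacy-v1-annotation:{k[len(PREFIX):]}"
                for k in sorted(ann.keys() & LEGACY_V1)]
    eps = {e.strip() for e in ann.get(PREFIX + "router.entrypoints", "").split(",") if e.strip()}
    if eps != {"websecure"}:            # assumed policy: HTTPS entrypoint only
        findings.append("not-restricted-to-websecure")
    if ann.get(PREFIX + "router.tls") != "true":
        findings.append("router-tls-not-enabled")
    # Hosts that have a certificate secret listed in spec.tls.
    covered = {h for t in spec.get("tls") or [] if t.get("secretName")
               for h in t.get("hosts") or []}
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if host not in covered:
            findings.append(f"host-without-cert:{host or '*'}")
    return findings

def audit(ingress_list_json):
    """Map 'namespace/name' -> findings for every Ingress that has findings."""
    report = {}
    for ing in json.loads(ingress_list_json)["items"]:
        found = audit_ingress(ing)
        if found:
            meta = ing["metadata"]
            report[f"{meta.get('namespace', 'default')}/{meta['name']}"] = found
    return report

def _ing(name, ann, tls=None):  # hypothetical helper: builds constructed samples
    return {"metadata": {"name": name, "namespace": "default", "annotations": ann},
            "spec": {"tls": tls or [], "rules": [{"host": "example.com"}]}}

# Constructed sample shaped like `kubectl get ingress -A -o json` output.
SAMPLE = json.dumps({"items": [
    _ing("example-ingress", {PREFIX + "router.entrypoints": "web"}),
    _ing("example-ingress-tls",
         {PREFIX + "router.entrypoints": "websecure", PREFIX + "router.tls": "true"},
         [{"hosts": ["example.com"], "secretName": "example-tls-secret"}]),
    _ing("legacy-redirect", {PREFIX + "redirect-entry-point": "https",
                             PREFIX + "redirect-permanent": "true"}),
]})

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(name, found)
```

To run it against a live cluster, pass the output of `kubectl get ingress -A -o json` to `audit()` in place of `SAMPLE`.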