k3s/009-基础设施/005-ingress/readme.md
2026-02-05 00:11:05 +08:00
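# Traefik Ingress Controller Configuration
## Current State
K3s installs Traefik as the Ingress controller by default.
- **Namespace**: kube-system
- **Service type**: ClusterIP
- **Ports**: 80 (HTTP), 443 (HTTPS)
## Traefik Configuration Details
View the Traefik configuration: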
```bash
kubectl get deployment traefik -n kube-system -o yaml
```
View the Traefik service:
```bash
kubectl get svc traefik -n kube-system
```
## Using Ingress
### Basic HTTP Ingress Example
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  namespace: default
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-service
                port:
                  number: 80
```
### HTTPS Ingress Example (with TLS)
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress-tls
  namespace: default
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls-secret
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-service
                port:
                  number: 80
```
## Creating TLS Certificates
### Using Let's Encrypt (cert-manager)
1. Install cert-manager
```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml
```
2. Create a ClusterIssuer
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your-email@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: traefik
```
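### Using a Self-Signed Certificate
```bash
# Generate a self-signed certificate and unencrypted private key (valid 365 days)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout tls.key -out tls.crt \
  -subj "/CN=example.com/O=example"
# Store the key pair as the TLS secret referenced by the Ingress
kubectl create secret tls example-tls-secret \
  --key tls.key --cert tls.crt -n default
```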
## Traefik Dashboard
Access the Traefik Dashboard:
```bash
kubectl port-forward -n kube-system $(kubectl get pods -n kube-system -l app.kubernetes.io/name=traefik -o name) 9000:9000
```
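Then open: http://localhost:9000/dashboard/
## Common Annotations
### Redirect HTTP to HTTPS
```yaml
# Traefik v1 annotations; Traefik v2 and later do not read them
# (there the redirect is done with a redirectScheme middleware).
annotations:
  traefik.ingress.kubernetes.io/redirect-entry-point: https
  traefik.ingress.kubernetes.io/redirect-permanent: "true"
```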
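In Traefik v2 and later, the HTTP-to-HTTPS redirect is expressed as a `redirectScheme` middleware attached to the plain-HTTP router for the host. The manifest below is an added example, not part of the original README; the names `redirect-https` and `example-ingress-http` are assumptions, and the API group follows the Middleware example on this page.

```yaml
# Added example: names redirect-https and example-ingress-http are assumptions.
apiVersion: traefik.containo.us/v1alpha1   # same API group as this page's Middleware
kind: Middleware
metadata:
  name: redirect-https
  namespace: default
spec:
  redirectScheme:
    scheme: https
    permanent: true          # permanent rather than temporary redirect
---
# Router on the plain-HTTP entrypoint for the same host as the TLS Ingress.
# Every request it matches is answered with the redirect; the backend is
# listed only because an Ingress rule requires one.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress-http
  namespace: default
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
    # Reference format: <namespace>-<middleware name>@kubernetescrd
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-service
                port:
                  number: 80
```

Keep the `websecure` Ingress from the HTTPS example in place for the same host; it serves the traffic after the redirect.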
### Set a Timeout
```yaml
annotations:
  traefik.ingress.kubernetes.io/router.middlewares: default-timeout@kubernetescrd
```
### Enable CORS
```yaml
annotations:
  traefik.ingress.kubernetes.io/router.middlewares: default-cors@kubernetescrd
```
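## Middleware Examples
### Create the Timeout Middleware
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: timeout
  namespace: default
spec:
  # Note: forwardAuth delegates each request to an external auth service;
  # it does not set a timeout, despite the middleware's name.
  forwardAuth:
    address: http://auth-service
    # Trusts X-Forwarded-* headers already on the request; enable only
    # when every client-facing hop in front of Traefik is a trusted proxy.
    trustForwardHeader: true
```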
## Monitoring and Logs
View the Traefik logs:
```bash
kubectl logs -n kube-system -l app.kubernetes.io/name=traefik -f
```
## Troubleshooting
### Check Ingress Status
```bash
kubectl get ingress -A
kubectl describe ingress <ingress-name> -n <namespace>
```
### Check the Traefik Configuration
```bash
kubectl get ingressroute -A
kubectl get middleware -A
```
## External Access Configuration
If access from outside the cluster is needed, the options are:
1. **Use NodePort**
```bash
kubectl patch svc traefik -n kube-system -p '{"spec":{"type":"NodePort"}}'
```
2. **Use LoadBalancer** (requires a cloud environment or MetalLB)
```bash
kubectl patch svc traefik -n kube-system -p '{"spec":{"type":"LoadBalancer"}}'
```
3. **Use HostPort** (bind directly to ports 80/443 on the node)
## References
- Traefik official documentation: https://doc.traefik.io/traefik/
- K3s Traefik configuration: https://docs.k3s.io/networking#traefik-ingress-controller