diff --git a/manifests/ingress/traefik/traefik-ingress-v2.yaml b/manifests/ingress/traefik/traefik-ingress-v2.yaml
new file mode 100644
index 0000000..1c8e336
--- /dev/null
+++ b/manifests/ingress/traefik/traefik-ingress-v2.yaml
@@ -0,0 +1,332 @@
+## Traefik RBAC
+---
+# ServiceAccount
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: kube-system
+ name: traefik-ingress-controller
+
+---
+# ClusterRole
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: traefik-ingress-controller
+ namespace: kube-system
+rules:
+ - apiGroups: [""]
+ resources: ["services","endpoints","secrets"]
+ verbs: ["get","list","watch"]
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses", "ingressclasses"]
+ verbs: ["get","list","watch"]
+ - apiGroups: ["extensions"]
+ resources: ["ingresses/status"]
+ verbs: ["update"]
+ - apiGroups: ["traefik.containo.us"]
+ resources: ["middlewares","ingressroutes","ingressroutetcps","tlsoptions","ingressrouteudps","traefikservices","tlsstores"]
+ verbs: ["get","list","watch"]
+
+---
+# ClusterRoleBinding
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: traefik-ingress-controller
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: traefik-ingress-controller
+subjects:
+ - kind: ServiceAccount
+ name: traefik-ingress-controller
+ namespace: kube-system
+
+## Custom Resource Definition
+---
+# IngressRoute
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutes.traefik.containo.us
+spec:
+ scope: Namespaced
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRoute
+ plural: ingressroutes
+ singular: ingressroute
+ shortNames:
+ - ingr
+ scope: Namespaced
+
+---
+# IngressRouteTCP
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutetcps.traefik.containo.us
+spec:
+ scope: Namespaced
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRouteTCP
+ plural: ingressroutetcps
+ singular: ingressroutetcp
+ shortNames:
+ - ingt
+ scope: Namespaced
+
+---
+# Middleware
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: middlewares.traefik.containo.us
+spec:
+ scope: Namespaced
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: Middleware
+ plural: middlewares
+ singular: middleware
+ scope: Namespaced
+
+---
+# TLSOption
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: tlsoptions.traefik.containo.us
+spec:
+ scope: Namespaced
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: TLSOption
+ plural: tlsoptions
+ singular: tlsoption
+ scope: Namespaced
+
+---
+# TraefikService
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: traefikservices.traefik.containo.us
+spec:
+ scope: Namespaced
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: TraefikService
+ plural: traefikservices
+ singular: traefikservice
+ scope: Namespaced
+
+---
+# TLSStore
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: tlsstores.traefik.containo.us
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: TLSStore
+ plural: tlsstores
+ singular: tlsstore
+ scope: Namespaced
+
+---
+# IngressRouteUDP
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressrouteudps.traefik.containo.us
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRouteUDP
+ plural: ingressrouteudps
+ singular: ingressrouteudp
+ shortNames:
+ - ingu
+ scope: Namespaced
+
+## Traefik ConfigMap
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: traefik-config
+ namespace: kube-system
+data:
+ traefik.yaml: |-
+ ping: ""
+ serversTransport:
+ insecureSkipVerify: true
+ api:
+ insecure: true
+ dashboard: true
+ debug: false
+ metrics:
+ prometheus: ""
+ entryPoints:
+ web:
+ address: ":80"
+ websecure:
+ address: ":443"
+ providers:
+ kubernetesCRD: ""
+ kubernetesIngress: ""
+ log:
+ filePath: ""
+ level: error
+ format: json
+ accessLog:
+ filePath: "" # stdout
+ format: json
+ bufferingSize: 0
+ filters:
+ #statusCodes: ["200"]
+ retryAttempts: true
+ minDuration: 20
+ fields:
+ defaultMode: keep
+ names:
+ ClientUsername: drop
+ headers:
+ defaultMode: keep
+ names:
+ User-Agent: redact
+ Authorization: drop
+ Content-Type: keep
+ #tracing:
+ # serviceName:
+ # zipkin:
+ # sameSpan: true
+ # id128Bit: true
+ # sampleRate: 0.1
+ # httpEndpoint: http://localhost:9411/api/v2/spans
+
+## Deploy Traefik DaemonSet
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: traefik-ingress-controller
+ namespace: kube-system
+ labels:
+ app: traefik
+spec:
+ selector:
+ matchLabels:
+ app: traefik
+ template:
+ metadata:
+ name: traefik
+ labels:
+ app: traefik
+ spec:
+ serviceAccountName: traefik-ingress-controller
+ terminationGracePeriodSeconds: 1
+ #hostNetwork: true
+ containers:
+ - image: traefik:v2.4
+ name: traefik-ingress-lb
+ imagePullPolicy: IfNotPresent
+ ports:
+ - name: web
+ containerPort: 80
+ hostPort: 80
+ - name: websecure
+ containerPort: 443
+ hostPort: 443
+ - name: admin
+ containerPort: 8080
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 1000m
+ memory: 1024Mi
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ args:
+ - --configfile=/config/traefik.yaml
+ volumeMounts:
+ - mountPath: "/config"
+ name: "config"
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: 8080
+ failureThreshold: 3
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: 8080
+ failureThreshold: 3
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ volumes:
+ - name: config
+ configMap:
+ name: traefik-config
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: traefik-svc
+ namespace: kube-system
+spec:
+ type: ClusterIP
+ ports:
+ - name: web
+ port: 80
+ protocol: TCP
+ - name: websecure
+ port: 443
+ protocol: TCP
+ - name: admin
+ port: 8080
+ protocol: TCP
+ selector:
+ app: traefik
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: traefik-dashboard-route
+ namespace: kube-system
+spec:
+ entryPoints:
+ - web
+ routes:
+ - match: Host(`traefik.example.com`)
+ kind: Rule
+ services:
+ - name: traefik-svc
+ port: 8080
+
diff --git a/roles/cluster-addon/defaults/main.yml b/roles/cluster-addon/defaults/main.yml
index 8713046..5ef2261
--- a/roles/cluster-addon/defaults/main.yml
+++ b/roles/cluster-addon/defaults/main.yml
@@ -27,7 +27,10 @@ dashboardMetricsScraperVer: "v1.0.4" metricsscraper_offline: "metrics-scraper_{{ dashboardMetricsScraperVer }}.tar" # ingress 自动安装,可选 "traefik" 和 "nginx-ingress" -#ingress_install: "no" +ingress_install: "no" +ingress_backend: "traefik_v2" +traefikVer: "v2.4" +traefik_v2_offline: "traefik_{{ traefikVer }}.tar" # metallb 自动安装 #metallb_install: "no"
diff --git a/roles/cluster-addon/tasks/ingress.yml b/roles/cluster-addon/tasks/ingress.yml
index 50d9483..2d19bd2
--- a/roles/cluster-addon/tasks/ingress.yml
+++ b/roles/cluster-addon/tasks/ingress.yml
@@ -3,11 +3,11 @@ - name: 尝试推送离线 traefik镜像(若执行失败,可忽略) copy: src={{ base_dir }}/down/{{ traefik_offline }} dest=/opt/kube/images/{{ traefik_offline }} when: 'traefik_offline in download_info.stdout' - + - name: 获取traefik离线镜像推送情况 command: "ls /opt/kube/images" register: image_info - + - name: 导入 traefik的离线镜像(若执行失败,可忽略) shell: "{{ bin_dir }}/docker load -i /opt/kube/images/{{ traefik_offline }}" when: 'traefik_offline in image_info.stdout and CONTAINER_RUNTIME == "docker"' 
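Review bot: The `traefik-dashboard-route` IngressRoute at the end of this file publishes the Traefik API/dashboard over the plaintext `web` entrypoint with no middleware, and `api.insecure: true` in the ConfigMap additionally binds the unauthenticated API on :8080 (re-exposed as the `admin` port of `traefik-svc`), so anyone who can reach port 80 on a node and send `Host: traefik.example.com` gets the full routing configuration, which Traefik's documentation describes as a development-only setting. Set `insecure: false` under `api:`, route to the built-in `api@internal` service on `websecure`, and put a `basicAuth` (or `ipWhiteList`) Middleware in front, as sketched below. Separately, `serversTransport.insecureSkipVerify: true` turns off certificate verification for every HTTPS backend cluster-wide; if only one self-signed backend needs it, scope that exception to the service (Traefik v2.4 appears to support a per-service `serversTransport`, worth confirming) rather than globally. The RBAC rule for `ingresses/status` covers only the `extensions` group, so on clusters that serve `networking.k8s.io/v1` ingresses the controller will presumably be unable to write status; adding `networking.k8s.io` to that rule is cheap. Also note the `apiextensions.k8s.io/v1beta1` CRDs and `extensions/v1beta1` ingresses are removed in Kubernetes 1.22, which bounds the versions this manifest can target.
```yaml
# … unchanged: RBAC, CRDs, ConfigMap (with api.insecure: false), DaemonSet, Service …
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
  namespace: kube-system
spec:
  basicAuth:
    # Secret with a `users` key holding htpasswd lines; never commit it to the repo.
    secret: traefik-dashboard-auth
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route
  namespace: kube-system
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.example.com`)
      kind: Rule
      middlewares:
        - name: dashboard-auth
      services:
        - name: api@internal
          kind: TraefikService
  tls: {}
```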
@@ -23,6 +23,32 @@ when: 'ingress_backend == "traefik"' ignore_errors: true +# Traefik v2 +- block: + - block: + - name: 尝试推送离线 traefik v2 镜像(若执行失败,可忽略) + copy: src={{ base_dir }}/down/{{ traefik_v2_offline }} dest=/opt/kube/images/{{ traefik_v2_offline }} + when: 'traefik_offline in download_info.stdout' + + - name: 获取traefik离线镜像推送情况 + command: "ls /opt/kube/images" + register: image_info + + - name: 导入 traefik的离线镜像(若执行失败,可忽略) + shell: "{{ bin_dir }}/docker load -i /opt/kube/images/{{ traefik_v2_offline }}" + when: 'traefik_v2_offline in image_info.stdout and CONTAINER_RUNTIME == "docker"' + + - name: 导入 traefik的离线镜像(若执行失败,可忽略) + shell: "{{ bin_dir }}/ctr -n=k8s.io images import /opt/kube/images/{{ traefik_v2_offline }}" + when: 'traefik_v2_offline in image_info.stdout and CONTAINER_RUNTIME == "containerd"' + + - name: 创建 traefik部署 + shell: "{{ base_dir }}/bin/kubectl apply -f {{ base_dir }}/manifests/ingress/traefik/traefik-ingress-v2.yaml" + connection: local + run_once: true + when: 'ingress_backend == "traefik_v2"' + ignore_errors: true + - block: - block: - name: 尝试推送离线 nginx-ingress镜像(若执行失败,可忽略) diff --git a/roles/cluster-addon/tasks/main.yml b/roles/cluster-addon/tasks/main.yml index 1c5b69d..0a59c43 100644 --- a/roles/cluster-addon/tasks/main.yml +++ b/roles/cluster-addon/tasks/main.yml @@ -108,8 +108,8 @@ when: '"kubernetes-dashboard" not in pod_info.stdout and dashboard_install == "yes"' ignore_errors: true -#- import_tasks: ingress.yml -# when: '"ingress-controller" not in pod_info.stdout and ingress_install == "yes"' +- import_tasks: ingress.yml + when: '"ingress-controller" not in pod_info.stdout and ingress_install == "yes"' #- block: # - block: diff --git a/tools/easzup b/tools/easzup index 0b90e40..74be3b5 100755 --- a/tools/easzup +++ b/tools/easzup 
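Review bot: The copy task in the new `Traefik v2` block is gated on `when: 'traefik_offline in download_info.stdout'`, the v1 tarball name, while the file it copies is `{{ traefik_v2_offline }}`; unless both tarballs happen to have been downloaded the task is skipped, the following `docker load`/`ctr images import` steps find nothing to import, and the block-level `ignore_errors: true` hides all of it. It should read `when: 'traefik_v2_offline in download_info.stdout'`. The same `ignore_errors: true` also swallows a failed `kubectl apply` of the manifest, so a broken or partially applied ingress install will still report success; consider narrowing it to the image push/import tasks and letting the apply fail loudly. The trailing context lines belong to the nginx-ingress block, which continues outside the hunk.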
@@ -27,6 +27,7 @@ dashboardMetricsScraperVer=v1.0.6 flannelVer=v0.13.0-amd64 metricsVer=v0.3.6 pauseVer=3.2 +traefikVer=v2.4 function download_docker() { echo -e "[INFO] \033[33mdownloading docker binaries\033[0m $DOCKER_VER" @@ -237,6 +238,10 @@ function get_offline_image() { docker pull easzlab/kubeasz:${KUBEASZ_VER} && \ docker save -o ${imageDir}/kubeasz_${KUBEASZ_VER}.tar easzlab/kubeasz:${KUBEASZ_VER} fi + if [[ ! -f "$imageDir/kubeasz_$traefikVer.tar" ]];then + docker pull traefik:${traefikVer} && \ + docker save -o ${imageDir}/traefik_${traefikVer}.tar traefik:${traefikVer} + fi } function download_all() {
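Review bot: The new cache check in `get_offline_image()` tests `"$imageDir/kubeasz_$traefikVer.tar"` but the `docker save` on the next lines writes `${imageDir}/traefik_${traefikVer}.tar`, so the `! -f` test never matches an existing bundle and the image is re-pulled from the registry on every run; the path should be `if [[ ! -f "$imageDir/traefik_$traefikVer.tar" ]];then`. The pull is by the mutable tag `traefik:${traefikVer}` with no digest, so two runs of this script can produce different offline bundles under the same name; if the offline tarballs are meant to be reproducible, pin the image as `traefik:${traefikVer}@sha256:<digest>` (the other pulls in this function, outside the hunk, presumably have the same property). `get_offline_image()` starts and ends outside the hunk.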