add deploy traefik-ingress-v2 manifest, use DaemonSet delpoy traefik, use traefik router expose traefik ui

2020-12-18 14:55:23 +08:00 · 2020-12-18 14:55:23 +08:00 · 32370c5bc6
parent 576eabc086
commit 32370c5bc6
5 changed files with 371 additions and 5 deletions
--- a/manifests/ingress/traefik/traefik-ingress-v2.yaml
+++ b/manifests/ingress/traefik/traefik-ingress-v2.yaml
@ -0,0 +1,332 @@
+## Traefik RBAC
+---
+# ServiceAccount
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: kube-system
+  name: traefik-ingress-controller
+
+---
+# ClusterRole
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: traefik-ingress-controller
+  namespace: kube-system
+rules:
+  - apiGroups: [""]
+    resources: ["services","endpoints","secrets"]
+    verbs: ["get","list","watch"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses", "ingressclasses"]
+    verbs: ["get","list","watch"]
+  - apiGroups: ["extensions"]
+    resources: ["ingresses/status"]
+    verbs: ["update"]
+  - apiGroups: ["traefik.containo.us"]
+    resources: ["middlewares","ingressroutes","ingressroutetcps","tlsoptions","ingressrouteudps","traefikservices","tlsstores"]
+    verbs: ["get","list","watch"]
+
+---
+# ClusterRoleBinding
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: traefik-ingress-controller
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik-ingress-controller
+subjects:
+  - kind: ServiceAccount
+    name: traefik-ingress-controller
+    namespace: kube-system
+
+## Custom Resource Definition
+---
+# IngressRoute
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutes.traefik.containo.us
+spec:
+  scope: Namespaced
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRoute
+    plural: ingressroutes
+    singular: ingressroute
+    shortNames:
+    - ingr
+  scope: Namespaced
+
+---
+# IngressRouteTCP
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutetcps.traefik.containo.us
+spec:
+  scope: Namespaced
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteTCP
+    plural: ingressroutetcps
+    singular: ingressroutetcp
+    shortNames:
+    - ingt
+  scope: Namespaced
+
+---
+# Middleware
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: middlewares.traefik.containo.us
+spec:
+  scope: Namespaced
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: Middleware
+    plural: middlewares
+    singular: middleware
+  scope: Namespaced
+
+---
+# TLSOption
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsoptions.traefik.containo.us
+spec:
+  scope: Namespaced
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSOption
+    plural: tlsoptions
+    singular: tlsoption
+  scope: Namespaced
+
+---
+# TraefikService
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: traefikservices.traefik.containo.us
+spec:
+  scope: Namespaced
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TraefikService
+    plural: traefikservices
+    singular: traefikservice
+  scope: Namespaced
+
+---
+# TLSStore
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsstores.traefik.containo.us
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSStore
+    plural: tlsstores
+    singular: tlsstore
+  scope: Namespaced
+
+---
+# IngressRouteUDP
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressrouteudps.traefik.containo.us
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteUDP
+    plural: ingressrouteudps
+    singular: ingressrouteudp
+    shortNames:
+    - ingu
+  scope: Namespaced
+
+## Traefik ConfigMap
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: traefik-config
+  namespace: kube-system
+data:
+  traefik.yaml: |-
+    ping: ""
+    serversTransport:
+      insecureSkipVerify: true
+    api:
+      insecure: true
+      dashboard: true
+      debug: false
+    metrics:
+      prometheus: ""
+    entryPoints:
+      web:
+        address: ":80"
+      websecure:
+        address: ":443"
+    providers:
+      kubernetesCRD: ""
+      kubernetesIngress: ""
+    log:
+      filePath: ""
+      level: error
+      format: json
+    accessLog:
+      filePath: "" # stdout
+      format: json
+      bufferingSize: 0
+      filters:
+        #statusCodes: ["200"]
+        retryAttempts: true
+        minDuration: 20
+      fields:
+        defaultMode: keep
+        names:
+          ClientUsername: drop
+        headers:
+          defaultMode: keep
+          names:
+            User-Agent: redact
+            Authorization: drop
+            Content-Type: keep
+    #tracing:
+    #  serviceName:
+    #  zipkin:
+    #    sameSpan: true
+    #    id128Bit: true
+    #    sampleRate: 0.1
+    #    httpEndpoint: http://localhost:9411/api/v2/spans
+ 
+## Deploy Traefik DaemonSet
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: traefik-ingress-controller
+  namespace: kube-system
+  labels:
+    app: traefik
+spec:
+  selector:
+    matchLabels:
+      app: traefik
+  template:
+    metadata:
+      name: traefik
+      labels:
+        app: traefik
+    spec:
+      serviceAccountName: traefik-ingress-controller
+      terminationGracePeriodSeconds: 1
+      #hostNetwork: true
+      containers:
+        - image: traefik:v2.4
+          name: traefik-ingress-lb
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: web
+              containerPort: 80
+              hostPort: 80
+            - name: websecure
+              containerPort: 443
+              hostPort: 443
+            - name: admin
+              containerPort: 8080
+          resources:
+            limits:
+              cpu: 2000m
+              memory: 1024Mi
+            requests:
+              cpu: 1000m
+              memory: 1024Mi
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - NET_BIND_SERVICE
+          args:
+            - --configfile=/config/traefik.yaml
+          volumeMounts:
+            - mountPath: "/config"
+              name: "config"
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: 8080
+            failureThreshold: 3
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: 8080
+            failureThreshold: 3
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+      volumes:
+        - name: config
+          configMap:
+            name: traefik-config
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-svc
+  namespace: kube-system
+spec:
+  type: ClusterIP
+  ports:
+    - name: web
+      port: 80
+      protocol: TCP
+    - name: websecure
+      port: 443
+      protocol: TCP
+    - name: admin
+      port: 8080
+      protocol: TCP
+  selector:
+    app: traefik
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard-route
+  namespace: kube-system
+spec:
+  entryPoints:
+  - web
+  routes:
+  - match: Host(`traefik.example.com`)
+    kind: Rule
+    services:
+      - name: traefik-svc
+        port: 8080
+
--- a/roles/cluster-addon/defaults/main.yml
+++ b/roles/cluster-addon/defaults/main.yml
@ -27,7 +27,10 @@ dashboardMetricsScraperVer: "v1.0.4"
 metricsscraper_offline: "metrics-scraper_{{ dashboardMetricsScraperVer }}.tar"

 # ingress 自动安装，可选 "traefik" 和 "nginx-ingress"
-#ingress_install: "no"
+ingress_install: "no"
+ingress_backend: "traefik_v2"
+traefikVer: "v2.4"
+traefik_v2_offline: "traefik_{{ traefikVer }}.tar"

 # metallb 自动安装
 #metallb_install: "no"
--- a/roles/cluster-addon/tasks/ingress.yml
+++ b/roles/cluster-addon/tasks/ingress.yml
@ -23,6 +23,32 @@
  when: 'ingress_backend == "traefik"'
  ignore_errors: true

+# Traefik v2
+- block:
+    - block:
+        - name: 尝试推送离线 traefik v2 镜像（若执行失败，可忽略）
+          copy: src={{ base_dir }}/down/{{ traefik_v2_offline }} dest=/opt/kube/images/{{ traefik_v2_offline }}
+          when: 'traefik_offline in download_info.stdout'
+    
+        - name: 获取traefik离线镜像推送情况
+          command: "ls /opt/kube/images"
+          register: image_info
+    
+        - name: 导入 traefik的离线镜像（若执行失败，可忽略）
+          shell: "{{ bin_dir }}/docker load -i /opt/kube/images/{{ traefik_v2_offline }}"
+          when: 'traefik_v2_offline in image_info.stdout and CONTAINER_RUNTIME == "docker"'
+
+        - name: 导入 traefik的离线镜像（若执行失败，可忽略）
+          shell: "{{ bin_dir }}/ctr -n=k8s.io images import /opt/kube/images/{{ traefik_v2_offline }}"
+          when: 'traefik_v2_offline in image_info.stdout and CONTAINER_RUNTIME == "containerd"'
+
+    - name: 创建 traefik部署
+      shell: "{{ base_dir }}/bin/kubectl apply -f {{ base_dir }}/manifests/ingress/traefik/traefik-ingress-v2.yaml"
+      connection: local
+      run_once: true
+  when: 'ingress_backend == "traefik_v2"'
+  ignore_errors: true
+
 - block:
    - block:
        - name: 尝试推送离线 nginx-ingress镜像（若执行失败，可忽略）
--- a/roles/cluster-addon/tasks/main.yml
+++ b/roles/cluster-addon/tasks/main.yml
@ -108,8 +108,8 @@
  when: '"kubernetes-dashboard" not in pod_info.stdout and dashboard_install == "yes"'
  ignore_errors: true

-#- import_tasks: ingress.yml
-#  when: '"ingress-controller" not in pod_info.stdout and ingress_install == "yes"'
+- import_tasks: ingress.yml
+  when: '"ingress-controller" not in pod_info.stdout and ingress_install == "yes"'

 #- block:
 #    - block:
--- a/tools/easzup
+++ b/tools/easzup
@ -27,6 +27,7 @@ dashboardMetricsScraperVer=v1.0.6
 flannelVer=v0.13.0-amd64
 metricsVer=v0.3.6
 pauseVer=3.2
+traefikVer=v2.4

 function download_docker() {
  echo -e "[INFO] \033[33mdownloading docker binaries\033[0m $DOCKER_VER"
@ -237,6 +238,10 @@ function get_offline_image() {
    docker pull easzlab/kubeasz:${KUBEASZ_VER} && \
    docker save -o ${imageDir}/kubeasz_${KUBEASZ_VER}.tar easzlab/kubeasz:${KUBEASZ_VER}
  fi
+  if [[ ! -f "$imageDir/kubeasz_$traefikVer.tar" ]];then
+    docker pull traefik:${traefikVer} && \
+    docker save -o ${imageDir}/traefik_${traefikVer}.tar traefik:${traefikVer}
+  fi
 }

 function download_all() {