mirror of https://github.com/easzlab/kubeasz.git
161 lines
3.8 KiB
YAML
161 lines
3.8 KiB
YAML
apiVersion: v1
|
||
kind: ConfigMap
|
||
metadata:
|
||
name: traefik-conf
|
||
namespace: kube-system
|
||
data:
|
||
traefik.toml: |
|
||
# 设置insecureSkipVerify = true,可以配置backend为443(比如dashboard)的ingress规则
|
||
insecureSkipVerify = true
|
||
defaultEntryPoints = ["http", "https"]
|
||
[entryPoints]
|
||
[entryPoints.http]
|
||
address = ":80"
|
||
### 配置http 强制跳转 https
|
||
#[entryPoints.http.redirect]
|
||
# entryPoint = "https"
|
||
### 配置只信任trustedIPs传递过来X-Forwarded-*,默认全部信任;为了防止客户端地址伪造,需开启这个
|
||
#[entryPoints.http.forwardedHeaders]
|
||
# trustedIPs = ["10.1.0.0/16", "172.20.0.0/16", "192.168.1.3"]
|
||
[entryPoints.https]
|
||
address = ":443"
|
||
[entryPoints.https.tls]
|
||
[[entryPoints.https.tls.certificates]]
|
||
CertFile = "/ssl/tls.crt"
|
||
KeyFile = "/ssl/tls.key"
|
||
---
|
||
kind: Deployment
|
||
apiVersion: apps/v1
|
||
metadata:
|
||
name: traefik-ingress-controller
|
||
namespace: kube-system
|
||
labels:
|
||
k8s-app: traefik-ingress-lb
|
||
spec:
|
||
replicas: 1
|
||
selector:
|
||
matchLabels:
|
||
k8s-app: traefik-ingress-lb
|
||
template:
|
||
metadata:
|
||
labels:
|
||
k8s-app: traefik-ingress-lb
|
||
name: traefik-ingress-lb
|
||
spec:
|
||
serviceAccountName: traefik-ingress-controller
|
||
terminationGracePeriodSeconds: 60
|
||
volumes:
|
||
- name: ssl
|
||
secret:
|
||
secretName: traefik-cert
|
||
- name: config
|
||
configMap:
|
||
name: traefik-conf
|
||
#nodeSelector:
|
||
# node-role.kubernetes.io/traefik: "true"
|
||
containers:
|
||
- image: traefik:v1.7.12
|
||
imagePullPolicy: IfNotPresent
|
||
name: traefik-ingress-lb
|
||
volumeMounts:
|
||
- mountPath: "/ssl"
|
||
name: "ssl"
|
||
- mountPath: "/config"
|
||
name: "config"
|
||
resources:
|
||
limits:
|
||
cpu: 1000m
|
||
memory: 800Mi
|
||
requests:
|
||
cpu: 500m
|
||
memory: 600Mi
|
||
args:
|
||
- --configfile=/config/traefik.toml
|
||
- --api
|
||
- --kubernetes
|
||
- --logLevel=INFO
|
||
securityContext:
|
||
capabilities:
|
||
drop:
|
||
- ALL
|
||
add:
|
||
- NET_BIND_SERVICE
|
||
ports:
|
||
- name: http
|
||
containerPort: 80
|
||
hostPort: 80
|
||
- name: https
|
||
containerPort: 443
|
||
hostPort: 443
|
||
---
|
||
kind: Service
|
||
apiVersion: v1
|
||
metadata:
|
||
name: traefik-ingress-service
|
||
namespace: kube-system
|
||
spec:
|
||
selector:
|
||
k8s-app: traefik-ingress-lb
|
||
ports:
|
||
- protocol: TCP
|
||
# 该端口为 traefik ingress-controller的服务端口
|
||
port: 80
|
||
# 集群hosts文件中设置的 NODE_PORT_RANGE 作为 NodePort的可用范围
|
||
# 从默认20000~40000之间选一个可用端口,让ingress-controller暴露给外部的访问
|
||
nodePort: 23456
|
||
name: http
|
||
- protocol: TCP
|
||
#
|
||
port: 443
|
||
nodePort: 23457
|
||
name: https
|
||
- protocol: TCP
|
||
# 该端口为 traefik 的管理WEB界面
|
||
port: 8080
|
||
name: admin
|
||
type: NodePort
|
||
---
|
||
kind: ClusterRole
|
||
apiVersion: rbac.authorization.k8s.io/v1
|
||
metadata:
|
||
name: traefik-ingress-controller
|
||
rules:
|
||
- apiGroups:
|
||
- ""
|
||
resources:
|
||
- pods
|
||
- services
|
||
- endpoints
|
||
- secrets
|
||
verbs:
|
||
- get
|
||
- list
|
||
- watch
|
||
- apiGroups:
|
||
- extensions
|
||
resources:
|
||
- ingresses
|
||
verbs:
|
||
- get
|
||
- list
|
||
- watch
|
||
---
|
||
kind: ClusterRoleBinding
|
||
apiVersion: rbac.authorization.k8s.io/v1
|
||
metadata:
|
||
name: traefik-ingress-controller
|
||
roleRef:
|
||
apiGroup: rbac.authorization.k8s.io
|
||
kind: ClusterRole
|
||
name: traefik-ingress-controller
|
||
subjects:
|
||
- kind: ServiceAccount
|
||
name: traefik-ingress-controller
|
||
namespace: kube-system
|
||
---
|
||
apiVersion: v1
|
||
kind: ServiceAccount
|
||
metadata:
|
||
name: traefik-ingress-controller
|
||
namespace: kube-system
|