1.安装 heml
helm 安装方式可以参考官方文档。

2.安装traefik

# values.yaml 
image.tag: "v2.5.3"
deployment:
  kind: DaemonSet
  additionalVolumes: 
    - name: traefik-access-log
      hostPath:
        path: /data/logs/traefik
        type: DirectoryOrCreate
  # 初始化容器，用来修改日志目录的权限
  initContainers: 
    - name: volume-permissions
      image: busybox:1.31.1
      command: ["sh", "-c", "chmod -Rv 755 /data/ && chown -R 65532.65532 /data/"]
      volumeMounts:
        - name: traefik-access-log
          mountPath: /data
ingressClass:
  enabled: true
  isDefaultClass: true
  fallbackApiVersion: "v1"
# 推荐使用域名访问
ingressRoute.dashboard.enabled: false
additionalVolumeMounts: 
  - name: traefik-access-log
    mountPath: /var/log/traefik
logs:
  general.level: WARN
  # 访问日志配置
  access:
    enabled: true
    # 缓冲的行数
    bufferingSize: 100
    # 指定哪些日志被记录
    # 目前不支持过滤掉内部健康检查的日志，并且日志自定义能力很弱，
    # 如果前端有LB，那么还得通过 proxyprotocol 获取客户端IP，很麻烦
    # 流量下，如果前端有一个Nginx作为LB，甚至可以考虑关闭traefik的日志
    filters: 
      statuscodes: "100,300-302,400-404,500-505"    # 状态码范围
      retryattempts: true                           # 是否重试
      minduration: 10ms                             # 响应超过10ms
globalArguments:
  - "--global.checknewversion"
  - "--global.sendanonymoususage"
  # 从traefik到后端pod的访问中，不校验pod中的TLS证书，这对自签证书的pod很管用
  - "--serversTransport.insecureSkipVerify=true"
  # 指定访问日志的写入路径，可以用来让 filebeat 采集
  # 日志轮转是需要cronjob定时发送 USR1 信号给traefik
  - "--accesslog.filepath=/var/log/traefik/access.log"
  # 访问日志中的时间戳以容器时区为准
  - "--accesslog.fields.names.StartUTC=drop"
env: 
  # 指定traefik的时区
  - name: TZ
    value: Asia/Shanghai
# 想要性能更高，甚至可以直接使用节点的网络空间
ports:
  traefik:
    port: 9000
    # 生产环境不推荐暴露9000端口
    expose: false
    exposedPort: 9000
    protocol: TCP
  web:
    port: 8000
    hostPort: 80
    expose: true
    exposedPort: 80
    protocol: TCP
    # redirectTo: websecure
  websecure:
    port: 8443
    hostPort: 443
    expose: true
    exposedPort: 443
  metrics:
    port: 9100
    expose: false
    exposedPort: 9100
    protocol: TCP  
service:
  type: ClusterIP
resources: 
  requests:
    cpu: "100m"
    memory: "512Mi"
  limits:
    cpu: "1000m"
    memory: "1024Mi"
# 针对指定的 node 才部署 traefik
nodeSelector: 
  ingressControllerNode: "yes"
  ingressController: "traefik"

[root@maxiaoke ~]# kubectl get node
NAME          STATUS                     ROLES    AGE   VERSION
10.0.160.10   Ready,SchedulingDisabled   master   12d   v1.20.10
10.0.160.13   Ready                      node     12d   v1.20.10
10.0.160.30   Ready,SchedulingDisabled   master   12d   v1.20.10
10.0.160.32   Ready                      node     12d   v1.20.10
10.0.160.50   Ready,SchedulingDisabled   master   12d   v1.20.10
10.0.160.51   Ready                      node     12d   v1.20.10
# 标记作为IngressController的节点, 之所以增加IngressController=traefik，是后续可能会部署多个ingress controller
[root@maxiaoke ~]# kubectl label nodes 10.0.160.10 ingressControllerNode=yes ingressController=traefik
[root@maxiaoke ~]# kubectl label nodes 10.0.160.30 ingressControllerNode=yes ingressController=traefik
[root@maxiaoke ~]# kubectl label nodes 10.0.160.50 ingressControllerNode=yes ingressController=traefik
[root@maxiaoke ~]# kubectl create namespace traefik
[root@maxiaoke ~]# helm repo add traefik https://helm.traefik.io/traefik
[root@maxiaoke ~]# helm repo update
[root@maxiaoke ~]# helm install -n traefik traefik traefik/traefik -f /tmp/values.yaml
[root@maxiaoke ~]# kubectl get pod -n traefik -o wide
NAME            READY   STATUS    RESTARTS   AGE   IP            NODE          NOMINATED NODE   READINESS GATES
traefik-2mdzt   1/1     Running   0          13h   10.200.1.18   10.0.160.10   <none>           <none>
traefik-42k4f   1/1     Running   0          13h   10.200.2.17   10.0.160.50   <none>           <none>
traefik-kg7v6   1/1     Running   0          13h   10.200.0.17   10.0.160.30   <none>           <none>

3.配置负载均衡器
一般使用ingress controller监听在节点的80后者443端口，80负责HTTP流量，443负责HTTPS流量。用户从集群外面访问集群内业务的API，从安全角度考虑，建议强制走HTTPS协议到达负载均衡器，从负载均衡器到后端ingress controller，可以走HTTP或者HTTPS，推荐在做好安全工作的前提下，推荐走HTTP。针对需要走HTTPS的流量，在负载均衡器上使用更高优先级的虚拟机主机，将流量转发到 ingress controller 的https接口。

# /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 65535;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    log_format access '$time_local|$http_x_real_ip|$remote_addr|$http_x_forwarded_for|$upstream_addr|$upstream_connect_time|$upstream_response_time|'
                      '$request_method|$server_protocol|$host|$request_uri|$http_referer|$http_user_agent|$proxy_host|$status' ;
    access_log  /var/log/nginx/http-access.log  main;
    error_log /var/log/nginx/http-error.log error;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    include /etc/nginx/conf.d/http/*.conf;
}
stream {
    log_format stream '$time_local|$remote_addr|$protocol|$bytes_sent|$bytes_received|$upstream_addr|$upstream_connect_time|$status'
    access_log  /var/log/nginx/stream-access.log  stream;
    error_log /var/log/nginx/stream-error.log error;
    include /etc/nginx/conf.d/stream/*.conf;
}

# 配置默认的转发规则
# /etc/nginx/conf.d/http/default.conf
server {
    listen 0.0.0.0:80 backlog=2048 ;
    server_name *.huanle.com ;
    access_log /var/log/nginx/http-k8s-local-01.log access ;
    rewrite (.*) https://$host$1 redirect ;
}
server {
    listen 0.0.0.0:443 ssl backlog=2048 ;
    server_name *.huanle.com ;
    access_log /var/log/nginx/http-k8s-local-01.log access ;
    keepalive_timeout 100s ;
    keepalive_requests 200 ;
    ssl_certificate ssl_key/huanle.crt ;
    ssl_certificate_key ssl_key/huanle.key ;
    ssl_ciphers HIGH:!aNULL:!MD5 ;
    ssl_session_cache shared:SSL:30m ;  ## 设置SSL session缓存
    ssl_session_timeout 10m ;
    location / {
        proxy_pass http://k8s-local-01-http ;
        proxy_connect_timeout 3 ;
        proxy_read_timeout    10 ;
        proxy_send_timeout    10 ;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr ;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
    }
}

# /etc/nginx/conf.d/http/upstream.conf
upstream k8s-local-01-http {
    server 10.0.160.10:80 max_fails=2 fail_timeout=3s;
    server 10.0.160.30:80 max_fails=2 fail_timeout=3s;
    server 10.0.160.50:80 max_fails=2 fail_timeout=3s;
}
upstream k8s-local-01-https {
    server 10.0.160.10:443 max_fails=2 fail_timeout=3s;
    server 10.0.160.30:443 max_fails=2 fail_timeout=3s;
    server 10.0.160.50:443 max_fails=2 fail_timeout=3s;
}