What you don't know, traifik

In the previous article, we briefly introduced about   Traefik   For related concepts and component principle mechanism, please refer to: Why traifik ingress?

     As an innovative edge router, it means that Traefik is the guardian of the whole application platform, intercepting and routing each access request: determining which services handle the corresponding requests based on the set logic and rules. For the model portrait of Traefik, please refer to the following:

     Of course, in addition to the service agent characteristics, Traefik   At the same time, it also has a "service discovery" function mechanism, which dynamically detects the back-end service status information and updates the routing rules in real time, so as to achieve the effect of service governance.

     We take   The Docker Provider scenario is used as a reference model to briefly analyze the Traefik ecology, so that we can deeply understand the relevant characteristics of Traefik.

     In the following scenarios, we take the latest version of Traefik v2.5.2 image as an example to deploy and run relevant instances, as shown below:

[administrator@JavaLangOutOfMemory ~] % vi docker-compose.yaml 
version: '3'
services:
  reverse-proxy:
    image: traefik:latest
    # Open the web UI and traifik listens to Docker
    command: --api.insecure=true --providers.docker
    ports:
      # HTTP port
      - "80:80"
      # Web UI port (enabled by -- api.insecure=true)
      - "8080:8080"
    volumes:
      # Traifik listens for Docker events
      - /var/run/docker.sock:/var/run/docker.sock

     Then, we run this instance as follows:

[administrator@JavaLangOutOfMemory ~] % docker-compose up -d reverse-proxy
[administrator@JavaLangOutOfMemory ~] %  curl -i http://192.168.56.114:8080/api/rawdata?jsonHTTP/1.1 200 OKContent-Type: application/jsonDate: Thu, 09 Sep 2021 02:05:08 GMTContent-Length: 1361
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 09 Sep 2021 02:05:08 GMT
Content-Length: 1361

{"routers":{"api@internal":{"entryPoints":["traefik"],"service":"api@internal","rule":"PathPrefix(`/api`)","priority":2147483646,"status":"enabled","using":["traefik"]},"dashboard@internal":{"entryPoints":["traefik"],"middlewares":["dashboard_redirect@internal","dashboard_stripprefix@internal"],"service":"dashboard@internal","rule":"PathPrefix(`/`)","priority":2147483645,"status":"enabled","using":["traefik"]},"reverse-proxy-traefik@docker":{"entryPoints":["http"],"service":"reverse-proxy-traefik","rule":"Host(`reverse-proxy-traefik`)","status":"enabled","using":["http"]}},"middlewares":{"dashboard_redirect@internal":{"redirectRegex":{"regex":"^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$","replacement":"${1}/dashboard/","permanent":true},"status":"enabled","usedBy":["dashboard@internal"]},"dashboard_stripprefix@internal":{"stripPrefix":{"prefixes":["/dashboard/","/dashboard"]},"status":"enabled","usedBy":["dashboard@internal"]}},"services":{"api@internal":{"status":"enabled","usedBy":["api@internal"]},"dashboard@internal":{"status":"enabled","usedBy":["dashboard@internal"]},"noop@internal":{"status":"enabled"},"reverse-proxy-traefik@docker":{"loadBalancer":{"servers":[{"url":"http://172.20.0.2:80"}],"passHostHeader":true},"status":"enabled","usedBy":["reverse-proxy-traefik@docker"],"serverStatus":{"http://172.20.0.2:80":"UP"}}}}

     At this time, we can also access it through the browser   http://192.168.56.114:8080/api/rawdata   Interface to view the raw data of Traefik's API.

     Next, we deploy a Demo service to create a route based on traifik, as shown below:

version: '3'

services:
  reverse-proxy:
    # Official traifik 2.0 docker image
    image: traefik:latest
    # Open the web UI and tell traifik to listen to Docker
    command: --api.insecure=true --providers.docker
    ports:
      # HTTP port
      - "80:80"
      # Web UI port (enabled by -- api.insecure=true)
      - "8080:8080"
    volumes:
      # This allows traifik to listen for Docker events
      - /var/run/docker.sock:/var/run/docker.sock

  whoami:
    # A container that exposes its IP address through the API
    image: containous/whoami
    labels:
      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"

     Based on the Yaml file above, we defined a simple web service named whoami, which will print the relevant information of the deployed machine (IP address, host, etc.). Then we start the whoami service with the following command:

[administrator@JavaLangOutOfMemory ~] % docker-compose up -d whoami

     At this point, we request the Api interface again, and the results are as follows:

[administrator@JavaLangOutOfMemory ~] % curl -i http://192.168.56.114:8080/api/rawdata?jsonHTTP/1.1 200 OKContent-Type: application/jsonDate: Thu, 09 Sep 2021 02:09:25 GMTContent-Length: 1705
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 09 Sep 2021 02:09:25 GMT
Content-Length: 1705

{"routers":{"api@internal":{"entryPoints":["traefik"],"service":"api@internal","rule":"PathPrefix(`/api`)","priority":2147483646,"status":"enabled","using":["traefik"]},"dashboard@internal":{"entryPoints":["traefik"],"middlewares":["dashboard_redirect@internal","dashboard_stripprefix@internal"],"service":"dashboard@internal","rule":"PathPrefix(`/`)","priority":2147483645,"status":"enabled","using":["traefik"]},"reverse-proxy-traefik@docker":{"entryPoints":["http"],"service":"reverse-proxy-traefik","rule":"Host(`reverse-proxy-traefik`)","status":"enabled","using":["http"]},"whoami@docker":{"entryPoints":["http"],"service":"whoami-traefik","rule":"Host(`whoami.docker.localhost`)","status":"enabled","using":["http"]}},"middlewares":{"dashboard_redirect@internal":{"redirectRegex":{"regex":"^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$","replacement":"${1}/dashboard/","permanent":true},"status":"enabled","usedBy":["dashboard@internal"]},"dashboard_stripprefix@internal":{"stripPrefix":{"prefixes":["/dashboard/","/dashboard"]},"status":"enabled","usedBy":["dashboard@internal"]}},"services":{"api@internal":{"status":"enabled","usedBy":["api@internal"]},"dashboard@internal":{"status":"enabled","usedBy":["dashboard@internal"]},"noop@internal":{"status":"enabled"},"reverse-proxy-traefik@docker":{"loadBalancer":{"servers":[{"url":"http://172.20.0.2:80"}],"passHostHeader":true},"status":"enabled","usedBy":["reverse-proxy-traefik@docker"],"serverStatus":{"http://172.20.0.2:80":"UP"}},"whoami-traefik@docker":{"loadBalancer":{"servers":[{"url":"http://172.20.0.3:80"}],"passHostHeader":true},"status":"enabled","usedBy":["whoami@docker"],"serverStatus":{"http://172.20.0.3:80":"UP"}}}}

     By viewing  / api/rawdata   From the data returned by the interface, we found that Traefik has automatically detected the new container and updated the corresponding configuration. When introducing Traefik earlier, we said that when Traefik detects a new service, it will automatically create the corresponding route, and then we can access the corresponding route. At this time, we use the Curl tool to verify, as shown below:

[administrator@JavaLangOutOfMemory ~] % curl -H Host:whoami.docker.localhost http://127.0.0.1
Hostname: d1078dbb0332
IP: 127.0.0.1
IP: 172.20.0.3
RemoteAddr: 172.20.0.2:37580
GET / HTTP/1.1
Host: whoami.docker.localhost
User-Agent: curl/7.29.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 172.20.0.1
X-Forwarded-Host: whoami.docker.localhost
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: 814dfa472b98
X-Real-Ip: 172.20.0.1

     Next, we are right   The whoami service is expanded to verify the load balancing function of Traefik. The specific operations are as follows:

[administrator@JavaLangOutOfMemory ~] % docker-compose up -d --scale whoami=4
traefik_reverse-proxy_1 is up-to-date
Creating traefik_whoami_2 ... done
Creating traefik_whoami_3 ... done
Creating traefik_whoami_4 ... done

     At this point, let's take a look at the container status of our service after the expansion is completed, as shown below:

[administrator@JavaLangOutOfMemory ~] % docker-compose ps         
        Name                        Command               State                                     Ports                                   
---------------------------------------------------------------------------------------------------------------------------------------------
traefik_reverse-proxy_1   /entrypoint.sh --api.insec ...   Up      0.0.0.0:80->80/tcp,:::80->80/tcp, 0.0.0.0:8080->8080/tcp,:::8080->8080/tcp
traefik_whoami_1          /whoami                          Up      80/tcp                                                                    
traefik_whoami_2          /whoami                          Up      80/tcp                                                                    
traefik_whoami_3          /whoami                          Up      80/tcp                                                                    
traefik_whoami_4          /whoami                          Up      80/tc
[administrator@JavaLangOutOfMemory ~] % curl -i http://192.168.56.114:8080/api/rawdata?json 
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 09 Sep 2021 02:28:35 GMT
Content-Length: 1882

{"routers":{"api@internal":{"entryPoints":["traefik"],"service":"api@internal","rule":"PathPrefix(`/api`)","priority":2147483646,"status":"enabled","using":["traefik"]},"dashboard@internal":{"entryPoints":["traefik"],"middlewares":["dashboard_redirect@internal","dashboard_stripprefix@internal"],"service":"dashboard@internal","rule":"PathPrefix(`/`)","priority":2147483645,"status":"enabled","using":["traefik"]},"reverse-proxy-traefik@docker":{"entryPoints":["http"],"service":"reverse-proxy-traefik","rule":"Host(`reverse-proxy-traefik`)","status":"enabled","using":["http"]},"whoami@docker":{"entryPoints":["http"],"service":"whoami-traefik","rule":"Host(`whoami.docker.localhost`)","status":"enabled","using":["http"]}},"middlewares":{"dashboard_redirect@internal":{"redirectRegex":{"regex":"^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$","replacement":"${1}/dashboard/","permanent":true},"status":"enabled","usedBy":["dashboard@internal"]},"dashboard_stripprefix@internal":{"stripPrefix":{"prefixes":["/dashboard/","/dashboard"]},"status":"enabled","usedBy":["dashboard@internal"]}},"services":{"api@internal":{"status":"enabled","usedBy":["api@internal"]},"dashboard@internal":{"status":"enabled","usedBy":["dashboard@internal"]},"noop@internal":{"status":"enabled"},"reverse-proxy-traefik@docker":{"loadBalancer":{"servers":[{"url":"http://172.20.0.2:80"}],"passHostHeader":true},"status":"enabled","usedBy":["reverse-proxy-traefik@docker"],"serverStatus":{"http://172.20.0.2:80":"UP"}},"whoami-traefik@docker":{"loadBalancer":{"servers":[{"url":"http://172.20.0.4:80"},{"url":"http://172.20.0.5:80"},{"url":"http://172.20.0.3:80"},{"url":"http://172.20.0.6:80"}],"passHostHeader":true},"status":"enabled","usedBy":["whoami@docker"],"serverStatus":{"http://172.20.0.3:80":"UP","http://172.20.0.4:80":"UP","http://172.20.0.5:80":"UP","http://172.20.0.6:80":"UP"}}}}

     At this time, we request 4 times to view the load balancing of Traefik among the four instances. The specific commands are as follows:

[administrator@JavaLangOutOfMemory ~] % curl -H Host:whoami.docker.localhost http://127.0.0.1
# for the first time
Hostname: 50f70b1ccace
IP: 127.0.0.1
IP: 172.20.0.4
RemoteAddr: 172.20.0.2:40000
...
# The second time
Hostname: 8c2204231f98
IP: 127.0.0.1
IP: 172.20.0.5
RemoteAddr: 172.20.0.2:39660
...
# third time
Hostname: d1078dbb0332
IP: 127.0.0.1
IP: 172.20.0.3
RemoteAddr: 172.20.0.2:37600
...
# Fourth time
Hostname: f1cf5b632fde
IP: 127.0.0.1
IP: 172.20.0.6
RemoteAddr: 172.20.0.2:50384
...

     Based on this, we http://192.168.56.114:8080/dashboard/#/ Access the traifik Web   UI to observe different routing requests, services, middleware and other associated information. The details are as follows:

     On the whole homepage, we can see the requests and service types of different protocols supported by Traefik, including HTTP, TCP and UDP. At the same time, different types of Providers are displayed, including Docker and K8S   And other relevant information. Based on the HTTP protocol, you can see the established 4 routing rules, 5 services and 2 custom middleware. Taking middlewars as an example, we can click the "Explore" link in the "middlewars" section based on HTTP protocol to see the link topology call chain formed by the currently deployed applications, as shown below:

     If you are interested in the custom development practice of traifik middleware, please refer to the previous article: Traifik middleware plug-in practice So that everyone can understand the rich functions of traifik.

      The custom renewal function for certificates is also one of the powerful functions of the traifik component. Based on this, we will briefly describe it based on HTTP and DNS respectively.

      Based on the above scenario, the brief activity flow is analyzed as follows:

     Traifik uses ACME (a protocol (a precisely agreed means of communication) to negotiate certificates from LE. It is part of traifik)   Request a domain specific certificate from LE (Let's Encrypt, a service that provides free certificates), such as example.com. LE answers with randomly generated text, which Traefik places in a specific location on the server. LE then asks the DNS Internet server, such as. Com, which points to an IP address. LE views the IP address of the file containing the random text through port 80 / 443.

      If so, this proves that the person requesting the certificate controls both the server and the domain because it shows control over DNS records. The certificate has been issued and is valid for 3 months. When less than 30 days remain, traifik will automatically try to renew it.

      The advantage of HttpChallenge is that it can obtain wildcard certificates. These are all subdomains that are validated  *. In addition, you do not need to open any ports. The related file configuration is as follows:

## STATIC CONFIGURATION
log:
  level: INFO

api:
  insecure: true
  dashboard: true

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

certificatesResolvers:
  lets-encr:
    acme:
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      storage: acme.json
      email: whatever@gmail.com
      httpChallenge:
        entryPoint: web

      Based on this scenario, Traefik uses ACME to request domain specific certificates from LE, such as example.com. LE answers some randomly generated text, which Traefik uses as a new DNS TXT record. Then, check the example.com DNS record to see if the text exists.

      If it exists, it proves that the person requesting the certificate controls the domain, and the certificate is valid for 3 months. Traifik will automatically attempt to renew when the remaining time is less than 30 days.

      Compared with HttpChallenge  , Traifik needs to be able to automatically update DNS records, so it needs the support of anyone who manages DNS sites. That's why Cloudflare is used. The related file configuration is as follows:

## STATIC CONFIGURATION
log:
  level: INFO

api:
  insecure: true
  dashboard: true

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

certificatesResolvers:
  lets-encr:
    acme:
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      storage: acme.json
      email: whatever@gmail.com
      httpChallenge:
        entryPoint: web

      In addition to the above features, in Traefik V2.3.x and subsequent versions, a series of latest functions are introduced, including Traefik plug-in system, integration with Traefik Pilot, support for Amazon ECS, etc., so that the functions of Traefik ecological components are richer and more widely used.

      In addition to the example, alarm and monitoring information functions shown above, traifik pilot also supports user-defined "plug-in" development functions. It provides rich plug-in types, which can be adaptively assembled in combination with actual business scenarios, as shown below:

      To sum up, as a cloud native edge router, the traifik function has been able to meet most business scenarios, as well as many industries and applications. Perhaps, in the next version, we will usher in a more powerful   Traifik ecology, including support for Kubernetes Service API newly launched by Google team, and support for mTLS in traifik mesh   The function of. In addition to the above, other potential functional features will emerge with the continuous changes of the market. Finally, let's wait and see

   # reference material

  • https://github.com/DoTheEvo/ 

Original:

https://mp.weixin.qq.com/cgi-bin/home?t=home/index&token=753063752&lang=zh_CN

Tags: Kubernetes Container

Posted on Thu, 18 Nov 2021 05:18:32 -0500 by Crimpage