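# Traefik full deployment manifest
# Prerequisite: kubectl create namespace traefik
# Contains RBAC, Deployment, Service, IngressClass and Let's Encrypt (ACME) TLS
# tags: traefik, ingress, ssl, https, let's encrypt, acme, kubernetes, master-node
# description: Complete Traefik reverse-proxy configuration, pinned to the master node, with automatic TLS certificates (Let's Encrypt)
# title: Traefik full deployment - with TLS certificates (master-node deployment)
# createdAt: 2025-11-26
#
# Changes in this revision:
#   - The dashboard/API is no longer served on an unauthenticated insecure
#     entrypoint (--api.insecure=true plus NodePort 30808). It is reachable only
#     through the HTTPS IngressRoute at the end of this file, behind BasicAuth.
#   - Log level lowered from DEBUG to INFO: DEBUG writes request details to the pod log.
#   - The container drops all Linux capabilities except NET_BIND_SERVICE
#     (needed to bind :80/:443), forbids privilege escalation and runs with a
#     read-only root filesystem; the ACME store is the only writable mount.
---
# PersistentVolume backing the ACME account/certificate store (acme.json).
# hostPath is node-local: this only works because the Deployment below is
# pinned to the same node via nodeSelector. Traefik writes acme.json with
# mode 0600; keep /data/traefik-acme readable by root only (it holds the
# ACME account key and issued private keys).
apiVersion: v1
kind: PersistentVolume
metadata:
  name: traefik-acme-pv
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain  # never discard the ACME account/keys on PVC deletion
  hostPath:
    path: /data/traefik-acme
  storageClassName: local-storage
---
# PersistentVolumeClaim that binds the certificate store to the Traefik pod
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: traefik-acme-pvc
  namespace: traefik
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: local-storage
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik
  namespace: traefik
---
# Read-only, cluster-wide view of the objects the Kubernetes providers need.
# Note that `secrets` get/list/watch is cluster-wide: Traefik needs it to read
# TLS secrets referenced by routes, but it also means a compromised Traefik pod
# can read every Secret in the cluster. The only write permission is
# ingresses/status.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
      - nodes
      - configmaps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
      - traefik.io
    resources:
      - ingressroutes
      - ingressroutetcps
      - ingressrouteudps
      - middlewares
      - middlewaretcps
      - tlsoptions
      - tlsstores
      - traefikservices
      - serverstransports
      - serverstransporttcps
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik
    namespace: traefik
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik
  namespace: traefik
  labels:
    app: traefik
spec:
  replicas: 1  # must stay 1: a single hostPath-backed acme.json cannot be shared by several pods
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik
      nodeSelector:
        kubernetes.io/hostname: kevisual  # node hostname is kevisual
      containers:
        - name: traefik
          # TODO: pin to an immutable tag or digest (traefik:vX.Y.Z@sha256:<digest>);
          # :latest makes rollouts non-reproducible and impossible to audit.
          image: traefik:latest
          args:
            # Dashboard/API are served only through the api@internal service
            # (see the IngressRoute at the end). --api.insecure=true would
            # additionally expose them unauthenticated on :8080.
            - --api=true
            - --api.dashboard=true
            - --providers.kubernetescrd
            # Uncomment to also honour plain networking.k8s.io/v1 Ingress
            # objects (the IngressClass below and the RBAC already allow it):
            # - --providers.kubernetesingress
            # - --providers.kubernetesingress.ingressclass=traefik
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.address=:443
            # Let's Encrypt configuration
            - --certificatesresolvers.letsencrypt.acme.email=root@kevisual.cn
            - --certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json
            - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
            - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
            # Production Let's Encrypt CA; use the staging CA while testing to avoid rate limits
            # - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
            - --log.level=INFO  # DEBUG logs request/header details; raise only while troubleshooting
          ports:
            - name: web
              containerPort: 80
            - name: websecure
              containerPort: 443
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true  # /acme is the only writable path
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE  # required to bind :80 and :443
          # Constructed starting values; size to observed usage on this node.
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              memory: 512Mi
          volumeMounts:
            - name: acme-storage
              mountPath: /acme
      volumes:
        - name: acme-storage
          persistentVolumeClaim:
            claimName: traefik-acme-pvc
---
# The HTTP-01 challenge needs public port 80 to reach the `web` nodePort
# (presumably an upstream forward 80 -> 30080; verify on the edge device).
# The admin NodePort (30808) is intentionally gone: the dashboard is only
# served over HTTPS through the IngressRoute below.
apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: traefik
spec:
  type: NodePort
  selector:
    app: traefik
  ports:
    - name: web
      port: 80
      targetPort: 80
      nodePort: 30080  # external HTTP access via 30080
      # nodePort: 80
    - name: websecure
      port: 443
      targetPort: 443
      nodePort: 30443  # external HTTPS access via 30443
      # nodePort: 443
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: traefik
spec:
  controller: traefik.io/ingress-controller
---
# BasicAuth for the dashboard. The credentials are deliberately NOT in this
# file; create the Secret out of band, e.g.:
#   htpasswd -nb <user> '<password>' > users
#   kubectl -n traefik create secret generic traefik-dashboard-auth --from-file=users
# Until the Secret exists the dashboard route is unavailable, which is the
# safe failure mode.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: traefik-dashboard-auth
  namespace: traefik
spec:
  basicAuth:
    secret: traefik-dashboard-auth
---
# Traefik Dashboard IngressRoute - HTTPS only, BasicAuth-protected
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.kevisual.cn`)
      kind: Rule
      middlewares:
        - name: traefik-dashboard-auth
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    certResolver: letsencrypt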