Traefik HTTPS configuration

Copyright notice: this is the author's original article and may not be reproduced without the author's permission. https://blog.csdn.net/lusyoe/article/details/81298231

Introduction

As HTTPS has become the norm, the great majority of websites have moved to it. When we expose services in Kubernetes through Traefik, we can add HTTPS support as well, so that external clients reach the service over HTTPS and the deployment is that much more secure.

Environment

  • kubernetes 1.10.4
  • traefik v1.6

Recommended project for deploying the k8s cluster: https://github.com/gjmzj/kubeasz

Obtaining an HTTPS certificate

An open-source project worth recommending here: https://github.com/Neilpang/acme.sh
The details of requesting a certificate are not covered in this post.

Traefik configuration

Add a traefik.toml file:

defaultEntryPoints = ["http","https"]
[kubernetes]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"

Here tls.crt and tls.key are the certificate and private-key files. Note that the file names must be exactly these: the TLS secret created below is mounted at /ssl, and a secret of type tls always exposes its data under the keys tls.crt and tls.key.

k8s secret configuration

  • Create the secret
    kubectl create secret tls traefik-cert --key tls.key --cert tls.crt -n kube-system

Note: secrets cannot be referenced across namespaces. If the application is deployed in the default namespace, the same secret must also be created in the default namespace; just drop the trailing -n kube-system from the command above.

  • Create the configmap
    kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system

k8s Traefik deployment configuration

Add a traefik-ingress.yaml file:

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: apps/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik:v1.6
        imagePullPolicy: IfNotPresent
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        ports:
        - containerPort: 80
        - containerPort: 443
        args:
        - --web
        - --kubernetes
        - --configfile=/config/traefik.toml
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      # service port of the traefik ingress-controller
      port: 80
      # NODE_PORT_RANGE set in the cluster hosts file defines the usable NodePort range;
      # pick a free port from the default 20000~40000 range to expose the ingress-controller externally
      nodePort: 80
      name: web
    - protocol: TCP
      # Traefik's admin web UI (enabled by --web); with type NodePort this port is also
      # allocated a node port from the range and becomes reachable from outside the cluster
      port: 8080
      name: admin
    - protocol: TCP
      port: 443
      nodePort: 443
      name: https
  type: NodePort

Ingress configuration

When configuring the Ingress, we only need to add a tls attribute to the project's existing definition:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: k8s-example
  annotations:
    kubernetes.io/ingress.class: "traefik"
spec:
  tls:
  - secretName: traefik-cert
  rules:
  - host: k8s-example.luhaoyuan.com
    http:
      paths:
      - backend:
          serviceName: k8s-example
          servicePort: k8s-backend

Complete example code for this project: https://github.com/lusyoe/springboot-k8s-example
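Before running the kubectl create secret tls command from the secret step, it is worth checking that the key and certificate actually belong together, that the certificate covers the Ingress host (k8s-example.luhaoyuan.com above), and that it is not about to expire; a mismatched pair or a wrong hostname only surfaces later as a TLS error in the browser. The following POSIX shell script is an added example, not part of the original post or the springboot-k8s-example project; it assumes openssl is installed and generates a constructed self-signed pair so it can run without real certificate files.

```shell
#!/bin/sh
# Pre-flight checks on tls.crt / tls.key before they become the traefik-cert
# secret: key must match the cert, cert must cover the Ingress host, and it
# must not be about to expire. Added example, not from the post; needs openssl.
set -eu

# Constructed test material: a self-signed cert for the post's Ingress host,
# generated locally so the checks can run without a real certificate.
make_sample_pair() {  # dir host
  cat > "$1/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $2
[v3]
subjectAltName = DNS:$2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/san.cnf" \
    -keyout "$1/tls.key" -out "$1/tls.crt" >/dev/null 2>&1
}

# 0 when the public key in the certificate equals the one derived from the key.
key_matches_cert() {  # cert key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 when the certificate's SAN (or CN fallback) matches the Ingress host.
cert_covers_host() {  # cert host
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q " does match certificate"
}

# 0 when the certificate is still valid for at least seven more days.
cert_not_expiring() {  # cert
  openssl x509 -in "$1" -noout -checkend $((7 * 24 * 3600)) >/dev/null
}

# Run all three checks; on success print the kubectl command from the post.
preflight() {  # cert key host
  key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1" >&2; return 1; }
  cert_covers_host "$1" "$3" || { echo "FAIL: $1 does not cover $3" >&2; return 1; }
  cert_not_expiring "$1" || { echo "FAIL: $1 expires within 7 days" >&2; return 1; }
  echo "ok: kubectl create secret tls traefik-cert --key $2 --cert $1 -n kube-system"
}

dir=$(mktemp -d)
make_sample_pair "$dir" k8s-example.luhaoyuan.com
preflight "$dir/tls.crt" "$dir/tls.key" k8s-example.luhaoyuan.com
```

Point the three arguments of preflight at the real tls.crt, tls.key and Ingress host before creating the secret in either namespace.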
