Set Up Traefik v2 for HA on Kubernetes


Using cert-manager to manage Let’s Encrypt TLS certs and running multiple replicas of Traefik v2.


In my previous post, “Quickstart with Traefik v2 on Kubernetes,” I went over a quick 5-minute end-to-end setup of Traefik, Let’s Encrypt, and Cloudflare to handle HTTPS requests on Kubernetes. While that setup with Traefik CRDs is convenient for automatically creating and renewing certs via IngressRoute definitions, it runs with a single instance of Traefik, meaning that it is not highly available. In other words, Traefik becomes the single point of failure for all ingress traffic to your cluster.


In Traefik v1, there was beta support for clustering / HA mode using a KV store (e.g. Consul, etcd, etc). However, Traefik v2 removed support for storing ACME/Let’s Encrypt certificates in a KV store, citing bugs with the raft consensus algorithm (#4851, #3487, #5047, #3833). The automatic cert management feature moved to TraefikEE, leaving open-source users to either run a non-HA version or implement a custom solution for certificate management.


Traefik documentation recommends using cert-manager as the Certificate Controller and notes limited support for the Ingress Route CRD:


When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot interface directly with the CRDs yet, but this is being worked on by our team. A workaround is to enable the Kubernetes Ingress provider to allow Cert-Manager to create ingress objects to complete the challenges. Please note that this still requires manual intervention to create the certificates through Cert-Manager, but once created, Cert-Manager will keep the certificate renewed.


This post walks through how to get around this limitation and run Traefik v2 in HA mode on Kubernetes. I will be using Cloudflare as my DNS provider and ACME challenge solver, but feel free to use any other Let’s Encrypt supported providers.


All of the code is also available on Github:


Prerequisites

  • Kubernetes Cluster (e.g. GKE)
  • Helm v3
  • DNS provider (e.g. Cloudflare)

Install Traefik

We will deploy Traefik to the traefik namespace:


$ kubectl create namespace traefik

Now let’s deploy Traefik with 3 replicas. You can see the values in traefik/traefik-values.yaml :


Helm Values for Traefik HA Setup
$ helm repo add traefik https://containous.github.io/traefik-helm-chart
$ helm install -n traefik traefik traefik/traefik -f traefik/traefik-values.yaml
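The following is an added example of what such a traefik/traefik-values.yaml looks like for the HA setup described above; it is not the author's gist. It assumes the key names of the containous traefik-helm-chart from the v8/v9 series and the chart's default pod label app.kubernetes.io/name: traefik.

```yaml
# Added example of traefik/traefik-values.yaml (not the author's gist).
deployment:
  replicas: 3            # three Traefik pods behind one LoadBalancer Service

# Spread replicas across nodes so losing one node keeps ingress up
# (soft rule: scheduling still succeeds on a small cluster).
affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          topologyKey: kubernetes.io/hostname
          labelSelector:
            matchLabels:
              app.kubernetes.io/name: traefik

# Keep at least two replicas serving during a rolling upgrade.
rollingUpdate:
  maxUnavailable: 1
  maxSurge: 1

providers:
  kubernetesCRD:
    enabled: true        # IngressRoute / Middleware objects
  kubernetesIngress:
    enabled: true        # the workaround from the Traefik docs quoted above

ports:
  web:
    port: 8000
    expose: true
    exposedPort: 80
  websecure:
    port: 8443
    expose: true
    exposedPort: 443
    tls:
      enabled: true      # terminate TLS here; certs come from cert-manager Secrets

# Deliberately no certificatesResolvers / ACME flags and no persistent volume:
# with three replicas each pod would keep its own acme.json and race for
# challenges, which is exactly the problem cert-manager solves for us.
additionalArguments:
  - "--log.level=DEBUG"  # the debug logs referred to later in the post

service:
  type: LoadBalancer
```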

Wait for the deployments to come up and make note of the Load Balancer IP.


Install Cert-Manager

Cert-manager is an open-source tool to automate the issuance and renewal of TLS certificates:


[Figure: cert-manager architecture diagram, from the cert-manager documentation]

We will install it in the namespace cert-manager:


$ kubectl create namespace cert-manager

Add the Jetstack Helm repo and install CRDs:


$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
$ helm install \
    cert-manager jetstack/cert-manager \
    --namespace cert-manager \
    --version v0.16.0 \
    --set installCRDs=true

Wait for all the cert-manager pods to come up:


$ kubectl get pods -n cert-manager -w

Deploy an Application

For the sake of the demo, we will deploy the whoami app in the default namespace (see under whoami directory for deployment, service, and ingress files). You can replace this with your application or well-known Helm chart (e.g. Grafana, Kibana, etc).


whoami default deployment, service, ingress routes

Replace whoami.example.com with your FQDN and deploy:


$ kubectl apply -f whoami

Create Certificates

In order to issue new certificates, we need to first define an Issuer. In this example, I’ll be using an ACME Issuer with Cloudflare as the solver, pointed at Let’s Encrypt’s staging server. You can also find the other supported configurations (SelfSigned, CA, Vault, Venafi, and External Issuer types) in the documentation.


cert-manager issuer example

Configure the email and solvers sections in certs/issuer.yaml. To use Cloudflare as DNS01 challenge solver, first create a new API token with the following settings:


Permissions:

  • Zone - DNS - Edit
  • Zone - Zone - Read

Zone Resources:

  • Include - All Zones

Store the token in a Kubernetes secret:


$ kubectl create secret generic cloudflare-token --from-literal=dns-token=<my-api-token>

Finally, configure the certificate (modify the commonName, secretName, and dnsNames as needed in certs/whoami-cert.yaml) and deploy:


whoami application example cert
$ kubectl apply -f certs
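As an added example covering both the Issuer and the Certificate above (not the author's gists), here is what certs/issuer.yaml and certs/whoami-cert.yaml can look like with cert-manager v0.16. It assumes the namespace default, the zone example.com, the email admin@example.com, and the cloudflare-token Secret created above; note that a namespaced Issuer only reads Secrets from its own namespace, so the Secret must live there too.

```yaml
# Added example of certs/issuer.yaml and certs/whoami-cert.yaml (not the
# author's gists). cert-manager.io/v1alpha2 is served by v0.16; from 1.0 use v1.
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: default     # must match the namespace of cloudflare-token
spec:
  acme:
    # Staging avoids Let's Encrypt rate limits while testing; switch to
    # https://acme-v02.api.letsencrypt.org/directory for trusted certs.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # ACME account key, generated by cert-manager
    solvers:
      - dns01:
          cloudflare:
            email: admin@example.com
            apiTokenSecretRef:
              name: cloudflare-token   # the Secret created with kubectl above
              key: dns-token
        selector:
          dnsZones:
            - example.com            # scope this solver to the zone the token may edit
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: whoami-cert
  namespace: default
spec:
  secretName: whoami-tls             # the Secret the IngressRoute's tls section references
  commonName: whoami.example.com
  dnsNames:
    - whoami.example.com
  issuerRef:
    name: letsencrypt-staging
    kind: Issuer
```

Because the resulting whoami-tls Secret is a single cluster object, all three Traefik replicas serve the same certificate and cert-manager alone talks to the ACME server on renewal.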

Set Up DNS

Check if the certificate has been generated:


$ kubectl describe certificate whoami-cert

You can also look at Traefik’s debug logs to watch the cert become active.


Finally, point the DNS record to the IP address of the Load Balancer to see a TLS enabled site backed by HA Traefik + cert-manager. Optionally, you can deploy the HTTPS redirect middleware for completeness.

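An added example (not the author's whoami gist) of the IngressRoute that wires Traefik to the cert-manager Secret, together with the optional HTTPS redirect middleware mentioned above. It assumes a Service named whoami on port 80 in the default namespace and the Certificate's secretName of whoami-tls.

```yaml
# Added example: whoami routes for HA Traefik plus the HTTPS redirect.
# Not the author's gist; assumes Service "whoami":80 and Secret "whoami-tls".
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: https-redirect
  namespace: default
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
# Plain HTTP entry point: only job is to send clients to HTTPS.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-http
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`whoami.example.com`)
      kind: Rule
      middlewares:
        - name: https-redirect
      services:
        - name: whoami
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-https
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`whoami.example.com`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  # No certResolver: Traefik reads the cert from the Secret that cert-manager
  # keeps renewed, so no replica holds ACME state of its own.
  tls:
    secretName: whoami-tls
```

If the Secret does not exist yet when this IngressRoute is applied, Traefik falls back to its self-signed default certificate until cert-manager finishes issuance; this is the ordering caveat the post closes with.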

Now we have an HA deployment of Traefik on Kubernetes. The downside of using cert-manager is that the user must now remember to create the cert before deploying the IngressRoute, but achieving HA is more important in production to avoid downtime.


Translated from: https://medium.com/dev-genius/setup-traefik-v2-for-ha-on-kubernetes-20311204fa6f
