Traefik HTTPS configuration


Preface

As HTTPS has become the norm, the vast majority of websites have moved to it. When Traefik is used to expose services in Kubernetes, we can add HTTPS support as well, so that external clients connect over HTTPS and the traffic is protected in transit.

Environment

  • kubernetes 1.10.4
  • traefik v1.6

Recommended project for deploying a k8s cluster:

Obtaining an HTTPS certificate

An open-source project is recommended here: the details of requesting a certificate with it are not covered further.

You can also use a self-signed certificate:

# Private key (2048-bit RSA)
openssl genrsa -out rsa_private_key.pem 2048

# Extract the public key (not needed for the certificate itself; shown for completeness)
openssl rsa -in rsa_private_key.pem -pubout -out rsa_public_key.pem

# Certificate signing request; at the prompts set CN to the Ingress host name
openssl req -new -out ca-req.csr -key rsa_private_key.pem

# Self-sign the request with the same key, valid for 10 years.
# Note: this adds no subjectAltName, so modern browsers and curl will refuse to
# match the host name even after trusting the certificate; add one with -extfile.
openssl x509 -req -in ca-req.csr -out ca-cert.pem -signkey rsa_private_key.pem -days 3650

Traefik configuration

Add the traefik.toml file:

defaultEntryPoints = ["http","https"]
[kubernetes]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/tls.crt"
      keyFile = "/ssl/tls.key"

Here tls.crt is the certificate and tls.key the private key. The file names are not arbitrary: a Secret is mounted as one file per data key, so the data keys in the Secret (tls.crt and tls.key, which is exactly what `kubectl create secret tls` produces) must match certFile and keyFile here. Once the Secret is mounted at /ssl, Traefik reads both files from that path.
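The entry point above accepts whatever TLS versions and cipher suites the Go runtime Traefik v1.6 was built with enables by default, which still includes TLS 1.0 and non-forward-secret suites. The following is an added example, not configuration from the original post: the same traefik.toml with the HTTPS entry point hardened through the minVersion and cipherSuites options Traefik v1 accepts under [entryPoints.https.tls]. Suite names are Go crypto/tls constants; only ECDHE_RSA suites are listed because the certificate produced by the openssl steps above is RSA.

```toml
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"

  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      # Reject TLS 1.0/1.1 handshakes outright
      minVersion = "VersionTLS12"
      # Forward-secret AEAD suites only; names are Go crypto/tls constants.
      # ECDHE_RSA because the certificate generated above is an RSA certificate.
      cipherSuites = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
      ]
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/tls.crt"
      keyFile = "/ssl/tls.key"
```

After the ConfigMap is updated and the pod restarted, `openssl s_client -connect NODE:443 -tls1_1 </dev/null` should fail the handshake while `-tls1_2` succeeds; that confirms the minimum version is enforced rather than just configured.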

Self-signed certificate configuration:

# Create the traefik-cert Secret (a Secret, not a ConfigMap: it holds the private key).
# The data keys are named explicitly so the files mount as /ssl/tls.crt and /ssl/tls.key,
# which is what certFile/keyFile in traefik.toml point at; the bare --from-file form
# would mount them under their original file names and Traefik would not find them.
kubectl create secret generic traefik-cert --from-file=tls.crt=ca-cert.pem --from-file=tls.key=rsa_private_key.pem -n kube-system
# traefik.toml
[root@by-deploy01 ingress]# cat traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/tls.crt"
      keyFile = "/ssl/tls.key"

k8s Secret configuration

  • Create the Secret:
kubectl create secret tls traefik-cert --key tls.key --cert tls.crt -n kube-system

Note: Secrets are namespaced, and Traefik looks up the Secret named in an Ingress's tls section in that Ingress's own namespace. If the application is deployed in the default namespace, create the same Secret in default as well; just drop the trailing -n kube-system from the command above.

  • Create the ConfigMap:
kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
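The self-signed openssl commands and the two Secret commands above share one pitfall: the Secret's data keys become the file names under /ssl, so they must be tls.crt and tls.key. The script below is an added example, not part of the original post. It issues a self-signed certificate that carries a subjectAltName for the Ingress host (the earlier openssl commands set none, which current browsers and curl reject), checks that the certificate and private key belong together, and prints the kubernetes.io/tls Secret manifest that `kubectl create secret tls` would build. It assumes openssl and base64 are installed; the host name k8s-example.luhaoyuan.com is the one used in the Ingress section.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Assumes openssl and base64 are on PATH.
# Issues a self-signed server certificate with a subjectAltName, checks the pair,
# and prints the Secret manifest with the data keys Traefik expects (tls.crt/tls.key).

# gen_selfsigned HOST OUTDIR -> writes OUTDIR/tls.key and OUTDIR/tls.crt
gen_selfsigned() {
  local host="$1" dir="$2" cfg rc
  cfg="$(mktemp)"
  # Extension section: SAN is what browsers and curl match the host name against;
  # CN alone has not been sufficient for years.
  cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
    -config "$cfg" -keyout "$dir/tls.key" -out "$dir/tls.crt" 2>/dev/null
  rc=$?
  rm -f "$cfg"
  return "$rc"
}

# check_pair CRT KEY -> succeeds only if the certificate's public key matches KEY
check_pair() {
  local crt_pub key_pub
  crt_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)"
  key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)"
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_san CRT -> prints the subjectAltName entries, e.g. "DNS:k8s-example.luhaoyuan.com"
cert_san() {
  openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# secret_manifest NAME NAMESPACE OUTDIR -> the YAML that
#   kubectl create secret tls NAME --cert tls.crt --key tls.key -n NAMESPACE
# would create; the data keys become the file names under the volume mount.
secret_manifest() {
  local name="$1" ns="$2" dir="$3"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/tls
data:
  tls.crt: $(base64 <"$dir/tls.crt" | tr -d '\n')
  tls.key: $(base64 <"$dir/tls.key" | tr -d '\n')
EOF
}

# Usage (run by hand; apply the manifest in every namespace that holds an Ingress
# referencing the Secret):
#   mkdir -p certs && gen_selfsigned k8s-example.luhaoyuan.com certs
#   check_pair certs/tls.crt certs/tls.key && cert_san certs/tls.crt
#   secret_manifest traefik-cert kube-system certs | kubectl apply -f -
```

The manifest route is preferred over `kubectl create secret generic` with bare --from-file arguments precisely because the data keys are spelled out: whatever the files were called on disk, the pod sees /ssl/tls.crt and /ssl/tls.key, which is what traefik.toml references.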

k8s Traefik deployment configuration

Add the traefik-ingress.yaml file:

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: apps/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik:v1.6
        imagePullPolicy: IfNotPresent
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        ports:
        - containerPort: 80
        - containerPort: 443
        args:
        - --web
        - --kubernetes
        - --configfile=/config/traefik.toml
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      # Traefik's HTTP entry point
      port: 80
      # A nodePort must lie inside the apiserver's --service-node-port-range
      # (NODE_PORT_RANGE in the cluster hosts file, 20000~40000 by default in that
      # deployment project); 80 and 443 only work if that range was widened to
      # include them, otherwise pick free ports inside the range
      nodePort: 80
      name: web
    - protocol: TCP
      # Traefik's admin web UI (enabled by --web); it has no authentication unless
      # configured, so do not expose it on a NodePort outside a trusted network
      port: 8080
      name: admin
    - protocol: TCP
      port: 443
      nodePort: 443
      name: https
  type: NodePort

Ingress configuration

When configuring the Ingress, add a tls section to the project's existing Ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: k8s-example
  annotations:
    kubernetes.io/ingress.class: "traefik"
spec:
  tls:
  # looked up in this Ingress's namespace, so the Secret must exist there
  - secretName: traefik-cert
  rules:
  - host: k8s-example.luhaoyuan.com
    http:
      paths:
      - backend:
          serviceName: k8s-example
          servicePort: k8s-backend

Complete example code for this project:


Article compiled by 极客之音; original link: https://www.bmabk.com/index.php/post/2002.html

Author: 小半
