从安
2019-06-25
Abstract: This article explains the [Cloud Computing] Traefik HTTPS configuration; we hope readers gain something from it and deepen their understanding of the related content.

1.1 TLS
# For "traefik", the "cert" must be named "tls.crt" and the "key" must be named "tls.key"; the "traefik-ingress-controller-xxxxx" pod reads these names by default
# "-subj" is optional
mkdir -p ~/addon/traefik/pki
cd ~/addon/traefik/pki
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=netonline.com"

# The "traefik" application is deployed in "kube-system" by default; create the "secret" resource in that "namespace"
kubectl create secret generic traefik-cert --from-file=/root/addon/traefik/pki/tls.crt --from-file=/root/addon/traefik/pki/tls.key -n kube-system
1.2 ConfigMap
# The following configuration is for an all-"https" setup: "http" access is redirected to "https"
# The file name "traefik.toml" must match the one given in the startup arguments of the "traefik-ingress-controller-xxxxx" pod
# "insecureSkipVerify = true" tells "traefik" to ignore TLS certificate verification errors when talking to "https" backends, so an "https" backend can be exposed through "traefik" just like an http backend, e.g. the kubernetes dashboard
# Changing "insecureSkipVerify = true" only takes effect after the pod is restarted
cat ~/addon/traefik/traefik.toml
insecureSkipVerify = true
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      # default path, do not modify
      certFile = "/ssl/tls.crt"
      keyFile = "/ssl/tls.key"

# Create the "configmap" resource
kubectl create configmap traefik-conf --from-file=/root/addon/traefik/traefik.toml -n kube-system
1.3 Edit traefik-ds.yaml
# Mount the "secret" and "configmap" resources
# Add the "https" service port
# Add the "traefik-ingress-controller-xxxxx" pod startup arguments
cat ~/addon/traefik/traefik-ds.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      # Mount the "secret" and "configmap" resources
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik:v1.7.12
        name: traefik-ingress-lb
        # Set the mount points
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        # Add the application ports
        - name: https
          containerPort: 443
          hostPort: 443
        - name: admin
          containerPort: 8080
          hostPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        # Add the startup argument "--configfile=/config/traefik.toml"; the path and file name must match the "configmap" mount
        - --configfile=/config/traefik.toml
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - protocol: TCP
    port: 80
    name: web
  # Add the service ports
  - protocol: TCP
    port: 443
    name: https
  - protocol: TCP
    port: 8080
    name: admin

# Create the "traefik" application
kubectl apply -f /root/addon/traefik/traefik-ds.yaml
2.1 Ingress without TLS
# With "traefik" already configured to redirect everything to https, the "ingress" resource can simply omit the "tls" attribute
cat ~/addon/traefik/ui.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  rules:
  - host: traefik.netonline.com
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web
2.2 Ingress with TLS
# If the application to be proxied is not in "kube-system", create the corresponding "secret" in that "namespace" so the "tls:secretName" attribute can find and read it
kubectl create secret generic traefik-cert --from-file=/root/addon/traefik/pki/tls.crt --from-file=/root/addon/traefik/pki/tls.key -n default

# Example "ingress" resource carrying the "tls:secretName" attribute
cat ~/addon/traefik/ui.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  tls:
  - secretName: traefik-cert
  rules:
  - host: traefik.netonline.com
    http:
      paths:
      - backend:
          serviceName: traefik-web-ui
          servicePort: 80
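The setup above silently breaks in three places if the pieces drift apart: the Secret keys must be exactly tls.crt and tls.key (section 1.1), the --configfile path in the DaemonSet must land on a file the ConfigMap volume really provides (sections 1.2 and 1.3), and an Ingress's tls.secretName is resolved only in the Ingress's own namespace (section 2.2); the same traefik.toml also carries insecureSkipVerify = true, which turns off certificate verification toward backends. The following Python script is an added example, not code from the original article or from the Traefik project: it encodes these checks and runs them offline against constructed dict mirrors of the page's manifests. The "app-ui" Ingress in the "default" namespace, the function names and the placeholder data values are assumptions added for illustration.

```python
"""Offline consistency checks for the Traefik HTTPS setup (added example).

The manifests are constructed Python-dict mirrors of the page's Secret,
ConfigMap, DaemonSet and Ingress, not objects read from a cluster.
"""
import re

# Constructed mirror of `kubectl create secret generic traefik-cert ... -n kube-system`.
SECRET_KUBE_SYSTEM = {
    "metadata": {"name": "traefik-cert", "namespace": "kube-system"},
    "data": {"tls.crt": "PLACEHOLDER", "tls.key": "PLACEHOLDER"},
}
# Constructed mirror of the ConfigMap holding traefik.toml (first lines only).
CONFIGMAP = {
    "metadata": {"name": "traefik-conf", "namespace": "kube-system"},
    "data": {"traefik.toml": 'insecureSkipVerify = true\ndefaultEntryPoints = ["http","https"]\n'},
}
# Constructed mirror of the parts of traefik-ds.yaml the checks look at.
DAEMONSET = {
    "metadata": {"name": "traefik-ingress-controller", "namespace": "kube-system"},
    "spec": {"template": {"spec": {
        "volumes": [
            {"name": "ssl", "secret": {"secretName": "traefik-cert"}},
            {"name": "config", "configMap": {"name": "traefik-conf"}},
        ],
        "containers": [{
            "name": "traefik-ingress-lb",
            "volumeMounts": [{"mountPath": "/ssl", "name": "ssl"},
                             {"mountPath": "/config", "name": "config"}],
            "args": ["--configfile=/config/traefik.toml", "--api", "--kubernetes"],
        }],
    }}},
}
# Constructed mirror of the TLS Ingress from section 2.2.
INGRESS_KUBE_SYSTEM = {
    "metadata": {"name": "traefik-web-ui", "namespace": "kube-system"},
    "spec": {"tls": [{"secretName": "traefik-cert"}]},
}
# Assumed Ingress for an application outside kube-system, the case section 2.2 warns about.
INGRESS_DEFAULT = {
    "metadata": {"name": "app-ui", "namespace": "default"},
    "spec": {"tls": [{"secretName": "traefik-cert"}]},
}


def _ref(obj):
    return f"{obj['metadata']['namespace']}/{obj['metadata']['name']}"


def check_tls_secret(secret):
    """The /ssl mount expects exactly the key names tls.crt and tls.key (section 1.1)."""
    data = secret.get("data", {})
    return [f"secret {_ref(secret)}: missing key {k!r}" for k in ("tls.crt", "tls.key") if k not in data]


def check_configfile(daemonset, configmap):
    """--configfile must name a file the ConfigMap volume really provides (sections 1.2 and 1.3)."""
    findings = []
    pod_spec = daemonset["spec"]["template"]["spec"]
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    for container in pod_spec["containers"]:
        arg = next((a for a in container.get("args", []) if a.startswith("--configfile=")), None)
        if arg is None:
            findings.append(f"container {container['name']}: no --configfile argument")
            continue
        directory, _, filename = arg.split("=", 1)[1].rpartition("/")
        # Resolve the directory part of the path to whatever volume is mounted there.
        mounted = {m["mountPath"]: volumes.get(m["name"], {}) for m in container.get("volumeMounts", [])}
        source = mounted.get(directory, {}).get("configMap", {}).get("name")
        if source != configmap["metadata"]["name"]:
            findings.append(f"container {container['name']}: {directory} is not a mount of configmap {configmap['metadata']['name']}")
        elif filename not in configmap.get("data", {}):
            findings.append(f"container {container['name']}: configmap {configmap['metadata']['name']} has no file {filename!r}")
    return findings


_SKIP_VERIFY = re.compile(r"^\s*insecureSkipVerify\s*=\s*true\s*$", re.MULTILINE)


def check_insecure_skip_verify(configmap):
    """Report the setting that makes Traefik accept any backend certificate (section 1.2)."""
    return [f"configmap {_ref(configmap)} {name}: insecureSkipVerify = true disables backend certificate verification"
            for name, content in configmap.get("data", {}).items() if _SKIP_VERIFY.search(content)]


def check_ingress_tls(ingress, secrets):
    """tls.secretName is looked up in the Ingress's own namespace, so the Secret must exist there (section 2.2)."""
    ns = ingress["metadata"]["namespace"]
    available = {(s["metadata"]["namespace"], s["metadata"]["name"]) for s in secrets}
    return [f"ingress {_ref(ingress)}: secret {t['secretName']!r} not found in namespace {ns!r}"
            for t in ingress["spec"].get("tls", []) if (ns, t["secretName"]) not in available]


def audit(secrets, configmap, daemonset, ingresses):
    """Run every check; an empty list means the manifests are consistent."""
    findings = []
    for secret in secrets:
        findings += check_tls_secret(secret)
    findings += check_configfile(daemonset, configmap)
    findings += check_insecure_skip_verify(configmap)
    for ingress in ingresses:
        findings += check_ingress_tls(ingress, secrets)
    return findings


if __name__ == "__main__":
    for line in audit([SECRET_KUBE_SYSTEM], CONFIGMAP, DAEMONSET, [INGRESS_KUBE_SYSTEM, INGRESS_DEFAULT]):
        print(line)
```

Run as-is, the page's own manifests produce exactly one finding (the insecureSkipVerify warning) plus the missing-Secret finding for the "default" namespace Ingress; after the `kubectl create secret ... -n default` step from section 2.2 is mirrored by adding a second Secret object, the namespace finding disappears. The checks work on plain dicts so the same functions can be fed the output of `kubectl get ... -o json` after parsing.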
This article was compiled and published by Zhizuobiao; to learn more related content, follow the Zhizuobiao IT knowledge base!