碼上快樂

相關內容    簡體    繁體

Traefik的TLS配置

本文轉載自   查看原文   2018-04-16 15:59   2409    kubernetes/ Docker

 

 

  

生產環境的部署大多采用F5+ Traefik這種方式,因為Traefik的SSL方式相對來說比較慢,因此SSL更多的在F5上開放,而F5到Traefik之間以及后端都是http方式。

但客戶需要在開發和測試環境直接用SSL,因此需要配置。

 

遇到一些小坑,記錄一下理解

  •  先生成一個secret,記住別搞個一年就過期的啊。
openssl req \
        -newkey rsa:2048 -nodes -keyout tls.key \
        -x509 -days 3650 -out tls.crt

 

  • 創建secret
kubectl create secret generic traefik-cert \
        --from-file=tls.crt \
        --from-file=tls.key -n kube-system

  

  • 創建configmap,此處有坑,/ssl/tls.crt等路徑不是我們本地的路徑,而是在容器內路徑,所以不要去修改!
# traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"

如果需要同時打開80和443,需要如下配置文件

# traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"

 

建立起來

kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system

  

  • traefik.yaml文件

隨便找了段貼上去啊,看詳細日志打開

logLevel=DEBUG
apiVersion: v1
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 2
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      terminationGracePeriodSeconds: 60
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      hostNetwork: true
      containers:
      - image: registry.yourcompany.com/traefik:v1.1.1
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        resources:
          limits:
            cpu: 200m
            memory: 30Mi
          requests:
            cpu: 100m
            memory: 20Mi
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
        - name: admin
          containerPort: 9002
        args:
        - --configfile=/config/traefik.toml
        - --web
        - --kubernetes
        - --logLevel=DEBUG

  此處的坑是/config/traefik.toml是容器內地址,不是宿主機的路徑,不要手賤去修改!

 

  • 測試

可以在瀏覽器上直接測試,也可以用命令行。

curl -k https://...

 

 


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 K8S配置traefik ingressroutes支持TLS k8s traefik ingress tls Traefik HTTPS 配置 traefik Ingress https配置 traefik配置https k8s-Ingress tls和path的使用-traefik(1.7.20) kubernetes Traefik ingress配置詳解 kubernetes ingress(三): traefik: 多域名及證書配置 mosquitto ---配置SSL/TLS ETCD TLS 配置的坑
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM