證書准備
- 自己制作
這個不贅述了,網上一大把 - 購買的ssl證書
這里使用的是購買的ssl證書
問題糾正
- 有些說法是traefik證書名字必須是tls(比如: tls.pem, tls.key),這是錯誤的說法,下面就以非tls名字命名的證書來實現traefik ssl證書的添加
- traefik中ssl和config掛載路徑問題
在traefik-deployment.yaml中我們知道需要掛載配置文件目錄和證書目錄,有說法是不能修改默認的路徑,這種說法是不對的,下面就以非默認路徑來進行掛載
配置文件說明
- traefik.toml
logLevel = "INFO"
insecuresSkipVerify = true
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/files/k8s-files/kubernetes/ssl/card/cr.xxxxxx.cn.pem" # 1
keyFile = "/files/k8s-files/kubernetes/ssl/card/cr.xxxxxx.cn.key"
[[entryPoints.https.tls.certificates]]
certFile = "/files/k8s-files/kubernetes/ssl/smart/smart.xxxxx.cn.pem" # 2
keyFile = "/files/k8s-files/kubernetes/ssl/smart/smart.xxxxx.cn.key"
[respondingTimeouts]
readTimeout = "30s"
writeTimeout = "30s"
idleTimeout = "360s"
備注: 上面的1 和 2 兩處都是將不同的證書放置於不同的目錄(card和smart)下的,這個是k8s比較坑的一點,因為這個證書是需要掛載進traefik容器內部的,如果都將證書放到ssl這一個目錄下面而不是ssl下面單獨的子目錄下面,那么將會覆蓋之前的證書,也就是說只有一個證書是可用的。所以這個是這次添加多證書最大的坑。
- traefik-deployment.yaml
這里就只貼上volume和volumeMounts兩部分了
containers:
- image: traefik:latest
imagePullPolicy: IfNotPresent
name: traefik-ingress-lb
volumeMounts:
- name: "ssl-cr"
mountPath: "/files/k8s-files/kubernetes/ssl/card"
- name: "ssl-smart"
mountPath: "/files/k8s-files/kubernetes/ssl/smart"
- name: "config"
mountPath: "/files/k8s-files/kubernetes/cfg"
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
- name: admin
containerPort: 8080
- name: zhuanfa
containerPort: 5053
args:
- --api
- --kubernetes
- --logLevel=INFO
- --configfile=/files/k8s-files/kubernetes/cfg/traefik.toml
volumes:
- name: ssl-cr
secret:
secretName: traefik-cert-cr
- name: ssl-smart
secret:
secretName: traefik-cert-smart
- name: config
configMap:
name: traefik-conf
證書生成
以smart.xxxxx.cn為例
cd /files/k8s-files/kubernetes/ssl
kubectl create secret generic traefik-cert-smart --from-file=./smart/smart.xxxxx.cn.pem --from-file=./smart/smart.xxxxx.cn.key -n kube-system
查看traefik-cert-smart這個secret
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
smart.xxxxx.cn.key: base64encode #可以看到這里的名字記錄的和我們--from-file指定的名字相同
smart.xxxxx.cn.pem: base64encode
kind: Secret
metadata:
creationTimestamp: "2019-04-21T05:08:16Z"
name: traefik-cert-smart
namespace: kube-system
resourceVersion: "2182167"
selfLink: /api/v1/namespaces/kube-system/secrets/traefik-cert-smart
uid: 789b5e66-63f3-11e9-9d89-00163e03c41e
type: Opaque
重建配置文件,重啟traefik
cd /files/k8s-files/kubernetes/cfg
kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
新建一個應用進行測試
- nginx-test-tls.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: nginxtls
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: Reconcile
spec:
template:
metadata:
labels:
app: nginxtls
spec:
containers:
- name: nginxtls
image: nginx:1.12.2
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: nginxtls
labels:
app: nginxtls
namespace: kube-system
spec:
selector:
app: nginxtls
ports:
- name: http
port: 80
targetPort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: nginxtls
namespace: kube-system
annotations:
kubernetes.io/ingress.class: traefik
traefik.frontend.rule.type: PathPrefixStrip
spec:
#tls: 注意這里的tls就不要添加了
#- secretName: traefik-cert-smart
rules:
- host: smart.xxxxx.cn
http:
paths:
- path: /
backend:
serviceName: nginxtls
servicePort: 80
kubectl create -f nginx-test-tls.yaml
訪問測試
ok,traefik添加多證書到此結束啦!希望能夠幫助到你!