Configuring Traefik IngressRoutes with TLS on Kubernetes


Final result

The IngressRoute part of the Traefik documentation is very confusing on first read.

https://docs.traefik.io/https/tls/#certificates-stores

In Traefik, certificates are grouped together in certificates stores.

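Any store definition other than the default one (named default) will be ignored, and there is therefore only one globally available TLS store.

These two statements cost me two full days.

I had assumed all along that Traefik's TLS model was:

ingressroutes --references--> tlsstore --references--> [k8s tls secret]

In fact, within an IngressRoute, as far as I know, both service and tls can directly reference standard Kubernetes resources.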

  • service
  • tls

Suppose we have the following resources:

  • k8s tls secret
  • k8s service
    • k8s deployment

We need to provide HTTPS access for the following domains:

apiVersion: v1
data:
  tls.crt: .....
  tls.key: .....
kind: Secret
metadata:
  name: tls-abc.com
  namespace: default
type: kubernetes.io/tls

---

apiVersion: v1
data:
  tls.crt: .....
  tls.key: .....
kind: Secret
metadata:
  name: tls-def.com
  namespace: default
type: kubernetes.io/tls

deployment and service

apiVersion: v1
kind: Service
metadata:
  name: whoami
  labels:
    app: whoami
spec:
  ports:
  - port: 80
    targetPort: 80
  selector:
    app: whoami

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
spec:
  selector:
    matchLabels:
      app: whoami
  replicas: 1
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
      - name: whoami
        image: containous/whoami
        ports:
        - containerPort: 80

IngressRoutes www.abc.com

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ir-www.abc.com-https  ## HTTPS gets its own definition, deployed separately from HTTP
  namespace: default

spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`www.abc.com`) && PathPrefix(`/`)
      services:
        - kind: Service
          name: whoami
          port: 80
  tls:
    secretName: tls-abc.com  ## references the k8s Secret here
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ir-www.abc.com-http ## HTTP gets its own definition, deployed separately from HTTPS
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`www.abc.com`) && PathPrefix(`/`)
      services:
        - kind: Service
          name: whoami
          port: 80

IngressRoutes www.def.com

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ir-www.def.com-https  ## HTTPS gets its own definition, deployed separately from HTTP
  namespace: default

spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`www.def.com`) && PathPrefix(`/api`)
      services:
        - kind: Service
          name: whoami
          port: 80
  tls:
    secretName: tls-def.com  ## references the k8s Secret here
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ir-www.def.com-http ## HTTP gets its own definition, deployed separately from HTTPS
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`www.def.com`) && PathPrefix(`/api`)
      services:
        - kind: Service
          name: whoami
          port: 80
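
The model described above (an IngressRoute's spec-level tls.secretName pointing straight at a kubernetes.io/tls Secret in the IngressRoute's own namespace, with no TLSStore in between) can be checked before manifests are applied. The Python below is an added example, not code from the original post or from Traefik; the function name lint_tls_refs and the SAMPLE objects are hypothetical, and the input is assumed to be manifests already converted to JSON.

```python
import json

# Constructed sample, trimmed to the fields the check reads; names mirror the manifests above.
SAMPLE = json.loads("""
[
 {"kind": "Secret", "type": "kubernetes.io/tls",
  "metadata": {"name": "tls-abc.com", "namespace": "default"},
  "data": {"tls.crt": "placeholder", "tls.key": "placeholder"}},
 {"kind": "IngressRoute",
  "metadata": {"name": "ir-www.abc.com-https", "namespace": "default"},
  "spec": {"entryPoints": ["websecure"],
           "routes": [{"kind": "Rule", "match": "Host(`www.abc.com`)"}],
           "tls": {"secretName": "tls-abc.com"}}},
 {"kind": "IngressRoute",
  "metadata": {"name": "ir-www.def.com-https", "namespace": "default"},
  "spec": {"entryPoints": ["websecure"],
           "routes": [{"kind": "Rule", "match": "Host(`www.def.com`)", "tls": {}}],
           "tls": {"secretName": "tls-def.com"}}}
]
""")

def lint_tls_refs(objects):
    """Return (ingressroute, problem) pairs for spec.tls.secretName references."""
    secrets = {(o["metadata"].get("namespace", "default"), o["metadata"]["name"]): o
               for o in objects if o.get("kind") == "Secret"}
    findings = []
    for o in (x for x in objects if x.get("kind") == "IngressRoute"):
        name, ns = o["metadata"]["name"], o["metadata"].get("namespace", "default")
        spec = o.get("spec", {})
        # tls belongs at spec level; the route entry schema has no tls field.
        if any("tls" in r for r in spec.get("routes", [])):
            findings.append((name, "tls set inside a route entry"))
        ref = (spec.get("tls") or {}).get("secretName")
        if ref is None:
            continue  # plain-HTTP route, or TLS without an explicit certificate
        secret = secrets.get((ns, ref))  # resolved in the IngressRoute's own namespace
        if secret is None:
            findings.append((name, f"secret {ns}/{ref} not found"))
        elif secret.get("type") != "kubernetes.io/tls":
            findings.append((name, f"secret {ns}/{ref} is not kubernetes.io/tls"))
        elif not {"tls.crt", "tls.key"} <= set(secret.get("data", {})):
            findings.append((name, f"secret {ns}/{ref} lacks tls.crt or tls.key"))
    return findings

if __name__ == "__main__":
    for route, problem in lint_tls_refs(SAMPLE):
        print(f"{route}: {problem}")
```

A secretName that does not resolve matters because Traefik then falls back to its default certificate for that host, which clients will not trust.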

