traefik配置https

traefik https使用

        之前已經使用traefik服務作為入口，測試並訪問了tomcat應用，之前是通過http來訪問的，而我們在yaml文件里面也添加8443端口用於https訪問，在實際環境中我們也是需要
https來進行訪問應用，通過traefik實現https，traefik http應用

操作實踐

        這里我用了公司的證書，就是為了貼近真實，也滿足測試需求，創建一個secret，保存https證書，如果沒有證書，可以使用以下方式進行生成證書

簽證書

        沒有證書可以使用命令生產證書

1 2	# mkdir certs # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout xxlaila.cn.key -out xxlaila.cn.crt -subj "/CN=*.xxlaila.cn"

部署准備

traefik.toml

• http 和https共同存在

  1 2 3 4 5 6 7 8 9 10 11

  defaultEntryPoints = ["http","https"] [entryPoints] [entryPoints.http] address = ":80" entryPoint = "https" [entryPoints.https] address = ":443" [entryPoints.https.tls] [[entryPoints.https.tls.certificates]] certFile = "/certs/xxlaila.cn.crt" keyFile = "/certs/xxlaila.cn.key"

• 所有http請求全部rewrite為https的規則

  1 2 3 4 5 6 7 8 9 10 11 12

  defaultEntryPoints = ["http","https"] [entryPoints] [entryPoints.http] address = ":80" [entryPoints.http.redirect] entryPoint = "https" [entryPoints.https] address = ":443" [entryPoints.https.tls] [[entryPoints.https.tls.certificates]] certFile = "/certs/xxlaila.cn.crt" keyFile = "/certs/xxlaila.cn.key"

• 部分域名強制跳轉https

  1 2 3 4 5 6 7 8 9 10 11 12 13

  defaultEntryPoints = ["http","https"] [entryPoints] [entryPoints.http] address = ":80" [entryPoints.http.redirect] regex = "^http://traefix.xxlaila.cn/(.*)" replacement = "https://traefix.xxlaila.cn/$1" [entryPoints.https] address = ":443" [entryPoints.https.tls] [[entryPoints.https.tls.certificates]] certFile = "/certs/xxlaila.cn.crt" keyFile = "/certs/xxlaila.cn.key"

創建證書secret

1 2 3 4 5 6

# kubectl create secret generic traefik-cert --from-file=certs/xxlaila.cn.crt --from-file=certs/xxlaila.cn.key --from-file=certs/dev.xxlaila.cn.crt --from-file=certs/dev.xxlaila.cn.key --from-file=certs/test.xxlaila.cn.crt --from-file=certs/test.xxlaila.cn.key -n kube-system secret/traefik-cert created # kubectl get secret traefik-cert -n kube-system NAME TYPE DATA AGE traefik-cert Opaque 2 26s

• traefik-cert.yaml

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

  證書base64加密 # cat dev.xxlaila.cn.crt |base64 |tr -d '\n' # cat > traefik-cert.yaml<<EOF --- kind: Secert apiVersion: v1 metadata: name: traefik-cert namespace: kube-system data: "dev.xxlaila.cn.crt": "dev.xxlaila.cn.key": "test.xxlaila.cn.crt" "test.xxlaila.cn.key": "xxlaila.cn.crt": "xxlaila.cn.key": type: - Opaque EOF

創建configmap保存traefix的配置

• traefik.toml

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38

  # cat > traefik.toml<<EOF defaultEntryPoints = ["http","https"] [entryPoints] [entryPoints.http] address = ":80" compress = true [entryPoints.http.whitelist] sourceRange = ["172.21.0.0/16", "172.16.0.0/16"] useXForwardedFor = true [entryPoints.http.redirect] entryPoint = "https" [entryPoints.https] address = ":443" [entryPoints.https.tls] [[entryPoints.https.tls.certificates]] certFile = "/opt/traefix/certs/xxlaila.cn.crt" keyFile = "/opt/traefix/certs/xxlaila.cn.key" [[entryPoints.https.tls.certificates]] certFile = "/opt/traefix/certs/dev.xxlaila.cn.crt" keyFile = "/opt/traefix/certs/dev.xxlaila.cn.key" [[entryPoints.https.tls.certificates]] certFile = "/opt/traefix/certs/test.xxlaila.cn.crt" keyFile = "/opt/traefix/certs/test.xxlaila.cn.key" # rules filename = "/opt/traefix/conf/rules.toml" watch = true EOF # kubectl create configmap traefik-conf --from-file=conf/traefik.toml -n kube-system configmap/traefik-conf created # kubectl get configmap traefik-conf -n kube-system NAME DATA AGE traefik-conf 1 25s

重新部署Traefix

        重新部署Traefix主要是要關聯創建的secret和configMap，並掛載相對應的主機目錄。

deployment 方式部署

        修改片段

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81

# vim traefik-deployment.yaml --- kind: Deployment apiVersion: extensions/v1beta1 metadata: name: traefik-ingress-controller namespace: kube-system labels: k8s-app: traefik-ingress-lb spec: replicas: 1 selector: matchLabels: k8s-app: traefik-ingress-lb template: metadata: labels: k8s-app: traefik-ingress-lb name: traefik-ingress-lb spec: serviceAccountName: traefik-ingress-controller terminationGracePeriodSeconds: 60 hostNetwork: true dnsPolicy: ClusterFirstWithHostNet volumes: - name: ssl secret: secretName: traefik-cert - name: config configMap: name: traefik-conf defaultMode: 0644 items: - key: traefik.toml path: traefik.toml containers: - image: traefik:v1.7 name: traefik-ingress-lb imagePullPolicy: IfNotPresent volumeMounts: - mountPath: "/certs" name: "ssl" - mountPath: "/etc/traefik.toml" subPath: "traefik.toml" name: "config" ports: - name: http containerPort: 80 - name: admin containerPort: 8080 securityContext: capabilities: drop: - ALL add: - NET_BIND_SERVICE args: - --api - --web - --api.dashboard - --web.metrics - --metrics.prometheus - --web.metrics.prometheus - --kubernetes - --logLevel=INFO - --traefiklog - --traefiklog.format=json - --accesslog - --accesslog.format=json - --accessLog.fields.headers.defaultMode=redact - --insecureskipverify=true - --configFile=/etc/traefik.toml - --defaultentrypoints=http,https - --entrypoints=Name:https Address::443 TLS - --entrypoints=Name:http Address::80 nodeSelector: IngressProxy: "true" tolerations: - effect: NoSchedule key: node-role.kubernetes.io/ingress operator: Equal

• 執行創建

  1	# kubectl apply -f traefik-deployment.yaml

測試ui

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36

# cat >ui.yaml<<EOF --- apiVersion: v1 kind: Service metadata: name: traefik-web-ui namespace: kube-system spec: selector: k8s-app: traefik-ingress-lb ports: - name: web port: 80 targetPort: 8080 --- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: traefik-web-ui namespace: kube-system annotations: kubernetes.io/ingress.class: traefik #traefik.ingress.kubernetes.io/frontend-entry-points: http,https #traefik.ingress.kubernetes.io/redirect-entry-point: https spec: #tls: # - secretName: traefik-cert rules: - host: traefik.xxlaila.cn http: paths: - path: / backend: serviceName: traefik-web-ui servicePort: web EOF

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36

# cat >ui-test.yaml <<EOF --- apiVersion: v1 kind: Service metadata: name: traefik-web-ui-test namespace: kube-system spec: selector: k8s-app: traefik-ingress-lb ports: - name: web port: 80 targetPort: 8080 --- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: traefik-web-ui-test namespace: kube-system annotations: kubernetes.io/ingress.class: traefik traefik.ingress.kubernetes.io/frontend-entry-points: http,https traefik.ingress.kubernetes.io/redirect-entry-point: https spec: #tls: # - secretName: traefik-cert rules: - host: traefik.test.xxlaila.cn http: paths: - path: / backend: serviceName: traefik-web-ui servicePort: web EOF

注:
tls: traefikm默認加載的證書是tls開頭的crt、key證書。如果只有一個證書，可以這么設置。多個域名證書需要設定不同的secret名稱，在tls引用的時候根據不同的域名指定不同secret名稱
redirect-entry-point: 該域名強制跳轉https

traefik 代理外部服務

        traefix對外部應用提供服務，這里以公司的一個應用app和harbor為列，

java app

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58

# cat > java-app.yaml apiVersion: v1 kind: Service metadata: labels: k8s-app: app-biz name: app-biz namespace: default annotations: kubernetes.io/ingress.class: traefik traefik.ingress.kubernetes.io/affinity: "true" traefik.ingress.kubernetes.io/load-balancer-method: drr spec: clusterIP: None ports: - name: http port: 8030 protocol: TCP targetPort: 8030 sessionAffinity: None type: ClusterIP --- apiVersion: v1 kind: Endpoints metadata: labels: k8s-app: app-biz name: app-biz namespace: default subsets: - addresses: - ip: 172.22.1.1 - ip: 172.22.1.2 ports: - name: http port: 8030 protocol: TCP --- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: app-biz namespace: default annotations: kubernetes.io/ingress.class: traefik traefik.frontend.rule.type: PathPrefixStrip traefik.ingress.kubernetes.io/frontend-entry-points: http,https traefik.ingress.kubernetes.io/redirect-entry-point: https spec: rules: - host: app-biz.test.xxlaila.cn http: paths: - path: / backend: serviceName: app-biz servicePort: 8030 EOF

harbor

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57

# cat >harbor.yaml<<EOF apiVersion: v1 kind: Service metadata: labels: k8s-app: harbor name: harbor namespace: default annotations: kubernetes.io/ingress.class: traefik traefik.ingress.kubernetes.io/affinity: "true" #traefik.ingress.kubernetes.io/load-balancer-method: drr spec: clusterIP: None ports: - name: http port: 80 protocol: TCP targetPort: 80 sessionAffinity: None type: ClusterIP --- apiVersion: v1 kind: Endpoints metadata: labels: k8s-app: harbor name: harbor namespace: default subsets: - addresses: - ip: 172.21.16.90 ports: - name: http port: 80 protocol: TCP --- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: harbor namespace: default annotations: kubernetes.io/ingress.class: traefik traefik.frontend.rule.type: PathPrefixStrip traefik.ingress.kubernetes.io/frontend-entry-points: http,https traefik.ingress.kubernetes.io/redirect-entry-point: https spec: rules: - host: harbor.xxlaila.cn http: paths: - path: / backend: serviceName: harbor servicePort: 80 EOF

curl驗證證書：curl --resolve 'xxx.xxx.xxx:127.0.0.1' https://xxx.xxx.xxx/ -vvv