Configuring HTTPS for Traefik
1. Obtaining an HTTPS certificate
If a trusted HTTPS certificate has already been provided, it can be used directly; otherwise one has to be generated manually:
```shell
mkdir /etc/kubernetes/ssl
cd /etc/kubernetes/ssl/
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=47.94.215.234"
```
Parameter description:
- -days: number of days the certificate remains valid
- -subj "/CN=47.94.215.234": the name the HTTPS certificate is issued for; a domain name or an IP address can be given here. Since no domain name was available, the public IP was used to create the certificate.
2. Creating the Secret
```shell
# create
kubectl create secret generic ssl --from-file=tls.crt --from-file=tls.key -n kube-system
# update
kubectl -n kube-system create secret tls tls-rancher-ingress --cert=./tls.crt --key=./tls.key --dry-run -o yaml | kubectl apply -f -
```
3. Traefik with HTTPS support
3.1 traefik-configmap.yaml
```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-conf
  namespace: kube-system
data:
  traefik.toml: |
    insecureSkipVerify = true
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"
```
3.2 traefik-rbac.yaml
```yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
```
3.3 traefik-deployment.yaml
```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
        - image: traefik:v1.7
          name: traefik-ingress-lb
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
            - name: admin
              containerPort: 8080
          args:
            - -d
            - --api
            - --kubernetes
            - --logLevel=INFO
            - --configfile=/config/traefik.toml
          volumeMounts:
            - mountPath: "/ssl"
              name: "ssl"
            - mountPath: "/config"
              name: "config"
      volumes:
        - name: ssl
          secret:
            secretName: ssl
        - name: config
          configMap:
            name: traefik-conf
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: "Equal"
          value: ""
          effect: NoSchedule
      nodeSelector:
        node-role.kubernetes.io/master: ""
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
      nodePort: 31006
    - protocol: TCP
      port: 8080
      name: admin
    - protocol: TCP
      port: 443
      name: https
      nodePort: 30443
  type: NodePort
```
3.4 traefik-ingress.yaml
```yaml
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - name: web
      port: 80
      targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  rules:
    - host: traefik-ui.minikube
      http:
        paths:
          - path: /
            backend:
              serviceName: traefik-web-ui
              servicePort: web
```
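The steps above (generate a self-signed certificate, wrap it in a Secret, serve it from Traefik's `https` entry point) are easy to get subtly wrong: a key that does not belong to the certificate, or a certificate that carries only a CN and no subjectAltName (modern browsers ignore the CN and require a SAN, so a CN-only certificate for an IP is rejected even after the user accepts the self-signed warning). The script below is an added example, not part of the original post, that generates the certificate the same way the post does but with a SAN for the IP, checks that the private key and certificate match, checks the SAN, renders the Secret manifest for review, and compares the fingerprint Traefik actually serves on the NodePort with the local file. It assumes OpenSSL 1.1.1 or newer (for `-addext`); `47.94.215.234` and port `30443` are the post's own example values, and the `ssl` Secret name is the one the deployment mounts.

```shell
#!/bin/sh
# Added example (not from the original post): generate, verify and deploy
# the self-signed certificate used by Traefik's https entry point.
# Assumes OpenSSL >= 1.1.1 for -addext; kubectl only for secret_manifest.
set -eu

# Generate a self-signed cert + key into directory $1 for address $2.
# Same flags as the post, plus a subjectAltName so clients accept the IP.
gen_cert() {
    dir=$1
    addr=$2
    mkdir -p "$dir"
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
        -keyout "$dir/tls.key" -out "$dir/tls.crt" \
        -subj "/CN=$addr" \
        -addext "subjectAltName=IP:$addr" 2>/dev/null
}

# Succeed only if the public key inside tls.crt equals the one derived
# from tls.key; a mismatch would make Traefik fail to load the pair.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1/tls.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1/tls.key" -pubout 2>/dev/null | openssl sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# Succeed only if the certificate lists IP $2 as a subjectAltName.
san_has_ip() {
    openssl x509 -in "$1/tls.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -q "IP Address:$2"
}

# SHA-256 fingerprint of the local certificate (what Traefik should serve).
local_fingerprint() {
    openssl x509 -in "$1/tls.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate actually presented at host $1, port $2.
# Run after the deployment is up; compare with local_fingerprint.
remote_fingerprint() {
    printf '' | openssl s_client -connect "$1:$2" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Render the Secret as a manifest (client-side dry run) so it can be reviewed
# before being piped into `kubectl apply -f -` as in the post. The name "ssl"
# is the secretName the Deployment mounts at /ssl.
secret_manifest() {
    kubectl -n kube-system create secret tls ssl \
        --cert="$1/tls.crt" --key="$1/tls.key" --dry-run=client -o yaml
}

# Usage: `sh check-cert.sh run [host port]` performs the offline checks in a
# temporary directory and, if host/port are given, the live comparison.
if [ "${1:-}" = "run" ]; then
    tmp=$(mktemp -d)
    gen_cert "$tmp" 47.94.215.234
    key_matches_cert "$tmp" && echo "ok: private key matches certificate"
    san_has_ip "$tmp" 47.94.215.234 && echo "ok: SAN contains IP"
    openssl x509 -in "$tmp/tls.crt" -noout -subject -dates
    if [ $# -ge 3 ]; then
        if [ "$(local_fingerprint "$tmp")" = "$(remote_fingerprint "$2" "$3")" ]; then
            echo "ok: Traefik serves the generated certificate"
        else
            echo "MISMATCH: served certificate differs from $tmp/tls.crt"
            exit 1
        fi
    fi
fi
```

Keep the generated directory (or move the files to `/etc/kubernetes/ssl` as the post does) before running `secret_manifest`; the live fingerprint comparison is the check to run after `kubectl apply` of the Deployment, since a stale Secret or a wrong `secretName` leaves Traefik serving something other than the file you just created.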
