
Using Traefik to Provide External HTTPS Access to Kubernetes Cluster Services

Date: 2017-11-15 17:13:35

Tags: kubernetes traefik https

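1. Deploy Traefik

We need every external HTTP request to Kubernetes to be converted to HTTPS, and we do not want to change the services' configuration or code. We can therefore configure the domain certificate on Traefik, so that access to the services by domain name is automatically converted to HTTPS requests.

1.1 Create the ClusterRole and ClusterRoleBinding (Kubernetes 1.6+)

ingress-rbac.yaml: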

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ingress
subjects:
  - kind: ServiceAccount
    name: ingress
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

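1.2 Create a Secret to hold the HTTPS certificate

The certificate used is the one used earlier to set up the Kubernetes cluster. Going by the file names, these are the cluster CA certificate and its private key, so the Secret puts the CA key inside the Traefik pod; a separate server certificate issued for the ingress host names keeps that key out of the ingress path.

kubectl create secret generic traefik-cert --from-file=ca-key.pem --from-file=ca.pem -n kube-system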

1.3 Create a ConfigMap to hold the Traefik configuration file

Contents of traefik.toml:

defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/ca.pem"
      KeyFile = "/ssl/ca-key.pem"

kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system

1.4 Deploy Traefik

traefik-ingress.yaml:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: traefik-ingress-lb
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      terminationGracePeriodSeconds: 60
      hostNetwork: true  # pod uses the node's network namespace: 80, 443 and 8580 listen on the node itself
      restartPolicy: Always
      serviceAccountName: ingress
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik  # unpinned tag; the flags under args are Traefik 1.x syntax
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        resources:
          limits:
            cpu: 200m
            memory: 30Mi
          requests:
            cpu: 100m
            memory: 20Mi
        ports:
        - containerPort: 80
        - containerPort: 443
        - containerPort: 8580
        args:
        - --web.address=:8580
        - --web  # Traefik 1.x dashboard/API on --web.address; no authentication is configured here
        - --kubernetes
        - --configfile=/config/traefik.toml
---
kind: Service
apiVersion: v1
metadata:
  name: traefik
  namespace: kube-system
spec:
  type: NodePort
  ports:
  - protocol: TCP
    port: 80
    name: http
  - protocol: TCP
    port: 443
    name: https
  selector:
    k8s-app: traefik-ingress-lb

kubectl create -f traefik-ingress.yaml

1.6 Deploy the traefik-ui Service and the traefik-ui Ingress

Contents of traefik_ui.yaml:

apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  type: NodePort
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8580
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  tls:
  - secretName: traefik-cert
  rules:
  - host: traefik-ui.local
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web

1.7 Deploy the Ingress

Since my-nginx, frontend, locust-master and icp-web were already deployed in k8s earlier, they are not deployed again here.

Contents of ingress.yaml:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: default
spec:
  rules:
  - host: traefik.nginx.io
    http:
      paths:
      - backend:
          serviceName: my-nginx
          servicePort: 80
        path: /
  - host: traefik.frontend.io
    http:
      paths:
      - backend:
          serviceName: frontend
          servicePort: 80
        path: /
  - host: traefik.locust.io
    http:
      paths:
      - backend:
          serviceName: locust-master
          servicePort: 8089
        path: /
  - host: traefik.xwlp.io
    http:
      paths:
      - backend:
          serviceName: icp-web
          servicePort: 8080
        path: /

kubectl create -f ingress.yaml

1.8 Verify

[root@XXXX Traefik_ingress]# curl -k https://traefik.nginx.io
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@XXXX Traefik_ingress]# curl -k https://traefik.xwlp.io/
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8" />
        <title>Apache Tomcat/8.5.15</title>
        <link href="favicon.ico" rel="icon" type="image/x-icon" />
        <link href="favicon.ico" rel="shortcut icon" type="image/x-icon" />
        <link href="tomcat.css" rel="stylesheet" type="text/css" />
    </head>

Reference: http://www.mamicode.com/info-detail-2057226.html

This article is from the “探索求知” blog; please be sure to keep this source attribution: http://heshengkai.blog.51cto.com/5014551/1981997
