Traefik HTTPS 配置

參考

1. Traefik

1.1 TLS

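# The certificate and key file names must be "tls.crt" and "tls.key": those are
# the paths traefik.toml references under /ssl, and the
# "traefik-ingress-controller-xxxxx" pod reads them from the mounted secret
# under exactly those names.
# "-subj" is optional (without it openssl prompts for the subject).
# A CN alone is not enough for current browsers: hostname checking uses the
# subjectAltName, so the SAN below covers the hosts the Ingress rules use
# (this page's example host is traefik.netonline.com). "-addext" needs
# OpenSSL 1.1.1+; on older releases drop that line (the cert then has only a CN).
# 3650 days is a long lifetime for a self-signed cert — fine for a lab, rotate it
# for anything longer-lived. Paths below assume the shell runs as root (~ = /root).
mkdir -p ~/addon/traefik/pki
cd ~/addon/traefik/pki
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout tls.key -out tls.crt \
  -subj "/CN=netonline.com" \
  -addext "subjectAltName=DNS:netonline.com,DNS:*.netonline.com"

# "traefik" is deployed in "kube-system" by default, so the "secret" is created in
# that "namespace". "create secret tls" checks that the key matches the cert and
# stores them under the keys tls.crt / tls.key, which is what the /ssl mount expects.
kubectl create secret tls traefik-cert \
  --cert=/root/addon/traefik/pki/tls.crt \
  --key=/root/addon/traefik/pki/tls.key \
  -n kube-system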

1.2 ConfigMap

# The configuration below applies to every "https" scenario: "http" requests
# are redirected to "https".
# The "traefik.toml" file name must match the file name given in the startup
# arguments of the "traefik-ingress-controller-xxxxx" pod.
# "insecureSkipVerify = true" tells "traefik" to ignore TLS certificate errors
# when talking to "https" backends, so an "https" backend (e.g. the kubernetes
# dashboard) can be exposed through "traefik" just like an http backend.
# Security note: this is a global setting — traefik then accepts any certificate
# from any backend, so a spoofed backend on the cluster network cannot be
# detected. Where possible trust the backend's CA instead (Traefik 1.x has a
# global rootCAs option for this — verify against the 1.7 docs).
# Changing "insecureSkipVerify = true" requires a pod restart to take effect.
cat ~/addon/traefik/traefik.toml 
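# Global: skip TLS certificate verification towards https backends. This
# disables backend authentication for every backend, not just the dashboard;
# keep it only where backend certs genuinely cannot be trusted, and prefer the
# rootCAs option (Traefik 1.x) for self-signed backends — confirm against the
# 1.7 docs.
insecureSkipVerify = true
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    # Every plain-http request is redirected to the https entry point.
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    # Refuse TLS 1.0/1.1 clients. Traefik 1.7's default minimum is older than
    # TLS 1.2 (Go's server default for that era) — confirm for your build.
    minVersion = "VersionTLS12"
      [[entryPoints.https.tls.certificates]]
      # Paths inside the "ssl" secret volume mounted at /ssl in traefik-ds.yaml;
      # the file names are the secret's keys. Keep in sync with that mount.
      certFile = "/ssl/tls.crt"
      keyFile = "/ssl/tls.key"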

# Create the "configmap" that carries traefik.toml into the pod
kubectl --namespace=kube-system create configmap traefik-conf --from-file=/root/addon/traefik/traefik.toml

1.3 編輯 traefik-ds.yaml

# Mount the "secret" and "configmap" resources
# Add the "https" service port
# Add the startup arguments of the "traefik-ingress-controller-xxxxx" pod
cat ~/addon/traefik/traefik-ds.yaml 
---
# ServiceAccount the traefik pods run as.
# NOTE(review): no ClusterRole/ClusterRoleBinding appears on this page; the
# "--kubernetes" provider needs read access to ingresses, services and
# endpoints, so presumably RBAC for this account is created elsewhere — confirm.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
# One traefik pod per node, binding the node's own ports 80/443/8080.
# NOTE(review): the extensions/v1beta1 DaemonSet API was removed in
# Kubernetes 1.16; newer clusters need apps/v1 with a spec.selector.
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      # Mount the "secret" (certificate/key) and "configmap" (traefik.toml)
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik:v1.7.12
        name: traefik-ingress-lb
        # Mount points: /ssl/tls.crt and /ssl/tls.key are what traefik.toml
        # references; /config/traefik.toml is what --configfile points at.
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        # hostPort publishes each port on every node's own address.
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        # Added https port
        - name: https
          containerPort: 443
          hostPort: 443
        # Admin port: serves the API/dashboard enabled by "--api" below. Traefik
        # 1.7 serves it with no authentication by default, so hostPort 8080 makes
        # it reachable from anything that can reach a node on that port. Drop the
        # hostPort, firewall it, or put auth on the api entry point before using
        # this outside a lab.
        - name: admin
          containerPort: 8080
          hostPort: 8080
        # Drop every capability except the one needed to bind ports below 1024.
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        # "--configfile=/config/traefik.toml": the path and file name must match
        # the "config" mount above and the key of the "configmap"
        - --configfile=/config/traefik.toml
        # Enables the API/dashboard on the admin port (see the port note above).
        - --api
        # Enables the Kubernetes Ingress provider.
        - --kubernetes
        - --logLevel=INFO
---
# Cluster Service in front of the traefik pods; also exposes the admin port.
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    # Added https service port
    - protocol: TCP
      port: 443
      name: https
    # Exposes the unauthenticated admin API inside the cluster as well; see the
    # note on the container port.
    - protocol: TCP
      port: 8080
      name: admin

# Deploy the "traefik" application
kubectl apply --filename=/root/addon/traefik/traefik-ds.yaml

2. Ingress

2.1 Ingress without TLS

# With "traefik" already configured for a full http→https redirect, the
# "ingress" resource can simply omit the "tls" attribute: the https side is then
# served with the certificate configured on the https entry point in traefik.toml.
cat ~/addon/traefik/ui.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  rules:
  # Host rule only; no "tls" section, so the global http->https redirect in
  # traefik.toml applies and the entry point's own certificate is served.
  - host: traefik.netonline.com
    http:
      paths:
      - path: /
        backend:
          # NOTE(review): the traefik-web-ui Service is not defined on this page;
          # presumably it fronts the admin port (dashboard) — confirm it exists
          # and that "web" is one of its port names. If it is the dashboard, this
          # publishes an unauthenticated UI; Traefik 1.7 supports basic auth via
          # ingress annotations — add that or restrict access beyond a lab.
          serviceName: traefik-web-ui
          servicePort: web

2.2 Ingress with TLS

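# If the application to be proxied is not in "kube-system", create the same
# "secret" in that application's "namespace" so the Ingress "tls:secretName"
# attribute can read it (an Ingress can only reference secrets in its own
# namespace). "create secret tls" checks that the key matches the cert and
# stores them under the keys tls.crt / tls.key.
kubectl create secret tls traefik-cert \
  --cert=/root/addon/traefik/pki/tls.crt \
  --key=/root/addon/traefik/pki/tls.key \
  -n default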

# Example "ingress" resource carrying the "tls:secretName" attribute.
# Note that this example still lives in kube-system, so it uses the secret
# created in section 1.1; the "-n default" copy above is for apps deployed
# in the default namespace.
cat ~/addon/traefik/ui.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    # Pins this Ingress to the traefik controller.
    kubernetes.io/ingress.class: traefik
spec:
  # "secretName" must be in this Ingress's own namespace (kube-system here, i.e.
  # the secret from section 1.1). Presumably traefik then serves this cert for
  # the host below instead of the entry point default — confirm in the 1.7 docs.
  tls:
  - secretName: traefik-cert
  rules:
  - host: traefik.netonline.com
    http:
      paths:
      # No "path" given, so every path under this host is routed to the backend.
      - backend:
          # NOTE(review): the other example on this page uses servicePort "web"
          # for the same Service; "80" here only works if the traefik-web-ui
          # Service exposes port 80 — confirm against that Service definition.
          serviceName: traefik-web-ui
          servicePort: 80