Traefik (2): Configuring HTTPS for Traefik on Kubernetes

Preface

Last time Traefik was set up on Kubernetes. If Traefik is to front HTTPS applications, HTTPS has to be configured on Traefik itself; the steps below do exactly that.

Preparation:

The following operations are run on the deploy node, which in my cluster is also the master node.

  • Certificate: generate your own, or use one issued by a CA.
    Command for a self-signed certificate (OpenSSL must be installed):
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=wildcard domain, e.g. *.abc.com"
    Note that this command only sets the CN; current browsers ignore the CN and require the name in a subjectAltName extension, so a certificate generated this way will still be rejected by a browser even when the CN matches.

I used a Let's Encrypt certificate here; my tls.crt and tls.key are stored under /etc/kubernetes/ssl/. The files must be named tls.crt and tls.key: --from-file uses the file name as the key inside the Secret, and the Ingress TLS lookup expects exactly those two keys. With other names Traefik reports that it cannot find the tls.crt certificate file.

cd /etc/kubernetes/ssl/
kubectl create secret generic traefik-cert --from-file=tls.crt --from-file=tls.key -n kube-system

Check:

[root@master conf]# kubectl get secrets -n kube-system | grep traefik
traefik-cert                             Opaque                                2         42m
traefik-ingress-controller-token-78tll   kubernetes.io/service-account-token   3         1h
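The certificate and Secret steps above, as an added example script (mine, not the post's own commands): it generates a self-signed wildcard certificate that also carries a subjectAltName, verifies that tls.key really belongs to tls.crt before anything is pushed into the cluster, prints the names the certificate covers, and emits the Secret as type kubernetes.io/tls instead of Opaque so the tls.crt/tls.key key names are enforced by the API server. It assumes OpenSSL 1.1.1 or newer (for -addext and -ext) and kubectl 1.18 or newer on PATH; *.abc.com and /etc/kubernetes/ssl are the post's placeholders.

```bash
#!/usr/bin/env bash
# Added example (not part of the original post): prepare the Traefik TLS Secret.
# Assumes OpenSSL 1.1.1+ (for -addext / -ext) and kubectl 1.18+ on PATH.
set -eu

# Generate tls.key and tls.crt in $1 for the wildcard name $2 (e.g. '*.abc.com').
# Browsers ignore the CN, so the names also go into subjectAltName.
gen_selfsigned() {
    local dir="$1" wildcard="$2"
    local apex="${wildcard#\*.}" san="DNS:$2"
    [ "$apex" != "$wildcard" ] && san="$san,DNS:$apex"   # also cover the apex
    mkdir -p "$dir"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/tls.key" -out "$dir/tls.crt" \
        -subj "/CN=$wildcard" -addext "subjectAltName=$san" 2>/dev/null
    chmod 0600 "$dir/tls.key"    # the private key must not be world-readable
}

# Return 0 when certificate $1 was issued for private key $2.
# Compares the SubjectPublicKeyInfo, so it works for RSA and EC keys alike.
key_matches_cert() {
    local a b
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the DNS names in the certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Emit the Secret manifest. Type kubernetes.io/tls enforces the tls.crt/tls.key
# key names that Ingress .spec.tls[].secretName expects; a generic Secret only
# gets them right if the files happen to be named that way.
secret_manifest() {
    kubectl create secret tls "${2:-traefik-cert}" \
        --cert="$1/tls.crt" --key="$1/tls.key" -n "${3:-kube-system}" \
        --dry-run=client -o yaml
}

# Usage: prep-cert.sh DIR ['*.abc.com']   (omit the name to reuse existing files)
#        prep-cert.sh /etc/kubernetes/ssl '*.abc.com' | kubectl apply -f -
if [ $# -ge 1 ]; then
    [ $# -eq 2 ] && gen_selfsigned "$1" "$2"
    key_matches_cert "$1/tls.crt" "$1/tls.key" || { echo "tls.key does not match tls.crt" >&2; exit 1; }
    echo "# certificate covers: $(cert_dns_names "$1/tls.crt" | tr '\n' ' ')" >&2
    secret_manifest "$1"
fi
```

For a CA-issued certificate such as the Let's Encrypt one used in the post, run the script with only the directory argument: it skips generation, still refuses to emit a manifest for a mismatched key pair, and shows which hostnames the certificate actually covers so you can compare them with the Ingress hosts.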
  • traefik.toml
    cd /etc/k8s/conf
    # vim traefik.toml 
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
        [entryPoints.http.redirect]
        entryPoint = "https"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          # must be the mountPath of the "ssl" Secret volume in traefik-depoyment.yaml
          certFile = "/etc/kubernetes/ssl/tls.crt"
          keyFile = "/etc/kubernetes/ssl/tls.key"
  • configmap:

    kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system

    Check:

    [root@master conf]# kubectl get cm -n kube-system | grep traefik
    traefik-conf 1 38m
    You can also view the detailed description; the command prints quite a lot, so the output is omitted here:

    [root@master conf]# kubectl describe cm traefik-conf -n kube-system

    Copy the files above to the same directories on the nodes; the script below syncs them quickly. The DaemonSet further down reads the certificate from the Secret volume and the configuration from the ConfigMap, so the Traefik pods themselves do not depend on these host copies. If you do distribute the private key to the nodes, keep it readable by root only.

#!/bin/bash
# Sync the certificate pair and the Traefik config directory to nodes 192.168.2.11-15.
# Assumes passwordless SSH as root to each node; rsync runs over SSH by default.
for i in $(seq 11 15)
do
  rsync -av /etc/kubernetes/ssl/tls* "192.168.2.$i:/etc/kubernetes/ssl/"
  rsync -av /etc/k8s/ "192.168.2.$i:/etc/k8s/"
done
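The traefik.toml above accepts any TLS version and cipher suite the Go runtime's defaults allow (TLS 1.0 and up on Traefik 1.x builds) and leaves the API/dashboard on :8080 with no authentication, since the DaemonSet starts it with --api and nothing in the file protects it. The following is an added, hardened variant for Traefik 1.7 (my example, not the post's file): TLS 1.2 minimum, an explicit AEAD-only cipher list, and the API moved onto its own entrypoint behind HTTP basic auth. The certificate paths assume the Secret is mounted at /etc/kubernetes/ssl/ as in the DaemonSet; the htpasswd hash is a placeholder to be replaced.

```toml
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"

  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    # refuse TLS 1.0/1.1 and every non-AEAD suite
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    ]
      [[entryPoints.https.tls.certificates]]
      # same paths as the "ssl" Secret mount in traefik-depoyment.yaml
      certFile = "/etc/kubernetes/ssl/tls.crt"
      keyFile  = "/etc/kubernetes/ssl/tls.key"

  # Dashboard/API on its own entrypoint, behind HTTP basic auth
  [entryPoints.traefik]
  address = ":8080"
    [entryPoints.traefik.auth.basic]
    # placeholder: replace with the output of  htpasswd -nb admin '<password>'
    users = ["admin:$apr1$REPLACE$WITH-HTPASSWD-OUTPUT"]

[api]
entryPoint = "traefik"
dashboard = true
```

Because the auth is attached to the entrypoint, it also covers the traefik-web-ui Ingress below, whose backend is the same port 8080. With [api] in the file the --api flag in the DaemonSet args becomes redundant and can be dropped.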

Key configuration files

These manifests use the API groups of the cluster they were written for: DaemonSet under extensions/v1beta1 (removed in Kubernetes 1.16, now apps/v1), Ingress under extensions/v1beta1 (removed in 1.22, now networking.k8s.io/v1) and RBAC under rbac.authorization.k8s.io/v1beta1 (removed in 1.22, now v1). Adjust the apiVersion lines on a current cluster.

[root@master conf]# tree ./
./
├── traefik-depoyment.yaml
├── traefik-rbac.yaml
├── traefik.toml
└── ui.yaml
  • traefik-rbac.yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets   # read access is cluster-wide; needed to load the TLS Secrets referenced by Ingress objects
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system

Apply the configuration:

kubectl apply -f traefik-rbac.yaml
  • traefik-depoyment.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true   # :80, :443 and :8080 are bound directly on the node's interfaces
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik:v1.7   # pin a 1.x tag: the TOML format above is Traefik 1.x, untagged "traefik" pulls the newest major version
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/etc/kubernetes/ssl/"   # certificate path; certFile/keyFile in traefik.toml must point here
          name: "ssl"
        - mountPath: "/etc/k8s/conf/"   # config path
          name: "config"
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        - name: admin
          containerPort: 8080   # API/dashboard; nothing in this setup authenticates it
        args:
        - --api
        - --kubernetes
        - --configfile=/etc/k8s/conf/traefik.toml
      nodeSelector:
        edgenode: "traefik-proxy"   # restricts placement to the nodes labelled in the previous post
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 443
      name: https
    - protocol: TCP
      port: 8080
      name: admin   # also publishes the unauthenticated dashboard on a NodePort; drop it or add auth on the entrypoint
  type: NodePort

Apply the configuration:

kubectl apply -f traefik-depoyment.yaml
  • ui.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8080

---
# This publishes the dashboard at https://<host>/ with no authentication of its own;
# add basic auth on the 8080 entrypoint (or an IP allow-list) before exposing it.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  tls:
    - secretName: traefik-cert   # the certificate Secret created above
  rules:
  - host: tf.abcgogo.com   # your own domain; it must be covered by the certificate's names
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web

Apply the configuration:

kubectl apply -f ui.yaml

Check the resulting objects

[root@master conf]# kubectl get svc,deployment,pod -o wide -n kube-system | grep traefik     

service/traefik-ingress-service   NodePort    10.68.210.65    <none>        80:34297/TCP,443:22151/TCP,8080:28570/TCP   1h        k8s-app=traefik-ingress-lb
service/traefik-web-ui            ClusterIP   10.68.138.157   <none>        80/TCP                                      1h        k8s-app=traefik-ingress-lb

pod/traefik-ingress-controller-fx5g6        1/1       Running   0          1h        192.168.2.11   192.168.2.11   <none>
pod/traefik-ingress-controller-nkhmk        1/1       Running   0          1h        192.168.2.12   192.168.2.12   <none>
pod/traefik-ingress-controller-r8hlr        1/1       Running   0          1h        192.168.2.13   192.168.2.13   <none>

Once DNS points the hostname at an edge node, the UI is reachable.
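Seeing the UI only proves that something answers on :443. The following added script (mine, not part of the original post) checks the three properties this setup is meant to provide: plain HTTP is redirected to HTTPS, the certificate served for the Ingress host is the one loaded into the traefik-cert Secret rather than Traefik's generated default certificate, and the dashboard port is not reachable from outside. It assumes curl and openssl on PATH and bash with /dev/tcp; EDGE, HOST and CRT are arguments you supply (an edge node IP, the Ingress hostname such as tf.abcgogo.com, and the local tls.crt).

```bash
#!/usr/bin/env bash
# Added example (not part of the original post): checks to run once the
# DaemonSet is up. Assumes curl and openssl on PATH and bash's /dev/tcp.
# EDGE = IP of one edge node, HOST = the Ingress hostname, CRT = the tls.crt
# that was loaded into the traefik-cert Secret.
set -u

# Read a raw HTTP response header block from stdin; return 0 only if it is a
# redirect (301/302/307/308) whose Location points at an https:// URL.
is_https_redirect() {
    local hdrs status location
    hdrs=$(cat | tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | head -n1 | awk '{print $2}')
    location=$(printf '%s\n' "$hdrs" | awk 'tolower($1)=="location:" {print $2; exit}')
    case "$status" in 301|302|307|308) ;; *) return 1 ;; esac
    case "$location" in https://*) return 0 ;; *) return 1 ;; esac
}

# SHA-256 fingerprint of a PEM certificate read from stdin, as lowercase hex.
_fp() { openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//' | tr -d ':' | tr 'A-Z' 'a-z'; }

# Fingerprint of a certificate file.
cert_fingerprint() { _fp < "$1"; }

# Fingerprint of the certificate Traefik presents for SNI name $2 at $1:443.
# If it differs from cert_fingerprint of tls.crt, Traefik fell back to its
# generated default certificate, i.e. the Secret/ConfigMap paths are wrong.
served_fingerprint() {
    openssl s_client -connect "$1:${3:-443}" -servername "$2" </dev/null 2>/dev/null | _fp
}

# Return 0 if TCP port $2 on host $1 accepts connections (3 s timeout).
port_open() { timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }

# Usage: check-traefik-tls.sh EDGE HOST CRT
if [ $# -eq 3 ]; then
    EDGE=$1 HOST=$2 CRT=$3
    # 1. plain HTTP must bounce to HTTPS (the entryPoints.http.redirect block)
    if curl -sS -o /dev/null -D - --resolve "$HOST:80:$EDGE" "http://$HOST/" | is_https_redirect; then
        echo "ok:   http://$HOST/ redirects to https"
    else
        echo "FAIL: http://$HOST/ does not redirect to https"
    fi
    # 2. the certificate served for the Ingress host must be the one in the Secret
    want=$(cert_fingerprint "$CRT"); got=$(served_fingerprint "$EDGE" "$HOST")
    if [ -n "$got" ] && [ "$want" = "$got" ]; then
        echo "ok:   served certificate matches $CRT"
    else
        echo "FAIL: served '$got', expected '$want' (default cert or wrong mount path?)"
    fi
    # 3. the dashboard port should not be reachable from outside the cluster
    if port_open "$EDGE" 8080; then
        echo "WARN: dashboard :8080 reachable on $EDGE without authentication"
    else
        echo "ok:   :8080 not reachable on $EDGE"
    fi
fi
```

Run it from a host outside the cluster network so that the :8080 check reflects what an external client sees; from a node inside the cluster the port will always be open because the pods use hostNetwork.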