kubernetes ingress(三): traefik: 多域名及證書配置
目標:
部署三個服務traefik-ui,grafana,prometheus,並經過traefik 反向代理。node
| service | namespaces | domain name | https |
|---|---|---|---|
| traefik-ui | traefik | traefik.qyd.com | Y |
| grafana | kube-system | grafana.dfb.com | N |
| prometheus | kube-system | prometheus.qyd.com | Y |
步驟:
一、部署traefik
相關資源ymlgit
- https://github.com/xiaocaisgit/k8sAbout/blob/master/traefik/rbac.yml
- https://github.com/xiaocaisgit/k8sAbout/blob/master/traefik/deployment.yml
- https://github.com/xiaocaisgit/k8sAbout/blob/master/traefik/configmap.yml
- https://github.com/xiaocaisgit/k8sAbout/blob/master/traefik/prometheus-ingress.yml
- https://github.com/xiaocaisgit/k8sAbout/blob/master/traefik/grafana-ingress.yml
- https://github.com/xiaocaisgit/k8sAbout/blob/master/traefik/traefik-web-ui.yml
建立traefik 這個命名空間,使用configmap 掛載配置。github
kubectl create cm -n traefik traefik-config --from-file=traefik.toml
apiVersion: v1
items:
- apiVersion: v1
data:
traefik.toml: |
graceTimeOut = 10
traefikLogsFile = "/log/traefik.log"
accessLogsFile = "/log/access.log"
logLevel = "INFO"
MaxIdleConnsPerHost = 60
InsecureSkipVerify = true
defaultEntryPoints = ["https","http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
regex = "^http://(.*).qyd.com/(.*)"
replacement = "https://$1.qyd.com/$2"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/ssl/qyd/tls.crt"
keyFile = "/ssl/qyd/tls.key"
[[entryPoints.https.tls.certificates]]
certFile = "/ssl/dfb/tls.crt"
keyFile = "/ssl/dfb/tls.key"
[metrics]
[metrics.prometheus]
entryPoint = "traefik"
kind: ConfigMap
metadata:
name: traefik-config
namespace: traefik
kind: List
metadata:
resourceVersion: ""
selfLink: ""
獲取 qyd.com 和dfb.com 兩個域名的證書,並建立secret。web
kubectl create secret generic dfb-tls-cert --from-file=dfb/tls.crt --from-file=dfb/tls.key -n traefik kubectl create secret generic qyd-tls-cert --from-file=qyd/tls.crt --from-file=qyd/tls.key -n traefik
部署traefik-ingreess-controllerdocker
kubectl app -f rbac.yml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: traefik
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
namespace: traefik
kubectl apply -f deployment.yml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
k8s-app: traefik-ingress-lb
name: traefik-ingress-controller
namespace: traefik
spec:
replicas: 1
selector:
matchLabels:
k8s-app: traefik-ingress-lb
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
labels:
k8s-app: traefik-ingress-lb
name: traefik-ingress-lb
spec:
containers:
- args:
- --configFile=/etc/traefik/traefik.yml
- --api
- --kubernetes
image: itanony.com/repository/docker-hosted/test/treafik:v1.7.10
imagePullPolicy: IfNotPresent
name: traefik-ingress-lb
ports:
- containerPort: 80
hostPort: 80
name: http
protocol: TCP
- containerPort: 8080
hostPort: 8080
name: admin
protocol: TCP
- containerPort: 443
hostPort: 443
name: https
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /etc/traefik/
name: config
- mountPath: /ssl/qyd/
name: qyd-cert
- mountPath: /ssl/dfb/
name: dfb-cert
- mountPath: /log/
name: logs
dnsPolicy: ClusterFirst
hostNetwork: true
nodeSelector:
cpu: high
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: traefik-ingress-controller
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 60
volumes:
- name: qyd-cert
secret:
defaultMode: 420
secretName: qyd-tls-cert
- name: dfb-cert
secret:
defaultMode: 420
secretName: dfb-tls-cert
- configMap:
defaultMode: 420
name: traefik-config
name: config
- hostPath:
path: /var/log/traefik
type: ""
name: logs
注意deployment.yml 中修改images地址。另外由於是測試,故採用nodeselector 只部署到一臺固定的node節點,採用宿主機網絡模式。ingress controller 的高可用留在之後研究。
查看pod 狀態api
kubectl get pods -n traefik
traefik 啓動後會監控一個8080 的端口提供一個管理的web-ui,能夠查看frontend 和backend 的對應關係,及一些基本的監控數據
咱們建立一個ClusterIP 的service,並建立ingress,經過traefik 使用traefik.qyd.com 域名來反向代理瀏覽器
kubectl apply -f traefik-web-ui.yml
apiVersion: v1
kind: Service
metadata:
name: traefik-web-ui
namespace: traefik
spec:
selector:
k8s-app: traefik-ingress-lb
ports:
- name: web
port: 80
targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-web-ui
namespace: traefik
spec:
rules:
- host: traefik.qyd.com
http:
paths:
- path: /
backend:
serviceName: traefik-web-ui
servicePort: web
在本機hosts中添加 traefik.qyd.com 的hosts 記錄解析到traefik 部署的node節點。
經過瀏覽器訪問。頁面正常顯示,而且使用http 訪問時會自動跳轉到https。網絡
部署prometheus 和grafana 代理
這裏只討論經過traefik-ingres 代理prometheus 和grafan。部署過程請Google。app
建立prometheus 和 grafana 的ingress 。 經過traefik 分別使用 prometheus.yd.com 和grafana.dfb.com 反向代理。frontend
注意yml 中namespace,serviceName,servicePort 與本身集羣中服務的名稱一致。
kubectl apply -f grafana-ingress.yml kubectl apply -f prometheus-ingress.yml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: grafana
namespace: kube-system
spec:
rules:
- host: grafana.dfb.com
http:
paths:
- backend:
serviceName: monitoring-grafana
servicePort: 80
path: /
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: prometheus
namespace: kube-system
spec:
rules:
- host: prometheus.qyd.com
http:
paths:
- backend:
serviceName: prometheus
servicePort: prometheus
path: /
一樣在本機hosts 中添加兩個域名的解析記錄。經過瀏覽器訪問正常,prometheus.qyd.com訪問http 會rewrite到https,grafana.dfb.com不會作rewrite。至此部署部分結束
配置解析
多域名 配置https,咱們不須要對每個域名指定證書, 只須要在entrypoints 中指定證書路徑。traefik 會自動根據請求中的主機頭和證書中的CN進行匹配。
生產中可能遇到同一個反向代理下。 有的域名須要啓用https 的強制rewrite。 有些則不能作強制rewrite。traefik 提供entryPoints.http.redirect 經過正則來對須要rewrite 的域名進行正則匹配。 這裏感受有點不靈活。 也可能還有更好的方式。
相關文章
- 1. kubernetes Traefik ingress配置詳解
- 2. Kubernetes traefik Ingress
- 3. Kubernetes(K8S)配置域名訪問 Ingress Controller (Traefik)
- 4. Kubernetes traefik ingress使用
- 5. traefik Ingress https配置
- 6. Kubernetes中安裝traefik ingress
- 7. kubernetes ingress(二) traefik 入門
- 8. k8s traefik ingress tls
- 9. traefik(二) kubernetes 之 traefik配置https
- 10. k8s安裝traefik ingress
- 更多相關文章...
- • 網站 域名 - 網站主機教程
- • Spring Bean的配置及常用屬性 - Spring教程
- • IntelliJ IDEA 代碼格式化配置和快捷鍵
- • IDEA下SpringBoot工程配置文件沒有提示
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. kubernetes Traefik ingress配置詳解
- 2. Kubernetes traefik Ingress
- 3. Kubernetes(K8S)配置域名訪問 Ingress Controller (Traefik)
- 4. Kubernetes traefik ingress使用
- 5. traefik Ingress https配置
- 6. Kubernetes中安裝traefik ingress
- 7. kubernetes ingress(二) traefik 入門
- 8. k8s traefik ingress tls
- 9. traefik(二) kubernetes 之 traefik配置https
- 10. k8s安裝traefik ingress