Kubernetes Ingress (3): Traefik: multi-domain and certificate configuration

Goal:

Deploy three services, traefik-ui, grafana and prometheus, and reverse-proxy them through traefik:

service      namespace     domain name           https
traefik-ui   traefik       traefik.qyd.com       Y
grafana      kube-system   grafana.dfb.com       N
prometheus   kube-system   prometheus.qyd.com    Y

Steps:

1. Deploy traefik

Related resource yml files

Create the traefik namespace and mount the configuration through a ConfigMap (the resulting ConfigMap object is shown below):

kubectl create namespace traefik
kubectl create cm -n traefik traefik-config --from-file=traefik.toml
apiVersion: v1
items:
- apiVersion: v1
  data:
    traefik.toml: |
      graceTimeOut = 10
      traefikLogsFile = "/log/traefik.log"
      accessLogsFile = "/log/access.log"
      logLevel = "INFO"
      MaxIdleConnsPerHost = 60
      InsecureSkipVerify = true
      defaultEntryPoints = ["https","http"]
      [entryPoints]
        [entryPoints.http]
        address = ":80"
          [entryPoints.http.redirect]
          regex = "^http://(.*).qyd.com/(.*)"
          replacement = "https://$1.qyd.com/$2"

        [entryPoints.https]
        address = ":443"
          [entryPoints.https.tls]
            [[entryPoints.https.tls.certificates]]
            certFile = "/ssl/qyd/tls.crt"
            keyFile = "/ssl/qyd/tls.key"
            [[entryPoints.https.tls.certificates]]
            certFile = "/ssl/dfb/tls.crt"
            keyFile = "/ssl/dfb/tls.key"
      [metrics]
        [metrics.prometheus]
          entryPoint = "traefik"


  kind: ConfigMap
  metadata:
    name: traefik-config
    namespace: traefik
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

Obtain certificates for the two domains qyd.com and dfb.com and create a secret for each. The files must be named tls.crt and tls.key because the certFile/keyFile paths in traefik.toml point at /ssl/qyd/tls.crt and /ssl/dfb/tls.crt (kubectl create secret tls <name> --cert=... --key=... produces a secret with the same two keys).

kubectl create secret generic dfb-tls-cert --from-file=dfb/tls.crt --from-file=dfb/tls.key -n traefik
kubectl create secret generic qyd-tls-cert --from-file=qyd/tls.crt --from-file=qyd/tls.key -n traefik

Deploy the traefik-ingress-controller. The ClusterRole grants read access to services, endpoints and secrets cluster-wide; the secrets permission is what lets traefik load TLS secrets referenced by Ingress objects.

kubectl apply -f rbac.yml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
    - extensions
    resources:
    - ingresses/status
    verbs:
    - update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: traefik
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: traefik
kubectl apply -f deployment.yml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    k8s-app: traefik-ingress-lb
  name: traefik-ingress-controller
  namespace: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      containers:
      - args:
        - --configFile=/etc/traefik/traefik.toml
        - --api
        - --kubernetes
        image: itanony.com/repository/docker-hosted/test/treafik:v1.7.10
        imagePullPolicy: IfNotPresent
        name: traefik-ingress-lb
        ports:
        - containerPort: 80
          hostPort: 80
          name: http
          protocol: TCP
        - containerPort: 8080
          hostPort: 8080
          name: admin
          protocol: TCP
        - containerPort: 443
          hostPort: 443
          name: https
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /etc/traefik/
          name: config
        - mountPath: /ssl/qyd/
          name: qyd-cert
        - mountPath: /ssl/dfb/
          name: dfb-cert
        - mountPath: /log/
          name: logs
      dnsPolicy: ClusterFirst
      hostNetwork: true
      nodeSelector:
        cpu: high
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: traefik-ingress-controller
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
      - name: qyd-cert
        secret:
          defaultMode: 420
          secretName: qyd-tls-cert
      - name: dfb-cert
        secret:
          defaultMode: 420
          secretName: dfb-tls-cert
      - configMap:
          defaultMode: 420
          name: traefik-config
        name: config
      - hostPath:
          path: /var/log/traefik
          type: ""
        name: logs

Note: change the image address in deployment.yml to your own registry. Also, because this is a test setup, a nodeSelector pins the controller to one fixed node and the pod runs in host network mode (hostNetwork: true), so ports 80, 443 and 8080 are bound directly on that node. High availability of the ingress controller is left for a later article.
Check the pod status:

kubectl get pods -n traefik

Once started, traefik listens on port 8080 (the entry point named "traefik") and serves an admin web UI, enabled by the --api flag, that shows the frontend-to-backend mapping and some basic metrics. In this deployment the UI has no authentication, and because of hostNetwork/hostPort it is reachable directly on the node's port 8080, bypassing the HTTPS ingress created below; outside a test cluster, block that port at the firewall or protect the traefik entry point with basic auth.
We create a ClusterIP service and an Ingress so that the dashboard is reverse-proxied by traefik under the domain traefik.qyd.com:

kubectl apply -f traefik-web-ui.yml
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: traefik
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: traefik
spec:
  rules:
  - host: traefik.qyd.com
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web

Add a hosts entry on your workstation pointing traefik.qyd.com at the node where traefik runs.
Open it in a browser: the page loads, and a plain-HTTP request is automatically redirected to HTTPS.

2. Proxy prometheus and grafana

Only the traefik ingress proxying of prometheus and grafana is covered here; for deploying them, see other guides.

Create Ingress objects for prometheus and grafana, reverse-proxied through traefik as prometheus.qyd.com and grafana.dfb.com respectively.

Make sure the namespace, serviceName and servicePort in the yml match the services in your own cluster.

kubectl apply -f grafana-ingress.yml
kubectl apply -f prometheus-ingress.yml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: grafana
  namespace: kube-system
spec:
  rules:
  - host: grafana.dfb.com
    http:
      paths:
      - backend:
          serviceName: monitoring-grafana
          servicePort: 80
        path: /

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: prometheus
  namespace: kube-system
spec:
  rules:
  - host: prometheus.qyd.com
    http:
      paths:
      - backend:
          serviceName: prometheus
          servicePort: prometheus
        path: /

Likewise add hosts entries for the two domains. Both open normally in the browser; an http request to prometheus.qyd.com is rewritten to https, while grafana.dfb.com is not rewritten. This concludes the deployment part.

Configuration notes

HTTPS for multiple domains: we do not have to bind a certificate to each domain; listing the certificate paths under the https entry point is enough. Traefik indexes each loaded certificate by the names it covers (the SAN entries, falling back to the CN) and, during the TLS handshake, picks the certificate whose name matches the SNI server name sent by the client, exact match first and then a single-label wildcard such as *.qyd.com. So traefik.qyd.com and prometheus.qyd.com are served with the qyd certificate and grafana.dfb.com with the dfb one; a name no certificate covers gets traefik's default certificate, which browsers will reject. Two caveats: certificate selection is independent of the redirect, so grafana.dfb.com is still served over HTTPS when the client asks for it, it is just not forced; and InsecureSkipVerify = true in the configmap is a global option that disables verification of the backends' TLS certificates, nothing to do with these frontend certificates. It is tolerable in a test cluster, but in production leave it off (or point rootCAs at the internal CA) so that a spoofed backend cannot be proxied silently.
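
The SNI-to-certificate selection described above, written out as an added example (not Traefik's own code): two throwaway self-signed certificates are generated in place of the files under /ssl/qyd and /ssl/dfb, indexed by their SANs, and looked up by server name with the exact-then-single-label-wildcard rule. The certificate generation and the helper names are constructed for this example; only the matching behaviour reflects the page's setup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newSelfSignedCert creates a throwaway self-signed certificate covering sans
// (constructed test data; the real deployment reads /ssl/qyd and /ssl/dfb).
func newSelfSignedCert(cn string, sans []string) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// buildStore indexes certificates by every name they cover (SANs, or the CN when
// a certificate carries no SANs), lowercased: the table traefik derives from the
// [[entryPoints.https.tls.certificates]] list.
func buildStore(certs ...*tls.Certificate) map[string]*tls.Certificate {
	store := make(map[string]*tls.Certificate)
	for _, c := range certs {
		names := c.Leaf.DNSNames
		if len(names) == 0 {
			names = []string{c.Leaf.Subject.CommonName}
		}
		for _, n := range names {
			store[strings.ToLower(n)] = c
		}
	}
	return store
}

// selectCertificate resolves an SNI server name: exact match first, then the
// single-label wildcard (*.qyd.com covers traefik.qyd.com but not a.b.qyd.com).
// ok == false means no certificate covers the name; traefik would then fall
// back to its default certificate.
func selectCertificate(store map[string]*tls.Certificate, serverName string) (cert *tls.Certificate, ok bool) {
	name := strings.ToLower(strings.TrimSuffix(serverName, "."))
	if c, found := store[name]; found {
		return c, true
	}
	if i := strings.IndexByte(name, '.'); i > 0 {
		if c, found := store["*"+name[i:]]; found {
			return c, true
		}
	}
	return nil, false
}

// demoStore mirrors the page's setup: one certificate for qyd.com and one for dfb.com.
func demoStore() map[string]*tls.Certificate {
	return buildStore(
		newSelfSignedCert("qyd.com", []string{"qyd.com", "*.qyd.com"}),
		newSelfSignedCert("dfb.com", []string{"dfb.com", "*.dfb.com"}),
	)
}

func main() {
	store := demoStore()
	for _, host := range []string{"traefik.qyd.com", "prometheus.qyd.com", "grafana.dfb.com", "a.b.qyd.com", "example.org"} {
		if c, ok := selectCertificate(store, host); ok {
			fmt.Printf("%-20s -> certificate CN=%s\n", host, c.Leaf.Subject.CommonName)
		} else {
			fmt.Printf("%-20s -> no match, default certificate\n", host)
		}
	}
}
```

Running it shows the three hosts from the table resolving to the expected certificate, a.b.qyd.com falling through because a wildcard covers exactly one label, and example.org receiving the default certificate.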
In production a single reverse proxy often fronts some domains that must be forced to HTTPS and others that must not be. Here that is handled by the regex in entryPoints.http.redirect: traefik rebuilds the request as http://host/path, applies the regex and replacement to that string, and redirects only when the result differs from the original, so hosts the pattern does not match (grafana.dfb.com) pass through untouched. Two things to watch with the pattern as written: the dot before qyd.com is unescaped, so a request for a host such as fooXqyd.com also matches and is rewritten to https://foo.qyd.com/, and ^http://(.*) will happily capture anything in front of the suffix; escaping the dots and stopping the first group at the host (^http://([^/]+)\.qyd\.com/(.*)) avoids both. Driving this from one entry-point regex is also somewhat inflexible; in Traefik 1.7 the decision can instead be made per Ingress with the annotation traefik.ingress.kubernetes.io/redirect-entry-point: https (plus traefik.ingress.kubernetes.io/redirect-permanent: "true" for a 301), which keeps the entry point configuration domain-agnostic.
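
The redirect mechanics described above, as an added example (not Traefik's own code): the page's regex and replacement are applied to the reconstructed URL with Go's regexp.ReplaceAllString, the same $1/$2 replacement syntax Traefik 1.7 uses, and a redirect target is produced only when the result differs. The strictRegex variant with escaped dots is an assumption of this example, not a setting from the page.

```go
package main

import (
	"fmt"
	"regexp"
)

// httpsRedirect models [entryPoints.http.redirect] in Traefik 1.7: the request
// is rebuilt as scheme://host/requestURI, the regex replacement is applied, and
// a redirect is issued only when that changes the URL.
type httpsRedirect struct {
	re          *regexp.Regexp
	replacement string
}

func newRedirect(regex, replacement string) (*httpsRedirect, error) {
	re, err := regexp.Compile(regex)
	if err != nil {
		return nil, err
	}
	return &httpsRedirect{re: re, replacement: replacement}, nil
}

// Target returns the Location a plain-HTTP request would be redirected to, or ""
// when the request is passed through to the backend unchanged.
func (h *httpsRedirect) Target(host, requestURI string) string {
	oldURL := "http://" + host + requestURI
	newURL := h.re.ReplaceAllString(oldURL, h.replacement)
	if newURL == oldURL {
		return ""
	}
	return newURL
}

const (
	// The page's configuration: every *.qyd.com host is forced to HTTPS, dfb.com is not.
	pageRegex       = `^http://(.*).qyd.com/(.*)`
	pageReplacement = `https://$1.qyd.com/$2`
	// Assumed tightened variant (not from the page): dots escaped, first group limited to the host.
	strictRegex = `^http://([^/]+)\.qyd\.com/(.*)`
)

func main() {
	page, _ := newRedirect(pageRegex, pageReplacement)
	strict, _ := newRedirect(strictRegex, pageReplacement)
	// Constructed sample requests: host header and request URI.
	for _, req := range [][2]string{
		{"traefik.qyd.com", "/dashboard/"},
		{"prometheus.qyd.com", "/graph?g0.expr=up"},
		{"grafana.dfb.com", "/login"},
		{"fooXqyd.com", "/"}, // unescaped dot: matched and rewritten to foo.qyd.com
	} {
		fmt.Printf("%-20s %-20s page=%q strict=%q\n",
			req[0], req[1], page.Target(req[0], req[1]), strict.Target(req[0], req[1]))
	}
}
```

The query string survives because it is part of the second capture group; the fooXqyd.com line is the one where the page's regex and the tightened one disagree.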
