前面一篇:traefik基础部署记录,介绍了最简单的http访问traefik,访问过程参考见下:
client --- (via http) ---> traefik ---- (via http) ----> services
现在要实践的是更安全也更复杂的https访问traefik,有两种访问过程,参考见下:
后端service是普通http的
即client与traefik间采用https加密通信,但traefik与svc间则是明文的http通信
client --- (via https) ---> traefik ---- (via http) ----> services
后端service是https的
即client与traefik间采用https加密通信,但traefik与svc也是采用https通信
client --- (via https) ---> traefik ---- (via https) ----> services
下面我们来看看如何实现(伪)https,也就是上面说的第二种访问流程。
首先创建证书,想开启https,证书是少不了的。可以自己手动建一个证书,或者利用已经有的证书。这里我自己创建了一个ssl证书,具体创建流程可参考网上。
[root@k8smaster ~]# cd /opt/k8s/ssl[root@k8smaster ssl]# lsssl.crt ssl.csr ssl.key
上面这个/opt/k8s/ssl目录是我创建的,路径可以随便只要和config文件里面的路径一致就行下面会说到。下面开始配置证书
[root@k8smaster ssl]# kubectl create secret generic traefik-cert --from-file=ssl.crt --from-file=ssl.key -n kube-systemsecret "traefik-cert" created
创建一个configmap,保存traefix的配置。这里的traefix中配置了把所有http请求全部rewrite为https的规则,并配置相应的证书位置,同时我这里也创建了一个目录/opt/k8s/conf/。
[root@k8smaster conf]# cat traefik.toml defaultEntryPoints = ["http","https"][entryPoints] [entryPoints.http] address = ":80" [entryPoints.http.redirect] entryPoint = "https" [entryPoints.https] address = ":443" [entryPoints.https.tls] [[entryPoints.https.tls.certificates]] certFile = "/opt/k8s/ssl/ssl.crt" keyFile = "/opt/k8s/ssl/ssl.key" [root@k8smaster config]# kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-systemconfigmap "traefik-conf" created
由于之前配置的是http现在要换成https所以需要更新下Traefik,这里主要是更新下关联创建的secret和configMap,并挂载相对应的主机目录。
安全起见操作之前先备份下(职场好习惯)
[root@k8smaster k8s]# cp traefik-deployment.yaml traefik-deployment.yaml.bk[root@k8smaster k8s]# cat traefik-deployment.yaml ---apiVersion: v1kind: ServiceAccountmetadata: name: traefik-ingress-controller namespace: kube-system---kind: DaemonSetapiVersion: extensions/v1beta1metadata: name: traefik-ingress-controller namespace: kube-system labels: k8s-app: traefik-ingress-lbspec: selector: matchLabels: k8s-app: traefik-ingress-lb template: metadata: labels: k8s-app: traefik-ingress-lb name: traefik-ingress-lb spec: serviceAccountName: traefik-ingress-controller terminationGracePeriodSeconds: 60 hostNetwork: true volumes: - name: ssl secret: secretName: traefik-cert - name: config configMap: name: traefik-conf containers: - image: traefik name: traefik-ingress-lb volumeMounts: - mountPath: "/opt/k8s/ssl/" name: "ssl" - mountPath: "/opt/k8s/conf/" name: "config" ports: - name: http containerPort: 80 - name: https containerPort: 443 - name: admin containerPort: 8080 args: - --configFile=/opt/k8s/conf/traefik.toml - --api - --kubernetes - --logLevel=INFO---kind: ServiceapiVersion: v1metadata: name: traefik-ingress-service namespace: kube-systemspec: selector: k8s-app: traefik-ingress-lb ports: - protocol: TCP port: 80 name: web - protocol: TCP port: 443 name: https - protocol: TCP port: 8080 name: admin type: NodePort[root@k8smaster k8s]# [root@k8smaster k8s]# kubectl apply -f traefik-deployment.yamlserviceaccount "traefik-ingress-controller" createddaemonset.extensions "traefik-ingress-controller" createdservice "traefik-ingress-service" created
主要变化呢是更新了几个方面:
kind: DaemonSet 官方默认是使用Deployment
hostNetwork: true 开启Node Port端口转发
volumeMounts: 新增volumes挂载点
ports: 新增https443
args: 新增configfile
以及Service层的443 ports
最后我们来测试下是否成功,这里我们可以登陆traefik-ui界面,可以看到原本http的访问,traefik会直接给我们重定向至https。
关于第三种https转发https实现方式这里就不再赘述了后续如果有需要可以在探讨,如果需要的话可以看下am的博客也就是本文参考的资料,写的很详细。
本文博客参考资料:
http://blog.51cto.com/goome/2153703
深入玩转K8S之如何访问业务应用(Traefik-ingress配置https篇)
原文地址:http://blog.51cto.com/devingeng/2154041