
Using Traefik to Provide External HTTPS Access to Kubernetes Cluster Services

Published: 2023-09-06 01:25 | Editor: 白小东 | Keywords: http

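1. Deploy Traefik

Because we want all external HTTP requests to Kubernetes to be converted to HTTPS without changing the services' configuration or code, we can configure the domain certificate on Traefik. Access to the services by domain name is then automatically converted to HTTPS requests.

1.1 Create the ClusterRole and ClusterRoleBinding (Kubernetes 1.6+)

The ingress-rbac.yaml file: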

# ServiceAccount the Traefik pod runs as
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress
  namespace: kube-system
---
# Binds the built-in cluster-admin role (full access to the whole cluster)
# to the ingress ServiceAccount
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ingress
subjects:
  - kind: ServiceAccount
    name: ingress
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

1.2 Create a secret to store the HTTPS certificate

The certificate used is the one that was used earlier to set up the Kubernetes cluster.

kubectl create secret generic traefik-cert --from-file=ca-key.pem --from-file=ca.pem -n kube-system

1.3 Create a configmap to store the Traefik configuration file

The contents of traefik.toml:

defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    # redirect every request arriving on :80 to the https entry point
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/ca.pem"
      KeyFile = "/ssl/ca-key.pem"

kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system

1.4 Deploy Traefik

The traefik-ingress.yaml file:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: traefik-ingress-lb
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      terminationGracePeriodSeconds: 60
      # the pod shares the node's network namespace, so 80/443/8580 are bound on the node itself
      hostNetwork: true
      restartPolicy: Always
      serviceAccountName: ingress
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      # untagged image; the --web and --kubernetes flags below are Traefik 1.x options
      - image: traefik
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        resources:
          limits:
            cpu: 200m
            memory: 30Mi
          requests:
            cpu: 100m
            memory: 20Mi
        ports:
        - containerPort: 80
        - containerPort: 443
        - containerPort: 8580
        args:
        - --web.address=:8580
        - --web
        - --kubernetes
        - --configfile=/config/traefik.toml
---
kind: Service
apiVersion: v1
metadata:
  name: traefik
  namespace: kube-system
spec:
  type: NodePort
  ports:
  - protocol: TCP
    port: 80
    name: http
  - protocol: TCP
    port: 443
    name: https
  selector:
    k8s-app: traefik-ingress-lb

kubectl create -f traefik-ingress.yaml

1.6 Deploy the traefik-ui service and the traefik-ui ingress

The contents of traefik_ui.yaml:

apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  type: NodePort
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8580
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  tls:
  - secretName: traefik-cert
  rules:
  - host: traefik-ui.local
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web

1.7 Deploy the ingress

Because my-nginx, frontend, locust-master and icp-web were already deployed in k8s earlier, they are not deployed again here.

The contents of ingress.yaml:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: default
spec:
  rules:
  - host: traefik.nginx.io
    http:
      paths:
      - backend:
          serviceName: my-nginx
          servicePort: 80
        path: /
  - host: traefik.frontend.io
    http:
      paths:
      - backend:
          serviceName: frontend
          servicePort: 80
        path: /
  - host: traefik.locust.io
    http:
      paths:
      - backend:
          serviceName: locust-master
          servicePort: 8089
        path: /
  - host: traefik.xwlp.io
    http:
      paths:
      - backend:
          serviceName: icp-web
          servicePort: 8080
        path: /

kubectl create -f ingress.yaml

1.8 Verification

[root@XXXX Traefik_ingress]# curl -k https://traefik.nginx.io
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>

[root@XXXX Traefik_ingress]# curl -k https://traefik.xwlp.io/
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8" />
        <title>Apache Tomcat/8.5.15</title>
        <link href="favicon.ico" rel="icon" type="image/x-icon" />
        <link href="favicon.ico" rel="shortcut icon" type="image/x-icon" />
        <link href="tomcat.css" rel="stylesheet" type="text/css" />
    </head>

Reference link: http://www.mamicode.com/info-detail-2057226.html

This article comes from the “探索求知” blog; please be sure to retain this source: http://heshengkai.blog.51cto.com/5014551/1981997

Original article: http://heshengkai.blog.51cto.com/5014551/1981997
