• Traefik的TLS配置

     

      

    生产环境的部署大多采用F5+ Traefik这种方式,因为Traefik的SSL方式相对来说比较慢,因此SSL更多的在F5上开放,而F5到Traefik之间以及后端都是http方式。

    但客户需要在开发和测试环境直接用SSL,因此需要配置。

    遇到一些小坑,记录一下理解

    •  先生成一个secret,记住别搞个一年就过期的啊。
    openssl req 
        -newkey rsa:2048 -nodes -keyout tls.key 
        -x509 -days 3650 -out tls.crt
    • 创建secret
    kubectl create secret generic traefik-cert 
        --from-file=tls.crt 
        --from-file=tls.key -n kube-system

      

    • 创建configmap,此处有坑,/ssl/tls.crt等路径不是我们本地的路径,而是在容器内路径,所以不要去修改!
    # traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"

    如果需要同时打开80和443,需要如下配置文件

    # traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"

    建立起来

    kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system

      

    • traefik.yaml文件

    随便找了段贴上去啊,看详细日志打开

    logLevel=DEBUG
    apiVersion: v1
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 2
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      terminationGracePeriodSeconds: 60
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      hostNetwork: true
      containers:
      - image: registry.yourcompany.com/traefik:v1.1.1
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        resources:
          limits:
            cpu: 200m
            memory: 30Mi
          requests:
            cpu: 100m
            memory: 20Mi
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
        - name: admin
          containerPort: 9002
        args:
        - --configfile=/config/traefik.toml
        - --web
        - --kubernetes
        - --logLevel=DEBUG

      此处的坑是/config/traefik.toml是容器内地址,不是宿主机的路径,不要手贱去修改!

    • 测试

    可以在浏览器上直接测试,也可以用命令行。

    curl -k https://...
  • 相关阅读:
    Python生成验证码
    Django设置
    OpenStack安装后检查流程总结
    利用src.rpm包修改源码后重新制作rpm包
    Python知识点:distutils常用子模块
    libvirt, libvirt-python, libvirtd 关系浅析
    Python知识点: os.popen
    Python知识点: __import__
    修改initrd.img里ko文件的一个小tips
    关于openstack自动化安装的一点思考
  • 原文地址:https://www.cnblogs.com/ericnie/p/8856339.html
Copyright © 2020-2023  润新知