1. 创建 traefik secret tls 证书, 注意不是 secret generic, 每一个namespace都要创建
kubectl create secret tls traefik-cert --key /tmp/traefik/cinyi.com.key --cert /tmp/traefik/cinyi.com.cer -n kube-system
2. 创建traefik.toml文件,并且引入到configmap中
[root@master1 traefik]# cat traefik.toml insecureSkipVerify = true defaultEntryPoints = ["http","https"] [entryPoints] [entryPoints.http] address = ":80" [entryPoints.http.redirect] entryPoint = "https" [entryPoints.https] address = ":443" [entryPoints.https.tls] [[entryPoints.https.tls.certificates]] # 默认路径,勿修改 certFile = "/ssl/tls.crt" keyFile = "/ssl/tls.key
创建 configmap
kubectl create configmap traefik-conf --from-file=/tmp/traefik/traefik.toml -n kube-system
3. rbac授权
[root@master1 traefik]# cat traefik-rbac.yaml --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: traefik-ingress-controller rules: - apiGroups: - "" resources: - services - endpoints - secrets verbs: - get - list - watch - apiGroups: - extensions resources: - ingresses verbs: - get - list - watch - apiGroups: - extensions resources: - ingresses/status verbs: - update --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: traefik-ingress-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: traefik-ingress-controller subjects: - kind: ServiceAccount name: traefik-ingress-controller namespace: kube-system
4. traefik 采用deaemonset 模式部署, 挂载secret 和 configmap资源,添加了https 端口,args 添加了 --configfile=/config/traefik.toml 参数
[root@master1 traefik]# cat traefik-rbac.yaml --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: traefik-ingress-controller rules: - apiGroups: - "" resources: - services - endpoints - secrets verbs: - get - list - watch - apiGroups: - extensions resources: - ingresses verbs: - get - list - watch - apiGroups: - extensions resources: - ingresses/status verbs: - update --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: traefik-ingress-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: traefik-ingress-controller subjects: - kind: ServiceAccount name: traefik-ingress-controller namespace: kube-system [root@master1 traefik]# cat traefik-ds.yaml --- apiVersion: v1 kind: ServiceAccount metadata: name: traefik-ingress-controller namespace: kube-system --- kind: DaemonSet apiVersion: apps/v1 metadata: name: traefik-ingress-controller namespace: kube-system labels: k8s-app: traefik-ingress-lb spec: selector: matchLabels: k8s-app: traefik-ingress-lb name: traefik-ingress-lb template: metadata: labels: k8s-app: traefik-ingress-lb name: traefik-ingress-lb spec: serviceAccountName: traefik-ingress-controller terminationGracePeriodSeconds: 60 volumes: - name: ssl secret: secretName: traefik-cert - name: config configMap: name: traefik-conf containers: - image: 172.16.230.84/source/traefik:v1.7 name: traefik-ingress-lb volumeMounts: - mountPath: "/ssl" name: "ssl" - mountPath: "/config" name: "config" ports: - name: http containerPort: 80 hostPort: 80 - name: admin containerPort: 8080 hostPort: 18080 - name: https containerPort: 443 hostPort: 443 securityContext: capabilities: drop: - ALL add: - NET_BIND_SERVICE args: - --configfile=/config/traefik.toml - --api - --kubernetes - --logLevel=INFO --- kind: Service apiVersion: v1 metadata: name: traefik-ingress-service namespace: kube-system spec: selector: k8s-app: traefik-ingress-lb ports: - protocol: TCP port: 80 name: web - protocol: TCP port: 8080 name: admin - protocol: TCP port: 443 name: https
5. Ingress without TLS
apiVersion: extensions/v1beta1 kind: Ingress metadata: name: hipempifefrontend80 namespace: senyint spec: rules: - host: hip.cinyi.com http: paths: - path: / backend: serviceName: hipempifefrontend servicePort: 80
6. Ingress TLS
[root@master1 traefik]# cat hipempifefrontend_443.yaml apiVersion: extensions/v1beta1 kind: Ingress metadata: name: hipempifefrontend-web namespace: senyint annotations: kubernetes.io/ingress.class: traefik spec: tls: - secretName: traefik-cert rules: - host: fengjian.cinyi.com http: paths: - backend: serviceName: hipempifefrontend servicePort: 80
参考
https://www.cnblogs.com/netonline/archive/2019/06/20/10968046.html