TOC
目前所有的访问都已经转向 https 了,大势所趋,ssl 的重要性这里不细说;我这里只做 client 到 traefik 这一跳的加密,traefik 到后端仍然是 http(集群内明文,能抓到节点或 Pod 网络流量的人都能看到内容),有更高要求的时候再给后端也上 https,先满足功能再说。
traefik http部署我这里省略,详细可参考kubeasz中的ingress部分。
流程示意图
client ---https---> traefik ---http---> svc (本文)
client ---https---> traefik ---https---> svc
生成证书
我这里使用自签名证书(浏览器和客户端默认不信任它,测试时需要把 ca-cert.pem 导入信任库或手动忽略告警;生产环境请换成正规 CA 签发的证书)。
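# Private key. Generate it with a restrictive umask so the file is 0600 even on
# OpenSSL versions whose default file mode follows the process umask; the
# subshell keeps the umask change from leaking into the rest of the session.
(umask 077 && openssl genrsa -out rsa_private_key.pem 2048)
# Public key - not used by any later step (the certificate carries it);
# kept only for reference.
openssl rsa -in rsa_private_key.pem -pubout -out rsa_public_key.pem
# Certificate signing request. The prompts shown below are interactive; to skip
# them pass -subj "/C=CN/ST=ZJ/L=HZ/O=FR/OU=TECH/CN=*.xxx.cn/emailAddress=lisen@xxx.cn".
# NOTE: a CN alone is not enough for modern browsers/Go clients, which match on
# subjectAltName; since "openssl x509 -req" does not copy CSR extensions, the SAN
# has to be supplied at signing time via -extfile.
openssl req -new -out ca-req.csr -key rsa_private_key.pem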
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ZJ
Locality Name (eg, city) [Default City]:HZ
Organization Name (eg, company) [Default Company Ltd]:FR
Organizational Unit Name (eg, section) []:TECH
Common Name (eg, your name or your server's hostname) []:*.xxx.cn
Email Address []:lisen@xxx.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
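# Self-sign the CSR with its own key. The result is a self-signed *server*
# certificate, not a CA; the ca-* file names are kept only because the Secret
# and traefik.toml below reference them.
# -extfile adds the subjectAltName: "x509 -req" drops any extension in the CSR,
# and Chrome 58+ / Go TLS clients ignore CN and reject a cert whose SAN does not
# match. -sha256 pins the digest regardless of the OpenSSL version's default.
# 3650 days is very long for a self-signed cert; shorten it if rotation is cheap.
openssl x509 -req -sha256 -in ca-req.csr -out ca-cert.pem \
  -signkey rsa_private_key.pem -days 3650 \
  -extfile <(printf 'subjectAltName=DNS:*.xxx.cn,DNS:xxx.cn\n')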
新增 Secret 与 ConfigMap(证书和私钥放 Secret,traefik.toml 放 ConfigMap)
# Create the traefik-cert Secret holding the key and certificate. TLS material
# belongs in a Secret, not a ConfigMap. With --from-file the keys inside the
# Secret are the file names, which is exactly what the certFile/keyFile paths in
# traefik.toml rely on once the Secret is mounted at /opt/k8s/ssl/.
# NOTE(review): the private key now lives in etcd under kube-system - enable
# encryption at rest and keep RBAC on kube-system Secrets tight.
kubectl create secret generic traefik-cert --from-file=rsa_private_key.pem --from-file=ca-cert.pem -n kube-system
# 配置traefik.toml
[root@by-deploy01 ingress]# cat traefik.toml
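# Both entrypoints are served; plain HTTP is kept only to redirect to HTTPS.
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    # Every HTTP request is redirected to the https entrypoint.
    [entryPoints.http.redirect]
    entryPoint = "https"

  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    # Refuse TLS 1.0/1.1 handshakes. Without this the entrypoint accepts
    # whatever the Go runtime's default minimum was for Traefik 1.6 (TLS 1.0).
    minVersion = "VersionTLS12"
      # These paths are where the Deployment mounts the traefik-cert Secret;
      # ca-cert.pem is the self-signed *server* certificate despite its name.
      [[entryPoints.https.tls.certificates]]
      certFile = "/opt/k8s/ssl/ca-cert.pem"
      keyFile  = "/opt/k8s/ssl/rsa_private_key.pem"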
# Store traefik.toml as the traefik-conf ConfigMap; the Deployment mounts it at /opt/k8s/conf/.
kubectl -n kube-system create configmap traefik-conf --from-file=traefik.toml
# Confirm the ConfigMap is present.
kubectl -n kube-system get cm
deploy引用
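kind: Deployment
# apps/v1beta1 is deprecated (removed in Kubernetes 1.16); apps/v1 accepts the
# same selector/template shape - switch once the cluster supports it.
apiVersion: apps/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik:v1.6
        imagePullPolicy: IfNotPresent
        name: traefik-ingress-lb
        args:
        - --configFile=/opt/k8s/conf/traefik.toml
        # --web enables the dashboard/API on :8080 with NO authentication
        # unless [web.auth] is configured in traefik.toml. Keep port 8080 off
        # any NodePort/LoadBalancer Service; use kubectl port-forward instead.
        - --web
        - --kubernetes
        volumeMounts:
        # Traefik only reads the key/cert and the config, so both mounts are read-only.
        - mountPath: "/opt/k8s/ssl/"
          name: "ssl"
          readOnly: true
        - mountPath: "/opt/k8s/conf/"
          name: "config"
          readOnly: true
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        - name: admin
          containerPort: 8080
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
          # Private key material: owner-readable only inside the pod.
          # NOTE(review): assumes the container runs as root (the official
          # traefik:v1.6 image does); for a non-root user use 0440 plus fsGroup.
          defaultMode: 0400
      - name: config
        configMap:
          name: traefik-conf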
# Apply the Deployment manifest above.
kubectl apply --filename traefik_deploy.yaml
修改svc增加443端口
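kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  type: NodePort
  ports:
  - protocol: TCP
    # Traefik's plain-HTTP entrypoint; traefik.toml redirects it to https.
    port: 80
    # nodePort must fall inside the cluster's NODE_PORT_RANGE (set in the kubeasz
    # hosts file, 20000-40000 by default); pick any free port in that range.
    nodePort: 23455
    name: web
  - protocol: TCP
    # TLS entrypoint - this is what clients reach at https://<node>:23456.
    port: 443
    nodePort: 23456
    name: https
  # The admin/dashboard port (8080) is deliberately NOT listed: every port of a
  # NodePort Service is bound on all nodes, and the Traefik 1.x dashboard/API
  # has no authentication by default. Reach it from an admin workstation with
  #   kubectl -n kube-system port-forward deploy/traefik-ingress-controller 8080:8080
  # or expose it via a separate ClusterIP Service once [web.auth] is configured.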
# Apply the Service manifest above.
kubectl apply --filename traefik_svc.yaml
至此配置完成,可以用浏览器访问 https://<节点IP>:23456 测试(自签名证书会有安全告警,需导入 ca-cert.pem 或手动忽略);也可以用 `openssl s_client -connect <节点IP>:23456 -servername xxx.cn` 检查返回的证书和协议版本是否符合预期。