In the previous post we briefly introduced Traefik and plain HTTP access, but a real production environment does not only forward HTTP; it also has to forward HTTPS.
The previous post, "Traefik basic deployment notes", covered the simplest case, HTTP access to Traefik. That access path looks like this:
client --- (via http) ---> traefik ---- (via http) ----> services
What we practice now is the more secure and more complex HTTPS access to Traefik. There are two possible access paths:
The backend service speaks plain HTTP: the client and Traefik communicate over encrypted HTTPS, but Traefik and the service communicate over cleartext HTTP.
client --- (via https) ---> traefik ---- (via http) ----> services
The backend service speaks HTTPS: the client and Traefik communicate over encrypted HTTPS, and Traefik and the service also communicate over HTTPS.
client --- (via https) ---> traefik ---- (via https) ----> services
Below we look at how to implement (pseudo) HTTPS, that is, the second of the three access flows above: TLS is terminated at Traefik and the backend is reached over plain HTTP.
First, create a certificate; HTTPS cannot be enabled without one. You can create one by hand or use a certificate you already have. Here I created an SSL certificate myself; the exact steps can be found online.
[root@k8smaster ~]# cd /opt/k8s/ssl
[root@k8smaster ssl]# ls
ssl.crt ssl.csr ssl.key
The /opt/k8s/ssl directory above is one I created; the path can be anything, as long as it matches the path used in the config file (covered below). Now load the certificate into the cluster:
[root@k8smaster ssl]# kubectl create secret generic traefik-cert --from-file=ssl.crt --from-file=ssl.key -n kube-system
secret "traefik-cert" created
Create a ConfigMap to hold the Traefik configuration. The Traefik config here contains a rule that rewrites (redirects) every HTTP request to HTTPS and sets the corresponding certificate locations; I also created a directory /opt/k8s/conf/ for it.
[root@k8smaster conf]# cat traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/opt/k8s/ssl/ssl.crt"
      keyFile = "/opt/k8s/ssl/ssl.key"
[root@k8smaster config]# kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
configmap "traefik-conf" created
Because the earlier configuration was HTTP and we are now switching to HTTPS, the Traefik deployment has to be updated. The main changes are referencing the newly created Secret and ConfigMap and mounting them at the corresponding directories in the container.
To be safe, back up the manifest before touching it (a good workplace habit):
[root@k8smaster k8s]# cp traefik-deployment.yaml traefik-deployment.yaml.bk
[root@k8smaster k8s]# cat traefik-deployment.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/opt/k8s/ssl/"
          name: "ssl"
        - mountPath: "/opt/k8s/conf/"
          name: "config"
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        - name: admin
          containerPort: 8080
        args:
        - --configFile=/opt/k8s/conf/traefik.toml
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - protocol: TCP
    port: 80
    name: web
  - protocol: TCP
    port: 443
    name: https
  - protocol: TCP
    port: 8080
    name: admin
  type: NodePort
[root@k8smaster k8s]#
[root@k8smaster k8s]# kubectl apply -f traefik-deployment.yaml
serviceaccount "traefik-ingress-controller" created
daemonset.extensions "traefik-ingress-controller" created
service "traefik-ingress-service" created
The main changes are in a few areas:
kind: DaemonSet (the official default manifest uses a Deployment)
hostNetwork: true exposes the ports directly on the node's network
volumeMounts: new mount points for the ssl and config volumes
ports: new HTTPS port 443
args: new --configFile argument
and the 443 port on the Service
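The post stresses that the certificate directory is arbitrary but must match the paths in traefik.toml, and that the http entry point must redirect to https. The script below is an added pre-flight check for exactly those two things; it is example code, not from the original post or from the Traefik project. It reads constructed copies of the traefik.toml and of the DaemonSet's volumeMounts block shown above, plus an invented bad variant whose certFile points at /etc/traefik/ssl.crt, a path no volume mounts.

```shell
#!/bin/sh
# Added pre-flight check (example code, not from the original post or the
# Traefik project): confirm that every certFile/keyFile in traefik.toml sits
# under a volumeMount of the DaemonSet, and that the http entry point
# redirects to https. All files below are constructed copies for the demo.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# constructed traefik.toml, same content as the one in the post
cat > "$WORK/traefik.toml" <<'EOF'
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/opt/k8s/ssl/ssl.crt"
      keyFile = "/opt/k8s/ssl/ssl.key"
EOF

# constructed bad variant: certFile under a directory no volume mounts
sed 's#certFile = "/opt/k8s/ssl/ssl.crt"#certFile = "/etc/traefik/ssl.crt"#' \
  "$WORK/traefik.toml" > "$WORK/traefik-bad.toml"

# constructed excerpt of the DaemonSet's volumeMounts block
cat > "$WORK/traefik-deployment.yaml" <<'EOF'
        volumeMounts:
        - mountPath: "/opt/k8s/ssl/"
          name: "ssl"
        - mountPath: "/opt/k8s/conf/"
          name: "config"
EOF

# print the certFile/keyFile values of a toml file, one per line
toml_tls_files() {
  awk -F'"' '/^[ \t]*(certFile|keyFile)[ \t]*=/ { print $2 }' "$1"
}

# print every mountPath of a manifest, quotes stripped, one per line
yaml_mount_paths() {
  awk '/mountPath:/ { v = $NF; gsub(/"/, "", v); print v }' "$1"
}

# return 0 if every TLS file in toml $1 lies under some mountPath of manifest $2
check_tls_files_mounted() {
  rc=0
  for f in $(toml_tls_files "$1"); do
    mounted=1
    for m in $(yaml_mount_paths "$2"); do
      case "$f" in "$m"*) mounted=0 ;; esac
    done
    if [ "$mounted" -ne 0 ]; then
      echo "NOT MOUNTED: $f (no volumeMount covers it)" >&2
      rc=1
    fi
  done
  return $rc
}

# return 0 if [entryPoints.http.redirect] sets entryPoint = "https"
check_http_redirect() {
  awk '
    /^[ \t]*\[entryPoints\.http\.redirect\]/ { inblk = 1; next }
    /^[ \t]*\[/                               { inblk = 0 }
    inblk && /entryPoint[ \t]*=[ \t]*"https"/ { found = 1 }
    END { exit(found ? 0 : 1) }
  ' "$1"
}

for cfg in traefik.toml traefik-bad.toml; do
  if check_tls_files_mounted "$WORK/$cfg" "$WORK/traefik-deployment.yaml"; then
    echo "$cfg: TLS files are covered by a volumeMount"
  else
    echo "$cfg: fix certFile/keyFile or the mountPath before applying"
  fi
done
check_http_redirect "$WORK/traefik.toml" && echo "http -> https redirect is configured"
```

Run it against the real traefik.toml and traefik-deployment.yaml before kubectl apply: a certFile that Traefik cannot read because nothing is mounted there is the usual reason the https entry point never comes up, and it is cheaper to catch in a text check than in the pod log.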
Finally, test whether it worked. Open the Traefik UI: what used to be a plain HTTP access is now redirected by Traefik straight to HTTPS.
The third approach, HTTPS forwarded on to an HTTPS backend, is not covered here; it can be discussed later if there is a need. If you need it now, read am's blog, the reference material for this post, which explains it in great detail.
References for this post: