  • Traefik TLS configuration
    Production deployments mostly use F5 + Traefik: Traefik's TLS handling is comparatively slow, so TLS is terminated on the F5, and traffic from the F5 to Traefik, and on to the backends, is plain HTTP. That design leaves the F5-to-Traefik hop and the backend traffic in cleartext, which is only acceptable if that network segment is trusted.

    The customer, however, wants TLS directly on Traefik in the development and test environments, so it has to be configured there.

    I ran into a few small pitfalls; here is what I worked out.

    • First generate a self-signed certificate and key (this is what goes into the secret); don't make one that expires after a year.
    # -x509 makes it self-signed, -nodes leaves the key unencrypted (Traefik has to read it without a passphrase),
    # so protect tls.key on disk. openssl prompts for the subject fields; the CN (or, for current browsers,
    # a SAN) must match the hostname you will test against. Add -subj to skip the interactive prompt.
    openssl req \
            -newkey rsa:2048 -nodes -keyout tls.key \
            -x509 -days 3650 -out tls.crt
    • Create the secret
    # A generic secret whose keys are the file names tls.crt and tls.key (those names are what the Deployment
    # mounts under /ssl). `kubectl create secret tls traefik-cert --cert=tls.crt --key=tls.key` yields the same
    # key names and additionally checks that the private key matches the certificate.
    kubectl create secret generic traefik-cert \
            --from-file=tls.crt \
            --from-file=tls.key -n kube-system

      

    • Create the configmap. Pitfall: paths such as /ssl/tls.crt are not paths on your machine but paths inside the container (the secret is mounted at /ssl by the Deployment), so don't change them!
    # traefik.toml
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
        [entryPoints.http.redirect]
          entryPoint = "https"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"

    If you need both 80 and 443 open at the same time (plain HTTP served as well, with no redirect to HTTPS), use the following config instead. Clients on port 80 then talk in cleartext, so prefer the redirecting variant above unless something really needs plain HTTP.

    # traefik.toml
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"

    Create it:

    kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system

      

    • The traefik.yaml file

    I grabbed a snippet from somewhere and pasted it in; the --logLevel=DEBUG argument turns on verbose logging. Debug output includes per-request details, so lower it again once TLS works.

    kind: Deployment
    apiVersion: extensions/v1beta1   # API group of the Traefik 1.1 era; removed in Kubernetes 1.16, use apps/v1 there
    metadata:
      name: traefik-ingress-controller
      namespace: kube-system
      labels:
        k8s-app: traefik-ingress-lb
    spec:
      replicas: 2
      selector:
        matchLabels:
          k8s-app: traefik-ingress-lb
      template:
        metadata:
          labels:
            k8s-app: traefik-ingress-lb
            name: traefik-ingress-lb
        spec:
          terminationGracePeriodSeconds: 60
          volumes:
          - name: ssl
            secret:
              secretName: traefik-cert      # mounted at /ssl below as tls.crt and tls.key, matching the paths in traefik.toml
          - name: config
            configMap:
              name: traefik-conf            # mounted at /config below as traefik.toml
          hostNetwork: true                 # binds :80/:443 directly on each node; the hostPort entries below are then redundant
          containers:
          - image: registry.yourcompany.com/traefik:v1.1.1
            name: traefik-ingress-lb
            volumeMounts:
            - mountPath: "/ssl"
              name: "ssl"
            - mountPath: "/config"
              name: "config"
            resources:                      # as found in the snippet; size them for your traffic
              limits:
                cpu: 200m
                memory: 30Mi
              requests:
                cpu: 100m
                memory: 20Mi
            ports:
            - name: http
              containerPort: 80
              hostPort: 80
            - name: https
              containerPort: 443
              hostPort: 443
            - name: admin
              containerPort: 9002           # informational only: --web below listens on Traefik's default :8080, not 9002
            args:
            - --configfile=/config/traefik.toml
            - --web                         # dashboard and API, unauthenticated and reachable on the node IP because of hostNetwork; drop or restrict outside dev/test
            - --kubernetes
            - --logLevel=DEBUG

      The pitfall here is that /config/traefik.toml is a path inside the container (the configmap mount), not a path on the host; don't go and change it!

    • Testing

    You can test directly in a browser, or from the command line.

    # -k disables certificate verification, the quick way with a self-signed cert;
    # --cacert tls.crt verifies against the generated certificate instead (the CN/SAN must match the host).
    curl -k https://...
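The test step above, written out as an added example (this is not code from the original post): it checks that the certificate Traefik presents on :443 is the one in the secret, that curl can verify it without -k, and that :80 redirects to https as the first traefik.toml configures. The hostname traefik.example.test in the usage, the tls.crt in the working directory, and openssl, curl and kubectl being on PATH are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Verifies a Traefik 1.x TLS
# entrypoint set up as described above. Assumed: HOST resolves to a node
# running the hostNetwork Traefik pod and matches the certificate's CN/SAN;
# CERTFILE is the tls.crt that went into the traefik-cert secret.
set -eu
set -o pipefail 2>/dev/null || true   # bash; ignored on a plain POSIX sh

# check_redirect HEADERS
# Succeeds when a raw HTTP response header block (as printed by `curl -sI`)
# is a redirect whose Location is an https:// URL, i.e. the
# [entryPoints.http.redirect] block in traefik.toml is in effect.
check_redirect() {
  local headers="$1" status location
  status=$(printf '%s\n' "$headers" | head -n1 | awk '{print $2}')
  location=$(printf '%s\n' "$headers" | tr -d '\r' \
             | awk 'tolower($1) == "location:" { print $2 }')
  case "$status" in
    301|302|307|308) ;;
    *) return 1 ;;
  esac
  case "$location" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# cert_fingerprint PEMFILE: SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# secret_fingerprint NAME NAMESPACE: same, for the tls.crt stored in the
# Kubernetes secret (uses the key names created by --from-file above).
secret_fingerprint() {
  kubectl get secret "$1" -n "$2" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# served_fingerprint HOST: fingerprint of the leaf cert presented on HOST:443.
served_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# verify_traefik_tls HOST CERTFILE
verify_traefik_tls() {
  local host="$1" cert="$2" expected served headers

  expected=$(cert_fingerprint "$cert")
  served=$(served_fingerprint "$host")
  if [ "$expected" != "$served" ]; then
    echo "FAIL: $host:443 serves $served, $cert is $expected" >&2
    return 1
  fi
  echo "OK: $host:443 serves the certificate from $cert ($served)"

  # Pin the self-signed cert instead of disabling verification with -k.
  if curl -sS --cacert "$cert" -o /dev/null "https://$host/"; then
    echo "OK: curl verifies https://$host/ against $cert"
  else
    echo "FAIL: curl cannot verify https://$host/ against $cert (CN/SAN mismatch?)" >&2
    return 1
  fi

  headers=$(curl -sI "http://$host/" || true)
  if check_redirect "$headers"; then
    echo "OK: http://$host/ redirects to https"
  else
    echo "WARN: http://$host/ is served in cleartext (no redirect configured)"
  fi
}

if [ "$#" -gt 0 ]; then
  verify_traefik_tls "$@"
fi
```

Run it as `./check-traefik-tls.sh traefik.example.test tls.crt` from the directory holding the generated files. When testing against a node IP rather than the name in the certificate, add a hosts entry or use `curl --resolve` so that verification against the CN/SAN still works. A fingerprint mismatch means that whatever Traefik serves on :443 is not the certificate in the secret, which is the first thing to check if the CertFile/KeyFile paths or the /ssl mount were edited; `secret_fingerprint traefik-cert kube-system` shows what the cluster actually holds.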

  • Original post: https://www.cnblogs.com/ericnie/p/8856339.html