  • Configuring Traefik IngressRoutes with TLS support on K8S

    Final result

    See the IngressRoute section of the Traefik documentation; on a first read it is very confusing.

    https://docs.traefik.io/https/tls/#certificates-stores

    In Traefik, certificates are grouped together in certificates stores.

    Any store definition other than the default one (named default) will be ignored, and there is therefore only one globally available TLS store.

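    These two statements cost me two full days.

    I had assumed all along that Traefik's TLS model was:

    ingressroutes --references--> tlsstore --references--> [k8s tls secret]
    

    In fact, within an IngressRoute (at least for the parts I know of), both service and tls can reference standard Kubernetes resources directly.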

    • service
    • tls

    Suppose we have the following resources:

    • k8s tls secret
    • k8s service
      • k8s deployment

    We need to provide HTTPS access for the following domains:

    apiVersion: v1
    data:
      tls.crt: .....
      tls.key: .....
    kind: Secret
    metadata:
      name: tls-abc.com
      namespace: default
    type: kubernetes.io/tls
    
    ---
    
    apiVersion: v1
    data:
      tls.crt: .....
      tls.key: .....
    kind: Secret
    metadata:
      name: tls-def.com
      namespace: default
    type: kubernetes.io/tls
    

    deployment and service

    apiVersion: v1
    kind: Service
    metadata:
      name: whoami
      labels:
        app: whoami
    spec:
      ports:
      - port: 80
        targetPort: 80
      selector:
        app: whoami
    
    ---
    
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: whoami
    spec:
      selector:
        matchLabels:
          app: whoami
      replicas: 1
      template:
        metadata:
          labels:
            app: whoami
        spec:
          containers:
          - name: whoami
            image: containous/whoami
            ports:
            - containerPort: 80
    

    IngressRoutes www.abc.com

    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: ir-www.abc.com-https  ## HTTPS gets its own IngressRoute, deployed separately from HTTP
      namespace: default
    
    spec:
      entryPoints:
        - websecure
      routes:
        - kind: Rule
          match: Host(`www.abc.com`) && PathPrefix(`/`)
          services:
            - kind: Service
              name: whoami
              port: 80
      tls:
        secretName: tls-abc.com  ## the k8s secret is referenced here
    ---
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: ir-www.abc.com-http ## HTTP gets its own IngressRoute, deployed separately from HTTPS
      namespace: default
    spec:
      entryPoints:
        - web
      routes:
        - kind: Rule
          match: Host(`www.abc.com`) && PathPrefix(`/`)
          services:
            - kind: Service
              name: whoami
              port: 80
    

    IngressRoutes www.def.com

    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: ir-www.def.com-https  ## HTTPS gets its own IngressRoute, deployed separately from HTTP
      namespace: default
    
    spec:
      entryPoints:
        - websecure
      routes:
        - kind: Rule
          match: Host(`www.def.com`) && PathPrefix(`/api`)
          services:
            - kind: Service
              name: whoami
              port: 80
      tls:
        secretName: tls-def.com  ## the k8s secret is referenced here
    ---
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: ir-www.def.com-http ## HTTP gets its own IngressRoute, deployed separately from HTTPS
      namespace: default
    spec:
      entryPoints:
        - web
      routes:
        - kind: Rule
          match: Host(`www.def.com`) && PathPrefix(`/api`)
          services:
            - kind: Service
              name: whoami
              port: 80
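
    The direct reference described above (an IngressRoute's `tls.secretName` pointing at a Kubernetes TLS Secret, which Traefik resolves in the IngressRoute's own namespace) can be checked before manifests are applied. The following is an added example, not code from the original post: it takes manifest dicts such as the items of `kubectl get ingressroute,secret -A -o json`. The helpers `make_secret` and `make_route`, the `other` namespace and the route `ir-no-tls` are constructed for illustration, and the HTTPS entry point is assumed to be named `websecure` as in the manifests above.

```python
def check_ingressroute_tls(items):
    """Return (ingressroute name, problem) pairs for a list of manifest dicts."""
    # Index Secrets by (namespace, name); a missing namespace means "default".
    secrets = {(o["metadata"].get("namespace", "default"), o["metadata"]["name"]): o
               for o in items if o.get("kind") == "Secret"}
    findings = []
    for obj in items:
        if obj.get("kind") != "IngressRoute":
            continue
        meta, spec = obj["metadata"], obj.get("spec", {})
        ns, name = meta.get("namespace", "default"), meta["name"]
        tls = spec.get("tls")
        if tls is None:
            # Without spec.tls the router is plain HTTP, wrong on the HTTPS entry point.
            if "websecure" in spec.get("entryPoints", []):
                findings.append((name, "on websecure but has no spec.tls"))
            continue
        ref = tls.get("secretName")
        if not ref:
            continue  # no secret named: Traefik uses its default certificate
        secret = secrets.get((ns, ref))  # resolved in the IngressRoute's namespace
        if secret is None:
            findings.append((name, f"secret {ns}/{ref} not found"))
        elif secret.get("type") != "kubernetes.io/tls":
            findings.append((name, f"secret {ns}/{ref} is not type kubernetes.io/tls"))
        elif not {"tls.crt", "tls.key"} <= set(secret.get("data", {})):
            findings.append((name, f"secret {ns}/{ref} lacks tls.crt or tls.key"))
    return findings

def make_secret(name, ns="default", typ="kubernetes.io/tls"):
    return {"kind": "Secret", "type": typ, "metadata": {"name": name, "namespace": ns},
            "data": {"tls.crt": ".....", "tls.key": "....."}}

def make_route(name, entry, secret=None, ns="default"):
    spec = {"entryPoints": [entry], **({"tls": {"secretName": secret}} if secret else {})}
    return {"kind": "IngressRoute", "metadata": {"name": name, "namespace": ns}, "spec": spec}

# Constructed sample: the page's names, with two deliberate mistakes.
SAMPLE = [
    make_secret("tls-abc.com"),
    make_secret("tls-def.com", ns="other"),  # Secret placed in the wrong namespace
    make_route("ir-www.abc.com-https", "websecure", "tls-abc.com"),
    make_route("ir-www.abc.com-http", "web"),
    make_route("ir-www.def.com-https", "websecure", "tls-def.com"),
    make_route("ir-no-tls", "websecure"),    # hypothetical route missing spec.tls
]

if __name__ == "__main__":
    print("\n".join(f"{r}: {p}" for r, p in check_ingressroute_tls(SAMPLE)))
```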
    
  • Original article: https://www.cnblogs.com/morya/p/13446653.html