zoukankan      html  css  js  c++  java
  • K8S配置traefik ingressroutes支持TLS

    K8S配置traefik ingressroutes支持TLS

    最终效果

    参考traefik文档ingressroutes部分,刚读时非常令人费解。

    https://docs.traefik.io/https/tls/#certificates-stores

    In Traefik, certificates are grouped together in certificates stores.

    Any store definition other than the default one (named default) will be ignored, and there is thefore only one globally available TLS store.

    这两个描述,直接坑杀了我2天时间。

    一直以为traefik的tls模型是:

    ingressroutes --引用--> tlsstore --引用--> [k8s tls secret]
    

    其实,ingressroutes里,我知道的部分,service和tls都可以直接引用k8s的标准资源。

    • service
    • tls

    假设,我们有如下资源:

    • k8s tls secret
    • k8s service
      • k8s deployment

    我们需要提供如下域名的https接入访问:

    apiVersion: v1
    data:
      tls.crt: .....
      tls.key: .....
    kind: Secret
    metadata:
      name: tls-abc.com
      namespace: default
    type: kubernetes.io/tls
    
    ---
    
    apiVersion: v1
    data:
      tls.crt: .....
      tls.key: .....
    kind: Secret
    metadata:
      name: tls-def.com
      namespace: default
    type: kubernetes.io/tls
    

    deployment and service

    apiVersion: v1
    kind: Service
    metadata:
      name: whoami
      labels:
        app: whoami
    spec:
      ports:
      - port: 80
        targetPort: 80
      selector:
        app: whoami
    
    ---
    
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: whoami
    spec:
      selector:
        matchLabels:
          app: whoami
      replicas: 1
      template:
        metadata:
          labels:
            app: whoami
        spec:
          containers:
          - name: whoami
            image: containous/whoami
            ports:
            - containerPort: 80
    

    IngressRoutes www.abc.com

    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: ir-www.abc.com-https  ## https 单独定义一个,和http分离部署
      namespace: default
    
    spec:
      entryPoints:
        - websecure
      routes:
        - kind: Rule
          match: Host(`www.abc.com`) && PathPrefix(`/`)
          services:
            - kind: Service
              name: whoami
              port: 80
          tls: {}
      tls:
        secretName: tls-abc.com  ## 此处引用k8s secret
    ---
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: ir-www.abc.com-http ## http 单独定义一个,和https分离部署
      namespace: default
    spec:
      entryPoints:
        - web
      routes:
        - kind: Rule
          match: Host(`www.abc.com`) && PathPrefix(`/`)
          services:
            - kind: Service
              name: whoami
              port: 80
    

    IngressRoutes www.def.com

    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: ir-www.def.com-https  ## https 单独定义一个,和http分离部署
      namespace: default
    
    spec:
      entryPoints:
        - websecure
      routes:
        - kind: Rule
          match: Host(`www.def.com`) && PathPrefix(`/api`)
          services:
            - kind: Service
              name: whoami
              port: 80
          tls: {}
      tls:
        secretName: tls-def.com  ## 此处引用k8s secret
    ---
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: ir-www.def.com-http ## http 单独定义一个,和https分离部署
      namespace: default
    spec:
      entryPoints:
        - web
      routes:
        - kind: Rule
          match: Host(`www.def.com`) && PathPrefix(`/api`)
          services:
            - kind: Service
              name: whoami
              port: 80
    
  • 相关阅读:
    4.eureka控制台显示注册的服务IP以及心跳间隔和服务续约时间设置
    3.eureka高可用
    2.注册中心eureka
    1.模拟微服务环境
    oracle视图
    oracle分页查询与Rownum
    IDEA实用配置
    在django使用websocket
    dockerfile镜像设置中文
    python框架day01
  • 原文地址:https://www.cnblogs.com/morya/p/13446653.html
Copyright © 2011-2022 走看看