zoukankan      html  css  js  c++  java
  • traefik配置https

    traefik https使用

            之前已经使用traefik服务作为入口,测试并访问了tomcat应用,之前是通过http来访问的,而我们在yaml文件里面也添加8443端口用于https访问,在实际环境中我们也是需要
    https来进行访问应用,通过traefik实现https,traefik http应用

    操作实践

            这里我用了公司的证书,就是为了贴近真实,也满足测试需求,创建一个secret,保存https证书,如果没有证书,可以使用以下方式进行生成证书

    签证书

            没有证书可以使用命令生产证书

    1
    2
    # mkdir certs
    # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout xxlaila.cn.key -out xxlaila.cn.crt -subj "/CN=*.xxlaila.cn"

    部署准备

    traefik.toml

    • http 和https共同存在

      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      defaultEntryPoints = ["http","https"]
      [entryPoints]
      [entryPoints.http]
      address = ":80"
      entryPoint = "https"
      [entryPoints.https]
      address = ":443"
      [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/certs/xxlaila.cn.crt"
      keyFile = "/certs/xxlaila.cn.key"
    • 所有http请求全部rewrite为https的规则

      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      defaultEntryPoints = ["http","https"]
      [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.http.redirect]
      entryPoint = "https"
      [entryPoints.https]
      address = ":443"
      [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/certs/xxlaila.cn.crt"
      keyFile = "/certs/xxlaila.cn.key"
    • 部分域名强制跳转https

      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      13
      defaultEntryPoints = ["http","https"]
      [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.http.redirect]
      regex = "^http://traefix.xxlaila.cn/(.*)"
      replacement = "https://traefix.xxlaila.cn/$1"
      [entryPoints.https]
      address = ":443"
      [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/certs/xxlaila.cn.crt"
      keyFile = "/certs/xxlaila.cn.key"

    创建证书secret

    1
    2
    3
    4
    5
    6
    #  kubectl create secret generic traefik-cert --from-file=certs/xxlaila.cn.crt --from-file=certs/xxlaila.cn.key --from-file=certs/dev.xxlaila.cn.crt --from-file=certs/dev.xxlaila.cn.key --from-file=certs/test.xxlaila.cn.crt --from-file=certs/test.xxlaila.cn.key  -n kube-system
    secret/traefik-cert created

    # kubectl get secret traefik-cert -n kube-system
    NAME TYPE DATA AGE
    traefik-cert Opaque 2 26s
    • traefik-cert.yaml
      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      13
      14
      15
      16
      17
      18
      19
      20
      21
      证书base64加密
      # cat dev.xxlaila.cn.crt |base64 |tr -d ' '

      # cat > traefik-cert.yaml<<EOF
      ---
      kind: Secert
      apiVersion: v1
      metadata:
      name: traefik-cert
      namespace: kube-system
      data:
      "dev.xxlaila.cn.crt":
      "dev.xxlaila.cn.key":
      "test.xxlaila.cn.crt"
      "test.xxlaila.cn.key":
      "xxlaila.cn.crt":
      "xxlaila.cn.key":
      type:
      - Opaque

      EOF

    创建configmap保存traefix的配置

    • traefik.toml
      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      13
      14
      15
      16
      17
      18
      19
      20
      21
      22
      23
      24
      25
      26
      27
      28
      29
      30
      31
      32
      33
      34
      35
      36
      37
      38
      # cat > traefik.toml<<EOF
      defaultEntryPoints = ["http","https"]
      [entryPoints]
      [entryPoints.http]
      address = ":80"
      compress = true

      [entryPoints.http.whitelist]
      sourceRange = ["172.21.0.0/16", "172.16.0.0/16"]
      useXForwardedFor = true

      [entryPoints.http.redirect]
      entryPoint = "https"
      [entryPoints.https]
      address = ":443"
      [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/opt/traefix/certs/xxlaila.cn.crt"
      keyFile = "/opt/traefix/certs/xxlaila.cn.key"
      [[entryPoints.https.tls.certificates]]
      certFile = "/opt/traefix/certs/dev.xxlaila.cn.crt"
      keyFile = "/opt/traefix/certs/dev.xxlaila.cn.key"
      [[entryPoints.https.tls.certificates]]
      certFile = "/opt/traefix/certs/test.xxlaila.cn.crt"
      keyFile = "/opt/traefix/certs/test.xxlaila.cn.key"

      # rules
      filename = "/opt/traefix/conf/rules.toml"
      watch = true

      EOF

      # kubectl create configmap traefik-conf --from-file=conf/traefik.toml -n kube-system
      configmap/traefik-conf created

      # kubectl get configmap traefik-conf -n kube-system
      NAME DATA AGE
      traefik-conf 1 25s

    重新部署Traefix

            重新部署Traefix主要是要关联创建的secret和configMap,并挂载相对应的主机目录。

    deployment 方式部署

            修改片段

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    # vim traefik-deployment.yaml 
    ---
    kind: Deployment
    apiVersion: extensions/v1beta1
    metadata:
    name: traefik-ingress-controller
    namespace: kube-system
    labels:
    k8s-app: traefik-ingress-lb
    spec:
    replicas: 1
    selector:
    matchLabels:
    k8s-app: traefik-ingress-lb
    template:
    metadata:
    labels:
    k8s-app: traefik-ingress-lb
    name: traefik-ingress-lb
    spec:
    serviceAccountName: traefik-ingress-controller
    terminationGracePeriodSeconds: 60
    hostNetwork: true
    dnsPolicy: ClusterFirstWithHostNet
    volumes:
    - name: ssl
    secret:
    secretName: traefik-cert
    - name: config
    configMap:
    name: traefik-conf
    defaultMode: 0644
    items:
    - key: traefik.toml
    path: traefik.toml
    containers:
    - image: traefik:v1.7
    name: traefik-ingress-lb
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - mountPath: "/certs"
    name: "ssl"
    - mountPath: "/etc/traefik.toml"
    subPath: "traefik.toml"
    name: "config"
    ports:
    - name: http
    containerPort: 80
    - name: admin
    containerPort: 8080
    securityContext:
    capabilities:
    drop:
    - ALL
    add:
    - NET_BIND_SERVICE
    args:
    - --api
    - --web
    - --api.dashboard
    - --web.metrics
    - --metrics.prometheus
    - --web.metrics.prometheus
    - --kubernetes
    - --logLevel=INFO
    - --traefiklog
    - --traefiklog.format=json
    - --accesslog
    - --accesslog.format=json
    - --accessLog.fields.headers.defaultMode=redact
    - --insecureskipverify=true
    - --configFile=/etc/traefik.toml
    - --defaultentrypoints=http,https
    - --entrypoints=Name:https Address::443 TLS
    - --entrypoints=Name:http Address::80
    nodeSelector:
    IngressProxy: "true"
    tolerations:
    - effect: NoSchedule
    key: node-role.kubernetes.io/ingress
    operator: Equal
    • 执行创建
      1
      # kubectl apply -f traefik-deployment.yaml

    测试ui

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    # cat >ui.yaml<<EOF 
    ---
    apiVersion: v1
    kind: Service
    metadata:
    name: traefik-web-ui
    namespace: kube-system
    spec:
    selector:
    k8s-app: traefik-ingress-lb
    ports:
    - name: web
    port: 80
    targetPort: 8080
    ---
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
    name: traefik-web-ui
    namespace: kube-system
    annotations:
    kubernetes.io/ingress.class: traefik
    #traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    #traefik.ingress.kubernetes.io/redirect-entry-point: https
    spec:
    #tls:
    # - secretName: traefik-cert
    rules:
    - host: traefik.xxlaila.cn
    http:
    paths:
    - path: /
    backend:
    serviceName: traefik-web-ui
    servicePort: web
    EOF
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    # cat >ui-test.yaml <<EOF
    ---
    apiVersion: v1
    kind: Service
    metadata:
    name: traefik-web-ui-test
    namespace: kube-system
    spec:
    selector:
    k8s-app: traefik-ingress-lb
    ports:
    - name: web
    port: 80
    targetPort: 8080
    ---
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
    name: traefik-web-ui-test
    namespace: kube-system
    annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
    spec:
    #tls:
    # - secretName: traefik-cert
    rules:
    - host: traefik.test.xxlaila.cn
    http:
    paths:
    - path: /
    backend:
    serviceName: traefik-web-ui
    servicePort: web
    EOF

    注:
    tls: traefikm默认加载的证书是tls开头的crt、key证书。如果只有一个证书,可以这么设置。多个域名证书需要设定不同的secret名称,在tls引用的时候根据不同的域名指定不同secret名称
    redirect-entry-point: 该域名强制跳转https

    traefik 代理外部服务

            traefix对外部应用提供服务,这里以公司的一个应用app和harbor为列,

    java app

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    # cat > java-app.yaml
    apiVersion: v1
    kind: Service
    metadata:
    labels:
    k8s-app: app-biz
    name: app-biz
    namespace: default
    annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/affinity: "true"
    traefik.ingress.kubernetes.io/load-balancer-method: drr
    spec:
    clusterIP: None
    ports:
    - name: http
    port: 8030
    protocol: TCP
    targetPort: 8030
    sessionAffinity: None
    type: ClusterIP
    ---
    apiVersion: v1
    kind: Endpoints
    metadata:
    labels:
    k8s-app: app-biz
    name: app-biz
    namespace: default
    subsets:
    - addresses:
    - ip: 172.22.1.1
    - ip: 172.22.1.2
    ports:
    - name: http
    port: 8030
    protocol: TCP
    ---
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
    name: app-biz
    namespace: default
    annotations:
    kubernetes.io/ingress.class: traefik
    traefik.frontend.rule.type: PathPrefixStrip
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
    spec:
    rules:
    - host: app-biz.test.xxlaila.cn
    http:
    paths:
    - path: /
    backend:
    serviceName: app-biz
    servicePort: 8030
    EOF

    harbor

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    # cat >harbor.yaml<<EOF
    apiVersion: v1
    kind: Service
    metadata:
    labels:
    k8s-app: harbor
    name: harbor
    namespace: default
    annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/affinity: "true"
    #traefik.ingress.kubernetes.io/load-balancer-method: drr
    spec:
    clusterIP: None
    ports:
    - name: http
    port: 80
    protocol: TCP
    targetPort: 80
    sessionAffinity: None
    type: ClusterIP
    ---
    apiVersion: v1
    kind: Endpoints
    metadata:
    labels:
    k8s-app: harbor
    name: harbor
    namespace: default
    subsets:
    - addresses:
    - ip: 172.21.16.90
    ports:
    - name: http
    port: 80
    protocol: TCP
    ---
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
    name: harbor
    namespace: default
    annotations:
    kubernetes.io/ingress.class: traefik
    traefik.frontend.rule.type: PathPrefixStrip
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
    spec:
    rules:
    - host: harbor.xxlaila.cn
    http:
    paths:
    - path: /
    backend:
    serviceName: harbor
    servicePort: 80
    EOF

    curl验证证书:curl --resolve 'xxx.xxx.xxx:127.0.0.1' https://xxx.xxx.xxx/ -vvv

  • 相关阅读:
    js遍历Object所有属性
    使用JAVA开发微信公众平台(一)——环境搭建与开发接入
    使用Vue.js实现列表选中效果
    c#以POST方式模拟提交表单
    vue项目里的日期格式化
    Hadoop概念学习系列之Hadoop、Spark学习路线(很值得推荐)
    CentOS下的Mysql的安装和使用
    CentOS中zip压缩和unzip解压缩命令详解
    vue路由跳转传参数
    Linux上安装Hadoop集群(CentOS7+hadoop-2.8.0)
  • 原文地址:https://www.cnblogs.com/qinghe123/p/13667677.html
Copyright © 2011-2022 走看看