  • Adding multiple certificates to Traefik

    Certificate preparation

    • Self-made
      Not covered here; there are plenty of guides online.
    • Purchased SSL certificate
      A purchased SSL certificate is used here.

    Correcting some misconceptions

    • Some sources claim that Traefik certificate files must be named tls (e.g. tls.pem, tls.key). That is incorrect; below, certificates with non-tls file names are used to add SSL certificates to Traefik.
    • SSL and config mount paths in Traefik
      From traefik-deployment.yaml we know that the config directory and the certificate directory need to be mounted. Some sources say the default paths cannot be changed; that is also incorrect, and non-default paths are used for the mounts below.

    Configuration file notes

    • traefik.toml
    logLevel = "INFO"
    insecureSkipVerify = true   # disables verification of backend TLS certificates; only needed when backends use self-signed certs
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          certFile = "/files/k8s-files/kubernetes/ssl/card/cr.xxxxxx.cn.pem"  # 1
          keyFile = "/files/k8s-files/kubernetes/ssl/card/cr.xxxxxx.cn.key"
          [[entryPoints.https.tls.certificates]]
          certFile = "/files/k8s-files/kubernetes/ssl/smart/smart.xxxxx.cn.pem" # 2
          keyFile = "/files/k8s-files/kubernetes/ssl/smart/smart.xxxxx.cn.key"
    [respondingTimeouts]
    readTimeout = "30s"
    writeTimeout = "30s"
    idleTimeout = "360s"
    Note: at 1 and 2 above, the two certificates are placed in different directories (card and smart). This is a tricky point in k8s: the certificates have to be mounted into the Traefik container, and if both are mounted into the single ssl directory rather than into separate sub-directories under ssl, the later mount overwrites the earlier one, so only one certificate is usable. This was the biggest pitfall in adding multiple certificates.
    
    • traefik-deployment.yaml
      Only the volumes and volumeMounts parts are shown here
          containers:
          - image: traefik:latest
            imagePullPolicy: IfNotPresent
            name: traefik-ingress-lb
            volumeMounts:
            - name: "ssl-cr"
              mountPath: "/files/k8s-files/kubernetes/ssl/card"
            - name: "ssl-smart"
              mountPath: "/files/k8s-files/kubernetes/ssl/smart"
            - name: "config"
              mountPath: "/files/k8s-files/kubernetes/cfg"
            ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
            - name: admin
              containerPort: 8080
            - name: zhuanfa
              containerPort: 5053
            args:
            - --api
            - --kubernetes
            - --logLevel=INFO
            - --configfile=/files/k8s-files/kubernetes/cfg/traefik.toml
          volumes:
          - name: ssl-cr
            secret:
              secretName: traefik-cert-cr
          - name: ssl-smart
            secret:
              secretName: traefik-cert-smart
          - name: config
            configMap:
              name: traefik-conf
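As an added check (not part of the original post), the Python script below validates the pitfall described above before deploying: it flags volumeMounts that share a mountPath (the case where one Secret hides the other) and confirms that every certFile/keyFile in traefik.toml resolves to a key of the Secret mounted at that directory. The paths, file names and Secret keys are the ones on this page; the function names are my own.

```python
import posixpath

# Constructed sample data mirroring this page's traefik.toml and
# traefik-deployment.yaml (hostnames are the page's placeholders).
CERT_FILES = [
    "/files/k8s-files/kubernetes/ssl/card/cr.xxxxxx.cn.pem",
    "/files/k8s-files/kubernetes/ssl/card/cr.xxxxxx.cn.key",
    "/files/k8s-files/kubernetes/ssl/smart/smart.xxxxx.cn.pem",
    "/files/k8s-files/kubernetes/ssl/smart/smart.xxxxx.cn.key",
]
GOOD_MOUNTS = [  # one Secret per sub-directory, as the page recommends
    {"name": "ssl-cr", "mountPath": "/files/k8s-files/kubernetes/ssl/card"},
    {"name": "ssl-smart", "mountPath": "/files/k8s-files/kubernetes/ssl/smart"},
]
# Keys of each Secret, i.e. the file names that were given to --from-file.
SECRET_KEYS = {
    "ssl-cr": {"cr.xxxxxx.cn.pem", "cr.xxxxxx.cn.key"},
    "ssl-smart": {"smart.xxxxx.cn.pem", "smart.xxxxx.cn.key"},
}


def duplicate_mount_paths(mounts):
    """Return the set of mountPath values used by more than one volumeMount."""
    seen, dupes = set(), set()
    for m in mounts:
        path = m["mountPath"].rstrip("/")
        (dupes if path in seen else seen).add(path)
    return dupes


def check_cert_files(cert_files, mounts, secret_keys):
    """Map each certFile/keyFile path from traefik.toml to a status:
    'ok'          -> a mounted Secret provides that file name
    'no mount'    -> no volumeMount covers the file's directory
    'missing key' -> a Secret is mounted there but lacks that key
    """
    volume_by_dir = {m["mountPath"].rstrip("/"): m["name"] for m in mounts}
    result = {}
    for path in cert_files:
        directory, name = posixpath.split(path)
        volume = volume_by_dir.get(directory)
        if volume is None:
            result[path] = "no mount"
        elif name not in secret_keys.get(volume, set()):
            result[path] = "missing key"
        else:
            result[path] = "ok"
    return result
```

Run it against the real manifests by replacing the constructed lists with the values from your own traefik.toml, Deployment and `kubectl get secret ... -o yaml` output.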
    

    Generating the certificate Secret

    Using smart.xxxxx.cn as the example

    cd /files/k8s-files/kubernetes/ssl
    kubectl create secret generic traefik-cert-smart --from-file=./smart/smart.xxxxx.cn.pem --from-file=./smart/smart.xxxxx.cn.key -n kube-system
    

    View the traefik-cert-smart Secret

    # Please edit the object below. Lines beginning with a '#' will be ignored,
    # and an empty file will abort the edit. If an error occurs while saving this file will be
    # reopened with the relevant failures.
    #
    apiVersion: v1
    data:
      smart.xxxxx.cn.key: base64encode   # note that the key names recorded here match the file names given to --from-file
      smart.xxxxx.cn.pem: base64encode
    kind: Secret
    metadata:
      creationTimestamp: "2019-04-21T05:08:16Z"
      name: traefik-cert-smart
      namespace: kube-system
      resourceVersion: "2182167"
      selfLink: /api/v1/namespaces/kube-system/secrets/traefik-cert-smart
      uid: 789b5e66-63f3-11e9-9d89-00163e03c41e
    type: Opaque
    

    Rebuild the config map and restart Traefik

    cd /files/k8s-files/kubernetes/cfg
    kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
    

    Create a test application

    • nginx-test-tls.yaml
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: nginxtls
      namespace: kube-system
      labels:
        addonmanager.kubernetes.io/mode: Reconcile
    spec:
      template:
        metadata:
          labels:
            app: nginxtls
        spec:
          containers:
          - name: nginxtls
            image: nginx:1.12.2
            imagePullPolicy: IfNotPresent 
            ports:
            - containerPort: 80
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: nginxtls
      labels:
        app: nginxtls
      namespace: kube-system
    spec:
      selector:
        app: nginxtls
      ports:
      - name: http
        port: 80
        targetPort: 80
    ---
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: nginxtls
      namespace: kube-system
      annotations:
        kubernetes.io/ingress.class: traefik
        traefik.frontend.rule.type: PathPrefixStrip
    spec:
      #tls:  # note: do not add the tls section here
      #- secretName: traefik-cert-smart
      rules:
      - host: smart.xxxxx.cn
        http:
          paths:
          - path: /
            backend:
              serviceName: nginxtls
              servicePort: 80
    

    kubectl create -f nginx-test-tls.yaml

    Access test

    OK, that's it for adding multiple certificates to Traefik! Hope this helps you!

  • Original article: https://www.cnblogs.com/zunwen/p/10745655.html