k3s basics: configuring the traefik dashboard
Accessing the traefik dashboard (to configure certificate-based access, skip straight to the last section: configuring websecure with an HTTPS certificate)
Port forwarding
# Access URL: http://192.168.0.201:9000/dashboard/#/
kubectl -n kube-system port-forward $(kubectl -n kube-system get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000 --address 0.0.0.0
Configuring a domain name
1. Create the ingress configuration file traefik-dashboard-web.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-web
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`traefik.domain.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      services:
        - kind: TraefikService
          name: api@internal # fixed value, do not change
2. Deploy it
kubectl apply -f traefik-dashboard-web.yaml
3. Configure DNS resolution to point at the server where traefik runs, then visit http://traefik.domain.com/dashboard/#/
4. Basic authentication
① Create the secret
apiVersion: v1
kind: Secret
metadata:
  name: traefik-basic-secret
  namespace: kube-system
type: kubernetes.io/basic-auth
data:
  # base64-encoded values
  username: dXNlcg== # username: user
  password: cGFzc3dvcmQ= # password: password
② Create the middleware
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-basic-auth
  namespace: kube-system
spec:
  basicAuth:
    secret: traefik-basic-secret
③ Modify the ingressroute
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-web
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`traefik.domain.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      middlewares:
        - name: traefik-basic-auth
          namespace: kube-system
      services:
        - kind: TraefikService
          name: api@internal # fixed value, do not change
Enabling cross-namespace access
By default the traefik ingress does not enable this feature; it has to be turned on manually.
Add the configuration file traefik-config.yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    globalArguments:
      - "--providers.kubernetescrd.allowCrossNamespace=true"
Deploy
kubectl apply -f traefik-config.yaml
Configuring websecure with an HTTPS certificate
Here the certificate is requested with a DNS challenge, using Alibaba Cloud as the example:
① Create the secret holding the Alibaba Cloud access key
kubectl create secret generic alidns-ak-secret --from-literal=ALICLOUD_ACCESS_KEY=<your_key> --from-literal=ALICLOUD_SECRET_KEY=<your_secret> -n kube-system
② Modify the traefik configuration
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    globalArguments:
      - "--providers.kubernetescrd.allowCrossNamespace=true"
    persistence:
      enabled: true
      name: data
      accessMode: ReadWriteOnce
      size: 128Mi
      storageClass: local-path
      path: /data
    certResolvers:
      myletsencrypt:
        email: your@gmail.com
        storage: /data/acme.json
        dnsChallenge:
          provider: alidns
          delayBeforeCheck: 10
    # Relaxed from the chart defaults (runs as root) so the ACME storage under /data is writable
    securityContext:
      readOnlyRootFilesystem: false
      runAsNonRoot: false
      runAsUser: 0
      runAsGroup: 0
    envFrom:
      - secretRef:
          name: alidns-ak-secret
    ports:
      websecure:
        tls:
          certResolver: myletsencrypt
          domains:
            - main: domain.com
              sans:
                - '*.domain.com'
Note:
Replace the email with your own.
Add the necessary A records to map the domain to this server.
Deploy
kubectl apply -f traefik-config.yaml
③ Add HTTPS access for traefik-dashboard
Modify the ingress configuration file traefik-dashboard-web.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-web
  namespace: kube-system
spec:
  entryPoints:
    - websecure # replace web with websecure; the IngressRoutes of other modules can get an https entry point with the same replacement
  routes:
    - kind: Rule
      match: Host(`traefik.domain.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      # The basicAuth middlewares block from step 4 is not shown here; keep it if the dashboard should stay password-protected
      services:
        - kind: TraefikService
          name: api@internal # fixed value, do not change
Deploy
kubectl apply -f traefik-dashboard-web.yaml
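As an added, defender-side check that is not part of the original post: a small Python audit that walks parsed IngressRoute manifests and flags a dashboard route (the api@internal TraefikService) that is still bound to the plain-HTTP web entryPoint or, as in the final step above, is no longer guarded by the step-4 basicAuth middleware. Function and sample names are this example's own; the sample manifests are constructed from the post's three variants.

```python
# Added audit helper (not from the original post): flags Traefik IngressRoutes
# that expose the dashboard (TraefikService api@internal) over the plain-HTTP
# "web" entryPoint or without a basicAuth middleware. Input is manifests already
# parsed into dicts (e.g. with yaml.safe_load_all); names here are this example's own.
DASHBOARD_SERVICE = "api@internal"


def audit_ingressroute(doc, middlewares):
    """Return finding strings for one IngressRoute dict.

    `middlewares` maps "namespace/name" to the parsed Middleware dict, so a
    reference only counts if that Middleware really configures basicAuth.
    """
    findings = []
    if doc.get("kind") != "IngressRoute":
        return findings
    meta = doc.get("metadata", {})
    ns = meta.get("namespace", "default")
    ref = f"{ns}/{meta.get('name')}"
    spec = doc.get("spec", {})
    entry_points = spec.get("entryPoints", [])
    for route in spec.get("routes", []):
        if not any(s.get("kind") == "TraefikService" and s.get("name") == DASHBOARD_SERVICE
                   for s in route.get("services", [])):
            continue
        # An omitted entryPoints list binds the route to every entryPoint, web included.
        if not entry_points or "web" in entry_points:
            findings.append(f"{ref}: dashboard reachable over plain-HTTP entryPoint 'web'")
        has_auth = any(
            "basicAuth" in middlewares.get(f"{m.get('namespace', ns)}/{m.get('name')}", {}).get("spec", {})
            for m in route.get("middlewares", []))
        if not has_auth:
            findings.append(f"{ref}: dashboard route has no basicAuth middleware")
    return findings


def sample_ingressroute(name, entry_point, with_auth):
    """Constructed sample mirroring the post's traefik-dashboard-web.yaml variants."""
    route = {"kind": "Rule",
             "match": "Host(`traefik.domain.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))",
             "services": [{"kind": "TraefikService", "name": DASHBOARD_SERVICE}]}
    if with_auth:
        route["middlewares"] = [{"name": "traefik-basic-auth", "namespace": "kube-system"}]
    return {"kind": "IngressRoute", "metadata": {"name": name, "namespace": "kube-system"},
            "spec": {"entryPoints": [entry_point], "routes": [route]}}


# Constructed: the Middleware from step 4, keyed "namespace/name" as the audit expects.
MIDDLEWARES = {"kube-system/traefik-basic-auth": {"kind": "Middleware",
               "spec": {"basicAuth": {"secret": "traefik-basic-secret"}}}}
```

Running the audit over the post's step-1, step-4 and final (websecure) variants yields two, one and one finding respectively; only the websecure route that keeps the middleware comes back clean.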