Configuring HTTPS in traefik
Using HTTPS with traefik
Earlier we used the traefik service as the entry point and tested access to the tomcat application; that access went over http, although the yaml file also added port 8443 for https access. In a real environment applications also need to be reached over https, so here we implement https through traefik for the application that was previously served over http.
Hands-on
Here I used the company's certificates, both to stay close to a real setup and to satisfy the test requirements. Create a secret that holds the https certificate. If you do not have a certificate, you can generate one as follows.
Signing a certificate
Without a certificate you can generate one from the command line:
```shell
# mkdir certs
```
Deployment preparation
traefik.toml
- http and https side by side
```toml
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
# no [entryPoints.http.redirect] table here: both entry points serve requests
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/certs/xxlaila.cn.crt"
keyFile = "/certs/xxlaila.cn.key"
```
- Rule that rewrites every http request to https
```toml
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
# every request arriving on :80 is answered with a redirect to the https entry point
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/certs/xxlaila.cn.crt"
keyFile = "/certs/xxlaila.cn.key"
```
- Forcing https only for some domains
```toml
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
# only URLs matching the regex are redirected; $1 carries the captured path over
[entryPoints.http.redirect]
regex = "^http://traefix.xxlaila.cn/(.*)"
replacement = "https://traefix.xxlaila.cn/$1"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/certs/xxlaila.cn.crt"
keyFile = "/certs/xxlaila.cn.key"
```
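As an added example (my code, neither the post's nor traefik's), the three redirect tables above are modelled in Python so their behaviour can be checked against sample URLs; the regex variant uses Go's `$1` template syntax, which the helper translates for Python's re module. The port handling of the entry-point redirect (https on :443 unless told otherwise) is an assumption of the model.

```python
import re
from typing import Optional

# The [entryPoints.http.redirect] tables from the three traefik.toml variants,
# transcribed as dicts (the TOML text itself is not parsed here).
COEXIST = None                                   # variant 1: no redirect table
REDIRECT_ALL = {"entryPoint": "https"}           # variant 2: every http request
REDIRECT_ONE_HOST = {                            # variant 3: one host only
    "regex": r"^http://traefix.xxlaila.cn/(.*)",
    "replacement": r"https://traefix.xxlaila.cn/$1",
}


def go_replacement_to_python(replacement: str) -> str:
    """Traefik is Go code: its regexp templates use $1 / ${1} for capture
    groups, while Python's re.sub wants \\1. Translate the template."""
    return re.sub(r"\$\{?(\d+)\}?", r"\\\1", replacement)


def redirect_target(redirect: Optional[dict], url: str,
                    https_port: int = 443) -> Optional[str]:
    """Return the Location the http entry point would answer with, or None
    when the request is simply served over http. Illustrative model of the
    traefik v1 behaviour; assumes the http entry point listens on :80 and
    the https entry point on https_port."""
    if not redirect:
        return None
    if "entryPoint" in redirect:
        # Entry-point redirect: same host and path, scheme switched to https,
        # port rewritten to the https entry point's port (omitted for 443).
        rest = url[len("http://"):] if url.startswith("http://") else url
        host, sep, path = rest.partition("/")
        host = host.split(":")[0]
        if https_port != 443:
            host = f"{host}:{https_port}"
        return f"https://{host}{sep}{path}"
    # Regex redirect: only URLs the pattern matches are rewritten. Note that
    # the page's pattern leaves the dots in the host name unescaped, so each
    # '.' matches any character, not just a literal dot.
    pattern = re.compile(redirect["regex"])
    if not pattern.search(url):
        return None
    return pattern.sub(go_replacement_to_python(redirect["replacement"]), url)


if __name__ == "__main__":
    for cfg in (COEXIST, REDIRECT_ALL, REDIRECT_ONE_HOST):
        for u in ("http://traefix.xxlaila.cn/ui/", "http://dev.xxlaila.cn/app"):
            print(u, "->", redirect_target(cfg, u))
```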
Create the certificate secret
```shell
# kubectl create secret generic traefik-cert --from-file=certs/xxlaila.cn.crt --from-file=certs/xxlaila.cn.key --from-file=certs/dev.xxlaila.cn.crt --from-file=certs/dev.xxlaila.cn.key --from-file=certs/test.xxlaila.cn.crt --from-file=certs/test.xxlaila.cn.key -n kube-system
```
- traefik-cert.yaml
```shell
# base64-encode each certificate; tr removes the line breaks so the value fits on one line
# cat dev.xxlaila.cn.crt |base64 |tr -d '\n'
# cat > traefik-cert.yaml<<EOF
---
kind: Secret
apiVersion: v1
metadata:
  name: traefik-cert
  namespace: kube-system
data:
  # each value is the base64 output of the command above for that file
  "dev.xxlaila.cn.crt":
  "dev.xxlaila.cn.key":
  "test.xxlaila.cn.crt":
  "test.xxlaila.cn.key":
  "xxlaila.cn.crt":
  "xxlaila.cn.key":
type: Opaque
EOF
```
Create a configmap to hold the traefik configuration
- traefik.toml
```shell
# cat > traefik.toml<<EOF
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
compress = true
[entryPoints.http.whitelist]
sourceRange = ["172.21.0.0/16", "172.16.0.0/16"]
# useXForwardedFor makes the whitelist check the X-Forwarded-For header instead of
# the peer address; only enable it when a trusted proxy in front of traefik sets it
useXForwardedFor = true
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/opt/traefix/certs/xxlaila.cn.crt"
keyFile = "/opt/traefix/certs/xxlaila.cn.key"
[[entryPoints.https.tls.certificates]]
certFile = "/opt/traefix/certs/dev.xxlaila.cn.crt"
keyFile = "/opt/traefix/certs/dev.xxlaila.cn.key"
[[entryPoints.https.tls.certificates]]
certFile = "/opt/traefix/certs/test.xxlaila.cn.crt"
keyFile = "/opt/traefix/certs/test.xxlaila.cn.key"
# rules: dynamic configuration is read by the file provider
[file]
filename = "/opt/traefix/conf/rules.toml"
watch = true
EOF
# kubectl create configmap traefik-conf --from-file=conf/traefik.toml -n kube-system
configmap/traefik-conf created
# kubectl get configmap traefik-conf -n kube-system
NAME DATA AGE
traefik-conf 1 25s
```
Redeploy Traefik
Redeploying Traefik is mainly a matter of referencing the secret and configMap created above and mounting the corresponding host directories.
Deploying with a Deployment
Modified fragment
```shell
# vim traefik-deployment.yaml
```
- Run the create
```shell
# kubectl apply -f traefik-deployment.yaml
```
Test the UI
```shell
# cat >ui.yaml<<EOF
```
```shell
# cat >ui-test.yaml <<EOF
```
Note:
tls: by default traefik loads the crt and key whose names start with tls. If there is only one certificate, this setting is enough. Certificates for several domains need separate secret names, and when tls is referenced the secret name is chosen per domain.
redirect-entry-point: forces this domain to redirect to https
Traefik proxying external services
Traefik can also front applications outside the cluster; here one of the company's applications, app, and harbor serve as examples.
java app
```shell
# cat > java-app.yaml
```
harbor
```shell
# cat >harbor.yaml<<EOF
```
Verify the certificate with curl: curl --resolve 'xxx.xxx.xxx:127.0.0.1' https://xxx.xxx.xxx/ -vvv