traefik配置https

traefik https使用

        之前已经使用 traefik 服务作为入口,测试并访问了 tomcat 应用,当时是通过 http 访问的;我们在 yaml 文件里也添加了 8443 端口用于 https 访问。实际环境中同样需要通过 https 访问应用,下面介绍如何通过 traefik 实现 https 访问。

操作实践

        这里我用了公司的证书,就是为了贴近真实,也满足测试需求,创建一个secret,保存https证书,如果没有证书,可以使用以下方式进行生成证书

签证书

        没有证书时,可以使用以下命令生成自签名证书

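# Self-signed wildcard certificate for testing. Files are written into certs/
# so the paths match the later `kubectl create secret ... --from-file=certs/...`.
mkdir -p certs
# -nodes : the private key is stored unencrypted (no passphrase), which the
#          Secret mount needs; keep the file readable by this user only.
# -addext: adds a subjectAltName. Current browsers ignore the CN and refuse a
#          certificate without a SAN. Requires OpenSSL >= 1.1.1; on older
#          releases drop the line (only non-browser clients will accept the cert).
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout certs/xxlaila.cn.key -out certs/xxlaila.cn.crt \
  -subj "/CN=*.xxlaila.cn" \
  -addext "subjectAltName=DNS:*.xxlaila.cn,DNS:xxlaila.cn"
chmod 600 certs/xxlaila.cn.key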

部署准备

traefik.toml

  • http 和https共同存在

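    # Scenario 1: HTTP and HTTPS are served side by side, no redirect.
    defaultEntryPoints = ["http","https"]
    [entryPoints]
    [entryPoints.http]
    address = ":80"
    # The stray `entryPoint = "https"` that sat here was removed: outside a
    # [entryPoints.http.redirect] table it configures nothing, and a redirect is
    # not wanted in this variant (see the next one for the redirect form).
    [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]
    # Default certificate for :443; paths match the /certs mount of the Secret
    # in the Deployment further down.
    [[entryPoints.https.tls.certificates]]
    certFile = "/certs/xxlaila.cn.crt"
    keyFile = "/certs/xxlaila.cn.key"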
  • 所有http请求全部rewrite为https的规则

    # Scenario 2: every plain-http request is redirected to the https entry point.
    defaultEntryPoints = ["http","https"]
    [entryPoints]
    [entryPoints.http]
    address = ":80"
    # The redirect is issued by the http entry point itself, so it covers all
    # hosts before any frontend rule is evaluated. Clients still send their first
    # request in clear text; the switch to https only happens after that reply.
    [entryPoints.http.redirect]
    entryPoint = "https"
    [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]
    # Default certificate for :443; paths match the /certs mount of the Secret
    # in the Deployment further down.
    [[entryPoints.https.tls.certificates]]
    certFile = "/certs/xxlaila.cn.crt"
    keyFile = "/certs/xxlaila.cn.key"
  • 部分域名强制跳转https

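    # Scenario 3: only one host is forced to HTTPS; other hosts stay reachable on :80.
    defaultEntryPoints = ["http","https"]
    [entryPoints]
    [entryPoints.http]
    address = ":80"
    [entryPoints.http.redirect]
    # Dots are escaped so "." matches a literal dot rather than any character
    # (a TOML basic string needs "\\" for one backslash).
    # NOTE(review): the host is spelled "traefix" here while the dashboard Ingress
    # below uses traefik.xxlaila.cn — confirm which name is meant; the redirect
    # only fires on an exact match.
    regex = "^http://traefix\\.xxlaila\\.cn/(.*)"
    replacement = "https://traefix.xxlaila.cn/$1"
    [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]
    # Default certificate for :443; paths match the /certs mount of the Secret
    # in the Deployment further down.
    [[entryPoints.https.tls.certificates]]
    certFile = "/certs/xxlaila.cn.crt"
    keyFile = "/certs/xxlaila.cn.key"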

创建证书secret

#  kubectl create secret generic traefik-cert --from-file=certs/xxlaila.cn.crt --from-file=certs/xxlaila.cn.key --from-file=certs/dev.xxlaila.cn.crt --from-file=certs/dev.xxlaila.cn.key --from-file=certs/test.xxlaila.cn.crt --from-file=certs/test.xxlaila.cn.key  -n kube-system
secret/traefik-cert created

# kubectl get secret traefik-cert -n kube-system
NAME TYPE DATA AGE
traefik-cert Opaque 2 26s
  • traefik-cert.yaml
    证书base64加密
    # cat dev.xxlaila.cn.crt |base64 |tr -d '\n'

    # cat > traefik-cert.yaml<<EOF
    ---
    kind: Secert
    apiVersion: v1
    metadata:
    name: traefik-cert
    namespace: kube-system
    data:
    "dev.xxlaila.cn.crt":
    "dev.xxlaila.cn.key":
    "test.xxlaila.cn.crt"
    "test.xxlaila.cn.key":
    "xxlaila.cn.crt":
    "xxlaila.cn.key":
    type:
    - Opaque

    EOF

创建configmap保存traefik的配置

  • traefik.toml
    # cat > traefik.toml<<EOF
    # Entry points for the Deployment below (the file is mounted at /etc/traefik.toml).
    defaultEntryPoints = ["http","https"]
    [entryPoints]
    [entryPoints.http]
    address = ":80"
    compress = true

    # Source-IP allowlist for plain HTTP.
    # useXForwardedFor = true makes Traefik take the client address from the
    # X-Forwarded-For header. With hostNetwork (see the Deployment) Traefik is the
    # first hop, so that header is whatever the client chose to send and the
    # allowlist can be bypassed by forging it. Keep this only behind a proxy that
    # overwrites X-Forwarded-For; otherwise drop the useXForwardedFor line.
    [entryPoints.http.whitelist]
    sourceRange = ["172.21.0.0/16", "172.16.0.0/16"]
    useXForwardedFor = true

    # Every request on :80 is answered with a redirect to the https entry point.
    [entryPoints.http.redirect]
    entryPoint = "https"
    [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]
    # One [[certificates]] entry per domain.
    # NOTE(review): the Deployment mounts the Secret at /certs, not at
    # /opt/traefix/certs — one of the two paths has to change or the files are
    # not found at start-up.
    [[entryPoints.https.tls.certificates]]
    certFile = "/opt/traefix/certs/xxlaila.cn.crt"
    keyFile = "/opt/traefix/certs/xxlaila.cn.key"
    [[entryPoints.https.tls.certificates]]
    certFile = "/opt/traefix/certs/dev.xxlaila.cn.crt"
    keyFile = "/opt/traefix/certs/dev.xxlaila.cn.key"
    [[entryPoints.https.tls.certificates]]
    certFile = "/opt/traefix/certs/test.xxlaila.cn.crt"
    keyFile = "/opt/traefix/certs/test.xxlaila.cn.key"

    # rules
    # NOTE(review): no volume in the Deployment provides /opt/traefix/conf/rules.toml,
    # and in Traefik v1 the file provider is normally configured under a [file]
    # table — confirm these two keys are picked up at top level, or remove them.
    filename = "/opt/traefix/conf/rules.toml"
    watch = true

    EOF

    # kubectl create configmap traefik-conf --from-file=conf/traefik.toml -n kube-system
    configmap/traefik-conf created

    # kubectl get configmap traefik-conf -n kube-system
    NAME DATA AGE
    traefik-conf 1 25s

重新部署Traefik

        重新部署Traefik主要是要关联创建的secret和configMap,并挂载相对应的主机目录。

deployment 方式部署

        修改片段

# vim traefik-deployment.yaml
---
kind: Deployment
# NOTE(review): extensions/v1beta1 Deployments are gone from Kubernetes 1.16+;
# use apps/v1 on a newer cluster.
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      # hostNetwork: :80, :443 and the admin port :8080 are bound on the node
      # itself, so the dashboard/API enabled by --api/--web below is reachable by
      # anyone who can reach the node IP unless something in front restricts it.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      volumes:
        # Certificates and keys from the traefik-cert Secret, one file per key.
        - name: ssl
          secret:
            secretName: traefik-cert
        - name: config
          configMap:
            name: traefik-conf
            # Unquoted octal: YAML 1.1 parses 0644 as 420 (rw-r--r--), which is
            # the integer the API expects; do not quote it.
            defaultMode: 0644
            items:
              - key: traefik.toml
                path: traefik.toml
      containers:
        - image: traefik:v1.7
          name: traefik-ingress-lb
          imagePullPolicy: IfNotPresent
          volumeMounts:
            # The Secret lands at /certs/<key>. NOTE(review): the traefik.toml in
            # the ConfigMap references /opt/traefix/certs/... — one of the two
            # paths has to change.
            - mountPath: "/certs"
              name: "ssl"
            - mountPath: "/etc/traefik.toml"
              subPath: "traefik.toml"
              name: "config"
          # Under hostNetwork these declarations are informational only; :443 is
          # served (see --entrypoints below) but not listed here.
          ports:
            - name: http
              containerPort: 80
            - name: admin
              containerPort: 8080
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                # The only capability needed to bind :80/:443 without running as root.
                - NET_BIND_SERVICE
          args:
            - --api
            - --web
            - --api.dashboard
            - --web.metrics
            - --metrics.prometheus
            - --web.metrics.prometheus
            - --kubernetes
            - --logLevel=INFO
            - --traefiklog
            - --traefiklog.format=json
            - --accesslog
            - --accesslog.format=json
            # Header values are masked in the access log (cookies, auth tokens).
            - --accessLog.fields.headers.defaultMode=redact
            # Disables verification of backend TLS certificates, so a TLS backend
            # can be impersonated on the Traefik-to-backend leg. Keep it only for
            # self-signed backends, or trust their CA instead.
            - --insecureskipverify=true
            - --configFile=/etc/traefik.toml
            # NOTE(review): these flags re-declare the entry points that
            # /etc/traefik.toml already defines; in Traefik v1 flag values may take
            # precedence over the file — confirm the file's certificate list and
            # redirect still apply with them present.
            - --defaultentrypoints=http,https
            - --entrypoints=Name:https Address::443 TLS
            - --entrypoints=Name:http Address::80
      # Only nodes labelled IngressProxy=true and tolerating the ingress taint run it.
      nodeSelector:
        IngressProxy: "true"
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/ingress
          operator: Equal
  • 执行创建
    # kubectl apply -f traefik-deployment.yaml

测试ui

# cat >ui.yaml<<EOF
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  # Selects the Traefik pods themselves; 8080 is the admin/dashboard port
  # opened by --api/--web in the Deployment.
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - name: web
      port: 80
      targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
    # Left disabled: this host stays reachable over plain http (compare ui-test.yaml).
    #traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    #traefik.ingress.kubernetes.io/redirect-entry-point: https
spec:
  # tls stays commented out: the https entry point then serves the certificates
  # listed in traefik.toml; see the note that follows ui-test.yaml.
  #tls:
  # - secretName: traefik-cert
  rules:
    # The dashboard shows routing rules and backend addresses and has no
    # authentication of its own; nothing here restricts who can open it.
    - host: traefik.xxlaila.cn
      http:
        paths:
          - path: /
            backend:
              serviceName: traefik-web-ui
              servicePort: web
EOF
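# cat >ui-test.yaml <<EOF
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui-test
  namespace: kube-system
spec:
  # Same selector and port as traefik-web-ui: the Traefik pods' admin port 8080.
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - name: web
      port: 80
      targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui-test
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
    # Attach to both entry points and answer http callers with a redirect to https.
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
spec:
  # tls stays commented out: the https entry point then serves the certificates
  # listed in traefik.toml; see the note that follows this file.
  #tls:
  # - secretName: traefik-cert
  rules:
    # The dashboard shows routing rules and backend addresses and has no
    # authentication of its own; nothing here restricts who can open it.
    - host: traefik.test.xxlaila.cn
      http:
        paths:
          - path: /
            backend:
              # Was traefik-web-ui (the Service from ui.yaml), which left the
              # traefik-web-ui-test Service above unused; both select the same pods.
              serviceName: traefik-web-ui-test
              servicePort: web
EOF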

注:
tls: traefik默认加载的证书是 secret 中以 tls 开头的 tls.crt、tls.key 两个键。如果只有一个证书,可以这么设置;多个域名证书需要设定不同的secret名称,在tls引用的时候根据不同的域名指定不同的secret名称
redirect-entry-point: 该域名强制跳转https

traefik 代理外部服务

        traefik对外部应用提供服务,这里以公司的一个应用app和harbor为例,

java app

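# cat > java-app.yaml <<EOF
# (the original prompt had no <<EOF, so the closing EOF would have been
# written into the file and cat would have waited on stdin)
# Headless Service without a selector: its addresses come from the Endpoints
# object below, which is how an application running outside the cluster is
# published through Traefik.
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: app-biz
  name: app-biz
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    # Sticky sessions and the balancing method are Service annotations in Traefik v1.
    traefik.ingress.kubernetes.io/affinity: "true"
    traefik.ingress.kubernetes.io/load-balancer-method: drr
spec:
  clusterIP: None
  ports:
    - name: http
      port: 8030
      protocol: TCP
      targetPort: 8030
  sessionAffinity: None
  type: ClusterIP
---
# Manually maintained Endpoints: whoever can edit this object decides where
# app-biz traffic goes, so treat write access to it like access to the app.
apiVersion: v1
kind: Endpoints
metadata:
  labels:
    k8s-app: app-biz
  name: app-biz
  namespace: default
subsets:
  - addresses:
      - ip: 172.22.1.1
      - ip: 172.22.1.2
    ports:
      - name: http
        port: 8030
        protocol: TCP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app-biz
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    # With path "/" there is no prefix to strip; effectively a no-op here.
    traefik.frontend.rule.type: PathPrefixStrip
    # Listen on both entry points; http callers get a redirect to https.
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
spec:
  rules:
    - host: app-biz.test.xxlaila.cn
      http:
        paths:
          - path: /
            backend:
              serviceName: app-biz
              servicePort: 8030
EOF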

harbor

# cat >harbor.yaml<<EOF
# Headless Service without a selector: the address comes from the Endpoints
# object below (Harbor runs outside the cluster).
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: harbor
  name: harbor
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/affinity: "true"
    # Only one endpoint below, so a balancing method would change nothing.
    #traefik.ingress.kubernetes.io/load-balancer-method: drr
spec:
  clusterIP: None
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 80
  sessionAffinity: None
  type: ClusterIP
---
# Manually maintained Endpoints: whoever can edit this object decides where
# registry traffic goes, so treat write access to it like access to Harbor.
apiVersion: v1
kind: Endpoints
metadata:
  labels:
    k8s-app: harbor
  name: harbor
  namespace: default
subsets:
  - addresses:
      - ip: 172.21.16.90
    ports:
      - name: http
        port: 80
        protocol: TCP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: harbor
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    # With path "/" there is no prefix to strip; effectively a no-op here.
    traefik.frontend.rule.type: PathPrefixStrip
    # http callers are redirected to https, so docker login/push against this
    # host must trust the certificate served on :443 (a self-signed one has to
    # be installed on every Docker host first).
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
spec:
  rules:
    - host: harbor.xxlaila.cn
      http:
        paths:
          - path: /
            backend:
              serviceName: harbor
              servicePort: 80
EOF

curl验证证书:curl --resolve 'xxx.xxx.xxx:443:127.0.0.1' https://xxx.xxx.xxx/ -vvv(--resolve 的格式是 host:port:address,端口不能省略)

 
