上篇我们简单介绍了下traefik以及如何http访问, 但是在实际生产环境中不仅仅只是http的转发访问,还有https的转发访问,
前面一篇:traefik基础部署记录,介绍了最简单的http访问traefik,访问过程参考见下:
client --- (via http) ---> traefik ---- (via http) ----> services
现在要实践的是更安全也更复杂的https访问traefik,有两种访问过程,参考见下:
后端service是普通http的
即client与traefik间采用https加密通信,但traefik与svc间则是明文的http通信
client --- (via https) ---> traefik ---- (via http) ----> services
后端service是https的
即client与traefik间采用https加密通信,但traefik与svc也是采用https通信
client --- (via https) ---> traefik ---- (via https) ----> services
下面我们来看看如何实现(伪)https,也就是上面说的第二种访问流程。
首先创建证书,想开启https,证书是少不了的。可以自己手动建一个证书,或者利用已经有的证书。这里我自己创建了一个ssl证书,具体创建流程可参考网上。
[[email protected] ~]# cd /opt/k8s/ssl [[email protected] ssl]# ls ssl.crt ssl.csr ssl.key
上面这个/opt/k8s/ssl目录是我创建的,路径可以随便只要和config文件里面的路径一致就行下面会说到。下面开始配置证书
[[email protected] ssl]# kubectl create secret generic traefik-cert --from-file=ssl.crt --from-file=ssl.key -n kube-system secret "traefik-cert" created
创建一个configmap,保存traefix的配置。这里的traefix中配置了把所有http请求全部rewrite为https的规则,并配置相应的证书位置,同时我这里也创建了一个目录/opt/k8s/conf/。
[[email protected] conf]# cat traefik.toml defaultEntryPoints = ["http","https"] [entryPoints] [entryPoints.http] address = ":80" [entryPoints.http.redirect] entryPoint = "https" [entryPoints.https] address = ":443" [entryPoints.https.tls] [[entryPoints.https.tls.certificates]] certFile = "/opt/k8s/ssl/ssl.crt" keyFile = "/opt/k8s/ssl/ssl.key" [[email protected] config]# kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system configmap "traefik-conf" created
由于之前配置的是http现在要换成https所以需要更新下Traefik,这里主要是更新下关联创建的secret和configMap,并挂载相对应的主机目录。
安全起见操作之前先备份下(职场好习惯)
[[email protected] k8s]# cp traefik-deployment.yaml traefik-deployment.yaml.bk [[email protected] k8s]# cat traefik-deployment.yaml --- apiVersion: v1 kind: ServiceAccount metadata: name: traefik-ingress-controller namespace: kube-system --- kind: DaemonSet apiVersion: extensions/v1beta1 metadata: name: traefik-ingress-controller namespace: kube-system labels: k8s-app: traefik-ingress-lb spec: selector: matchLabels: k8s-app: traefik-ingress-lb template: metadata: labels: k8s-app: traefik-ingress-lb name: traefik-ingress-lb spec: serviceAccountName: traefik-ingress-controller terminationGracePeriodSeconds: 60 hostNetwork: true volumes: - name: ssl secret: secretName: traefik-cert - name: config configMap: name: traefik-conf containers: - image: traefik name: traefik-ingress-lb volumeMounts: - mountPath: "/opt/k8s/ssl/" name: "ssl" - mountPath: "/opt/k8s/conf/" name: "config" ports: - name: http containerPort: 80 - name: https containerPort: 443 - name: admin containerPort: 8080 args: - --configFile=/opt/k8s/conf/traefik.toml - --api - --kubernetes - --logLevel=INFO --- kind: Service apiVersion: v1 metadata: name: traefik-ingress-service namespace: kube-system spec: selector: k8s-app: traefik-ingress-lb ports: - protocol: TCP port: 80 name: web - protocol: TCP port: 443 name: https - protocol: TCP port: 8080 name: admin type: NodePort [[email protected] k8s]# [[email protected] k8s]# kubectl apply -f traefik-deployment.yaml serviceaccount "traefik-ingress-controller" created daemonset.extensions "traefik-ingress-controller" created service "traefik-ingress-service" created
主要变化呢是更新了几个方面:
kind: DaemonSet 官方默认是使用Deployment
hostNetwork: true 开启Node Port端口转发
volumeMounts: 新增volumes挂载点
ports: 新增https443
args: 新增configfile
以及Service层的443 ports
最后我们来测试下是否成功,这里我们可以登陆traefik-ui界面,可以看到原本http的访问,traefik会直接给我们重定向至https。
关于第三种https转发https实现方式这里就不再赘述了后续如果有需要可以在探讨,如果需要的话可以看下am的博客也就是本文参考的资料,写的很详细。
本文博客参考资料:
http://blog.51cto.com/goome/2153703
原文地址:http://blog.51cto.com/devingeng/2154041