使用 traefik 配置 https ingress

本文档基于 traefik 配置 https ingress 规则,请先阅读配置基本 ingress。与基本 ingress-controller 相比,需要额外配置 https tls 证书,主要步骤如下:

1.准备 tls 证书

可以使用Let’s Encrypt签发的免费证书,这里为了测试方便使用自签证书 (tls.key/tls.crt),注意CN 配置为 ingress 的域名:

1
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=hello.97hjh.cn"

2.在 kube-system 命名空间创建 secret: traefik-cert,以便后面 traefik-controller 挂载该证书

1
$ kubectl -n kube-system create secret tls traefik-cert --key=tls.key --cert=tls.crt

3.创建 traefik-controller,增加 traefik.toml 配置文件及https 端口暴露等,详见该 yaml 文件

1
$ kubectl apply -f /etc/ansible/manifests/ingress/traefik/tls/traefik-controller.yaml

4.创建 https ingress 例子

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# 创建示例应用
$ kubectl run test-hello --image=nginx:alpine --port=80 --expose
# hello-tls-ingress 示例
apiVersion: networking.k8s.io/v1beta1 
kind: Ingress
metadata:
  name: hello-tls-ingress
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: hello.97hjh.cn
    http:
      paths:
      - backend:
          serviceName: test-hello
          servicePort: 80
  tls:
  - secretName: traefik-cert
# 创建https ingress
$ kubectl apply -f /etc/ansible/manifests/ingress/traefik/tls/hello-tls.ing.yaml
# 注意根据hello示例,需要在default命名空间创建对应的secret: traefik-cert
$ kubectl create secret tls traefik-cert --key=tls.key --cert=tls.crt

5.验证 https 访问

验证 traefik-ingress svc

1
2
3
$ kubectl get svc -n kube-system traefik-ingress-service 
NAME                      TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                                     AGE
traefik-ingress-service   NodePort   10.68.250.253   <none>        80:23456/TCP,443:23457/TCP,8080:35941/TCP   66m

可以看到项目默认使用nodePort 23456暴露traefik 80端口,nodePort 23457暴露 traefik 443端口,因此在客户端 hosts 增加记录 $Node_IP hello.test.com之后,可以在浏览器验证访问如下:

1
https://hello.97hjh.cn:23457

如果你已经配置了转发 ingress nodePort,那么增加对应 hosts记录后,可以验证访问 https://hello.97hjh.cn

配置 dashboard ingress

前提1:k8s 集群的dashboard 已安装

1
2
$ kubectl get svc -n kube-system | grep dashboard
kubernetes-dashboard      NodePort    10.68.211.168   <none>        443:39308/TCP	3d11h

前提2:/etc/ansible/manifests/ingress/traefik/tls/traefik-controller.yaml的配置文件traefik.toml开启了insecureSkipVerify = true

配置 dashboard ingress:kubectl apply -f /etc/ansible/manifests/ingress/traefik/tls/k8s-dashboard.ing.yaml 内容如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
apiVersion: networking.k8s.io/v1beta1 
kind: Ingress
metadata:
  name:  kubernetes-dashboard
  namespace: kube-system
  annotations:
    traefik.ingress.kubernetes.io/redirect-entry-point: https
spec:
  rules:
  - host: k8s.97hjh.cn
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
  • 注意annotations 配置了 http 跳转 https 功能
  • 注意后端服务是443端口
    访问如图所示:
    image.png

参考