背景
之前的文章中,我已经利用kubernetes的traefik服务作为入口,访问了tomcat的相关服务,但之前的文章是通过http的方式来访问的。在现实应用中,为了安全考虑,肯定有https访问的需求,这里我们就通过traefik来实现https的访问。
之前的文章链接:https://blog.51cto.com/icenycmh/2124502
实验操作
一:想开启https,证书是少不了的。可以自己手动建一个证书,或者利用已经有的证书。这里我用已经申请的一个ssl证书,对应的域名为*.gzshapp.com。
二:创建一个secret,保存https证书。
# ll
total 12
-rw-r--r-- 1 root root 5477 Mar 30 16:32 _.gzshapp.com_bundle.crt
-rw-r--r-- 1 root root 1708 Mar 28 14:01 _.gzshapp.com.key
# kubectl create secret generic traefik-cert --from-file=_.gzshapp.com_bundle.crt --from-file=_.gzshapp.com.key -n kube-system把证书拷贝到k8s node节点,本例中,存放证书的目录为:/opt/conf/k8s/ssl/。
三:创建一个configmap,保存traefix的配置。
这里的traefix中配置了把所有http请求全部rewrite为https的规则,并配置相应的证书位置:
# vi traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/opt/conf/k8s/ssl/_.gzshapp.com_bundle.crt"
keyFile = "/opt/conf/k8s/ssl/_.gzshapp.com.key"
# kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
把traefik.toml文件拷贝到k8s node节点,本例中,traefik的存放目录为:/opt/conf/k8s/conf/。
四:重新部署Traefix,这里主要是要关联创建的secret和configMap,并挂载相对应的主机目录。
# more traefik-deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: traefik-ingress-lb
namespace: kube-system
labels:
k8s-app: traefik-ingress-lb
spec:
replicas: 2
template:
metadata:
labels:
k8s-app: traefik-ingress-lb
name: traefik-ingress-lb
spec:
terminationGracePeriodSeconds: 60
volumes:
- name: ssl
secret:
secretName: traefik-cert
- name: config
configMap:
name: traefik-conf
hostNetwork: true
restartPolicy: Always
serviceAccountName: ingress
containers:
- image: traefik
name: traefik-ingress-lb
volumeMounts:
- mountPath: "/opt/conf/k8s/ssl"
name: "ssl"
- mountPath: "/opt/conf/k8s/conf"
name: "config"
ports:
- name: http
containerPort: 80
hostPort: 80
- name: admin
containerPort: 8580
hostPort: 8580
args:
- --configFile=/opt/conf/k8s/conf/traefik.toml
- --web
- --web.address=:8580
- --kubernetes
# kubectl apply -f traefik-deployment.yaml 五:测试效果。
这里我们可以登陆traefik-ui界面,可以看到原本http的访问,traefik会直接给我们重定向至https。
由于traefik-ui使用的域名不是我们证书所支持的域名,故这里显示了不安全的提示。这里我修改了之前文章中创建的tomcat-test的ingress,修改其中的域名为证书所支持的域名,再进行一次测试:
# vi ingress-tomcat.yaml
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: tomcat-test-web
namespace: default
annotations:
kubernetes.io/ingress.class: traefik
traefik.frontend.rule.type: PathPrefixStrip
spec:
rules:
- host: test.gzshapp.com
http:
paths:
- path: /test1/
backend:
serviceName: tomcat-test1
servicePort: 8080
- path: /test2/
backend:
serviceName: tomcat-test2
servicePort: 8080
# kubectl apply -f ingress-tomcat.yaml 这里我们修改ingress的域名为test.gzshapp.com,修改一下host,再访问测试一下:
192.168.232.129 test.gzshapp.com
192.168.232.131 test.gzshapp.com
可以看到我们的配置已经生效了。
其他需求
当然,现实环境中肯定针对不同情况,有很多的不同需求。比如,访问需同时支持http和https、只有部分域名需要https强制跳转,后端代理https的应用等。这里我们可以一个个来根据需求配置traefik。
1:同时支持http和https:(把http中的rewrite代码改掉)
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/opt/scripts/traefik/https/_.gzshapp.com_bundle.crt"
keyFile = "/opt/scripts/traefik/https/_.gzshapp.com.key"2:仅配置部分域名强制跳转https:(在http.redirect中编写对应域名的正则)
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
regex = "^http://test.gzshapp.com/(.*)"
replacement = "https://test.gzshapp.com/$1"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/opt/conf/k8s/ssl/_.gzshapp.com_bundle.crt"
keyFile = "/opt/conf/k8s/ssl/_.gzshapp.com.key"3:traefik代理后端https请求:
这里我修改了一下我的tomcat服务,开放了8443的https端口,并修改了一下ingress的配置,如下:
可以看到我新建了一个ingress,域名为test-ssl.gzshapp.com,其中/test1/后端为8443的https服务,/test2为8080的http服务。修改host,用https协议分别访问,结果如下:
可以看到,访问test1的时候,反回了“Bad Gateway”错误。访问test2,则正常。这可能是因为后端的tomcat服务的使用了自签证书的原因,导致了访问失败,也可能是traefik自身的原因,这里不去深究。
这里可以修改traefik的配置,添加insecureSkipVerify = true即可解决这一个问题。这个traefik的配置禁用了对后端的证书检查。
insecureSkipVerify = true
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/opt/conf/k8s/ssl/_.gzshapp.com_bundle.crt"
keyFile = "/opt/conf/k8s/ssl/_.gzshapp.com.key"