What is an SSL certificate?

A Secure Sockets Layer (SSL) certificate (sometimes called a digital certificate) is used to establish an encrypted connection between a browser or user's computer and a server or website. The SSL connection protects sensitive data exchanged during each visit (called a session), such as credit card details, from being intercepted by unauthorized parties. The protocol in use today is TLS; "SSL certificate" survives as the everyday name for the X.509 server certificate that TLS relies on.

Goal:

Every domain that Traefik forwards or serves must be able to accept HTTPS requests.

Test environment

Kubernetes cluster
Alibaba Cloud DNS account (needs read/write access to the DNS service, because the DNS challenge creates and removes TXT records; use a dedicated RAM user limited to DNS record management rather than the account's root keys):
ALICLOUD_ACCESS_KEY
ALICLOUD_SECRET_KEY

The Kubernetes YAML manifests are as follows:

Create the RBAC authorization

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1   # v1 is GA; the v1beta1 RBAC API was removed in Kubernetes 1.22
metadata:
  name: traefik-outer-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets        # cluster-wide read of every Secret: needed for Ingress TLS secrets, but it makes the Traefik pod a high-value target
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions     # Traefik 1.7 watches Ingress objects through the extensions/v1beta1 API
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
    - extensions
    resources:
    - ingresses/status
    verbs:
    - update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-outer-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-outer-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-outer-ingress-controller
  namespace: kube-system

Service configuration

Note: label every node that should run Traefik as follows:
traefik: "traefik-outer"

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-outer-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: apps/v1              # extensions/v1beta1 DaemonSets were removed in Kubernetes 1.16; the spec below is unchanged
metadata:
  name: traefik-outer-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-outer-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-outer-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-outer-ingress-lb
        name: traefik-outer-ingress-lb
    spec:
      serviceAccountName: traefik-outer-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true            # runs in the node's network namespace: the hostPorts below are reachable on every labelled node
      containers:
      - image: traefik:1.7.19
        name: traefik-outer-ingress-lb
        env:
        # The RAM key pair is read from a Secret instead of being written into the manifest
        # (a literal value ends up in git, in `kubectl get ds -o yaml` output and in cluster backups).
        # Create the Secret once, for example:
        #   kubectl -n kube-system create secret generic alidns-credentials \
        #     --from-literal=ALICLOUD_ACCESS_KEY=<RAM access key> --from-literal=ALICLOUD_SECRET_KEY=<RAM secret>
        - name: ALICLOUD_ACCESS_KEY              # consumed by the alidns DNS challenge provider
          valueFrom:
            secretKeyRef:
              name: alidns-credentials           # Secret name chosen for this manifest; use whatever you created above
              key: ALICLOUD_ACCESS_KEY
        - name: ALICLOUD_SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: alidns-credentials
              key: ALICLOUD_SECRET_KEY
        resources:
          limits:
            cpu: 1000m
            memory: 1024Mi
          requests:
            cpu: 1000m
            memory: 1024Mi
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
        - name: admin                # API and dashboard; with --api and no auth, anyone who can reach node port 8080 sees every route and backend
          containerPort: 8080
          hostPort: 8080
        args:
        - --api                           # enable the API and dashboard (unauthenticated by default)
        - --kubernetes                    # Ingress provider
        - --configfile=/traefik.toml
        - --insecureskipverify            # do not verify certificates of HTTPS backends; this removes TLS authentication between Traefik and the backend, so use it only for self-signed backends you control
        - --logLevel=INFO                 # log level
        - --defaultEntryPoints=http,https # Traefik serves both HTTP and HTTPS
        - --entrypoints=Name:https Address::443 TLS # HTTPS entrypoint on port 443
        - --entrypoints=Name:http Address::80 # HTTP entrypoint on port 80; an entrypoint can be declared only once, so this line and the redirecting variant below are mutually exclusive
#        - --entrypoints=Name:http Address::80 Redirect.EntryPoint:https # HTTP on port 80 with all traffic redirected to https
        - --acme                         # enable ACME (Let's Encrypt) certificate management
        - [email protected]   # contact e-mail used for ACME account registration
        - --acme.storage=/tmp/acme.json  # holds the ACME account private key plus every issued key and certificate, so treat it like a private key (Traefik refuses the file unless its mode is 0600). /tmp inside the container is lost on restart, so mount a persistent volume; note that each DaemonSet pod keeps its own file and requests its own certificates, which multiplies Let's Encrypt rate-limit consumption
        - --acme.acmeLogging=true        # ACME debug logging, useful when issuance fails
        - --acme.entryPoint=https        # the TLS entrypoint on which ACME certificates are served
        - --acme.httpchallenge.entrypoint=http    # HTTP-01 challenge entrypoint; ignored here because a DNS challenge is also configured (Traefik 1.7 logs a warning and uses only the DNS challenge)
        - --acme.dnschallenge                     # DNS-01 challenge: Traefik publishes a TXT record at _acme-challenge.<domain>; the only challenge type that can issue wildcard certificates
        - --acme.dnschallenge.provider=alidns     # Alibaba Cloud DNS, authenticated with the ALICLOUD_* variables above
        - --acme.dnschallenge.delaybeforecheck=5  # seconds to wait after writing the TXT record before Traefik checks that it resolves
        - --acme.onHostRule=true      # request a certificate for every host found in an Ingress rule on the acme.entryPoint
        - --acme.domains=ptmind.com   # certificates requested at startup, independent of Ingress rules
        - --acme.domains=lingxi365.cn # same
        - --acme.domains=lingxi.link  # same
      nodeSelector:
        traefik: "traefik-outer"
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-outer-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-outer-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 443
      name: https
    - protocol: TCP
      port: 8080
      name: admin
---
apiVersion: extensions/v1beta1    # Traefik 1.7 reads Ingress objects through this API group
kind: Ingress
metadata:
  name: traefik-outer-web-ui
  namespace: kube-system
  # This publishes the dashboard on the internet with no authentication. At minimum protect it with
  # Traefik 1.7's basic-auth annotations (ingress.kubernetes.io/auth-type: basic together with
  # ingress.kubernetes.io/auth-secret: <htpasswd Secret>), or do not expose it through an Ingress at all.
spec:
  rules:
  - host: traefik.ptmind.com # domain of the management UI
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-outer-ingress-service
          servicePort: admin
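The env block above reads the RAM key pair through secretKeyRef rather than pasting it into the manifest. The following is an added example, not code from the original post or from Traefik: a small check that flags cloud credentials written as literal env values in a manifest, plus a renderer for the Secret the DaemonSet expects. The manifest fragments and key values are constructed placeholders; the AccessKey ID pattern (LTAI followed by 12 to 20 alphanumerics) is an assumption taken from the prefix of the page's own redacted value.

```python
"""Added example (not from the original post): a check for cloud credentials
pasted into container env vars, the defect the DaemonSet above avoids by
reading ALICLOUD_* through secretKeyRef. It also renders the Secret the
manifest expects. The manifests and key values below are constructed;
the AccessKey ID pattern (LTAI + 12-20 alphanumerics) is an assumption taken
from the prefix of the page's own redacted placeholder.
"""
import json
import re
from typing import Dict, List

CREDENTIAL_ENV_NAMES = {"ALICLOUD_ACCESS_KEY", "ALICLOUD_SECRET_KEY"}
ALIYUN_AK_ID = re.compile(r"\bLTAI[0-9A-Za-z]{12,20}\b")   # assumption, see docstring

ENV_NAME = re.compile(r"^\s*-\s*name:\s*([A-Z][A-Z0-9_]*)\s*(?:#.*)?$")
ENV_VALUE = re.compile(r"^\s*value:\s*(\S+)")
ENV_VALUE_FROM = re.compile(r"^\s*valueFrom:")


def find_inline_credentials(manifest: str) -> List[Dict[str, object]]:
    """One finding per env entry that carries a credential as a literal `value:`.

    Entries that use `valueFrom:` (Secret or ConfigMap) are accepted. Findings
    are raised when the env var name is a known credential variable, or when
    any literal value looks like an Alibaba Cloud AccessKey ID.
    """
    findings: List[Dict[str, object]] = []
    lines = manifest.splitlines()
    for i, line in enumerate(lines):
        m = ENV_NAME.match(line)
        if not m:
            continue
        j = i + 1
        while j < len(lines) and not lines[j].strip():     # skip blank lines
            j += 1
        if j >= len(lines) or ENV_VALUE_FROM.match(lines[j]):
            continue
        v = ENV_VALUE.match(lines[j])
        if not v:
            continue                                       # e.g. a port entry, not an env var
        name, value = m.group(1), v.group(1)
        if name in CREDENTIAL_ENV_NAMES:
            findings.append({"line": j + 1, "name": name, "reason": "credential env var set inline"})
        elif ALIYUN_AK_ID.search(value):
            findings.append({"line": j + 1, "name": name, "reason": "value looks like an Alibaba Cloud AccessKey ID"})
    return findings


def secret_manifest(name: str, namespace: str, data: Dict[str, str]) -> str:
    """Render the Secret that the DaemonSet's secretKeyRef entries point at.
    stringData lets the API server do the base64 encoding."""
    out = ["apiVersion: v1", "kind: Secret", "metadata:", f"  name: {name}",
           f"  namespace: {namespace}", "type: Opaque", "stringData:"]
    out += [f"  {k}: {json.dumps(v)}" for k, v in sorted(data.items())]  # JSON strings are valid YAML scalars
    return "\n".join(out) + "\n"


# Constructed manifest fragments (placeholders, not real keys).
INLINE_ENV = """\
        env:
        - name: ALICLOUD_ACCESS_KEY
          value: LTAIexampleexample01
        - name: ALICLOUD_SECRET_KEY
          value: not-a-real-secret
        - name: LOG_LEVEL
          value: INFO
"""

SECRET_REF_ENV = """\
        env:
        - name: ALICLOUD_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              name: alidns-credentials
              key: ALICLOUD_ACCESS_KEY
        - name: ALICLOUD_SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: alidns-credentials
              key: ALICLOUD_SECRET_KEY
"""

if __name__ == "__main__":
    for finding in find_inline_credentials(INLINE_ENV):
        print(finding)
    print(secret_manifest("alidns-credentials", "kube-system",
                          {"ALICLOUD_ACCESS_KEY": "LTAIexampleexample01",
                           "ALICLOUD_SECRET_KEY": "not-a-real-secret"}))
```

Run it against the rendered DaemonSet (`kubectl -n kube-system get ds traefik-outer-ingress-controller -o yaml`) or against the manifests in the repository before they are committed; the rendered Secret goes through `kubectl apply -f -` once, and only the secretKeyRef references stay in version control.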

Traefik command line

The same flags as one command line. It still lists both --acme.httpchallenge.entrypoint=http and --acme.dnschallenge; Traefik 1.7 keeps only the DNS challenge when both are given.

--api --kubernetes --configfile=/traefik.toml --insecureskipverify --logLevel=INFO \
--defaultEntryPoints=http,https '--entrypoints=Name:https Address::443 TLS' \
'--entrypoints=Name:http Address::80' --acme --acme.dnschallenge [email protected] \
--acme.storage=/tmp/acme.json --acme.acmeLogging=true --acme.entryPoint=https --acme.httpchallenge.entrypoint=http \
--acme.dnschallenge.provider=alidns --acme.dnschallenge.delaybeforecheck=5 \
--acme.domains=ptmind.com --acme.domains=lingxi365.cn --acme.domains=lingxi.link \
--acme.onHostRule=true
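What the --acme.dnschallenge flags above actually make Traefik do is a DNS-01 exchange (RFC 8555 §8.4): the CA hands the client a random token, the client forms the key authorization from that token and the RFC 7638 thumbprint of its account key, and publishes the base64url SHA-256 of it as a TXT record at _acme-challenge.<domain>, which the CA then resolves itself. That resolution happening from outside is why --acme.dnschallenge.delaybeforecheck exists. The following is an added example, not code from the original post or from Traefik or its ACME client; the JWK, token and the stand-in resolver are constructed for the example and are not real keys or lookups.

```python
"""Added example (not from the original post, and not Traefik's own code): the
DNS-01 exchange that --acme.dnschallenge and --acme.dnschallenge.provider=alidns
drive. Per RFC 8555 §8.4 the CA hands the client a random token; the client
forms key_authorization = token "." thumbprint(account JWK) (RFC 7638) and
publishes base64url(SHA-256(key_authorization)) as a TXT record at
_acme-challenge.<domain>; the CA then resolves that name itself, which is why
--acme.dnschallenge.delaybeforecheck exists. The JWK, token and resolver below
are constructed for the example; none of them is a real key or lookup.
"""
import base64
import hashlib
import json
import time
from typing import Callable, Dict, List

# Constructed RSA public JWK: "n" is filler, not a real modulus.
SAMPLE_JWK = {"kty": "RSA", "alg": "RS256", "e": "AQAB", "n": "sample-modulus-" + "A" * 40}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 of the required members only, keys sorted, no whitespace.
    Optional members such as "alg" must not influence the thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(domain: str, token: str, jwk: Dict[str, str]) -> Dict[str, str]:
    """Name and value of the TXT record the DNS provider has to serve.
    A wildcard identifier (*.example.com) is validated at the base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return {"name": f"_acme-challenge.{base}", "value": b64url(digest)}


def wait_for_txt(resolve: Callable[[str], List[str]], name: str, expected: str,
                 delay: float = 0.0, attempts: int = 5) -> int:
    """Client-side pre-check before asking the CA to validate: sleep `delay`
    seconds (delaybeforecheck), then poll until the record is visible.
    Returns the attempt that succeeded, 0 if it never showed up."""
    time.sleep(delay)
    for attempt in range(1, attempts + 1):
        if expected in resolve(name):
            return attempt
        time.sleep(delay)
    return 0


def make_delayed_resolver(name: str, value: str, visible_after: int) -> Callable[[str], List[str]]:
    """Constructed stand-in for a DNS lookup: the TXT record only becomes visible
    after `visible_after` queries, mimicking propagation across DNS nodes."""
    state = {"queries": 0}

    def resolve(qname: str) -> List[str]:
        state["queries"] += 1
        return [value] if qname == name and state["queries"] > visible_after else []
    return resolve


if __name__ == "__main__":
    rec = dns01_record("*.ptmind.com", "constructed-token", SAMPLE_JWK)
    print(rec)
    resolver = make_delayed_resolver(rec["name"], rec["value"], visible_after=2)
    print("visible on attempt", wait_for_txt(resolver, rec["name"], rec["value"]))
```

Two practical consequences fall out of the record layout: a wildcard and its apex share the same _acme-challenge name, so two TXT values may coexist there during one order, and because the value is a hash of a token the CA chose, a RAM user that can only write this one record type (TXT under _acme-challenge) is all the alidns provider needs.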

Other parameters explained

The same settings in the [acme] section of traefik.toml:

entryPoint = "https"
# Enable on-demand certificates. If no certificate exists yet for a host name, one is requested from Let's Encrypt during the first TLS handshake that asks for that host.
# Warning: fetching the certificate inside that first handshake makes the handshake very slow, and any client can trigger it for arbitrary host names, which invites a DoS attack.
# Warning: Let's Encrypt enforces rate limits: https://letsencrypt.org/docs/rate-limits
onDemand = false
# Enable certificate generation from the frontends' Host rules. A Let's Encrypt certificate is generated for every frontend that has a Host rule.
# For example, a frontend with the rule Host:test1.traefik.cn,test2.traefik.cn gets one certificate with main domain test1.traefik.cn and SAN (subject alternative name) test2.traefik.cn.
onHostRule = true
  [acme.httpChallenge]
  entryPoint="http"
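With onHostRule and acme.domains deciding which names get certificates, the quickest way to see what was actually issued is to read the acme.json that --acme.storage points at. The following is an added example, not code from the original post or from Traefik: it lists the names each stored certificate covers, reports the Ingress hosts no certificate covers (acme.domains=ptmind.com alone covers the apex, not traefik.ptmind.com), and mirrors Traefik 1.x's refusal of an acme.json whose mode is wider than 0600. The file layout assumed (Certificates[].Domain.Main and .SANs, base64-encoded PEM in Certificate and Key) is Traefik 1.x's; the file content here is constructed with placeholder PEM, not real key material.

```python
"""Added example (not from the original post, and not Traefik's own code):
inspect a Traefik 1.x acme.json and report which Ingress hosts have no
certificate covering them.

Assumed layout (Traefik 1.x): Certificates[].Domain.Main / .SANs, with the
Certificate and Key fields holding base64-encoded PEM. The content below is
constructed with placeholder PEM, not real keys. Traefik 1.x refuses an
acme.json whose mode is wider than 0600; check_permissions mirrors that.
"""
import base64
import json
import os
import stat
import tempfile
from typing import Dict, Iterable, List, Set, Tuple

PLACEHOLDER_PEM = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed acme.json content in Traefik 1.x layout (placeholders, not real material).
SAMPLE_ACME = {
    "Account": {"Email": "[email protected]", "Registration": {}, "PrivateKey": _b64("placeholder"), "KeyType": "4096"},
    "Certificates": [
        {"Domain": {"Main": "ptmind.com", "SANs": None}, "Certificate": _b64(PLACEHOLDER_PEM), "Key": _b64("placeholder")},
        {"Domain": {"Main": "lingxi365.cn", "SANs": ["www.lingxi365.cn"]}, "Certificate": _b64(PLACEHOLDER_PEM), "Key": _b64("placeholder")},
        {"Domain": {"Main": "*.lingxi.link", "SANs": ["lingxi.link"]}, "Certificate": _b64(PLACEHOLDER_PEM), "Key": _b64("placeholder")},
    ],
    "HTTPChallenges": {},
}


def cert_names(acme: Dict) -> List[Set[str]]:
    """One set of covered names (Main plus SANs) per stored certificate."""
    out = []
    for c in acme.get("Certificates") or []:
        d = c["Domain"]
        out.append({d["Main"].lower(), *(n.lower() for n in (d.get("SANs") or []))})
    return out


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 wildcard semantics: *.a.b covers x.a.b only, not a.b or y.x.a.b."""
    host = host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return host == pattern


def uncovered_hosts(acme: Dict, hosts: Iterable[str]) -> List[str]:
    """Hosts (e.g. from Ingress rules) with no certificate in acme.json covering them."""
    certs = cert_names(acme)
    return [h for h in hosts if not any(name_matches(p, h) for names in certs for p in names)]


def certificate_pem(acme: Dict, main: str) -> str:
    """Decode the PEM stored for the certificate whose Main domain is `main`."""
    for c in acme.get("Certificates") or []:
        if c["Domain"]["Main"] == main:
            return base64.b64decode(c["Certificate"]).decode()
    raise KeyError(main)


def check_permissions(path: str) -> bool:
    """True when no group/other bits are set, i.e. the file is 0600 or stricter."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def write_acme_json(acme: Dict, path: str) -> None:
    """Write acme.json the way Traefik does: owner-only permissions."""
    with open(path, "w") as f:
        json.dump(acme, f)
    os.chmod(path, 0o600)


def demo_permission_check() -> Tuple[bool, bool]:
    """Write the sample file as 0600, then loosen it to 0644: (ok_before, ok_after)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "acme.json")
        write_acme_json(SAMPLE_ACME, path)
        before = check_permissions(path)
        os.chmod(path, 0o644)
        return before, check_permissions(path)


if __name__ == "__main__":
    hosts = ["traefik.ptmind.com", "ptmind.com", "api.lingxi365.cn", "app.lingxi.link", "a.b.lingxi.link"]
    print("no certificate for:", uncovered_hosts(SAMPLE_ACME, hosts))
    print("permissions ok (0600, 0644):", demo_permission_check())
```

For a real file, `kubectl cp` it out of one Traefik pod (one per node when the storage is not shared) and feed the Ingress hosts from `kubectl get ingress -A -o jsonpath='{..host}'`; a host in the uncovered list is one for which clients will be served Traefik's default self-signed certificate instead.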