1. Deploying Traefik

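We need every external HTTP request to Kubernetes to be converted to HTTPS, and we do not want to change the services' configuration or code. To do this we can configure the domain certificate on Traefik, so that any access to a service by its domain name is automatically converted into an HTTPS request.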

1.1 Create the ClusterRole and ClusterRoleBinding (Kubernetes 1.6+)

The ingress-rbac.yaml file:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ingress
subjects:
  - kind: ServiceAccount
    name: ingress
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

1.2 Create a secret to hold the HTTPS certificate

The certificate used is the one that was used earlier when setting up the Kubernetes cluster.

kubectl create secret generic traefik-cert --from-file=ca-key.pem --from-file=ca.pem -n kube-system

1.3 Create a configmap to hold the Traefik configuration file

The contents of traefik.toml are as follows:

defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/ca.pem"
      KeyFile = "/ssl/ca-key.pem"

kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system

1.4 Deploy Traefik

The traefik-ingress.yaml file:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: traefik-ingress-lb
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      restartPolicy: Always
      serviceAccountName: ingress
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        resources:
          limits:
            cpu: 200m
            memory: 30Mi
          requests:
            cpu: 100m
            memory: 20Mi
        ports:
        - containerPort: 80
        - containerPort: 443
        - containerPort: 8580
        args:
        - --web.address=:8580
        - --web
        - --kubernetes
        - --configfile=/config/traefik.toml
---
kind: Service
apiVersion: v1
metadata:
  name: traefik
  namespace: kube-system
spec:
  type: NodePort
  ports:
  - protocol: TCP
    port: 80
    name: http
  - protocol: TCP
    port: 443
    name: https
  selector:
    k8s-app: traefik-ingress-lb

kubectl create -f traefik-ingress.yaml

1.6 Deploy the traefik-ui service and the traefik-ui ingress

Contents of the traefik_ui.yaml file:

apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  type: NodePort
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8580
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  tls:
  - secretName: traefik-cert
  rules:
  - host: traefik-ui.local
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web

1.7 Deploy the ingress

my-nginx, frontend, locust-master and icp-web were already deployed in k8s earlier, so they are not deployed again here.

Contents of the ingress.yaml file:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: default
spec:
  rules:
  - host: traefik.nginx.io
    http:
      paths:
      - backend:
          serviceName: my-nginx
          servicePort: 80
        path: /
  - host: traefik.frontend.io
    http:
      paths:
      - backend:
          serviceName: frontend
          servicePort: 80
        path: /
  - host: traefik.locust.io
    http:
      paths:
      - backend:
          serviceName: locust-master
          servicePort: 8089
        path: /
  - host: traefik.xwlp.io
    http:
      paths:
      - backend:
          serviceName: icp-web
          servicePort: 8080
        path: /

kubectl create -f ingress.yaml

1.8 Verification

[root@XXXX Traefik_ingress]# curl -k https://traefik.nginx.io
Welcome to nginx!
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working. Further configuration is required.
For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.
Thank you for using nginx.

[root@XXXX Traefik_ingress]# curl -k https://traefik.xwlp.io/
Apache Tomcat/8.5.15

Reference: http://www.mamicode.com/info-detail-2057226.html