Kubernetes ingress (3): Traefik: multi-domain and certificate configuration
<h2 id="目标">Goal:</h2><p>Deploy three services, traefik-ui, grafana and prometheus, and reverse-proxy them through Traefik.</p>
<table>
<thead>
<tr>
<th>service</th>
<th>namespace</th>
<th>domain name</th>
<th>https</th>
</tr>
</thead>
<tbody>
<tr>
<td>traefik-ui</td>
<td>traefik</td>
<td>traefik.qyd.com</td>
<td>Y</td>
</tr>
<tr>
<td>grafana</td>
<td>kube-system</td>
<td>grafana.dfb.com</td>
<td>N</td>
</tr>
<tr>
<td>prometheus</td>
<td>kube-system</td>
<td>prometheus.qyd.com</td>
<td>Y</td>
</tr>
</tbody>
</table>
<h2 id="步骤">Steps:</h2>
<h3 id="1部署traefik">1. Deploy Traefik</h3>
<p>Related resource YAML files:</p>
<ul>
<li>https://github.com/xiaocaisgit/k8sAbout/blob/master/traefik/rbac.yml</li>
<li>https://github.com/xiaocaisgit/k8sAbout/blob/master/traefik/deployment.yml</li>
<li>https://github.com/xiaocaisgit/k8sAbout/blob/master/traefik/configmap.yml</li>
<li>https://github.com/xiaocaisgit/k8sAbout/blob/master/traefik/prometheus-ingress.yml</li>
<li>https://github.com/xiaocaisgit/k8sAbout/blob/master/traefik/grafana-ingress.yml</li>
<li>https://github.com/xiaocaisgit/k8sAbout/blob/master/traefik/traefik-web-ui.yml</li>
</ul>
<p>Create the traefik namespace and mount the configuration through a ConfigMap.</p>
<pre><code>kubectl create cm -n traefik traefik-config --from-file=traefik.toml
</code></pre>
<pre><code>apiVersion: v1
items:
- apiVersion: v1
  data:
    traefik.toml: |
      graceTimeOut = 10
      traefikLogsFile = "/log/traefik.log"
      accessLogsFile = "/log/access.log"
      logLevel = "INFO"
      MaxIdleConnsPerHost = 60
      # Disables certificate verification towards HTTPS backends; Traefik will
      # then accept any backend certificate, so keep this to test clusters only.
      InsecureSkipVerify = true
      defaultEntryPoints = ["https","http"]

      [entryPoints]
        [entryPoints.http]
        address = ":80"
          # Only requests for *.qyd.com are rewritten to https; dfb.com stays on http.
          [entryPoints.http.redirect]
          regex = "^http://(.*).qyd.com/(.*)"
          replacement = "https://$1.qyd.com/$2"
        [entryPoints.https]
        address = ":443"
          [entryPoints.https.tls]
            # One certificate per domain; Traefik picks the one matching the requested host.
            [[entryPoints.https.tls.certificates]]
            certFile = "/ssl/qyd/tls.crt"
            keyFile = "/ssl/qyd/tls.key"
            [[entryPoints.https.tls.certificates]]
            certFile = "/ssl/dfb/tls.crt"
            keyFile = "/ssl/dfb/tls.key"

      # Web UI / API on the built-in "traefik" entrypoint (port 8080).
      [api]
      entryPoint = "traefik"
  kind: ConfigMap
  metadata:
    name: traefik-config
    namespace: traefik
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
</code></pre>
<p>Obtain certificates for the two domains qyd.com and dfb.com, and create a Secret for each.</p>
<pre><code>kubectl create secret generic dfb-tls-cert --from-file=dfb/tls.crt --from-file=dfb/tls.key -n traefik
kubectl create secret generic qyd-tls-cert --from-file=qyd/tls.crt --from-file=qyd/tls.key -n traefik
</code></pre>
<p>Deploy the traefik-ingress-controller.</p>
<pre><code>kubectl apply -f rbac.yml
</code></pre>
<pre><code>---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      # Cluster-wide read access to Secrets: required to load TLS Secrets
      # referenced by Ingress objects, but it covers every Secret in the cluster.
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: traefik
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: traefik
</code></pre>
<pre><code>kubectl apply -f deployment.yml
</code></pre>
<pre><code>apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    k8s-app: traefik-ingress-lb
  name: traefik-ingress-controller
  namespace: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
    spec:
      containers:
      - args:
        # The ConfigMap key is traefik.toml and is mounted under /etc/traefik/.
        - --configFile=/etc/traefik/traefik.toml
        - --api
        - --kubernetes
        image: itanony.com/repository/docker-hosted/test/treafik:v1.7.10
        imagePullPolicy: IfNotPresent
        name: traefik-ingress-lb
        ports:
        - containerPort: 80
          hostPort: 80
          name: http
          protocol: TCP
        # The dashboard/API port; with hostNetwork it is reachable on the node itself.
        - containerPort: 8080
          hostPort: 8080
          name: admin
          protocol: TCP
        - containerPort: 443
          hostPort: 443
          name: https
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /etc/traefik/
          name: config
        - mountPath: /ssl/qyd/
          name: qyd-cert
        - mountPath: /ssl/dfb/
          name: dfb-cert
        - mountPath: /log/
          name: logs
      dnsPolicy: ClusterFirst
      hostNetwork: true
      nodeSelector:
        cpu: high
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: traefik-ingress-controller
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
      - name: qyd-cert
        secret:
          defaultMode: 420
          secretName: qyd-tls-cert
      - name: dfb-cert
        secret:
          defaultMode: 420
          secretName: dfb-tls-cert
      - configMap:
          defaultMode: 420
          name: traefik-config
        name: config
      - hostPath:
          path: /var/log/traefik
          type: ""
        name: logs
</code></pre>
<p>Note: change the image address in deployment.yml. Also, because this is a test setup, a nodeSelector pins the deployment to one fixed node and host networking is used. High availability of the ingress controller is left for later.<br>
Check the pod status:</p>
<pre><code>kubectl get pods -n traefik
</code></pre>
<p>After startup, Traefik listens on port 8080 and serves a management web UI where you can see the mapping between frontends and backends and some basic monitoring data.<br>
We create a ClusterIP Service and an Ingress so that Traefik reverse-proxies the UI under the domain traefik.qyd.com.</p>
<pre><code>kubectl apply -f traefik-web-ui.yml
</code></pre>
<pre><code>apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: traefik
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: traefik
spec:
  rules:
  - host: traefik.qyd.com
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web
</code></pre>
<p>On the local machine, add a hosts entry that resolves traefik.qyd.com to the node where Traefik is deployed.<br>
Open it in a browser: the page displays correctly, and http requests are automatically redirected to https.</p>
<h3 id="部署prometheus-和grafana-代理">Proxying Prometheus and Grafana</h3>
<blockquote>
<p>This only covers proxying Prometheus and Grafana through the Traefik ingress; for deploying them, please Google.</p>
</blockquote>
<p>Create Ingress objects for Prometheus and Grafana, reverse-proxied through Traefik under prometheus.qyd.com and grafana.dfb.com respectively.</p>
<blockquote>
<p>Make sure the namespace, serviceName and servicePort in the YAML match the names of the services in your own cluster.</p>
</blockquote>
<pre><code>kubectl apply -f grafana-ingress.yml
kubectl apply -f prometheus-ingress.yml
</code></pre>
<pre><code>apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: grafana
  namespace: kube-system
spec:
  rules:
  - host: grafana.dfb.com
    http:
      paths:
      - backend:
          serviceName: monitoring-grafana
          servicePort: 80
        path: /
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: prometheus
  namespace: kube-system
spec:
  rules:
  - host: prometheus.qyd.com
    http:
      paths:
      - backend:
          serviceName: prometheus
          servicePort: prometheus
        path: /
</code></pre>
<p>Likewise, add hosts entries for both domains on the local machine. Access through a browser works: http requests to prometheus.qyd.com are rewritten to https, while grafana.dfb.com is not rewritten. This concludes the deployment part.</p>
<h2 id="配置解析">Configuration explained</h2>
<p>With https for multiple domains, we do not need to assign a certificate to each domain individually; it is enough to list the certificate paths in the entrypoint. Traefik automatically matches the host name of the request against the CN of the certificates.<br>
In production, the same reverse proxy may serve domains that need a forced rewrite to https alongside domains that must not be rewritten. Traefik provides <em>entryPoints.http.redirect</em>, which uses a regular expression to select the domains to rewrite. This feels somewhat inflexible; there may well be a better way.</p>
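As an added illustration (not code from the original post), the following Python models the two mechanisms described above: the http-to-https redirect regex from the traefik.toml applied to the three hosts of this post, and the choice of certificate by requested host name. The certificate name lists are constructed stand-ins for the two mounted Secrets, and their wildcard entries are an assumption.

```python
import re
from typing import Optional

# Redirect rule copied from the traefik.toml above (Traefik 1.7 uses Go regexp);
# Go's "$1"/"$2" back-references are written "\1"/"\2" in Python.
REDIRECT_REGEX = r"^http://(.*).qyd.com/(.*)"
REDIRECT_REPLACEMENT = r"https://\1.qyd.com/\2"

# Constructed stand-ins for the Secrets mounted at /ssl/qyd and /ssl/dfb: only
# the names (CN plus SANs) that the TLS layer matches against are modelled, and
# the wildcard entries are an assumption about what those certificates contain.
CERTIFICATES = {
    "/ssl/qyd/tls.crt": ["qyd.com", "*.qyd.com"],
    "/ssl/dfb/tls.crt": ["dfb.com", "*.dfb.com"],
}


def redirect_target(url: str) -> Optional[str]:
    """URL the http entrypoint redirects to, or None when the regex does not
    match and the request is served over plain http (as for grafana.dfb.com)."""
    new_url = re.sub(REDIRECT_REGEX, REDIRECT_REPLACEMENT, url)
    return new_url if new_url != url else None


def name_matches(host: str, name: str) -> bool:
    """Exact match, or a wildcard covering exactly one label (TLS semantics)."""
    if name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == name[2:]
    return host == name


def select_certificate(sni_host: str) -> Optional[str]:
    """Certificate served for the requested host; exact names win over wildcards.
    None means neither certificate covers the host and Traefik would fall back
    to its default certificate, which browsers will not trust."""
    for cert_file, names in CERTIFICATES.items():
        if sni_host in names:
            return cert_file
    for cert_file, names in CERTIFICATES.items():
        if any(name_matches(sni_host, n) for n in names):
            return cert_file
    return None


if __name__ == "__main__":
    for host in ("traefik.qyd.com", "grafana.dfb.com", "prometheus.qyd.com"):
        print(host, redirect_target(f"http://{host}/"), select_certificate(host))
    # The dots in the page's regex are unescaped, so hosts that merely end in
    # "qyd.com" are rewritten as well; re.escape("qyd.com") in the pattern fixes that.
    print(redirect_target("http://x-qyd.com/"))
```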
</div>
<div id="MySignature" role="contentinfo">
<div>Author: 轻易科技</div>
<div>Origin: OPS</div>
<div>Copyright of this article belongs jointly to the author and cnblogs. Reposting is welcome, but you must give the original link and keep this statement; otherwise the right to pursue legal liability is reserved.</div><br><br>
Source: https://www.cnblogs.com/itanony/p/11037519.html