Traefik TLS Configuration
阿新 • Published: 2018-04-16
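Production deployments mostly use F5 + Traefik. Because Traefik's SSL handling is relatively slow, SSL is usually terminated on the F5, while the traffic from the F5 to Traefik and on to the backends is plain HTTP.
However, the customer needs to use SSL directly in the development and test environments, so Traefik itself has to be configured for TLS.
Create the secret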
kubectl create secret generic traefik-cert --from-file=ca-key.pem --from-file=ca.pem -n kube-system
Create the ConfigMap from traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/ca.pem"
      KeyFile = "/ssl/ca-key.pem"
kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
The Ingress.yaml file
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: traefik-ingress-lb
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      restartPolicy: Always
      serviceAccountName: ingress
      volumes:
      # Certificate and key from the traefik-cert secret
      - name: ssl
        secret:
          secretName: traefik-cert
      # traefik.toml from the traefik-conf ConfigMap
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik
        name: traefik-ingress-lb
        volumeMounts:
        # Must match the CertFile/KeyFile paths in traefik.toml
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        resources:
          limits:
            cpu: 200m
            memory: 30Mi
          requests:
            cpu: 100m
            memory: 20Mi
        ports:
        - containerPort: 80
        - containerPort: 443
        - containerPort: 8580
        args:
        - --web.address=:8580
        - --web
        - --kubernetes
        - --configfile=/config/traefik.toml
---
kind: Service
apiVersion: v1
metadata:
  name: traefik
  namespace: kube-system
spec:
  type: NodePort
  ports:
  - protocol: TCP
    port: 80
    name: http
  - protocol: TCP
    port: 443
    name: https
  selector:
    k8s-app: traefik-ingress-lb
Test
curl -k https://...
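Because `curl -k` skips certificate verification, it will not reveal a wrong or expired certificate. The following pre-flight check is an added example, not part of the original post: it confirms that the two files placed in the traefik-cert secret (ca.pem and ca-key.pem above) are an unexpired, matching pair. The function name check_tls_pair is hypothetical, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: pre-flight check for the files that go into the traefik-cert secret.
# check_tls_pair is a hypothetical helper name; requires the openssl CLI.
# Returns 0 = usable pair, 1 = expired or mismatched, 2 = unreadable input.
check_tls_pair() {
    cert=$1
    key=$2

    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "cannot read $cert or $key" >&2
        return 2
    fi

    # Both files must parse before anything is compared; otherwise two
    # empty outputs would hash to the same value and look like a match.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "$cert is not a PEM certificate" >&2
        return 2
    fi
    # "-passin pass:" makes an encrypted key fail here instead of prompting.
    if ! openssl pkey -in "$key" -passin pass: -noout 2>/dev/null; then
        echo "$key is not an unencrypted PEM private key" >&2
        return 2
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "$cert has expired" >&2
        return 1
    fi

    # Compare the public key in the certificate with the one derived from
    # the private key; this works for RSA and EC keys alike.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout | openssl dgst -sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not belong to $cert" >&2
        return 1
    fi
    return 0
}

# Usage: sh check.sh ca.pem ca-key.pem   (run before kubectl create secret)
if [ "$#" -eq 2 ]; then
    check_tls_pair "$1" "$2"
fi
```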