K8S Cluster Ingress HTTPS in Practice
阿新 • Published: 2018-05-24
k8s ingress https tls sni
The previous article used ingress together with traefik to split static and dynamic traffic at the entry point. This article builds on that setup and adds an HTTPS configuration to the ingress.
For simplicity and efficiency, once applications are containerised it is recommended to terminate (offload) HTTPS at the ingress layer. In plain terms: the connection from the user to the ingress uses HTTPS, while the connection from the ingress to the backend services uses plain HTTP. Note what this implies: traffic between the ingress and the pods travels in clear text, so this design assumes the cluster network itself is trusted.
Our HTTPS requirements are fairly simple:
1. Plain HTTP is automatically redirected to HTTPS
2. HTTPS supports virtual hosts (TLS SNI), i.e. one certificate per site on a single IP and port
I. Initial environment preparation
1. To keep testing simple, the dynamic-content routing rules configured in the previous article were removed, leaving only the static part
2. Add hosts entries for the test domain names
3. Test plain-HTTP access
II. Preparing the certificate files and the configuration file
1. The four certificate files for the two sites are kept together in a single Secret. Before creating it, confirm that each .key belongs to its .pem (the public-key moduli must agree) and that each .pem contains the full chain; a mismatched pair prevents the TLS entry point from loading, and a missing intermediate makes clients reject the chain.
# kubectl create secret generic traefik-cert --from-file=star_59iedu_com.key --from-file=star_59iedu_com.pem --from-file=star_yingjigl_com.key --from-file=star_yingjigl_com.pem -n kube-system
2. Configure the redirect from HTTP to HTTPS and load several certificates so that HTTPS virtual hosts work over TLS SNI. The original file mixed `CertFile`/`KeyFile` with `certFile`/`keyFile`; Traefik 1.x accepts both spellings, but the documented lowercase form is used consistently here.
# cat traefik.toml
defaultEntryPoints = ["http","https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/star_59iedu_com.pem"
      keyFile = "/ssl/star_59iedu_com.key"
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/star_yingjigl_com.pem"
      keyFile = "/ssl/star_yingjigl_com.key"
# kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
III. Updating the traefik deployment
The main change is to add the config and ssl volumes; everything else (RBAC, Service, Ingress and so on) stays as in the previous article: http://blog.51cto.com/ylw6006/2073718
Two details are worth attention. First, the image tag is pinned: this TOML and the `--web` flag are Traefik v1 syntax and will not start a v2 image. Second, because the pod runs with hostNetwork, the dashboard on port 8081 is reachable on every node carrying the `traefik: proxy` label, so restrict it (firewall or NetworkPolicy, or enable `[web.auth]` in traefik.toml) before exposing those nodes.
# cat traefik-deployment.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
# the original used extensions/v1beta1, which Kubernetes 1.16 removed
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 2
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      hostNetwork: true
      nodeSelector:
        traefik: proxy
      terminationGracePeriodSeconds: 60
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      # pinned to a 1.x tag: traefik.toml above is Traefik v1 configuration
      - image: traefik:1.7
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        ports:
        - name: web
          containerPort: 80
          hostPort: 80
        # the https entry point listens on 443; listed for clarity (hostNetwork binds it anyway)
        - name: https
          containerPort: 443
          hostPort: 443
        - name: admin
          containerPort: 8081
        args:
        - --configfile=/config/traefik.toml
        - --web
        - --web.address=:8081
        - --kubernetes
# kubectl apply -f traefik-deployment.yaml
IV. Access testing and verification
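The two requirements stated at the top (automatic redirect, one certificate per host via SNI) can be checked from outside the cluster instead of only in a browser. The script below is an added example, not code from the original post or from Traefik. It assumes the certificate selection rule Traefik 1.x inherits from Go's crypto/tls: exact SAN match first, then a wildcard covering exactly one label, otherwise the first configured certificate is served as the default. The `CERT_SANS` table is constructed for illustration; the real SAN lists come from `openssl x509 -noout -ext subjectAltName -in star_59iedu_com.pem`. It also models what clients get for a name no certificate covers (for example the bare `yingjigl.com`, which `*.yingjigl.com` does not match): the default certificate, so the browser shows a name-mismatch warning rather than a clean failure.

```python
"""Acceptance checks for a Traefik 1.x ingress: http -> https redirect and
per-host certificate selection via TLS SNI.  Added example, not part of the
original post.  CERT_SANS below is constructed; replace it with the SANs read
from the real certificates."""
import http.client
import socket
import ssl
import sys
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed: certificates in the order they appear in traefik.toml.
# The first entry is what clients receive when no SAN matches their SNI name.
CERT_SANS: List[Tuple[str, List[str]]] = [
    ("star_59iedu_com.pem", ["*.59iedu.com", "59iedu.com"]),
    ("star_yingjigl_com.pem", ["*.yingjigl.com"]),
]


def san_matches(hostname: str, san: str) -> bool:
    """RFC 6125 matching: '*.example.com' covers 'www.example.com' but
    neither 'example.com' nor 'a.b.example.com'."""
    host_labels = hostname.lower().rstrip(".").split(".")
    san_labels = san.lower().rstrip(".").split(".")
    if san_labels[0] == "*":
        return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]
    return host_labels == san_labels


def expected_cert(server_name: Optional[str],
                  certs: List[Tuple[str, List[str]]] = CERT_SANS) -> str:
    """File name of the certificate Traefik 1.x is expected to serve
    (assumed rule: exact SAN, then one-label wildcard, else the default)."""
    if server_name:
        for wildcard in (False, True):            # exact names win over wildcards
            for name, sans in certs:
                if any(s.startswith("*.") == wildcard and san_matches(server_name, s)
                       for s in sans):
                    return name
    return certs[0][0]                            # no SNI, or no match: default cert


def check_redirect(status: int, headers: Dict[str, str], host: str) -> Optional[str]:
    """None if a plain-http request for `host` was redirected to https on the
    same host, otherwise a description of what is wrong."""
    if status not in (301, 302, 307, 308):
        return f"expected a redirect, got HTTP {status}"
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if not location:
        return "redirect without a Location header"
    target = urlsplit(location)
    wrong_target = (target.scheme != "https"
                    or (target.hostname or "").lower() != host.lower()
                    or target.port not in (None, 443))
    if wrong_target:
        return f"Location {location!r} does not point at https://{host}"
    return None


def served_sans(node_ip: str, host: str, port: int = 443) -> List[str]:
    """Connect with SNI=host and return the DNS SANs of the served certificate.
    Verification stays enabled, so a certificate that does not cover `host`
    raises ssl.SSLCertVerificationError instead of being silently accepted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((node_ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]


def live_check(node_ip: str, host: str) -> Dict[str, Optional[str]]:
    """Run both checks against a node that runs the Traefik pod (hostNetwork)."""
    result: Dict[str, Optional[str]] = {}
    conn = http.client.HTTPConnection(node_ip, 80, timeout=5)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    result["redirect"] = check_redirect(resp.status, dict(resp.getheaders()), host)
    conn.close()
    try:
        sans = served_sans(node_ip, host)
        result["sni"] = (None if any(san_matches(host, s) for s in sans)
                         else f"served certificate covers {sans}, not {host}")
    except ssl.SSLCertVerificationError as exc:
        result["sni"] = f"TLS verification failed: {exc.verify_message}"
    return result


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: check_ingress.py <node-ip> <host> [<host> ...]")
    node, hosts = sys.argv[1], sys.argv[2:]
    for h in hosts:
        print(h, "-> expected", expected_cert(h), live_check(node, h))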
References:
Other requirements, such as gzip compression, permitted TLS versions and cipher suites, and rewrite/redirect rules, can also be configured by following this document:
https://docs.traefik.io/configuration/entrypoints/#basic