How to set up https on kubernetes bare metal using traefik ingress controller

I'm running a kubernetes cluster which consists of three nodes and works brilliantly, but it's time to make my web application secure, so I deployed an ingress controller (traefik). But I was unable to find instructions for setting up https on it. I know most of the things I will have to do, like setting up a "secret" (container with certs) etc., but I was wondering how to configure my ingress controller and all files related to it so I would be able to use a secure connection.

I have already configured the ingress controller and created some frontends and backends. I also configured the nginx server (it's actually the web application I'm running) to work on port 443.


My web application deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: nginx
  replicas: 3 # tells deployment to run 3 pods matching the template
  template: # create pods using pod definition in this template
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: ilchub/my-nginx
        ports:
        - containerPort: 443
      tolerations:
      - key: "primary"
        operator: Equal
        value: "true"
        effect: "NoSchedule"

Traefik ingress controller deployment code

kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO

Ingress for traefik dashboard

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  rules:
  - host: cluster.aws.ctrlok.dev
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web

External expose related config

kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      nodePort: 30036
      name: web
    - protocol: TCP
      port: 443
      nodePort: 30035
      name: secure
    - protocol: TCP
      port: 8080
      nodePort: 30034
      name: admin
  type: NodePort

What I want to do is secure my application, which is already running. The final result has to be a webpage running over https.

Actually you have 3 ways to configure Traefik to use https to communicate with backend pods:

  1. If the service port defined in the ingress spec is 443 (note that you can still use targetPort to use a different port on your pod).
  2. If the service port defined in the ingress spec has a name that starts with https (such as https-api, https-web or just https).
  3. If the ingress spec includes the annotation ingress.kubernetes.io/protocol: https.

If either of those configuration options exist, then the backend communication protocol is assumed to be TLS, and will connect via TLS automatically.

Also additional authentication annotations should be added to the Ingress object, like:

ingress.kubernetes.io/auth-tls-secret: secret

And of course, add a TLS Certificate to the Ingress.
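
The pieces of the answer above put together, as an added example that is not part of the original answer: a Service in front of the question's nginx pods that satisfies rules 1 and 2, and an Ingress that sets the rule 3 annotation and references a TLS secret. The names nginx-https, nginx-tls and app.example.com are placeholders, and the Ingress keeps the extensions/v1beta1 API used elsewhere on this page.

```yaml
# Added example. Service for the nginx Deployment from the question (label app: nginx).
kind: Service
apiVersion: v1
metadata:
  name: nginx-https            # hypothetical name
  namespace: default
spec:
  selector:
    app: nginx
  ports:
  - name: https                # rule 2: port name starts with "https"
    protocol: TCP
    port: 443                  # rule 1: service port is 443
    targetPort: 443            # containerPort of the nginx pods
---
# Ingress routed by Traefik. TLS towards the client is terminated with the
# certificate from the referenced Secret; TLS towards the pods is selected
# by the port/annotation rules listed in the answer.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-https            # hypothetical name
  namespace: default           # the TLS Secret must live in this namespace too
  annotations:
    kubernetes.io/ingress.class: traefik
    ingress.kubernetes.io/protocol: https   # rule 3 (redundant here, shown for completeness)
spec:
  tls:
  - secretName: nginx-tls      # hypothetical Secret of type kubernetes.io/tls (tls.crt, tls.key)
  rules:
  - host: app.example.com      # placeholder host name
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-https
          servicePort: https
```

Traefik 1.x (which the `--kubernetes` flag in the question indicates) serves this certificate only when an HTTPS entry point is enabled, for example `--defaultentrypoints=http,https` together with `--entrypoints=Name:https Address::443 TLS`; the Deployment args shown in the question do not set one.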

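Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you republish, please credit this site's URL or the original source. For any questions, contact: yoyou2525@163.com.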
