Configuring HTTPS access to the Kubernetes dashboard with Traefik

Create the certificate
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout k8s.key -out k8s.crt -subj "/CN=k8s.ui.com"
This certificate carries only a CN and no subjectAltName, so current browsers report a host-name mismatch on top of the usual self-signed warning; add a DNS SAN for k8s.ui.com if that matters to you.
Create a Secret holding the HTTPS certificate
# kubectl create secret generic k8s-cert  --from-file=k8s.key --from-file=k8s.crt -n kube-system
secret/k8s-cert created
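The one-line openssl command above yields a CN-only certificate. The script below is an added example, not part of the original post: it generates the same k8s.crt/k8s.key pair with a DNS SAN, checks that the key and certificate belong together and that the SAN really names the dashboard host, and prints the same Secret command as above. The only name it takes from the page is k8s.ui.com; the config section names are arbitrary.

```shell
#!/bin/sh
# Generate the dashboard certificate with a subjectAltName and verify the pair
# before it goes into the Secret. Added example; assumes only the host name
# k8s.ui.com used throughout the page.
set -eu

# gen_cert HOST DIR: self-signed cert + key in DIR as k8s.crt / k8s.key, the
# file names the TOML CertFile/KeyFile paths expect once the Secret is mounted.
gen_cert() {
    host=$1; dir=$2
    cat > "$dir/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_srv
[dn]
CN = $host
[v3_srv]
subjectAltName = DNS:$host
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/k8s.key" -out "$dir/k8s.crt" \
        -config "$dir/san.cnf" 2>/dev/null
}

# cert_matches_key CRT KEY: 0 if the certificate's public key was derived from KEY.
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# cert_covers_host CRT HOST: 0 if HOST is listed as a DNS SAN. Exact line match,
# so k8s.ui.com does not pass for a certificate issued to k8s.ui.com.evil.test.
cert_covers_host() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qx "DNS:$2"
}

dir=$(mktemp -d)
gen_cert k8s.ui.com "$dir"
cert_matches_key "$dir/k8s.crt" "$dir/k8s.key" && echo "cert/key pair: OK"
cert_covers_host "$dir/k8s.crt" k8s.ui.com && echo "SAN covers k8s.ui.com: OK"
openssl x509 -noout -subject -dates -in "$dir/k8s.crt"
# Same Secret as on the page: the file names become the Secret keys, so the
# TOML paths stay /ssl/k8s.crt and /ssl/k8s.key.
echo "kubectl create secret generic k8s-cert --from-file=$dir/k8s.key --from-file=$dir/k8s.crt -n kube-system"
```

If you prefer `kubectl create secret tls`, remember it stores the files under the keys tls.crt and tls.key, so CertFile/KeyFile in the ConfigMap would have to change to /ssl/tls.crt and /ssl/tls.key.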
Create a ConfigMap holding the Traefik configuration
# vim k8s_conf.yml
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik.toml
  namespace: kube-system
data:
  traefik.toml: |
    # Skip TLS certificate verification when proxying to HTTPS backends. Needed here
    # because the dashboard serves a self-signed certificate, but the setting is global:
    # every HTTPS backend behind this Traefik becomes spoofable. Prefer trusting the
    # backend's CA instead, e.g. rootCAs = ["/ssl/dashboard-ca.crt"], and leave this unset.
    insecureSkipVerify = true
    defaultEntryPoints = ["http", "https"]   # serve both http and https
    [entryPoints]
      [entryPoints.http]
      address = ":80"
        [entryPoints.http.redirect]
        regex = "^http://k8s.ui.com/(.*)"       # matches the dashboard host only
        replacement = "https://k8s.ui.com/$1"   # force it to https
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/k8s.crt"   # path inside the pod: the Secret is mounted at /ssl
          KeyFile = "/ssl/k8s.key"
# kubectl apply -f k8s_conf.yml
configmap/traefik.toml created
Write the traefik_https.yml file
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1   # removed in Kubernetes 1.16; on newer clusters use apps/v1, which also requires spec.selector
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      volumes:
      - name: ssl
        secret:
          secretName: k8s-cert   # the certificate Secret, mounted at /ssl
      - name: config
        configMap:
          name: traefik.toml     # the ConfigMap, mounted at /config
      containers:
      - image: traefik:1.7.9
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
        - name: admin
          containerPort: 8080   # Traefik UI/API; with hostNetwork it listens on every node, so restrict who can reach it
        securityContext:
          privileged: true   # not needed to bind 80/443 under hostNetwork (the image already runs as root); remove it for least privilege
        args:
        - --configfile=/config/traefik.toml
        - -d            # debug logging; drop it once the setup works
        - --web         # enables the UI/API on :8080 with no authentication (--api is the 1.7 name for the same thing)
        - --kubernetes
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system   # the selector only matches pods in the Service's own namespace
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
    - protocol: TCP
      port: 443
      name: https
  type: NodePort   # redundant while hostNetwork is on (Traefik already listens on 80/443 of every node); note it also publishes the unauthenticated admin port on a NodePort
---
apiVersion: v1
kind: Service
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - port: 80
    targetPort: 8080
---
apiVersion: extensions/v1beta1   # Ingress moved to networking.k8s.io/v1; extensions/v1beta1 was removed in Kubernetes 1.22
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik.ui.com
    http:
      paths:
      - backend:
          serviceName: traefik-web-ui
          servicePort: 80
# kubectl apply -f traefik_https.yml 
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
serviceaccount/traefik-ingress-controller created
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created
daemonset.extensions/traefik-ingress-controller created
service/traefik-web-ui created
ingress.extensions/traefik-web-ui created
The trap here: /config/traefik.toml is a path inside the container, not on the host. Don't go "fixing" it!
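Before running kubectl apply on a multi-document file like traefik_https.yml, it pays to catch two mistakes that many kubectl versions accept without complaint: two objects sharing one YAML document because a `---` separator is missing (the later keys overwrite the earlier ones and one object silently disappears, which is why the apply output above lists only service/traefik-web-ui) and namespaced objects with no metadata.namespace (they land in whatever namespace kubectl is pointed at, not kube-system). The check below is an added example, not from the original post; it needs only awk and runs here against a constructed sample that reproduces the merged-Service case.

```shell
#!/bin/sh
# Pre-flight check for a multi-document manifest: flag documents carrying more
# than one top-level "kind:" (objects merged by a missing "---") and namespaced
# objects without metadata.namespace. Added example; the sample below is
# constructed to mirror the mistake in the page's manifest.
set -eu

# lint_manifest FILE: prints one line per finding, exits non-zero if any.
# Heuristic: a "  namespace:" line at two-space indent is taken as metadata.namespace.
lint_manifest() {
    awk '
        function flush() {
            if (kinds == 0) return
            doc++
            if (kinds > 1) {
                printf "doc %d: %d kind: keys in one document, objects merged (missing ---?)\n", doc, kinds
                bad++
            } else if (!ns && kind != "ClusterRole" && kind != "ClusterRoleBinding" && kind != "Namespace") {
                printf "doc %d (%s): no metadata.namespace, object lands in the current kubectl namespace\n", doc, kind
                bad++
            }
            kinds = 0; ns = 0; kind = ""
        }
        /^---[ \t]*$/   { flush(); next }
        /^kind:/        { kinds++; kind = $2 }
        /^  namespace:/ { ns = 1 }
        END             { flush(); exit bad }
    ' "$1"
}

# Constructed sample: the NodePort Service and the traefik-web-ui Service are
# not separated by "---", exactly as in the page's original manifest.
sample=$(mktemp)
cat > "$sample" <<'EOF'
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
spec:
  type: NodePort
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
EOF

lint_manifest "$sample" || echo "fix the manifest before kubectl apply"
# On the real file: lint_manifest traefik_https.yml
```

The check is deliberately line-based; it does not understand YAML anchors or block scalars, so a `kind:` line inside a ConfigMap's data would be counted only if it started at column 0, which indented data never does.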
Create the Ingress for the dashboard
# vim k8s_ui.yml
---
kind: Ingress
apiVersion: extensions/v1beta1   # networking.k8s.io/v1 on Kubernetes 1.22 and later
metadata:
  name: dashboard
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: k8s.ui.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443   # Traefik 1.7 talks HTTPS to a backend port numbered 443 (or named https*), which is why insecureSkipVerify was needed above
# kubectl create -f k8s_ui.yml
ingress.extensions/dashboard created
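The redirect in the ConfigMap is host-specific: only requests whose URL starts with http://k8s.ui.com/ are sent to HTTPS, so the Traefik UI that the second Ingress publishes on traefik.ui.com keeps being served, together with its unauthenticated API, over plain HTTP. The script below is an added example that replays the rule with sed rather than with Traefik itself (equivalent for this simple pattern; only the back-reference syntax differs) and shows which of a few constructed request URLs end up on HTTPS. The host names come from the page; the paths are made up.

```shell
#!/bin/sh
# Replay the entryPoints.http.redirect rule from the ConfigMap against sample
# request URLs. Added example, not Traefik code: sed -E stands in for Traefik's
# Go regexp; $1 in the TOML becomes \1 here.
set -eu

REDIRECT_REGEX='^http://k8s.ui.com/(.*)'
REDIRECT_REPL='https://k8s.ui.com/\1'

# apply_redirect URL: prints the Location the client would be sent to, or the
# URL unchanged when the rule does not match (Traefik then serves it over HTTP).
apply_redirect() {
    printf '%s\n' "$1" | sed -E "s#${REDIRECT_REGEX}#${REDIRECT_REPL}#"
}

# is_forced_https URL: 0 when the request ends up on HTTPS, 1 when it stays in the clear.
is_forced_https() {
    case "$(apply_redirect "$1")" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed requests: dashboard paths, the Traefik UI host from the second
# Ingress, and a look-alike host that the unescaped "." in the regex also matches.
for url in 'http://k8s.ui.com/' \
           'http://k8s.ui.com/api/v1/namespaces?limit=10' \
           'http://traefik.ui.com/' \
           'http://k8sXui.com/'; do
    if is_forced_https "$url"; then
        printf '%-45s -> %s\n' "$url" "$(apply_redirect "$url")"
    else
        printf '%-45s -> stays on plain HTTP\n' "$url"
    fi
done
```

To force every host to HTTPS, drop the host from the pattern (`regex = "^http://(.*)"` with `replacement = "https://$1"`) or use `entryPoint = "https"` under `[entryPoints.http.redirect]`, which Traefik 1.7 supports; if you keep the host-specific form, escape the dots (`k8s\.ui\.com`) so a look-alike host is not rewritten to the dashboard.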