kubernets Traefik 的HTTP 和HTTPS

k8s 的ingress+traefik原理細(xì)說(shuō)

ingress 本質(zhì)上就是一個(gè)nginx或者traefik 代理俩檬。他將用戶的請(qǐng)求該域名的請(qǐng)求轉(zhuǎn)發(fā)到后端的service豁辉。

做LB 實(shí)際上是kubernets的Service踢匣。

部署原理

daemonset 方式部署 traffic或者nginx,讓其監(jiān)聽在80端口和443端口樟蠕，默認(rèn)是隨機(jī)端口，通過hostport可以指定端口

K8S 中必須 Create Role Based Access 蛋疼稠腊，

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system

daemonset 例子

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        args:
        - --web
        - --kubernetes
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: NodePort

創(chuàng)建DaemonSet

Kubectl create -f ds.yaml

kubectl --namespace=kube-system get pods

NAME                                         READY     STATUS    RESTARTS   AGE
kube-addon-manager-minikubevm                1/1       Running   0          4h
kubernetes-dashboard-s8krj                   1/1       Running   0          4h
traefik-ingress-controller-678226159-eqseo   1/1       Running   0          7m

構(gòu)建UI

apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - port: 80
    targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik-ui.minikube
    http:
      paths:
      - backend:
          serviceName: traefik-web-ui
          servicePort: 80

轉(zhuǎn)發(fā)規(guī)則

---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
 name: stilton
 labels:
   app: cheese
   cheese: stilton
spec:
 replicas: 2
 selector:
   matchLabels:
     app: cheese
     task: stilton
 template:
   metadata:
     labels:
       app: cheese
       task: stilton
       version: v0.0.1
   spec:
     containers:
     - name: cheese
       image: errm/cheese:stilton
       ports:
       - containerPort: 80
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
 name: cheddar
 labels:
   app: cheese
   cheese: cheddar
spec:
 replicas: 2
 selector:
   matchLabels:
     app: cheese
     task: cheddar
 template:
   metadata:
     labels:
       app: cheese
       task: cheddar
       version: v0.0.1
   spec:
     containers:
     - name: cheese
       image: errm/cheese:cheddar
       ports:
       - containerPort: 80
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
 name: wensleydale
 labels:
   app: cheese
   cheese: wensleydale
spec:
 replicas: 2
 selector:
   matchLabels:
     app: cheese
     task: wensleydale
 template:
   metadata:
     labels:
       app: cheese
       task: wensleydale
       version: v0.0.1
   spec:
     containers:
     - name: cheese
       image: errm/cheese:wensleydale
       ports:
       - containerPort: 80

基于https

沿用上文的Role Based Access(RBAC)

首先得厘清幾個(gè)概念

Secret, 保存密鑰文件东跪，我們這次把pem畸陡，key等文件通過這種方式傳入pod 內(nèi)

# 創(chuàng)建一個(gè)名為 ak-cert secret文件
kubectl create secret generic mjb-cert --from-file=/server.pem --from-file=server.key

ConfigMap,配置文件鹰溜，創(chuàng)建一個(gè)配置文件,和secret一樣，通過volumes方式掛載到容器內(nèi)

cat traefik.toml 
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/mjb/server.pem"
      KeyFile = "/mjb/server.key"

掛載方法


#定義volumes
volumes:
      - name: mjb
        secret:
          secretName: ak-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ## 掛載
        volumeMounts:
        - mountPath: "/mjb"
          name: "mjb"
        - mountPath: "/config"
          name: "config"

部署daemonset

[root@master https]# cat dae.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
      - name: mjb
        secret:
          secretName: mjb-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/mjb"
          name: "mjb"
        - mountPath: "/config"
          name: "config"
        ports:
        - name: web
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
        - name: admin
          containerPort: 8580
        args:
        - --web
        - --kubernetes
        - --web.address=:8580
        - --configfile=/config/traefik.toml
---
kind: Service
apiVersion: v1
metadata:
  name: traefik
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - protocol: TCP
    port: 80
    name: http
  - protocol: TCP
    port: 443
    name: https
  - protocol: TCP
    port: 8580
    name: admin
  type: NodePort

部署基于https的UI

apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - port: 80
    targetPort: 8580
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  tls:
    - secretName: traefik-cert
  rules:
  - host: ui.domain.com
    http:
      paths:
      - backend:
          serviceName: traefik-web-ui
          servicePort: 80

訪問測(cè)試 ui.domain.com, 對(duì)了上文的證書需自己準(zhǔn)備丁恭，如果沒有可以生成

openssl req -newkey rsa:2048 -nodes -keyout domain.com.key  -x509 -days 365 -out domain.com.crt

?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者

人面猴
序言：七十年代末曹动，一起剝皮案震驚了整個(gè)濱河市，隨后出現(xiàn)的幾起案子牲览，更是在濱河造成了極大的恐慌墓陈，老刑警劉巖，帶你破解...
沈念sama閱讀 210,914評(píng)論 6贊 490
死咒
序言：濱河連續(xù)發(fā)生了三起死亡事件第献，死亡現(xiàn)場(chǎng)離奇詭異贡必，居然都是意外死亡，警方通過查閱死者的電腦和手機(jī)庸毫，發(fā)現(xiàn)死者居然都...
沈念sama閱讀 89,935評(píng)論 2贊 383
救了他兩次的神仙讓他今天三更去死
文/潘曉璐我一進(jìn)店門仔拟，熙熙樓的掌柜王于貴愁眉苦臉地迎上來(lái)，“玉大人飒赃，你說(shuō)我怎么就攤上這事理逊。” “怎么了盒揉？”我有些...
開封第一講書人閱讀 156,531評(píng)論 0贊 345
道士緝兇錄：失蹤的賣姜人
文/不壞的土叔我叫張陵，是天一觀的道長(zhǎng)兑徘。經(jīng)常有香客問我刚盈，道長(zhǎng)，這世上最難降的妖魔是什么挂脑？我笑而不...
開封第一講書人閱讀 56,309評(píng)論 1贊 282
?港島之戀（遺憾婚禮）
正文為了忘掉前任藕漱，我火速辦了婚禮，結(jié)果婚禮上崭闲，老公的妹妹穿的比我還像新娘肋联。我一直安慰自己，他們只是感情好刁俭，可當(dāng)我...
茶點(diǎn)故事閱讀 65,381評(píng)論 5贊 384
惡毒庶女頂嫁案：這布局不是一般人想出來(lái)的
文/花漫我一把揭開白布橄仍。她就那樣靜靜地躺著，像睡著了一般牍戚。火紅的嫁衣襯著肌膚如雪侮繁。梳的紋絲不亂的頭發(fā)上，一...
開封第一講書人閱讀 49,730評(píng)論 1贊 289
城市分裂傳說(shuō)
那天如孝，我揣著相機(jī)與錄音宪哩，去河邊找鬼。笑死第晰，一個(gè)胖子當(dāng)著我的面吹牛锁孟，可吹牛的內(nèi)容都是我干的彬祖。我是一名探鬼主播，決...
沈念sama閱讀 38,882評(píng)論 3贊 404
雙鴛鴦連環(huán)套：你想象不到人心有多黑
文/蒼蘭香墨我猛地睜開眼品抽，長(zhǎng)吁一口氣：“原來(lái)是場(chǎng)噩夢(mèng)啊……” “哼储笑！你這毒婦竟也來(lái)了？” 一聲冷哼從身側(cè)響起桑包，我...
開封第一講書人閱讀 37,643評(píng)論 0贊 266
萬(wàn)榮殺人案實(shí)錄
序言：老撾萬(wàn)榮一對(duì)情侶失蹤南蓬，失蹤者是張志新（化名）和其女友劉穎，沒想到半個(gè)月后哑了，有當(dāng)?shù)厝嗽跇淞掷锇l(fā)現(xiàn)了一具尸體赘方，經(jīng)...
沈念sama閱讀 44,095評(píng)論 1贊 303
?護(hù)林員之死
正文獨(dú)居荒郊野嶺守林人離奇死亡，尸身上長(zhǎng)有42處帶血的膿包…… 初始之章·張勛以下內(nèi)容為張勛視角年9月15日...
茶點(diǎn)故事閱讀 36,448評(píng)論 2贊 325
?白月光啟示錄
正文我和宋清朗相戀三年弱左，在試婚紗的時(shí)候發(fā)現(xiàn)自己被綠了窄陡。大學(xué)時(shí)的朋友給我發(fā)了我未婚夫和他白月光在一起吃飯的照片。...
茶點(diǎn)故事閱讀 38,566評(píng)論 1贊 339
活死人
序言：一個(gè)原本活蹦亂跳的男人離奇死亡拆火，死狀恐怖跳夭，靈堂內(nèi)的尸體忽然破棺而出，到底是詐尸還是另有隱情们镜，我是刑警寧澤币叹，帶...
沈念sama閱讀 34,253評(píng)論 4贊 328
?日本核電站爆炸內(nèi)幕
正文年R本政府宣布，位于F島的核電站模狭，受9級(jí)特大地震影響颈抚，放射性物質(zhì)發(fā)生泄漏。R本人自食惡果不足惜嚼鹉，卻給世界環(huán)境...
茶點(diǎn)故事閱讀 39,829評(píng)論 3贊 312
男人毒藥：我在死后第九天來(lái)索命
文/蒙蒙一贩汉、第九天我趴在偏房一處隱蔽的房頂上張望。院中可真熱鬧锚赤，春花似錦匹舞、人聲如沸。這莊子的主人今日做“春日...
開封第一講書人閱讀 30,715評(píng)論 0贊 21
一樁弒父案赐稽，背后竟有這般陰謀
文/蒼蘭香墨我抬頭看了看天上的太陽(yáng)。三九已至酒贬，卻和暖如春又憨，著一層夾襖步出監(jiān)牢的瞬間，已是汗流浹背锭吨。一陣腳步聲響...
開封第一講書人閱讀 31,945評(píng)論 1贊 264
情欲美人皮
我被黑心中介騙來(lái)泰國(guó)打工蠢莺，沒想到剛下飛機(jī)就差點(diǎn)兒被人妖公主榨干…… 1. 我叫王不留，地道東北人零如。一個(gè)月前我還...
沈念sama閱讀 46,248評(píng)論 2贊 360
代替公主和親
正文我出身青樓躏将，卻偏偏與公主長(zhǎng)得像锄弱，于是被迫代替她去往敵國(guó)和親。傳聞我的和親對(duì)象是個(gè)殘疾皇子祸憋，可洞房花燭夜當(dāng)晚...
茶點(diǎn)故事閱讀 43,440評(píng)論 2贊 348

kubernets Traefik 的HTTP 和HTTPS

k8s 的ingress+traefik原理細(xì)說(shuō)

部署原理

轉(zhuǎn)發(fā)規(guī)則

基于https

推薦閱讀更多精彩內(nèi)容