安裝trefik-ingress
- 創(chuàng)建安裝trefik rbac
cat >rbac.yml<<EOF
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
namespace: kube-system
EOF
kubectl apply -f rbac.yml
- 創(chuàng)建traefik配置
cat >traefik.toml<<EOF
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
EOF
kubectl create -n kube-system configmap traefik-conf --from-file=traefik.toml
- 安裝traefik
cat >traefik.yaml<<EOF
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
labels:
k8s-app: traefik-ingress-lb
name: traefik-ingress-controller
namespace: kube-system
annotations:
kubernetes.io/ingress.class: traefik #關(guān)鍵參數(shù)
spec:
selector:
matchLabels:
k8s-app: traefik-ingress-lb
name: traefik-ingress-lb
template:
metadata:
labels:
k8s-app: traefik-ingress-lb
name: traefik-ingress-lb
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: roles
operator: In
values:
- master
- etcd
volumes:
- name: config
configMap:
name: traefik-conf
containers:
- args:
- --api
- --kubernetes
- --logLevel=DEBUG
- --configfile=/config/traefik.toml
image: traefik
imagePullPolicy: Always
name: traefik-ingress-lb
ports:
- containerPort: 80
hostPort: 80
name: http
protocol: TCP
- containerPort: 443
hostPort: 443
name: https
protocol: TCP
- containerPort: 8080
hostPort: 8091
name: admin
protocol: TCP
resources: {}
volumeMounts:
- mountPath: "/config"
name: "config"
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
procMount: Default
restartPolicy: Always
serviceAccount: traefik-ingress-controller
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 60
templateGeneration: 1
updateStrategy:
type: OnDelete
EOF
安裝cert-manager
helm repo add jetstack https://charts.jetstack.io
kubectl apply \
-f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation="true"
helm install --name cert-manager --namespace cert-manage jetstack/cert-manager --version v0.7.0
參考鏈接:https://hub.helm.sh/charts/jetstack/cert-manager/v0.7.0
創(chuàng)建traefik ingress
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: traefik #關(guān)鍵參數(shù)
name: kiali-ingress
namespace: istio-system
spec:
rules:
- host: "kiali.xxx.com"
http:
paths:
- path: /
backend:
serviceName: kiali
servicePort: 20001
tls:
- hosts:
- kiali.xxx.com
secretName: kiali-cert
做DNS解析
創(chuàng)建clusterissuer
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: shancang.chen@xxx.com
privateKeySecretRef:
name: letsencrypt-prod
http01: {}
創(chuàng)建證書
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: kiali
namespace: istio-system
spec:
secretName: kiali-cert
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
dnsNames:
- kiali.xxx.com
acme:
config:
- http01:
ingressClass: traefik
domains:
- kiali.xxx.com
