@yangwenbo 2021-09-05T23:00:36.000000Z Word count 4979 Views 699

Kubernetes

Ingress: extended topics

1. Generate a CA certificate

In most scenarios today we access our services over https. In this lesson we will use a self-signed certificate; a CA certificate bought from a recognised authority is of course best, because then the certificate is trusted by the browser of anyone who visits your service. Use the following openssl command to generate the certificate:

    # press Enter at every prompt to accept the defaults
    [root@node01 ~]# openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt
    Generating a 2048 bit RSA private key
    .....................................+++
    .............................................................................+++
    writing new private key to 'tls.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:
    State or Province Name (full name) []:
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:

Now that we have the certificate, we can use kubectl to create a secret object that stores it:

    [root@node01 ~]# kubectl create secret generic traefik-cert --from-file=tls.crt --from-file=tls.key -n kube-system
    secret "traefik-cert" created

    [root@node01 ~]# mkdir /ssl
    [root@node01 ~]# cp -a tls.* /ssl/
    [root@node01 ~]# ls /ssl/
    tls.crt tls.key

2. Configure Traefik

Earlier we ran Traefik with its default configuration; now we configure Traefik so that it supports https:

    [root@node01 ~]# vim traefik.toml
    [root@node01 ~]# cat traefik.toml
    defaultEntryPoints = ["http", "https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
        [entryPoints.http.redirect]
        entryPoint = "https"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"

    [root@node01 ~]# mkdir /config
    [root@node01 ~]# cp -a traefik.toml /config/

In the configuration file above we defined two entry points, http and https, and configured http to be forcibly redirected to https, so every service that comes in through traefik is served over https. Serving https naturally requires the matching certificate, and you can see that we specified the CertFile and KeyFile paths. The traefik pod does not contain these two files, so we need a way to get the certificate generated above into the Pod; recall from earlier that a secret object can be mounted into a Pod as a volume. As for the traefik.toml file itself, how do we make it reachable from the traefik pod? Remember the ConfigMap we covered earlier? We can mount the traefik.toml configuration file into the traefik pod through a ConfigMap object:

    [root@node01 ~]# kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
    configmap "traefik-conf" created
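The post relies on two properties of traefik.toml: port 80 only redirects to https, and the https entry point has both a certificate and a key. The following added example (not part of the original post or of Traefik) checks exactly those properties. It carries a small hand-written parser for the TOML subset the post's file uses, so it runs on the Python standard library alone; the second config, WEAK_CONFIG, is a constructed variant that keeps serving plaintext and is missing the KeyFile, to show what the check reports.

```python
"""Checker for the entry-point section of a Traefik 1.x traefik.toml.

Added example, not part of the original post or of Traefik. The parser covers
only the TOML subset used here (tables, arrays of tables, string and
string-array values); use a full parser such as tomllib for real configs.
"""
import re

# The post's traefik.toml, transcribed with indentation added.
GOOD_CONFIG = """
defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"
"""

# Constructed weak variant: https exists, but port 80 keeps serving plaintext
# (no redirect) and the certificate entry lacks its key file.
WEAK_CONFIG = """
defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
"""

_TABLE = re.compile(r"^\[\[(.+)\]\]$|^\[(.+)\]$")
_KEY_VALUE = re.compile(r"^(\w+)\s*=\s*(.+)$")


def parse_toml_subset(text):
    """Parse [table], [[array.of.tables]] and key = "str" / ["a", "b"] lines into nested dicts."""
    root = {}
    current = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # subset: '#' never occurs inside strings here
        if not line:
            continue
        table = _TABLE.match(line)
        if table:
            is_array = table.group(1) is not None
            path = (table.group(1) or table.group(2)).split(".")
            node = root
            for key in path[:-1]:
                node = node.setdefault(key, {})
                if isinstance(node, list):  # inside an array of tables: use its latest element
                    node = node[-1]
            if is_array:
                node.setdefault(path[-1], []).append({})
                current = node[path[-1]][-1]
            else:
                current = node.setdefault(path[-1], {})
            continue
        kv = _KEY_VALUE.match(line)
        if kv:
            key, value = kv.group(1), kv.group(2).strip()
            if value.startswith("["):
                current[key] = [v.strip().strip('"') for v in value.strip("[]").split(",") if v.strip()]
            else:
                current[key] = value.strip('"')
    return root


def audit_entrypoints(config):
    """Return findings about the http/https entry points; empty means the setup matches the post's intent."""
    findings = []
    entry_points = config.get("entryPoints", {})
    if "https" not in config.get("defaultEntryPoints", []):
        findings.append("https is not a default entry point")
    https = entry_points.get("https")
    if not https:
        findings.append("no https entry point is defined")
    else:
        certificates = https.get("tls", {}).get("certificates", [])
        if not certificates:
            findings.append("https entry point has no TLS certificates")
        for i, cert in enumerate(certificates):
            for field in ("CertFile", "KeyFile"):
                if field not in cert:
                    findings.append(f"certificate {i} is missing {field}")
    http = entry_points.get("http")
    if http and http.get("redirect", {}).get("entryPoint") != "https":
        findings.append("http entry point does not redirect to https, so plaintext is still served")
    return findings


if __name__ == "__main__":
    for name, text in (("post config", GOOD_CONFIG), ("weak config", WEAK_CONFIG)):
        print(name, "->", audit_entrypoints(parse_toml_subset(text)) or "no findings")
```

The check reads the rendered file rather than the ConfigMap, so it can run in CI before `kubectl create configmap`; the redirect finding is the one to watch, since a missing `[entryPoints.http.redirect]` block silently leaves port 80 serving cleartext even though 443 works.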

3. Use RBAC authorization

For security we use RBAC here (rbac.yaml):

    [root@node01 ~]# vim rbac.yaml
    [root@node01 ~]# cat rbac.yaml
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: traefik-ingress-controller
      namespace: kube-system
    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: traefik-ingress-controller
    rules:
      - apiGroups:
          - ""
        resources:
          - services
          - endpoints
          - secrets
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - extensions
        resources:
          - ingresses
        verbs:
          - get
          - list
          - watch
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: traefik-ingress-controller
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: traefik-ingress-controller
    subjects:
      - kind: ServiceAccount
        name: traefik-ingress-controller
        namespace: kube-system

Create it directly in the cluster:

    [root@node01 ~]# kubectl create -f rbac.yaml
    serviceaccount "traefik-ingress-controller" created
    clusterrole.rbac.authorization.k8s.io "traefik-ingress-controller" created
    clusterrolebinding.rbac.authorization.k8s.io "traefik-ingress-controller" created
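The ClusterRole above is read-only, which is what "for security we use RBAC" buys us, but it is worth seeing what it still grants: because it is a ClusterRole, `get/list/watch` on `secrets` applies in every namespace, not just kube-system. The added example below (not part of the original post) transcribes the post's rules into Python dicts, flattens them into individual permissions and raises the findings a least-privilege review would raise; a constructed over-broad rule set is included for contrast. Traefik 1.x does need to read secrets to serve TLS for Ingress objects, so the finding is a known cost to track, and limiting the namespaces the provider watches is the usual way to contain it.

```python
"""Least-privilege review of the ClusterRole granted to the Traefik controller.

Added example, not part of the original post. TRAEFIK_RULES is the post's
traefik-ingress-controller ClusterRole transcribed into Python dicts (so no
YAML library is needed); OVERBROAD_RULES is a constructed comparison.
Nothing here talks to a cluster; it only evaluates the rules.
"""

# Transcribed from the post's rbac.yaml (the core API group is the empty string).
TRAEFIK_RULES = [
    {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"],
     "verbs": ["get", "list", "watch"]},
]

# Constructed for comparison: the "just make it work" role that should never ship.
OVERBROAD_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]

READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Resources where read access alone is sensitive; a ClusterRole grants it in every namespace.
SENSITIVE_READ = {"secrets"}


def expand_permissions(rules):
    """Flatten rules into a sorted list of 'group/resource:verb' strings ('core' for the '' group)."""
    perms = set()
    for rule in rules:
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    perms.add(f"{group or 'core'}/{resource}:{verb}")
    return sorted(perms)


def review_rules(rules):
    """Return the findings a least-privilege review would raise; empty means nothing notable."""
    findings = []
    for idx, rule in enumerate(rules):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups or "*" in resources:
            findings.append(f"rule {idx}: wildcard apiGroups/resources, effectively cluster-admin scope")
        if "*" in verbs:
            findings.append(f"rule {idx}: wildcard verbs include every write operation")
        elif verbs & WRITE_VERBS:
            findings.append(f"rule {idx}: write verbs {sorted(verbs & WRITE_VERBS)} on {sorted(resources)}")
        for resource in sorted(resources & SENSITIVE_READ):
            if verbs & (READ_VERBS | {"*"}):
                findings.append(
                    f"rule {idx}: read access to {resource}; as a ClusterRole this covers every namespace")
    return findings


if __name__ == "__main__":
    for name, rules in (("traefik", TRAEFIK_RULES), ("overbroad", OVERBROAD_RULES)):
        print(f"== {name}: {len(expand_permissions(rules))} permissions ==")
        for line in review_rules(rules) or ["no findings"]:
            print("  ", line)
```

Run against the post's role the review produces a single finding, the cluster-wide secrets read; the same function applied to a real cluster's roles (after exporting them with `kubectl get clusterrole -o yaml` and loading the YAML) gives a quick inventory of which service accounts can read secrets everywhere.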

4. Modify the traefik pod YAML file

Now we can update the traefik pod YAML file from the previous lesson:

    [root@node01 ~]# vim traefik.yaml
    [root@node01 ~]# cat traefik.yaml
    kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: traefik-ingress-controller
      namespace: kube-system
      labels:
        k8s-app: traefik-ingress-lb
    spec:
      replicas: 1
      selector:
        matchLabels:
          k8s-app: traefik-ingress-lb
      template:
        metadata:
          labels:
            k8s-app: traefik-ingress-lb
            name: traefik-ingress-lb
        spec:
          serviceAccountName: traefik-ingress-controller
          terminationGracePeriodSeconds: 60
          volumes:
          - name: ssl
            secret:
              secretName: traefik-cert
          - name: config
            configMap:
              name: traefik-conf
          tolerations:
          - operator: "Exists"
          nodeSelector:
            kubernetes.io/hostname: master
          containers:
          - image: traefik:v1.7.17
            name: traefik-ingress-lb
            volumeMounts:
            - mountPath: "/ssl"
              name: "ssl"
            - mountPath: "/config"
              name: "config"
            ports:
            - name: http
              containerPort: 80
              hostPort: 80
            - name: https
              containerPort: 443
              hostPort: 443
            - name: admin
              containerPort: 8080
            args:
            - --configfile=/config/traefik.toml
            - --api
            - --kubernetes
            - --logLevel=INFO
    ---
    kind: Service
    apiVersion: v1
    metadata:
      name: traefik-ingress-service
      namespace: kube-system
    spec:
      selector:
        k8s-app: traefik-ingress-lb
      ports:
      - protocol: TCP
        port: 80
        name: web
      - protocol: TCP
        port: 8080
        name: admin
      type: NodePort

Compared with the previous version, we added the port 443 configuration, and the startup arguments now point at the traefik.toml configuration file via configfile; that file is mounted in through a volume. Now update the traefik pod:

    [root@node01 ~]# kubectl create -f traefik.yaml
    deployment.apps "traefik-ingress-controller" created
    service "traefik-ingress-service" created

5. Create the Ingress object

Right now we reach the traefik Dashboard through the NodePort; how do we reach it through an ingress instead? First, create an ingress object (ingress.yaml):

    [root@node01 ~]# vim ingress.yaml
    [root@node01 ~]# cat ingress.yaml
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: traefik-web-ui
      namespace: kube-system
      annotations:
        kubernetes.io/ingress.class: traefik
    spec:
      rules:
      - host: traefik.haimaxy.com
        http:
          paths:
          - backend:
              serviceName: traefik-ingress-service
              servicePort: 8080

Then create the corresponding ingress object for the traefik dashboard:

    [root@node01 ~]# kubectl create -f ingress.yaml
    ingress.extensions "traefik-web-ui" created

6. Verify

http://traefik.haimaxy.com
