[关闭]
@yangwenbo 2021-09-05T23:00:36.000000Z 字数 4979 阅读 699

Kubernetes

ingress拓宽篇

1. 生成 CA 证书

在现在大部分场景下面我们都会使用 https 来访问我们的服务,这节课我们将使用一个自签名的证书,当然你有在一些正规机构购买的 CA 证书是最好的,这样任何人访问你的服务的时候都是受浏览器信任的证书。使用下面的 openssl 命令生成 CA 证书:

  1. #一键回车
  2. [root@node01 ~]# openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt
  3. Generating a 2048 bit RSA private key
  4. .....................................+++
  5. .............................................................................+++
  6. writing new private key to 'tls.key'
  7. -----
  8. You are about to be asked to enter information that will be incorporated
  9. into your certificate request.
  10. What you are about to enter is what is called a Distinguished Name or a DN.
  11. There are quite a few fields but you can leave some blank
  12. For some fields there will be a default value,
  13. If you enter '.', the field will be left blank.
  14. -----
  15. Country Name (2 letter code) [XX]:
  16. State or Province Name (full name) []:
  17. Locality Name (eg, city) [Default City]:
  18. Organization Name (eg, company) [Default Company Ltd]:
  19. Organizational Unit Name (eg, section) []:
  20. Common Name (eg, your name or your server's hostname) []:

现在我们有了证书,我们可以使用 kubectl 创建一个 secret 对象来存储上面的证书:

  1. [root@node01 ~]# kubectl create secret generic traefik-cert --from-file=tls.crt --from-file=tls.key -n kube-system
  2. secret "traefik-cert" created
  1. [root@node01 ~]# mkdir /ssl
  2. [root@node01 ~]# cp -a tls.* /ssl/
  3. [root@node01 ~]# ls /ssl/
  4. tls.crt  tls.key

2. 配置 Traefik

前面我们使用的是 Traefik 的默认配置,现在我们来配置 Traefik,让其支持 https:

  1. [root@node01 ~]# vim traefik.toml
  2. [root@node01 ~]# cat traefik.toml 
  3. defaultEntryPoints = ["http", "https"]
  5. [entryPoints]
  6.   [entryPoints.http]
  7.   address = ":80"
  8.     [entryPoints.http.redirect]
  9.       entryPoint = "https"
  10.   [entryPoints.https]
  11.   address = ":443"
  12.     [entryPoints.https.tls]
  13.       [[entryPoints.https.tls.certificates]]
  14.       CertFile = "/ssl/tls.crt"
  15.       KeyFile = "/ssl/tls.key"
  1. [root@node01 ~]# mkdir /config
  2. [root@node01 ~]# cp -a traefik.toml /config/

上面的配置文件中我们配置了 http 和 https 两个入口,并且配置了将 http 服务强制跳转到 https 服务,这样我们所有通过 traefik 进来的服务都是 https 的,要访问 https 服务,当然就得配置对应的证书了,可以看到我们指定了 CertFile 和 KeyFile 两个文件,由于 traefik pod 中并没有这两个证书,所以我们要想办法将上面生成的证书挂载到 Pod 中去,是不是前面我们讲解过 secret 对象可以通过 volume 形式挂载到 Pod 中?至于上面的 traefik.toml 这个文件我们要怎么让 traefik pod 能够访问到呢?还记得我们前面讲过的 ConfigMap 吗?我们是不是可以将上面的 traefik.toml 配置文件通过一个 ConfigMap 对象挂载到 traefik pod 中去:

  1. [root@node01 ~]# kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
  2. configmap "traefik-conf" created

3. 使用 RBAC 安全认证方式

为安全起见我们这里使用 RBAC 安全认证方式:(rbac.yaml):

  1. [root@node01 ~]# vim rbac.yaml
  2. [root@node01 ~]# cat rbac.yaml
  3. ---
  4. apiVersion: v1
  5. kind: ServiceAccount
  6. metadata:
  7.   name: traefik-ingress-controller
  8.   namespace: kube-system
  9. ---
  10. kind: ClusterRole
  11. apiVersion: rbac.authorization.k8s.io/v1beta1
  12. metadata:
  13.   name: traefik-ingress-controller
  14. rules:
  15.   - apiGroups:
  16.       - ""
  17.     resources:
  18.       - services
  19.       - endpoints
  20.       - secrets
  21.     verbs:
  22.       - get
  23.       - list
  24.       - watch
  25.   - apiGroups:
  26.       - extensions
  27.     resources:
  28.       - ingresses
  29.     verbs:
  30.       - get
  31.       - list
  32.       - watch
  33. ---
  34. kind: ClusterRoleBinding
  35. apiVersion: rbac.authorization.k8s.io/v1beta1
  36. metadata:
  37.   name: traefik-ingress-controller
  38. roleRef:
  39.   apiGroup: rbac.authorization.k8s.io
  40.   kind: ClusterRole
  41.   name: traefik-ingress-controller
  42. subjects:
  43. - kind: ServiceAccount
  44.   name: traefik-ingress-controller
  45.   namespace: kube-system

直接在集群中创建即可:

  1. [root@node01 ~]# kubectl create -f rbac.yaml
  2. serviceaccount "traefik-ingress-controller" created
  3. clusterrole.rbac.authorization.k8s.io "traefik-ingress-controller" created
  4. clusterrolebinding.rbac.authorization.k8s.io "traefik-ingress-controller" created

4. 修改traefik pod 的 yaml 文件

现在就可以更改下上节课的 traefik pod 的 yaml 文件了:

  1. [root@node01 ~]# vim traefik.yaml
  2. [root@node01 ~]# cat traefik.yaml
  3. kind: Deployment
  4. apiVersion: apps/v1
  5. metadata:
  6.   name: traefik-ingress-controller
  7.   namespace: kube-system
  8.   labels:
  9.     k8s-app: traefik-ingress-lb
  10. spec:
  11.   replicas: 1
  12.   selector:
  13.     matchLabels:
  14.       k8s-app: traefik-ingress-lb
  15.   template:
  16.     metadata:
  17.       labels:
  18.         k8s-app: traefik-ingress-lb
  19.         name: traefik-ingress-lb
  20.     spec:
  21.       serviceAccountName: traefik-ingress-controller
  22.       terminationGracePeriodSeconds: 60
  23.       volumes:
  24.       - name: ssl
  25.         secret:
  26.           secretName: traefik-cert
  27.       - name: config
  28.         configMap:
  29.           name: traefik-conf
  30.       tolerations:
  31.       - operator: "Exists"
  32.       nodeSelector:
  33.         kubernetes.io/hostname: master
  34.       containers:
  35.       - image: traefik:v1.7.17
  36.         name: traefik-ingress-lb
  37.         volumeMounts:
  38.         - mountPath: "/ssl"
  39.           name: "ssl"
  40.         - mountPath: "/config"
  41.           name: "config"
  42.         ports:
  43.         - name: http
  44.           containerPort: 80
  45.           hostPort: 80
  46.         - name: https
  47.           containerPort: 443
  48.           hostPort: 443
  49.         - name: admin
  50.           containerPort: 8080
  51.         args:
  52.         - --configfile=/config/traefik.toml
  53.         - --api
  54.         - --kubernetes
  55.         - --logLevel=INFO
  56. ---
  57. kind: Service
  58. apiVersion: v1
  59. metadata:
  60.   name: traefik-ingress-service
  61.   namespace: kube-system
  62. spec:
  63.   selector:
  64.     k8s-app: traefik-ingress-lb
  65.   ports:
  66.     - protocol: TCP
  67.       port: 80
  68.       name: web
  69.     - protocol: TCP
  70.       port: 8080
  71.       name: admin
  72.   type: NodePort

和之前的比较,我们增加了 443 的端口配置,以及启动参数中通过 configfile 指定了 traefik.toml 配置文件,这个配置文件是通过 volume 挂载进来的。然后更新下 traefik pod:

  1. [root@node01 ~]# kubectl create -f traefik.yaml
  2. deployment.apps "traefik-ingress-controller" created
  3. service "traefik-ingress-service" created

5. 创建 ingress 对象

现在我们是通过 NodePort 来访问 traefik 的 Dashboard 的,那怎样通过 ingress 来访问呢? 首先,需要创建一个 ingress 对象:(ingress.yaml)

  1. [root@node01 ~]# vim ingress.yaml
  2. [root@node01 ~]# cat ingress.yaml 
  3. apiVersion: extensions/v1beta1
  4. kind: Ingress
  5. metadata:
  6.   name: traefik-web-ui
  7.   namespace: kube-system
  8.   annotations:
  9.     kubernetes.io/ingress.class: traefik
  10. spec:
  11.   rules:
  12.   - host: traefik.haimaxy.com
  13.     http:
  14.       paths:
  15.       - backend:
  16.           serviceName: traefik-ingress-service
  17.           servicePort: 8080

然后为 traefik dashboard 创建对应的 ingress 对象:

  1. [root@node01 ~]# kubectl create -f ingress.yaml
  2. ingress.extensions "traefik-web-ui" created

6. 验证

http://traefik.haimaxy.com
图片.png-139kB

添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注