traefik https使用

        之前已经使用traefik服务作为入口，测试并访问了tomcat应用，之前是通过http来访问的，而我们在yaml文件里面也添加8443端口用于https访问，在实际环境中我们也是需要
https来进行访问应用，通过traefik实现https，traefik http应用

操作实践

        这里我用了公司的证书，就是为了贴近真实，也满足测试需求，创建一个secret，保存https证书，如果没有证书，可以使用以下方式进行生成证书

签证书

        没有证书可以使用命令生产证书

# mkdir certs
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout xxlaila.cn.key -out xxlaila.cn.crt -subj "/CN=*.xxlaila.cn"

部署准备

traefik.toml

• http 和https共同存在

  defaultEntryPoints = ["http","https"]
  [entryPoints]
    [entryPoints.http]
    address = ":80"
      entryPoint = "https"
    [entryPoints.https]
    address = ":443"
      [entryPoints.https.tls]
        [[entryPoints.https.tls.certificates]]
        certFile = "/certs/xxlaila.cn.crt"
        keyFile = "/certs/xxlaila.cn.key"

• 所有http请求全部rewrite为https的规则

  defaultEntryPoints = ["http","https"]
  [entryPoints]
    [entryPoints.http]
    address = ":80"
      [entryPoints.http.redirect]
      entryPoint = "https"
    [entryPoints.https]
    address = ":443"
      [entryPoints.https.tls]
        [[entryPoints.https.tls.certificates]]
        certFile = "/certs/xxlaila.cn.crt"
        keyFile = "/certs/xxlaila.cn.key"

• 部分域名强制跳转https

  defaultEntryPoints = ["http","https"]
  [entryPoints]
    [entryPoints.http]
    address = ":80"
      [entryPoints.http.redirect]
        regex = "^http://traefix.xxlaila.cn/(.*)"
        replacement = "https://traefix.xxlaila.cn/$1"
    [entryPoints.https]
    address = ":443"
      [entryPoints.https.tls]
        [[entryPoints.https.tls.certificates]]
        certFile = "/certs/xxlaila.cn.crt"
        keyFile = "/certs/xxlaila.cn.key"

创建证书secret

#  kubectl create secret generic traefik-cert --from-file=certs/xxlaila.cn.crt --from-file=certs/xxlaila.cn.key --from-file=certs/dev.xxlaila.cn.crt --from-file=certs/dev.xxlaila.cn.key --from-file=certs/test.xxlaila.cn.crt --from-file=certs/test.xxlaila.cn.key  -n kube-system
secret/traefik-cert created

# kubectl get secret traefik-cert -n kube-system 
NAME           TYPE     DATA   AGE
traefik-cert   Opaque   2      26s

• traefik-cert.yaml

  证书base64加密
  # cat dev.xxlaila.cn.crt |base64 |tr -d '\n'
  
  # cat > traefik-cert.yaml<<EOF
  ---
  kind: Secert
  apiVersion: v1
  metadata:
    name: traefik-cert
    namespace: kube-system
  data:
    "dev.xxlaila.cn.crt": 
    "dev.xxlaila.cn.key":
    "test.xxlaila.cn.crt"
    "test.xxlaila.cn.key":
    "xxlaila.cn.crt":
    "xxlaila.cn.key":
  type:
    - Opaque
  
  EOF

创建configmap保存traefix的配置

• traefik.toml

  # cat > traefik.toml<<EOF
  defaultEntryPoints = ["http","https"]
  [entryPoints]
    [entryPoints.http]
      address = ":80"
      compress = true
  
      [entryPoints.http.whitelist]
        sourceRange = ["172.21.0.0/16", "172.16.0.0/16"]
        useXForwardedFor = true
  
      [entryPoints.http.redirect]
        entryPoint = "https"
    [entryPoints.https]
      address = ":443"
      [entryPoints.https.tls]
        [[entryPoints.https.tls.certificates]]
        certFile = "/opt/traefix/certs/xxlaila.cn.crt"
        keyFile = "/opt/traefix/certs/xxlaila.cn.key"
        [[entryPoints.https.tls.certificates]]
        certFile = "/opt/traefix/certs/dev.xxlaila.cn.crt"
        keyFile = "/opt/traefix/certs/dev.xxlaila.cn.key"
        [[entryPoints.https.tls.certificates]]
        certFile = "/opt/traefix/certs/test.xxlaila.cn.crt"
        keyFile = "/opt/traefix/certs/test.xxlaila.cn.key"
  
  # rules
  filename = "/opt/traefix/conf/rules.toml"
  watch = true
  
  EOF
  
  # kubectl create configmap traefik-conf --from-file=conf/traefik.toml -n kube-system
  configmap/traefik-conf created
  
  # kubectl get configmap traefik-conf -n kube-system
  NAME           DATA   AGE
  traefik-conf   1      25s

重新部署Traefix

        重新部署Traefix主要是要关联创建的secret和configMap，并挂载相对应的主机目录。

deployment 方式部署

        修改片段

# vim traefik-deployment.yaml 
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true 
      dnsPolicy: ClusterFirstWithHostNet
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
          defaultMode: 0644
          items:
            - key: traefik.toml
              path: traefik.toml
      containers:
      - image: traefik:v1.7
        name: traefik-ingress-lb
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - mountPath: "/certs"
          name: "ssl"
        - mountPath: "/etc/traefik.toml"
          subPath: "traefik.toml"
          name: "config"
        ports:
        - name: http
          containerPort: 80
        - name: admin
          containerPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
              - NET_BIND_SERVICE
        args:
        - --api
        - --web
        - --api.dashboard
        - --web.metrics
        - --metrics.prometheus
        - --web.metrics.prometheus
        - --kubernetes
        - --logLevel=INFO
        - --traefiklog
        - --traefiklog.format=json
        - --accesslog
        - --accesslog.format=json
        - --accessLog.fields.headers.defaultMode=redact
        - --insecureskipverify=true
        - --configFile=/etc/traefik.toml
        - --defaultentrypoints=http,https
        - --entrypoints=Name:https Address::443 TLS
        - --entrypoints=Name:http Address::80 
      nodeSelector:
        IngressProxy: "true"
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/ingress
        operator: Equal

• 执行创建

  # kubectl apply -f traefik-deployment.yaml

测试ui

# cat >ui.yaml<<EOF 
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
    #traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    #traefik.ingress.kubernetes.io/redirect-entry-point: https
spec:
  #tls:
  #  - secretName: traefik-cert
  rules:
  - host: traefik.xxlaila.cn
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web
EOF

# cat >ui-test.yaml <<EOF
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui-test
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui-test
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
spec:
  #tls:
  #  - secretName: traefik-cert
  rules:
  - host: traefik.test.xxlaila.cn
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web
EOF

注:
tls: traefikm默认加载的证书是tls开头的crt、key证书。如果只有一个证书，可以这么设置。多个域名证书需要设定不同的secret名称，在tls引用的时候根据不同的域名指定不同secret名称
redirect-entry-point: 该域名强制跳转https

traefik 代理外部服务

        traefix对外部应用提供服务，这里以公司的一个应用app和harbor为列，

java app

# cat > java-app.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: app-biz
  name: app-biz
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/affinity: "true"
    traefik.ingress.kubernetes.io/load-balancer-method: drr
spec:
  clusterIP: None
  ports:
  - name: http
    port: 8030
    protocol: TCP
    targetPort: 8030
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: v1
kind: Endpoints
metadata:
  labels:
    k8s-app: app-biz
  name: app-biz
  namespace: default
subsets:
- addresses:
  - ip: 172.22.1.1
  - ip: 172.22.1.2
  ports:
  - name: http
    port: 8030
    protocol: TCP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app-biz
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.frontend.rule.type: PathPrefixStrip
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
spec:
  rules:
  - host: app-biz.test.xxlaila.cn
    http:
      paths:
        - path: /
          backend:
            serviceName: app-biz
            servicePort: 8030
EOF

harbor

# cat >harbor.yaml<<EOF
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: harbor
  name: harbor
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/affinity: "true"
    #traefik.ingress.kubernetes.io/load-balancer-method: drr
spec:
  clusterIP: None
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: v1
kind: Endpoints
metadata:
  labels:
    k8s-app: harbor
  name: harbor
  namespace: default
subsets:
- addresses:
  - ip: 172.21.16.90
  ports:
  - name: http
    port: 80
    protocol: TCP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: harbor
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.frontend.rule.type: PathPrefixStrip
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
spec:
  rules:
  - host: harbor.xxlaila.cn
    http:
      paths:
        - path: /
          backend:
            serviceName: harbor
            servicePort: 80
EOF