Kubernetes Traefik Configuring HTTPS Practice Action Records

Source: Internet
Author: User
Tags: k8s, asymmetric encryption

1. Reference documentation

http://traefik.cn/

2. Simple way to access

Reference documents
https://tonybai.com/2018/06/25/the-kubernetes-ingress-practice-for-https-service/

The previous article, Traefik basic deployment record, described the simplest case, plain HTTP access through Traefik. That access flow is shown below:

Client ---(via HTTP)---> Traefik ---(via HTTP)---> Services

Now we practice the more secure, and more complex, HTTPS access through Traefik. There are two possible access flows, shown below:

The backend service is plain HTTP
That is, the client and Traefik communicate over encrypted HTTPS, but Traefik and the Service communicate over plaintext HTTP.

Client ---(via HTTPS)---> Traefik ---(via HTTP)---> Services

The backend service is HTTPS
That is, the client and Traefik communicate over encrypted HTTPS, and Traefik and the Service also communicate over HTTPS.

Client ---(via HTTPS)---> Traefik ---(via HTTPS)---> Services

3. The HTTPS basics you need to know before you deploy

Reference Documentation:
http://blog.jobbole.com/110354/

Can HTTPS be summarized in one sentence?
No, because HTTPS itself is too complex. Still, here is an attempt to summarize it in a few words:

To secure client-server communication, HTTPS encrypts the traffic with a symmetric encryption algorithm. The negotiation of that symmetric algorithm is protected with asymmetric encryption, but the asymmetric step by itself is not secure either: a man in the middle could tamper with the public key. So the client and server do not use a bare public key directly; instead the server presents a certificate issued by a digital certificate authority, which secures the asymmetric step itself. Through these mechanisms a symmetric encryption algorithm is negotiated, which both sides then use to encrypt and decrypt the traffic. This solves the communication security problem between client and server.

The article above explains very well why certificates had to be introduced.
For SSL communication, a certificate issued by an authoritative CA is required (this costs money). Since ours is an experimental environment, we build our own certificate to play with. Besides the certificate, the web software (here, Traefik) must have SSL support turned on and must use the certificate we built.

4. Configure the Certificate

The lab environment reuses the existing k8s cluster certificate as Traefik's certificate. Note that this means the cluster CA certificate and its private key serve as Traefik's TLS certificate and are mounted into the ingress pod, which is acceptable only in a lab.

[root@kubernetes1 ~]# cd /etc/kubernetes/ssl/
[root@kubernetes1 ssl]# ls
admin.csr      apiserver-key.pem  ca.srl                      kubernetes2-worker.csr      kubernetes3-worker-key.pem
admin-key.pem  apiserver.pem      kubernetes1-worker.csr      kubernetes2-worker-key.pem  kubernetes3-worker.pem
admin.pem      ca-key.pem         kubernetes1-worker-key.pem  kubernetes2-worker.pem      openssl.cnf
apiserver.csr  ca.pem             kubernetes1-worker.pem      kubernetes3-worker.csr      worker-openssl.cnf
[root@kubernetes1 ssl]#

Note the working directory: if you do not run the command from this directory, you must give the files as absolute paths.

[root@kubernetes1 ssl]# kubectl create secret generic traefik-cert --from-file=ca-key.pem --from-file=ca.pem -n kube-system
secret "traefik-cert" created
[root@kubernetes1 ssl]#

5. Create a ConfigMap holding Traefik's configuration

The Traefik configuration here sets a rule that redirects all HTTP requests to HTTPS and points at the certificate location:

[root@kubernetes1 config]# cat traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/kubernetes/ssl/ca.pem"
      keyFile = "/etc/kubernetes/ssl/ca-key.pem"
[root@kubernetes1 config]# kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
configmap "traefik-conf" created
[root@kubernetes1 config]# kubectl get cm -n kube-system
NAME                                 DATA   AGE
extension-apiserver-authentication   6      70d
kube-flannel-cfg                     2      70d
kube-proxy                           2      70d
kubeadm-config                       1      70d
kubernetes-dashboard-settings        1      61d
mysql1.v1                            1      28d
traefik-conf                         1      12s
[root@kubernetes1 config]#

6. Deploy Traefik. The main work is to reference the Secret and ConfigMap created above and to mount them at the corresponding paths inside the container.

Back up the original file:

[root@kubernetes1 k8s]# cp traefik-deployment.yaml traefik-deployment.yaml.bk
[root@kubernetes1 k8s]# ll

A well-configured reference is shown below:

[root@kubernetes1 k8s]# cat traefik-deployment.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/etc/kubernetes/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --configfile=/config/traefik.toml
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - protocol: TCP
    port: 80
    name: web
  - protocol: TCP
    port: 443
    name: https
  - protocol: TCP
    port: 8080
    name: admin
  type: NodePort
[root@kubernetes1 k8s]#

Some explanations of the configuration file parameters:

This record builds on the environment of the previous article, where traefik-rbac.yaml was already applied. If it is not configured yet, configure it first.

kind: DaemonSet        The official default is a Deployment.
hostNetwork: true      This is explained in the basic article.

        args:
        - --api
        - --kubernetes
        - --configfile=/config/traefik.toml

What do these parameters do?
They are the arguments the container passes to the command referenced by the image's ENTRYPOINT. Look at the history of the Traefik image:

[root@kubernetes1 k8s]# docker history --no-trunc=true docker.io/traefik
IMAGE                                                                     CREATED       CREATED BY                                                                                                                                                                                                                                                   SIZE      COMMENT
sha256:11569c00178041f0502a3251a2d33196c9a153c564814bc9f712c704a85200c2   3 weeks ago   /bin/sh -c #(nop)  LABEL org.label-schema.vendor=containous org.label-schema.url=https://traefik.io org.label-schema.name=traefik org.label-schema.description=A modern reverse-proxy org.label-schema.version=v1.6.5 org.label-schema.docker.schema-version=1.0   0 B
<missing>                                                                 3 weeks ago   /bin/sh -c #(nop)  ENTRYPOINT ["/traefik"]                                                                                                                                                                                                                   0 B
<missing>                                                                 3 weeks ago   /bin/sh -c #(nop)  EXPOSE 80/tcp                                                                                                                                                                                                                             0 B
<missing>                                                                 3 weeks ago   /bin/sh -c #(nop) COPY file:ba6114281de19b8e363e82ed5b30471e264464b79049c538a86b7eae309ab46e in /                                                                                                                                                          52.2 MB
<missing>                                                                 6 weeks ago   /bin/sh -c #(nop) COPY file:d8282341d1fb7d2cc3d5d3523d0d4126066cc1ba8abe3f0047a459b3a63a5653 in /etc/ssl/certs/                                                                                                                                            275 KB
[root@kubernetes1 k8s]#

So what actually runs is this entrypoint, with the args appended to it:

<missing>   3 weeks ago   /bin/sh -c #(nop)  ENTRYPOINT ["/traefik"]

That is, the container executes /traefik --api --kubernetes --configfile=/config/traefik.toml.

Perform the deployment:

[root@kubernetes1 k8s]# kubectl apply -f traefik-deployment.yaml
serviceaccount "traefik-ingress-controller" created
daemonset.extensions "traefik-ingress-controller" created
service "traefik-ingress-service" created
[root@kubernetes1 k8s]# kubectl get po -n kube-system
NAME                                    READY   STATUS    RESTARTS   AGE
etcd-kubernetes1                        1/1     Running   39         70d
kube-apiserver-kubernetes1              1/1     Running   43         70d
kube-controller-manager-kubernetes1     1/1     Running   42         70d
kube-dns-b4bd9576-db5hh                 3/3     Running   117        70d
kube-flannel-ds-27wrd                   1/1     Running   73         70d
kube-flannel-ds-6lnj9                   1/1     Running   66         70d
kube-flannel-ds-xz87r                   1/1     Running   63         70d
kube-proxy-hhghb                        1/1     Running   39         70d
kube-proxy-hwvs9                        1/1     Running   39         70d
kube-proxy-jcxbz                        1/1     Running   39         70d
kube-scheduler-kubernetes1              1/1     Running   40         70d
kubernetes-dashboard-7d5dcdb6d9-5zkkl   1/1     Running   6          6d
tiller-deploy-5c688d5f9b-kfqwx          1/1     Running   12         14d
traefik-ingress-controller-8jxsb        1/1     Running   0          6s
traefik-ingress-controller-h5wrh        1/1     Running   0          6s

Errors that may occur:

[root@kubernetes1 k8s]# kubectl logs traefik-ingress-controller-gpgss -n kube-system
time="2018-08-01T03:06:30Z" level=error msg="Unable to add a certificate to the entryPoint \"https\" : unable to generate TLS certificate : tls: failed to find any PEM data in certificate input"
time="2018-08-01T03:06:30Z" level=error msg="Error creating TLS config: No certificates found for TLS entrypoint https"
time="2018-08-01T03:06:30Z" level=fatal msg="Error preparing server: No certificates found for TLS entrypoint https"

This is caused by a path problem. Look at the following configuration parameters.

The path in the traefik.toml file:

      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/kubernetes/ssl/ca.pem"
      keyFile = "/etc/kubernetes/ssl/ca-key.pem"

This certificate is stored in that directory on the k8s node.

        volumeMounts:
        - mountPath: "/etc/kubernetes/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"

Why must this mount path be configured to match the path in traefik.toml? Think about it. Note that the mount path is created automatically.

        args:
        - --api
        - --kubernetes
        - --configfile=/config/traefik.toml

The reason is this reference: if the mountPath configured above is wrong, the configured certificate cannot be found. --configfile references traefik.toml, and traefik.toml refers to a path that exists on the node; if the same path is not established inside the container, where would traefik.toml, read inside the container, find the certificate?
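The path-consistency rule described above can be checked mechanically before deploying. The script below is an added example, not from the article: it parses the certFile/keyFile paths out of a traefik.toml and the mountPath entries out of the DaemonSet YAML, then verifies that each TLS path sits under a mount and that the file there holds PEM data. The two sample files and the placeholder PEM contents are constructed here, and the `root` argument stands in for the container filesystem.

```shell
# Added example (not from the article): verify that every certFile/keyFile in
# traefik.toml lies under a mountPath of the Traefik DaemonSet and that the file
# there holds PEM data. This is the mismatch behind the "failed to find any PEM
# data in certificate input" error above.
set -eu
# Constructed sample inputs: trimmed copies of the article's two files.
WORK=$(mktemp -d)
cat >"$WORK/traefik.toml" <<'EOF'
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/kubernetes/ssl/ca.pem"
      keyFile = "/etc/kubernetes/ssl/ca-key.pem"
EOF
cat >"$WORK/traefik-deployment.yaml" <<'EOF'
        volumeMounts:
        - mountPath: "/etc/kubernetes/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
EOF
# Fake container filesystem with placeholder PEM files where the secret mounts.
mkdir -p "$WORK/root/etc/kubernetes/ssl"
printf -- '-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n' \
  >"$WORK/root/etc/kubernetes/ssl/ca.pem"
printf -- '-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n' \
  >"$WORK/root/etc/kubernetes/ssl/ca-key.pem"
# Every certFile/keyFile value in a traefik.toml, one per line.
tls_paths() { awk -F'"' '/^[ \t]*(certFile|keyFile)[ \t]*=/ { print $2 }' "$1"; }
# Every mountPath in the DaemonSet YAML, one per line, quotes stripped.
mount_paths() { awk '/^[ \t]*-[ \t]*mountPath:/ { gsub(/"/, "", $3); print $3 }' "$1"; }
# check_tls_paths TOML YAML ROOT: exit 0 only if each TLS path sits under some
# mountPath and ROOT+path (ROOT is "" inside the real container) contains PEM.
check_tls_paths() {
  toml=$1; yaml=$2; root=${3:-}; rc=0
  mounts=$(mount_paths "$yaml")
  for p in $(tls_paths "$toml"); do
    covered=0
    for m in $mounts; do
      case "$p" in "$m"/*) covered=1 ;; esac
    done
    if [ "$covered" -eq 0 ]; then
      echo "NOT MOUNTED: $p is under no volumeMounts.mountPath" >&2; rc=1
    elif ! grep -q -- '-----BEGIN' "$root$p" 2>/dev/null; then
      echo "NO PEM DATA: $root$p is missing or not a PEM file" >&2; rc=1
    fi
  done
  return "$rc"
}
check_tls_paths "$WORK/traefik.toml" "$WORK/traefik-deployment.yaml" "$WORK/root" && echo "TLS paths consistent"
```

Against the real files, run it with the node's traefik.toml and traefik-deployment.yaml and an empty third argument from inside the Traefik container, or point `root` at a directory that mirrors the mounts.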

Traefik has been deployed successfully.

7. Traefik takes off (1)

Look again at the access flow shown earlier:

Client ---(via HTTPS)---> Traefik ---(via HTTP)---> Services

Test this flow first.
Briefly: WordPress is already deployed in the k8s cluster (it is based on the HTTP port 80 service). We now access WordPress through Traefik, with HTTP redirected to HTTPS.

Service and pod status:

[root@kubernetes1 ~]# kubectl get svc
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
httpd-svc    ClusterIP   10.106.13.46     <none>        80/TCP     13d
kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP    72d
mysql        ClusterIP   10.97.84.51      <none>        3306/TCP   2d
wordpress    ClusterIP   10.111.234.225   <none>        8080/TCP   2d
[root@kubernetes1 ~]#
[root@kubernetes1 ~]# kubectl get po
NAME                                READY   STATUS    RESTARTS   AGE
httpd-749bf8c6f4-bfjfw              1/1     Running   0          2h
httpd-749bf8c6f4-ghpzl              1/1     Running   0          2h
httpd-749bf8c6f4-xvrn4              1/1     Running   0          2h
mysql-5bbbf49b4f-wjw47              1/1     Running   4          2d
nginx-deployment-6b5c99b6fd-pscr6   1/1     Running   0          2h
nginx-deployment-6b5c99b6fd-zr2p7   1/1     Running   0          2h
node-exporter-4gbh9                 1/1     Running   24         35d
node-exporter-8h9vp                 1/1     Running   25         35d
wordpress-pod-7dd7659959-hc7mr      1/1     Running   4          2d
[root@kubernetes1 ~]#

Ingress file:

[root@kubernetes1 ~]# cat wp/wordpress.ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: wordpress-ingress
  namespace: default
spec:
  rules:
  - host: wordpress.ingress
    http:
      paths:
      - path: /
        backend:
          serviceName: wordpress
          servicePort: 8080
[root@kubernetes1 ~]#

Perform the deployment:

[root@kubernetes1 wp]# kubectl apply -f wordpress.ingress.yaml
ingress.extensions "wordpress-ingress" created
[root@kubernetes1 ~]# kubectl get ing
NAME                HOSTS               ADDRESS   PORTS   AGE
httpd-svc-ingress   httpd-svc.ingress             80      5d
wordpress-ingress   wordpress.ingress             80      4d
[root@kubernetes1 ~]#

Resolve the domain name on the accessing host (a hosts entry is enough), and access works normally.

8. Traefik takes off (2)
