k8s Cluster ingress HTTPS practice

Source: Internet
Author: User
Tags k8s

The previous article introduced using Ingress together with Traefik to separate dynamic and static traffic at the entry point. This article builds on it to implement HTTPS on the ingress.

For simplicity and efficiency, it is recommended to implement HTTPS offload at the ingress layer once applications are deployed in containers. In plain terms, the connection from the user to the ingress uses HTTPS, and the connection from the ingress to the back-end service uses HTTP.

Our HTTPS configuration requirements are also fairly simple, mainly the following:
1. HTTP automatically redirects to HTTPS
2. HTTPS supports virtual hosts (TLS SNI)

I. Initial environment preparation

1. For ease of testing, the routing rules for the dynamic part of the site from the previous configuration are removed, leaving only the static part

2. Configure hosts file records for name resolution

3. HTTP access test

II. Preparing the certificate files and configuration file

1. The four certificate files for the two sites are kept together in a single Secret

# kubectl create secret generic traefik-cert --from-file=star_59iedu_com.key  --from-file=star_59iedu_com.pem  --from-file=star_yingjigl_com.key  --from-file=star_yingjigl_com.pem -n kube-system


2. Configure HTTP redirection to HTTPS while supporting multiple HTTPS virtual hosts (TLS SNI)

# cat traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/star_59iedu_com.pem"
      keyFile = "/ssl/star_59iedu_com.key"
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/star_yingjigl_com.pem"
      keyFile = "/ssl/star_yingjigl_com.key"
# kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system

III. Modify the Traefik configuration file

The main change is adding the config and ssl volumes; the rest of the configuration (for example RBAC, Service, Ingress) remains unchanged. For the details, refer to the previous article: http://blog.51cto.com/ylw6006/2073718

# cat traefik-deployment.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 2
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      hostNetwork: true
      nodeSelector:
        traefik: proxy
      terminationGracePeriodSeconds: 60
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        ports:
        - name: web
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8081
        args:
        - --configfile=/config/traefik.toml
        - --web
        - --web.address=:8081
        - --kubernetes
# kubectl apply -f traefik-deployment.yaml   

IV. Access testing and validation
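
One way to check both requirements (HTTP redirect and per-host SNI certificates) from a client with curl and openssl, as an added example that is not part of the original article. The node address and host names in the example call are placeholders, since the article's real host names are not shown.

```shell
#!/usr/bin/env bash
# Added example: client-side check of the two HTTPS requirements.
# The node address and host names passed in are placeholders (assumptions).

# Read HTTP response headers on stdin; succeed only for a 3xx response
# whose Location is an https:// URL on the expected host.
redirects_to_https() {
  local host=$1 status="" location="" line cr
  cr=$(printf '\r')
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%"$cr"}                      # headers end in CRLF
    case "$line" in
      HTTP/*) status=${line#* }; status=${status%% *} ;;
      [Ll]ocation:*) location=${line#*:}; location=${location# } ;;
    esac
  done
  case "$status" in 3??) ;; *) return 1 ;; esac
  case "$location" in
    "https://$host"|"https://$host"[/:?]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Request the certificate Traefik selects for SNI name $1 from address $2
# and succeed only if that certificate covers the name (no chain check).
sni_cert_matches() {
  local host=$1 addr=$2
  openssl s_client -connect "$addr:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -checkhost "$host" 2>/dev/null \
    | grep -q "does match certificate"
}

# Run both checks per virtual host: check_ingress <node-ip> <host>...
check_ingress() {
  local addr=$1 host rc=0
  shift
  for host in "$@"; do
    if curl -sI --max-time 5 --resolve "$host:80:$addr" "http://$host/" \
        | redirects_to_https "$host"; then
      echo "$host: HTTP redirects to HTTPS"
    else echo "$host: no redirect to HTTPS" >&2; rc=1; fi
    if sni_cert_matches "$host" "$addr"; then
      echo "$host: certificate matches SNI name"
    else echo "$host: certificate does not match SNI name" >&2; rc=1; fi
  done
  return "$rc"
}
# Example call: check_ingress 192.0.2.10 www.example.test static.example.test
```

Run it once per node labelled traefik=proxy, because each replica terminates TLS on its own host network.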




Reference documentation:
Other requirements, such as gzip compression, TLS versions and cipher suites, and rewrite redirects, are also covered in this document:
https://docs.traefik.io/configuration/entrypoints/#basic
