Kubernetes Traefik Configuring HTTPS Practice Action Records

Source: Internet
Author: User
Tags k8s asymmetric encryption

1. Reference documentation

http://traefik.cn/

2. Simple way to access

Reference documents
https://tonybai.com/2018/06/25/the-kubernetes-ingress-practice-for-https-service/

Previous: Traefik Basic deployment record, describes the simplest HTTP access Traefik, the access process reference is shown below:

Client---(via HTTP)---> Traefik----(via HTTP)----> Services

Now to practice is more secure and more complex HTTPS access Traefik, there are two kinds of access process, see below:

Back-end service is normal HTTP
That is, the client and Traefik use HTTPS encrypted communication, but between the Traefik and the SVC is the plaintext HTTP communication

Client---(via HTTPS)---> Traefik----(via HTTP)----> Services

The backend service is HTTPS
That is, the client and Traefik use HTTPS encrypted communication, but Traefik and Svc are also using HTTPS communication

Client---(via HTTPS)---> Traefik----(via HTTPS)----> Services

3. The HTTPS basics you need to know before you deploy

Reference Documentation:
http://blog.jobbole.com/110354/

Can you summarize https in a sentence?
The answer is no, because HTTPS itself is too complex. But I'm still trying to summarize https with a few words:

HTTPS to make the client-server communication process secured, must use the symmetric encryption algorithm, but the process of negotiating symmetric encryption algorithm, the use of asymmetric encryption algorithm to ensure security, but the process of using asymmetric encryption itself is not secure, there will be the possibility of the middleman tamper with the public key, So the client and server do not use the public key directly, but instead use a certificate issued by a digital certificate authority to ensure the security of the asymmetric encryption process itself. Through these mechanisms, a symmetric encryption algorithm is negotiated, which is used by both parties to encrypt and decrypt the algorithm. This solves the communication security problem between client and server side.

Why the need to introduce a certificate, the above article is very good.
For SSL communication, you must require an authoritative certification certificate (this requires money), we are the experimental environment, build a certificate to play. In addition to the certificate, the Web software (here is Traefik) is required to turn on SSL support and use the certificate we have established.

4. Configure the Certificate

The lab environment uses the existing certificate with the K8s cluster certificate.

[[email protected] ~]# cd /etc/kubernetes/ssl/[[email protected] ssl]# lsadmin.csr? ? ? apiserver-key.pem? ca.srl? ? ? ? ? ? ? ? ? ? ? kubernetes2-worker.csr? ? ? kubernetes3-worker-key.pemadmin-key.pem? apiserver.pem? ? ? kubernetes1-worker.csr? ? ? kubernetes2-worker-key.pem? kubernetes3-worker.pemadmin.pem? ? ? ca-key.pem? ? ? ?? kubernetes1-worker-key.pem? kubernetes2-worker.pem? ? ? openssl.cnfapiserver.csr? ca.pem? ? ? ? ? ?? kubernetes1-worker.pem? ? ? kubernetes3-worker.csr? ? ? worker-openssl.cnf[[email protected] ssl]#

Note The operation directory, if not operating in this directory, you must specify an absolute path

[[email protected] ssl]# kubectl create secret generic traefik-cert --from-file=ca-key.pem --from-file=ca.pem -n kube-systemsecret "traefik-cert" created[[email protected] ssl]#

5. Create Configmap, save Traefik's configuration

The Traefik here Configure the rules to rewrite all HTTP requests to HTTPS and configure the appropriate certificate location:

[[email protected] config]# cat traefik.tomldefaultEntryPoints = ["http","https"][entryPoints]? [entryPoints.http]? address = ":80"? ? [entryPoints.http.redirect]? ? entryPoint = "https"? [entryPoints.https]? address = ":443"? ? [entryPoints.https.tls]? ? ? [[entryPoints.https.tls.certificates]]? ? ? certFile = "/etc/kubernetes/ssl/ca.pem"? ? ? keyFile = "/etc/kubernetes/ssl/ca-key.pem"
[[email protected] config]# kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-systemconfigmap "traefik-conf" created
[[email protected] config]# kubectl get cm -n kube-systemNAME? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?? DATA? ? ? AGEextension-apiserver-authentication?? 6? ? ? ?? 70dkube-flannel-cfg? ? ? ? ? ? ? ? ? ?? 2? ? ? ?? 70dkube-proxy? ? ? ? ? ? ? ? ? ? ? ? ?? 2? ? ? ?? 70dkubeadm-config? ? ? ? ? ? ? ? ? ? ?? 1? ? ? ?? 70dkubernetes-dashboard-settings? ? ? ? 1? ? ? ?? 61dmysql1.v1? ? ? ? ? ? ? ? ? ? ? ? ? ? 1? ? ? ?? 28dtraefik-conf? ? ? ? ? ? ? ? ? ? ? ?? 1? ? ? ?? 12s[[email protected] config]#``

6. Deploy Traefik, which is primarily to correlate the created secret and Configmap, and mount the corresponding host directory.

Back up the original file

[[email protected] k8s]# cp traefik-deployment.yaml traefik-deployment.yaml.bk[[email protected] k8s]# ll

A well-configured reference is shown below:

[[email protected] k8s]# cat traefik-deployment.yaml---apiVersion:v1kind:ServiceAccountmetadata:? Name:traefik-ingress-controller? Namespace:kube-system---kind:daemonsetapiversion:extensions/v1beta1metadata:? Name:traefik-ingress-controller? Namespace:kube-system? Labels:?? K8s-app:traefik-ingress-lbspec:? Selector:?? Matchlabels:??? K8s-app:traefik-ingress-lb? Template:?? Metadata:??? Labels:???? K8s-app:traefik-ingress-lb???? Name:traefik-ingress-lb?? Spec:??? Serviceaccountname:traefik-ingress-controller??? Terminationgraceperiodseconds:60??? Hostnetwork:true??? Volumes:??? -Name:ssl???? Secret:????? Secretname:traefik-cert??? -Name:config???? Configmap:????? Name:traefik-conf??? Containers:??? -Image:traefik???? Name:traefik-ingress-lb???? Volumemounts:???? -Mountpath: "/etc/kubernetes/ssl"????? Name: "SSL"???? -Mountpath: "/config"????? Name: "config"???? Ports:???? -Name:http?? ? ? ? Containerport:80???? -Name:https????? containerport:443???? -Name:admin????? containerport:8080???? Args:???? ---api???? ---kubernetes???? ---CONFIGFILE=/CONFIG/TRAEFIK.TOML---kind:ServiceapiVersion:v1metadata:? Name:traefik-ingress-service? Namespace:kube-systemspec:? Selector:?? K8s-app:traefik-ingress-lb? Ports:?? -Protocol:tcp??? Port:80??? Name:web?? -Protocol:tcp??? port:443??? Name:https?? -Protocol:tcp??? port:8080??? Name:admin? Type:nodeport[[email protected] k8s]#

Some explanations and explanations about the configuration file parameters:

This operation record is based on the operating environment of the previous article, Traefik-rbac.yaml this is already configured. If this is not configured, please configure it first.

Kind:daemonset official default is to use deployment
Hostnetwork:true has an explanation for this basic article.

? ? ? Args
? ? ? ? ---api
? ? ? ? ---kubernetes
? ? ? ? ---configfile=/config/traefik.toml?

What does this parameter do for you?
This is the parameter, here is the parameter that the container executes when the entrypoint command references

Look at the history of the Traefik mirror.

[[email protected] k8s]# docker history--no-trunc=true docker.io/traefikimage????????????????????????????????? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?? CREATED??????? CREATED by??????????????????????????????????????????????? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?? SIZE???????? Commentsha256:11569c00178041f0502a3251a2d33196c9a153c564814bc9f712c704a85200c2?? 3 weeks ago????? /bin/sh-c # (NOP)? LABEL org.label-schema.vendor=containous Org.label-schema.url=https://traefik.io Org.label-schema.name=traefik Org.label-schema.description=a Modern Reverse-proxy org.label-schema.version=v1.6.5 org.label-schema.docker.schema-version=1.0?? 0 B????????? <missing>??????????????????????????????????????????????????? 3 weeks ago????? /bin/sh-c # (NOP)? entrypoint ["/traefik"]??????????????????????????? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?? 0 B????????? <missing>??????????????????????????????????????????????????? 3 weeks ago????? /bin/sh-c # (NOP)? EXPOSE 80/tcp????????????????????????????????????????????????????????????????????????? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?? 0 B????????? <missing>??????????????????????????????????????????????????? 3 weeks ago????? /bin/sh-c # (NOP) COPY file:ba6114281de19b8e363e82ed5b30471e264464b79049c538a86b7eae309ab46e in/?????????????????? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 52.2 MB??????? <missing>??????????? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?? 6 weeks ago????? /bin/sh-c # (NOP) COPY file:d8282341d1fb7d2cc3d5d3523d0d4126066cc1ba8abe3f0047a459b3a63a5653 in/etc/ssl/certs/????? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 275 KB??????? [[email protected] k8s]#

Actually, it's execution.
&lt;missing&gt;? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?? 3 weeks ago? ? ? ?? /bin/sh -c #(nop)? ENTRYPOINT ["/traefik"] ??
When the parameter

Perform deployment

[[email protected] k8s]# kubectl apply -f traefik-deployment.yamlserviceaccount "traefik-ingress-controller" createddaemonset.extensions "traefik-ingress-controller" createdservice "traefik-ingress-service" created
[[email protected] k8s]# kubectl get po-n kube-systemname??????????????????????????????? Ready??? STATUS?? Restarts?? Ageetcd-kubernetes1???????????? 1/1???? Running?? 39????? 70dkube-apiserver-kubernetes1??????? 1/1???? Running?? 43????? 70dkube-controller-manager-kubernetes1??? 1/1???? Running?? 42????? 70dkube-dns-b4bd9576-db5hh????????? 3/3???? Running?? 117???? 70dkube-flannel-ds-27wrd?????????? 1/1???? Running?? 73????? 70dkube-flannel-ds-6lnj9?????????? 1/1???? Running?? 66????? 70dkube-flannel-ds-xz87r?????????? 1/1???? Running?? 63????? 70dkube-proxy-hhghb???????????? 1/1???? Running?? 39????? 70dkube-proxy-hwvs9???????????? 1/1???? Running?? 39????? 70dkube-proxy-jcxbz???????????? 1/1???? Running?? 39????? 70dkube-scheduler-kubernetes1??????? 1/1???? Running?? 40????? 70dkubernetes-dashboard-7d5dcdb6d9-5zkkl?? 1/1???? RunNing?? 6????? 6dtiller-deploy-5c688d5f9b-kfqwx????? 1/1???? Running?? 12????? 14dtraefik-ingress-controller-8jxsb???? 1/1???? Running?? 0????? 6straefik-ingress-controller-h5wrh???? 1/1???? Running?? 0????? 6s

Errors that may occur

[[email protected] k8s]# kubectl logs traefik-ingress-controller-gpgss -n kube-systemtime="2018-08-01T03:06:30Z" level=error msg="Unable to add a certificate to the entryPoint \"https\" : unable to generate TLS certificate : tls: failed to find any PEM data in certificate input"time="2018-08-01T03:06:30Z" level=error msg="Error creating TLS config: No certificates found for TLS entrypoint https"time="2018-08-01T03:06:30Z" level=fatal msg="Error preparing server: No certificates found for TLS entrypoint https" ?

This is caused by a path problem:
See the following configuration parameters

Path to the traefik.toml file

 [[entryPoints.https.tls.certificates]]? ? ? certFile = "/etc/kubernetes/ssl/ca.pem"? ? ? keyFile = "/etc/kubernetes/ssl/ca-key.pem"

# #这个证书是存放在k8s the directory on node

?```
Volumemounts:
? ? ? ? -Mountpath: "/etc/kubernetes/ssl"
? ? ? ? Name: "SSL"
? ? ? ? -Mountpath: "/config"
? ? ? ? ? Name: "Config"

##为什么这个目录要配置成和traefik.toml里的路径一样呢?思考下。注意这个挂载路径是会自动建立的? ? ? ? args:? ? ? ? - --api? ? ? ? - --kubernetes? ? ? ? - --configfile=/config/traefik.toml##原因就是因为这个引用,如果上面mountPath配置的路径不正确,将找不到配置的证书。?configfile引用traefik.toml,traefik.toml引用的路径是前面node上的,在容器里如果不建立一样的路径,traefik.toml在容器里去哪读取证书呢?traefik已经部署成功。7.traefik飞起来1看看前面提到的访问过程示图:client --- (via https) ---> traefik ---- (via http) ---->? services先测试这个简单介绍,在k8s集群中部署了wordpress(这是基于http80端口的服务),现在通过traefik https跳转访问wordpresssvc,po情况

[[email protected] ~]# Kubectl Get Svc
NAME TYPE cluster-ip external-ip PORT (S) Age
Httpd-svc clusterip 10.106.13.46 <none> 80/tcp 13d
Kubernetes clusterip 10.96.0.1 <none> 443/tcp 72d
MySQL Clusterip 10.97.84.51 <none> 3306/tcp 2d
WordPress Clusterip 10.111.234.225 <none> 8080/tcp 2d
[Email protected] ~]#

[[email protected] ~]# Kubectl get PO
NAME Ready STATUS Restarts
HTTPD-749BF8C6F4-BFJFW 1/1 Running 0 2h
Httpd-749bf8c6f4-ghpzl 1/1 Running 0 2h
Httpd-749bf8c6f4-xvrn4 1/1 Running 0 2h
Mysql-5bbbf49b4f-wjw47 1/1 Running 4 2d
NGINX-DEPLOYMENT-6B5C99B6FD-PSCR6 1/1 Running 0 2h
NGINX-DEPLOYMENT-6B5C99B6FD-ZR2P7 1/1 Running 0 2h
Node-exporter-4gbh9 1/1 Running 35d
NODE-EXPORTER-8H9VP 1/1 Running 35d
WORDPRESS-POD-7DD7659959-HC7MR 1/1 Running 4 2d
[Email protected] ~]#

ingress文件

[email protected] ~]# cat Wp/wordpress.ingress.yaml
Apiversion:extensions/v1beta1
Kind:ingress
Metadata
? Name:wordpress-ingress
? Namespace:default
Spec
? Rules
? -Host:wordpress.ingress
? ? http
? ? ? Paths
? ? ? -Path:/
? ? ? ? Backend:
? ? ? ? ? Servicename:wordpress
? ? ? ? ? serviceport:8080
[Email protected] ~]#

执行部署

[Email protected] wp]# Kubectl apply-f Wordpress.ingress.yaml
Ingress.extensions "Wordpress-ingress" created

[[email protected] ~]# kubectl get ing
NAME???????? The HOSTS???????? ADDRESS?? PORTS??? Age
Httpd-svc-ingress?? Httpd-svc.ingress??????? 80???? 5d
Wordpress-ingress?? Wordpress.ingress??????? 80???? 4d
[Email protected] ~]#

在访问的主机解析好域名,访问正常8.traefik飞起来2

Kubernetes Traefik Configuring HTTPS Practice action Records

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.