Kubernetes Traefik HTTPS configuration: practice record

Source: Internet
Author: User
Tags: k8s, asymmetric encryption

1. Reference documentation

http://traefik.cn/

2. Access flows

Reference documents
https://tonybai.com/2018/06/25/the-kubernetes-ingress-practice-for-https-service/

The previous article (Traefik basic deployment record) covered the simplest case, plain HTTP access through Traefik. That flow looks like this:

Client ---(HTTP)---> Traefik ---(HTTP)---> Services

This time the exercise is the more secure and more involved HTTPS access through Traefik. There are two possible flows:

Backend service speaks plain HTTP
The client and Traefik talk HTTPS, but Traefik and the Service talk plaintext HTTP (TLS terminates at Traefik):

Client ---(HTTPS)---> Traefik ---(HTTP)---> Services

Backend service speaks HTTPS
The client and Traefik talk HTTPS, and Traefik and the Service also talk HTTPS:

Client ---(HTTPS)---> Traefik ---(HTTPS)---> Services

3. HTTPS basics you need to know before deploying

Reference documentation:
http://blog.jobbole.com/110354/

Can HTTPS be summarized in one sentence?
Not really, HTTPS is too involved for that, but here is an attempt in a few sentences:

To protect the client-server conversation, HTTPS encrypts the traffic with a symmetric cipher. The symmetric key has to be agreed first, and that negotiation is protected with asymmetric (public-key) cryptography. A bare public key does not solve the problem either, because a man in the middle could substitute his own public key, so the client does not trust a raw public key but a certificate issued by a certificate authority (CA), which binds the public key to the server's name. With these pieces the two sides negotiate a symmetric key and cipher, encrypt and decrypt the traffic with it, and the channel between client and server is secured.

The article above explains well why certificates are needed.
For TLS you need a certificate that the client trusts. In production that means one issued by a CA the clients already trust (commercial CAs charge for this); in a lab environment you can build one yourself. Apart from the certificate, the web software (Traefik here) must have TLS enabled and be pointed at the certificate and its private key.

4. Configure the certificate

The lab environment reuses an existing pair of files from the Kubernetes cluster's PKI directory: ca.pem and ca-key.pem, that is, the cluster CA certificate and its private key.

A caveat before anyone copies this: it is acceptable for a throwaway lab and nothing more. The CA key is the root of trust for every apiserver, kubelet and client certificate in the cluster, so mounting it into an internet-facing proxy pod means that anyone who compromises that pod, or who can read Secrets in kube-system, can mint credentials for the whole cluster. A CA certificate also carries no subjectAltName for the hostname being served, so a client that checks the name will reject it. The proper setup is a dedicated server certificate with the hostname in its SAN, signed by the cluster CA or any other CA, with only that certificate and its key placed in the Secret.

# cd /etc/kubernetes/ssl/
# ls
admin.csr      apiserver-key.pem  ca.srl                      kubernetes2-worker.csr      kubernetes3-worker-key.pem
admin-key.pem  apiserver.pem      kubernetes1-worker.csr      kubernetes2-worker-key.pem  kubernetes3-worker.pem
admin.pem      ca-key.pem         kubernetes1-worker-key.pem  kubernetes2-worker.pem      openssl.cnf
apiserver.csr  ca.pem             kubernetes1-worker.pem      kubernetes3-worker.csr      worker-openssl.cnf

Note the working directory: if you run the command from somewhere else, pass absolute paths to --from-file. Each --from-file entry becomes a key in the Secret named after the file (ca-key.pem and ca.pem), and those are the filenames that reappear when the Secret is mounted later.

# kubectl create secret generic traefik-cert --from-file=ca-key.pem --from-file=ca.pem -n kube-system
secret "traefik-cert" created
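The objection to serving with ca.pem / ca-key.pem can be checked mechanically. The Go program below is an added example, not code from the original page or from Traefik: it builds a throwaway CA standing in for the cluster CA (constructed here, not the real one), issues a dedicated server certificate for wordpress.ingress (the hostname used later in this article) signed by that CA, and then runs the checks a TLS client performs: load the PEM pair, refuse a CA certificate outright, verify chain, hostname and server-auth usage. Running it shows the dedicated certificate passing and the CA certificate itself being rejected. All function names are mine and only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert makes a fresh P-256 key and signs tmpl with parent/parentKey (self-signed
// when parent is nil); returns the parsed cert, its key and the cert as PEM.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// keyToPEM encodes a key the way ca-key.pem or a server key file holds it.
func keyToPEM(key *ecdsa.PrivateKey) []byte {
	der, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
}

// newCA builds a throwaway CA standing in for the cluster's ca.pem / ca-key.pem
// (constructed for this example; it is not the real cluster CA).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	return newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// issueServerCert signs a dedicated leaf for dnsNames with the CA. This pair,
// not the CA's, is what belongs in the Secret that Traefik mounts.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsNames []string) ([]byte, []byte, error) {
	_, key, certPEM, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames, // clients match the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil {
		return nil, nil, err
	}
	return certPEM, keyToPEM(key), nil
}

// checkServerCert does what a client trusting caPEM does on connecting to host:
// loads the pair as a TLS server would, refuses CA certificates outright, then
// verifies chain, hostname and server-auth usage.
func checkServerCert(certPEM, keyPEM, caPEM []byte, host string) error {
	if _, err := tls.X509KeyPair(certPEM, keyPEM); err != nil {
		return fmt.Errorf("cert/key pair does not load: %w", err)
	}
	block, _ := pem.Decode(certPEM) // X509KeyPair succeeded, so a PEM block exists
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if cert.IsCA {
		return errors.New("this is a CA certificate, not a server certificate: never serve with it")
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	ca, caKey, caPEM, err := newCA()
	if err != nil {
		panic(err)
	}
	certPEM, keyPEM, err := issueServerCert(ca, caKey, []string{"wordpress.ingress"})
	if err != nil {
		panic(err)
	}
	fmt.Println("dedicated server cert:", checkServerCert(certPEM, keyPEM, caPEM, "wordpress.ingress"))
	// What the article's traefik.toml actually does: serve with ca.pem / ca-key.pem.
	fmt.Println("cluster CA as server cert:", checkServerCert(caPEM, keyToPEM(caKey), caPEM, "wordpress.ingress"))
}
```

In practice you would write certPEM and keyPEM to files and pass those to kubectl create secret in place of ca.pem and ca-key.pem; the CA private key then never has to leave the control plane, and the certificate carries the SAN that clients check.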

5. Create a ConfigMap holding Traefik's configuration

Traefik is configured here to redirect every HTTP request to HTTPS and to point at the certificate and key files:

# cat traefik.toml
defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/kubernetes/ssl/ca.pem"
      keyFile = "/etc/kubernetes/ssl/ca-key.pem"

The certFile and keyFile paths are resolved inside the Traefik container, not on the node; they have to match where the Secret gets mounted in the next step.

# kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
configmap "traefik-conf" created

# kubectl get cm -n kube-system
NAME                                 DATA   AGE
extension-apiserver-authentication   6      70d
kube-flannel-cfg                     2      70d
kube-proxy                           2      70d
kubeadm-config                       1      70d
kubernetes-dashboard-settings        1      61d
mysql1.v1                            1      28d
traefik-conf                         1      12s

6. Deploy Traefik. The main job is to reference the Secret and ConfigMap created above and mount them into the container.

Back up the original file:

# cp traefik-deployment.yaml traefik-deployment.yaml.bk
# ll

A working configuration for reference:

# cat traefik-deployment.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/etc/kubernetes/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --configfile=/config/traefik.toml
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 443
      name: https
    - protocol: TCP
      port: 8080
      name: admin
  type: NodePort

Some explanations of the parameters in this file:

This record builds on the environment of the previous article, where traefik-rbac.yaml is already applied. If it is not, apply it first.

kind: DaemonSet   The official example uses a Deployment by default.
hostNetwork: true   Explained in the basic article. With hostNetwork every containerPort is bound directly on the node's interfaces, including 8080.
image: traefik   No tag, so whatever is currently tagged latest gets pulled (v1.6.5 when this was written, see the image history below). Pin the tag so redeployments are reproducible.
--api   Enables Traefik's API and dashboard on port 8080, with no authentication unless you configure some. Combined with hostNetwork that is reachable on every node's IP, so restrict it or leave it off outside a lab.

        args:
        - --api
        - --kubernetes
        - --configfile=/config/traefik.toml

What do these args do?
They are the arguments appended to the command the container runs. Look at the history of the traefik image:

# docker history --no-trunc=true docker.io/traefik
IMAGE                                                                     CREATED       CREATED BY                                                                                                       SIZE
sha256:11569c00178041f0502a3251a2d33196c9a153c564814bc9f712c704a85200c2   3 weeks ago   /bin/sh -c #(nop)  LABEL org.label-schema.vendor=containous org.label-schema.url=https://traefik.io org.label-schema.name=traefik org.label-schema.description=A Modern Reverse-Proxy org.label-schema.version=v1.6.5 org.label-schema.docker.schema-version=1.0   0 B
<missing>                                                                 3 weeks ago   /bin/sh -c #(nop)  ENTRYPOINT ["/traefik"]                                                                       0 B
<missing>                                                                 3 weeks ago   /bin/sh -c #(nop)  EXPOSE 80/tcp                                                                                 0 B
<missing>                                                                 3 weeks ago   /bin/sh -c #(nop) COPY file:ba6114281de19b8e363e82ed5b30471e264464b79049c538a86b7eae309ab46e in /               52.2 MB
<missing>                                                                 6 weeks ago   /bin/sh -c #(nop) COPY file:d8282341d1fb7d2cc3d5d3523d0d4126066cc1ba8abe3f0047a459b3a63a5653 in /etc/ssl/certs/  275 KB

The image's ENTRYPOINT is ["/traefik"], and Kubernetes appends args to the entrypoint, so the container effectively runs /traefik with --api --kubernetes --configfile=/config/traefik.toml as its arguments.

Apply it:

# kubectl apply -f traefik-deployment.yaml
serviceaccount "traefik-ingress-controller" created
daemonset.extensions "traefik-ingress-controller" created
service "traefik-ingress-service" created

# kubectl get po -n kube-system
NAME                                    READY   STATUS    RESTARTS   AGE
etcd-kubernetes1                        1/1     Running   39         70d
kube-apiserver-kubernetes1              1/1     Running   43         70d
kube-controller-manager-kubernetes1     1/1     Running   42         70d
kube-dns-b4bd9576-db5hh                 3/3     Running   117        70d
kube-flannel-ds-27wrd                   1/1     Running   73         70d
kube-flannel-ds-6lnj9                   1/1     Running   66         70d
kube-flannel-ds-xz87r                   1/1     Running   63         70d
kube-proxy-hhghb                        1/1     Running   39         70d
kube-proxy-hwvs9                        1/1     Running   39         70d
kube-proxy-jcxbz                        1/1     Running   39         70d
kube-scheduler-kubernetes1              1/1     Running   40         70d
kubernetes-dashboard-7d5dcdb6d9-5zkkl   1/1     Running   6          6d
tiller-deploy-5c688d5f9b-kfqwx          1/1     Running   12         14d
traefik-ingress-controller-8jxsb        1/1     Running   0          6s
traefik-ingress-controller-h5wrh        1/1     Running   0          6s

Errors that may occur

# kubectl logs traefik-ingress-controller-gpgss -n kube-system
time="2018-08-01T03:06:30Z" level=error msg="Unable to add a certificate to the entrypoint \"https\": unable to generate TLS certificate: tls: failed to find any PEM data in certificate input"
time="2018-08-01T03:06:30Z" level=error msg="Error creating TLS config: no certificates found for TLS entrypoint https"
time="2018-08-01T03:06:30Z" level=fatal msg="Error preparing server: no certificates found for TLS entrypoint https"

This is a path problem. Look at the relevant settings.

In traefik.toml:

[[entryPoints.https.tls.certificates]]
      certFile = "/etc/kubernetes/ssl/ca.pem"
      keyFile = "/etc/kubernetes/ssl/ca-key.pem"

These paths are resolved inside the Traefik container. The files do not come from the node's /etc/kubernetes/ssl directory at all: they come from the Secret traefik-cert, whose keys (ca.pem and ca-key.pem, the names given to --from-file) are materialized as files wherever that volume is mounted:

        volumeMounts:
        - mountPath: "/etc/kubernetes/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"

Why must this mountPath equal the directory in traefik.toml? Traefik reads its configuration from /config/traefik.toml (the --configfile argument, served from the ConfigMap mounted at /config), and the certFile and keyFile paths in that file are looked up in the container's filesystem. The mount directory is created automatically; it only has to match the path written in traefik.toml, and the fact that the node has a directory of the same name is irrelevant. If the mountPath is wrong, Traefik does not find the files and fails with the error above. The message says "failed to find any PEM data" rather than "no such file" because Traefik 1.x treats a certFile value that is not an existing file as inline PEM content, and a path string is not PEM. A quick way to confirm is to exec into the pod and list the mount directory.

Traefik is now deployed successfully.

7. Traefik takes off, part 1

Recall the first access flow from above:

Client ---(HTTPS)---> Traefik ---(HTTP)---> Services

Test this first.
Briefly: a WordPress instance is already deployed in the cluster (its Service is plain HTTP); we now reach it over HTTPS through Traefik, with HTTP requests redirected to HTTPS.

Service and Pod state:

# kubectl get svc
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
httpd-svc    ClusterIP   10.106.13.46     <none>        80/TCP     13d
kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP    72d
mysql        ClusterIP   10.97.84.51      <none>        3306/TCP   2d
wordpress    ClusterIP   10.111.234.225   <none>        8080/TCP   2d

# kubectl get po
NAME                                READY   STATUS    RESTARTS   AGE
httpd-749bf8c6f4-bfjfw              1/1     Running   0          2h
httpd-749bf8c6f4-ghpzl              1/1     Running   0          2h
httpd-749bf8c6f4-xvrn4              1/1     Running   0          2h
mysql-5bbbf49b4f-wjw47              1/1     Running   4          2d
nginx-deployment-6b5c99b6fd-pscr6   1/1     Running   0          2h
nginx-deployment-6b5c99b6fd-zr2p7   1/1     Running   0          2h
node-exporter-4gbh9                 1/1     Running   24         35d
node-exporter-8h9vp                 1/1     Running   25         35d
wordpress-pod-7dd7659959-hc7mr      1/1     Running   4          2d

Ingress file:

# cat wp/wordpress.ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: wordpress-ingress
  namespace: default
spec:
  rules:
  - host: wordpress.ingress
    http:
      paths:
      - path: /
        backend:
          serviceName: wordpress
          servicePort: 8080

Apply it:

# kubectl apply -f wordpress.ingress.yaml
ingress.extensions "wordpress-ingress" created

# kubectl get ing
NAME                HOSTS               ADDRESS   PORTS   AGE
httpd-svc-ingress   httpd-svc.ingress             80      5d
wordpress-ingress   wordpress.ingress             80      4d

After adding a hosts entry on the client machine that resolves wordpress.ingress to the cluster, the site is reachable through Traefik as expected.

8. Traefik takes off, part 2
