A deep dive into k8s: how to access business apps (configuring HTTPS on traefik-ingress)

Source: Internet
Author: User
Tags csr ssl ssl certificate k8s

In the previous article we briefly introduced Traefik and HTTP access through it. In a real production environment, however, there is not only HTTP forwarding but also HTTPS forwarding.

The previous article, a record of a basic Traefik deployment, described the simplest case: HTTP access through Traefik. Its access flow is shown below:

Client---(via HTTP)---> Traefik----(via HTTP)----> Services

Now we will practice HTTPS access through Traefik, which is more secure and more complex. There are two access flows, shown below:

The backend service is plain HTTP
That is, the client and Traefik communicate over encrypted HTTPS, but Traefik and the Service (svc) communicate over plaintext HTTP

Client---(via HTTPS)---> Traefik----(via HTTP)----> Services

The backend service is HTTPS
That is, the client and Traefik communicate over encrypted HTTPS, and Traefik and the Service (svc) also communicate over HTTPS

Client---(via HTTPS)---> Traefik----(via HTTPS)----> Services

Let's look at how to implement (pseudo) HTTPS, which is the second access flow described above: HTTPS between the client and Traefik, plain HTTP between Traefik and the Services.

First, create the certificate; HTTPS cannot be turned on without one. You can build a certificate manually or use an existing one. Here I create an SSL certificate myself; for the specific creation process, refer to material available on the Internet.

    [[email protected] ~]# cd /opt/k8s/ssl
    [[email protected] ssl]# ls
    ssl.crt  ssl.csr  ssl.key


I created the /opt/k8s/ssl directory above myself. Any path will do, as long as it is consistent with the path in the configuration file, which is described below. Next, configure the certificate:


    [[email protected] ssl]# kubectl create secret generic traefik-cert --from-file=ssl.crt --from-file=ssl.key -n kube-system
    secret "traefik-cert" created
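The article leaves certificate creation to other sources, so here is one way to produce the three files listed above and to confirm that ssl.crt really belongs to ssl.key before they go into the traefik-cert secret. This is an added example, not part of the original article; the host name traefik.example.com, the function names, the 2048-bit RSA key, the 365-day lifetime and the 30-day expiry threshold are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). The host name is a placeholder.

# make_cert DIR HOST: write ssl.key, ssl.csr and a self-signed ssl.crt into DIR.
make_cert() {
    dir=$1; host=$2
    mkdir -p "$dir" || return 1
    # umask 077 keeps the private key readable by its owner only.
    ( umask 077; openssl genrsa -out "$dir/ssl.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$dir/ssl.key" -subj "/CN=$host" \
        -out "$dir/ssl.csr" || return 1
    # Current clients match on subjectAltName, not CN, so add a SAN entry.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/ssl.csr" -signkey "$dir/ssl.key" -sha256 \
        -days 365 -extfile "$dir/san.ext" -out "$dir/ssl.crt" 2>/dev/null
}

# pubkey_fp FILE key|crt: print the SHA-256 of the public key held in FILE.
pubkey_fp() {
    case $2 in
        key) pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# check_pair DIR: succeed only if ssl.crt belongs to ssl.key and stays valid
# for at least 30 more days (2592000 seconds).
check_pair() {
    k=$(pubkey_fp "$1/ssl.key" key) || { echo "cannot read ssl.key" >&2; return 1; }
    c=$(pubkey_fp "$1/ssl.crt" crt) || { echo "cannot read ssl.crt" >&2; return 1; }
    [ "$k" = "$c" ] || { echo "ssl.crt does not match ssl.key" >&2; return 1; }
    openssl x509 -in "$1/ssl.crt" -noout -checkend 2592000 >/dev/null ||
        { echo "ssl.crt expires within 30 days" >&2; return 1; }
}

# Demo in a scratch directory; on the real host DIR would be /opt/k8s/ssl.
demo=$(mktemp -d) && make_cert "$demo" traefik.example.com &&
    check_pair "$demo" && echo "key and certificate match"
rm -rf "$demo"
```

A mismatched or expired pair is much easier to catch here than later, from inside the Traefik pod after the secret has been mounted.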


Create a ConfigMap to hold the Traefik configuration. The configuration here rewrites all HTTP requests to HTTPS and sets the location of the certificate. I also created a directory for it, /opt/k8s/conf/.


    [[email protected] conf]# cat traefik.toml
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
        [entryPoints.http.redirect]
        entryPoint = "https"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          certFile = "/opt/k8s/ssl/ssl.crt"
          keyFile = "/opt/k8s/ssl/ssl.key"
    [[email protected] config]# kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
    configmap "traefik-conf" created


Since the previously configured HTTP setup is now being switched to HTTPS, Traefik itself needs to be updated. The update mainly associates the Secret and ConfigMap with it and mounts them at the corresponding directories.

To be safe, take a backup before making changes (a good workplace habit).


    [[email protected] k8s]# cp traefik-deployment.yaml traefik-deployment.yaml.bk
    [[email protected] k8s]# cat traefik-deployment.yaml
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: traefik-ingress-controller
      namespace: kube-system
    ---
    kind: DaemonSet
    apiVersion: extensions/v1beta1
    metadata:
      name: traefik-ingress-controller
      namespace: kube-system
      labels:
        k8s-app: traefik-ingress-lb
    spec:
      selector:
        matchLabels:
          k8s-app: traefik-ingress-lb
      template:
        metadata:
          labels:
            k8s-app: traefik-ingress-lb
            name: traefik-ingress-lb
        spec:
          serviceAccountName: traefik-ingress-controller
          terminationGracePeriodSeconds: 60
          hostNetwork: true
          volumes:
          - name: ssl
            secret:
              secretName: traefik-cert
          - name: config
            configMap:
              name: traefik-conf
          containers:
          - image: traefik
            name: traefik-ingress-lb
            volumeMounts:
            - mountPath: "/opt/k8s/ssl/"
              name: "ssl"
            - mountPath: "/opt/k8s/conf/"
              name: "config"
            ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
            - name: admin
              containerPort: 8080
            args:
            - --configfile=/opt/k8s/conf/traefik.toml
            - --api
            - --kubernetes
            - --logLevel=INFO
    ---
    kind: Service
    apiVersion: v1
    metadata:
      name: traefik-ingress-service
      namespace: kube-system
    spec:
      selector:
        k8s-app: traefik-ingress-lb
      ports:
        - protocol: TCP
          port: 80
          name: web
        - protocol: TCP
          port: 443
          name: https
        - protocol: TCP
          port: 8080
          name: admin
      type: NodePort
    [[email protected] k8s]# kubectl apply -f traefik-deployment.yaml
    serviceaccount "traefik-ingress-controller" created
    daemonset.extensions "traefik-ingress-controller" created
    service "traefik-ingress-service" created


The main changes are in the following places:

kind: DaemonSet (the official default is to use a Deployment)

hostNetwork: true turns on node port forwarding (the pod uses the node's own network)

volumeMounts: the new volume mount points

ports: the new https port, 443

args: the new configfile argument

and port 443 at the Service layer


Finally, test whether it worked. Log in to the Traefik UI: when we access it over HTTP as before, Traefik redirects us straight to HTTPS.

The third mode, HTTPS forwarded to HTTPS, is not covered here; it can be explored in a follow-up if there is a need. If necessary, see AM's blog, which this article references and which is written in detail.

Blog referenced by this article:

http://blog.51cto.com/goome/2153703

