The previous article briefly introduced Traefik and HTTP access through it. In a real production environment, however, HTTP forwarding alone is not enough; HTTPS forwarding is needed as well.
The previous article, "Traefik basic deployment record", described the simplest case, HTTP access through Traefik. Its access flow is shown below:
Client---(via HTTP)---> Traefik----(via HTTP)----> Services
This article covers the more secure, and more complex, HTTPS access through Traefik. There are two access flows, shown below:
Back-end service is normal HTTP
That is, the client and Traefik communicate over encrypted HTTPS, but traffic between Traefik and the Service is plaintext HTTP.
Client---(via HTTPS)---> Traefik----(via HTTP)----> Services
The backend service is HTTPS
That is, the client and Traefik communicate over encrypted HTTPS, and Traefik and the Service also communicate over HTTPS.
Client---(via HTTPS)---> Traefik----(via HTTPS)----> Services
Let's look at how to implement (pseudo) HTTPS, the second access flow described above: HTTPS between the client and Traefik, plain HTTP between Traefik and the Services.
First, create the certificate; HTTPS cannot be enabled without one. You can generate a certificate yourself or use an existing one. Here I created an SSL certificate myself; the creation process is widely documented online.
[[email protected] ~]# cd /opt/k8s/ssl
[[email protected] ssl]# ls
ssl.crt  ssl.csr  ssl.key
I created the /opt/k8s/ssl directory above myself. Any path works, as long as it matches the path in the configuration file described below. Next, load the certificate into a Secret:
[[email protected] ssl]# kubectl create secret generic traefik-cert --from-file=ssl.crt --from-file=ssl.key -n kube-system
secret "traefik-cert" created
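One way to produce the three files listed above and confirm that ssl.crt and ssl.key belong together before loading them into the Secret. This is an added example, not the article's own commands; the hostname traefik.example.test and the function names are placeholders.

```shell
# make_selfsigned DIR CN: write ssl.key, ssl.csr and ssl.crt into DIR.
# CN is also written as a subjectAltName, which clients use for hostname checks.
make_selfsigned() {
    dir=$1; cn=$2
    # New unencrypted 2048-bit RSA key plus a signing request.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/ssl.key" -out "$dir/ssl.csr" 2>/dev/null || return 1
    chmod 600 "$dir/ssl.key"
    # Self-sign the request with the same key, valid for 365 days.
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/san.ext"
    openssl x509 -req -in "$dir/ssl.csr" -signkey "$dir/ssl.key" -days 365 \
        -extfile "$dir/san.ext" -out "$dir/ssl.crt" 2>/dev/null
    rc=$?
    rm -f "$dir/san.ext"
    return "$rc"
}

# cert_matches_key CRT KEY: succeed only if the certificate carries the
# public key derived from the private key.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Demo in a throwaway directory (placeholder hostname).
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" traefik.example.test
if cert_matches_key "$demo_dir/ssl.crt" "$demo_dir/ssl.key"; then
    echo "ssl.crt and ssl.key match"
else
    echo "MISMATCH: do not create the secret" >&2
fi
rm -rf "$demo_dir"
```

The key is written unencrypted because Traefik reads it directly from the mounted Secret, so access to the Secret in kube-system is what protects it.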
Create a ConfigMap to hold the Traefik configuration. The configuration here redirects all HTTP requests to HTTPS and sets the certificate location. I also created a directory, /opt/k8s/conf/, for it.
[[email protected] conf]# cat traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/opt/k8s/ssl/ssl.crt"
      keyFile = "/opt/k8s/ssl/ssl.key"
[[email protected] config]# kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
configmap "traefik-conf" created
Because the previously configured HTTP access is now switching to HTTPS, the Traefik deployment needs to be updated: mainly, reference the Secret and ConfigMap created above and mount them at the corresponding directories.
Back up the existing file before making changes (a good workplace habit):
[[email protected] k8s]# cp traefik-deployment.yaml traefik-deployment.yaml.bk
[[email protected] k8s]# cat traefik-deployment.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/opt/k8s/ssl/"
          name: "ssl"
        - mountPath: "/opt/k8s/conf/"
          name: "config"
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        - name: admin
          containerPort: 8080
        args:
        - --configfile=/opt/k8s/conf/traefik.toml
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - protocol: TCP
    port: 80
    name: web
  - protocol: TCP
    port: 443
    name: https
  - protocol: TCP
    port: 8080
    name: admin
  type: NodePort
[[email protected] k8s]#
[[email protected] k8s]# kubectl apply -f traefik-deployment.yaml
serviceaccount "traefik-ingress-controller" created
daemonset.extensions "traefik-ingress-controller" created
service "traefik-ingress-service" created
The main changes are:
kind: DaemonSet (the official default is to use a Deployment)
hostNetwork: true, which turns on node port forwarding
volumeMounts: mount points for the new volumes
ports: new https port 443
args: new --configfile
and port 443 on the Service
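The certificate paths in traefik.toml must fall under a mountPath in the manifest, and the HTTP entry point must redirect to HTTPS; a mismatch in either only shows up after the pods restart. The following lint checks both before `kubectl apply`. It is an added example, not part of the original article; the function names and the ds.yaml sample file are assumptions.

```shell
# cert_paths TOML: print the certFile/keyFile values.
cert_paths() {
    grep -E '^[[:space:]]*(certFile|keyFile)[[:space:]]*=' "$1" |
        sed 's/^[^"]*"\([^"]*\)".*/\1/'
}

# mount_paths YAML: print every mountPath value, quotes stripped.
mount_paths() {
    sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*mountPath:[[:space:]]*//p' "$1" | tr -d '"'
}

# unmounted_cert_paths TOML YAML: print cert/key paths under no mountPath.
unmounted_cert_paths() {
    cert_paths "$1" | while read -r p; do
        covered=no
        for m in $(mount_paths "$2"); do
            case "$p" in "${m%/}"/*) covered=yes ;; esac
        done
        [ "$covered" = yes ] || echo "$p"
    done
}

# redirects_http_to_https TOML: true if the http redirect table targets https.
redirects_http_to_https() {
    tr -d ' \t' < "$1" | awk '
        /^\[/ { table = $0 }
        table == "[entryPoints.http.redirect]" && $0 == "entryPoint=\"https\"" { ok = 1 }
        END { exit !ok }'
}

# write_sample DIR: constructed files that reuse the article's paths.
write_sample() {
    cat > "$1/traefik.toml" <<'EOF'
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[[entryPoints.https.tls.certificates]]
certFile = "/opt/k8s/ssl/ssl.crt"
keyFile = "/opt/k8s/ssl/ssl.key"
EOF
    printf '%s\n' '- mountPath: "/opt/k8s/ssl/"' '- mountPath: "/opt/k8s/conf/"' > "$1/ds.yaml"
}
d=$(mktemp -d); write_sample "$d"
redirects_http_to_https "$d/traefik.toml" && echo "redirect: ok"
[ -z "$(unmounted_cert_paths "$d/traefik.toml" "$d/ds.yaml")" ] && echo "cert paths: mounted"
rm -rf "$d"
```

The check compares directories only; the file names inside the mount come from the keys given to `--from-file` when the Secret was created.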
Finally, test whether it works. Log in to the Traefik UI: a request made over the original HTTP address is redirected straight to HTTPS by Traefik.
The third mode, HTTPS forwarded to HTTPS back ends, is not covered here; it can be explored later if needed. AM's blog, which this article references, describes it in detail.
Blog referenced by this article:
http://blog.51cto.com/goome/2153703
Go deep into k8s how to access business apps (traefik-ingress configure HTTPS)