Go deep into k8s how to access business apps (traefik-ingress configure HTTPS)

In the previous article we briefly introduced the next Traefik and how HTTP access, but in the actual production environment is not just HTTP forwarding access, there is HTTPS forwarding access,

Previous: Traefik Basic deployment record, describes the simplest HTTP access Traefik, the access process reference is shown below:

Client---(via HTTP)---> Traefik----(via HTTP)----> Services

Now to practice is more secure and more complex HTTPS access Traefik, there are two kinds of access process, see below:

Back-end service is normal HTTP
That is, the client and Traefik use HTTPS encrypted communication, but between the Traefik and the SVC is the plaintext HTTP communication

Client---(via HTTPS)---> Traefik----(via HTTP)----> Services

The backend service is HTTPS
That is, the client and Traefik use HTTPS encrypted communication, but Traefik and Svc are also using HTTPS communication

Client---(via HTTPS)---> Traefik----(via HTTPS)----> Services

Let's look at how to implement (pseudo) HTTPS, which is the second kind of access process described above.

First create the certificate, want to turn on HTTPS, the certificate is indispensable. You can manually build a certificate or take advantage of an existing certificate. Here I create an SSL certificate myself, the specific creation process can refer to the Internet.

[Email protected] ~]# cd/opt/k8s/ssl[[email protected] ssl]# lsssl.crt SSL.CSR Ssl.key

above this/opt/k8s/ssl directory is created by me, the path can just as long as the path in the config file consistent with the line will be said below. Start Configuring certificates below

[Email protected] ssl]# kubectl create secret generic Traefik-cert--from-file=ssl.crt--from-file=ssl.key-n kube-syste Msecret "Traefik-cert" created

Create a Configmap to save the Traefix configuration. The Traefix here Configure the rules to rewrite all HTTP requests to HTTPS and configure the corresponding certificate location, and I have also created a directory/opt/k8s/conf/here.

[[email protected] conf]# cat traefik.toml defaultentrypoints = ["http", "https"][entrypoints] [entrypoints.http] Addres s = ":" [entryPoints.http.redirect] entrypoint = "https" [Entrypoints.https] address = ": 443" [entrypoints.ht TPS.TLS] [[entryPoints.https.tls.certificates]] CertFile = "/OPT/K8S/SSL/SSL.CRT" keyfile = "/opt/k8s/ssl/s Sl.key "[[email protected] config]# kubectl create Configmap traefik-conf--from-file=traefik.toml-n Kube-systemconfigmap "Traefik-conf" created

Since the previously configured HTTP is now switched to HTTPS, you need to update the next Traefik, which is mainly updated under the associated secret and Configmap, and mount the corresponding host directory.

Back up (good habits in the workplace) before operating safely

[[Email protected] k8s]# cp traefik-deployment.yaml traefik-deployment.yaml.bk[[email  protected] k8s]# cat traefik-deployment.yaml ---apiversion: v1kind:  serviceaccountmetadata:  name: traefik-ingress-controller  namespace:  Kube-system---kind: daemonsetapiversion: extensions/v1beta1metadata:  name:  traefik-ingress-controller  namespace: kube-system  labels:     k8s-app: traefik-ingress-lbspec:  selector:    matchlabels:       k8s-app: traefik-ingress-lb  template:    metadata:       labels:        k8s-app:  traefik-ingress-lb        name: traefik-ingress-lb     spec:      serviceaccountname: traefik-ingress-controller       terminationgraceperiodseconds: 60      hostnetwork: true       volumes:      - name: ssl         secret:          secretname:  traefik-cert      - name: config         configMap:          name:  Traefik-conf      containers:      - image:  traefik        name: traefik-ingress-lb         volumemounts:        - mountpath:   "/opt/k8s/ssl/"           name:  "SSL"         - mountpath:   "/opt/k8s/conf/"           name:  "config"          ports:        - name:  http          containerPort: 80         - name: https           containerPort: 443        - name: admin           containerPort: 8080         args:        - --configfile=/opt/k8s/conf/ traefik.toml        - --api         - --kubernetes&nbSp;       - --loglevel=info---kind: serviceapiversion:  v1metadata:  name: traefik-ingress-service  namespace: kube-systemspec:   selector:    k8s-app: traefik-ingress-lb  ports:     - protocol: TCP      port: 80       name: web    - protocol: tcp      port:  443      name: https    - protocol: tcp       port: 8080      name: admin   type: NodePort[[email protected] k8s]# [[email protected] k8s]#  kubectl apply -f traefik-deployment.yamlserviceaccount  "Traefik-ingress-controller"   createddaemonset.extensions  " Traefik-ingress-controller " createdservice " Traefik-ingress-service " created

The main change is the update of several aspects:

Kind:daemonset The official default is to use deployment

hostnetwork:true Turn on node port forwarding

volumemounts: new volumes mount point

Ports : New https443

args : New ConfigFile

and the service layer 443 ports

Finally we test whether the success, here we can login Traefik-ui interface, can see the original HTTP access, Traefik will directly redirect us to HTTPS.

About the third HTTPS forwarding HTTPS implementation mode here will not repeat the follow-up if there is a need can be explored, if necessary, can look at AM's blog is the reference to this article, written in detail.

This Article blog reference:

http://blog.51cto.com/goome/2153703

Go deep into k8s how to access business apps (traefik-ingress configure HTTPS)