Kubernetes access to Web apps using Traefik HTTPS

Tags: ssl, certificate, k8s

Background
In the previous article I used Kubernetes's Traefik ingress controller as the entry point for the Tomcat services, but that setup was reached over plain HTTP. In real deployments there is almost always a requirement for HTTPS, so this article shows how to terminate HTTPS with Traefik, redirect HTTP to HTTPS, and handle backends that themselves speak HTTPS.
Previous article link: http://blog.51cto.com/icenycmh/2124502

Experimental procedure
One: HTTPS needs a certificate. You can generate one yourself or reuse one you already have. Here I use a certificate I already obtained from a CA; it is a wildcard certificate for *.gzshapp.com, which covers test.gzshapp.com but not the bare domain gzshapp.com or any deeper name such as a.b.gzshapp.com.

Two: Create a Secret holding the certificate and its private key.

# ll
total 12
-rw-r--r-- 1 root root 5477 Mar 30 16:32 _.gzshapp.com_bundle.crt
-rw-r--r-- 1 root root 1708 Mar 28 14:01 _.gzshapp.com.key
# kubectl create secret generic traefik-cert --from-file=_.gzshapp.com_bundle.crt --from-file=_.gzshapp.com.key -n kube-system

Copy the certificate to the k8s node as well; in this example the certificate directory is /opt/conf/k8s/ssl/. Note that the deployment in step Four mounts the Secret at that same path inside the Traefik container, so the paths in traefik.toml resolve to the mounted Secret, not to the copy on the node. Two hygiene points while the files are at hand: the private key is listed as 0644 above and should be chmod 600, and a Secret only base64-encodes the key, so restrict who can read Secrets in kube-system with RBAC (and enable etcd encryption at rest if the cluster supports it).

Three: Create a ConfigMap holding the Traefik configuration.
The traefik.toml below redirects every HTTP request to HTTPS and points the https entry point at the certificate and key (paths as mounted inside the container):

# vi traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/opt/conf/k8s/ssl/_.gzshapp.com_bundle.crt"
      keyFile = "/opt/conf/k8s/ssl/_.gzshapp.com.key"
# kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system

Copy traefik.toml to the k8s node as well; in this example Traefik's config directory is /opt/conf/k8s/conf/. As with the certificate, the deployment mounts the ConfigMap at this path, and that mounted copy is the one Traefik actually reads.

Four: Redeploy Traefik. The main changes are to attach the Secret and ConfigMap created above as volumes and mount them at the paths traefik.toml expects.

# more Traefik-deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: traefik-ingress-lb
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 2
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      terminationGracePeriodSeconds: 60
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      hostNetwork: true
      restartPolicy: Always
      serviceAccountName: ingress
      containers:
      - image: traefik
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/opt/conf/k8s/ssl"
          name: "ssl"
        - mountPath: "/opt/conf/k8s/conf"
          name: "config"
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8580
          hostPort: 8580
        args:
        - --configfile=/opt/conf/k8s/conf/traefik.toml
        - --web
        - --web.address=:8580
        - --kubernetes
# kubectl apply -f Traefik-deployment.yaml

A few things to be aware of in this manifest. hostNetwork: true makes the container bind directly to the node's ports, so the ports: entries are informational only (443 is not listed, yet it is reachable) and the two replicas must land on different nodes. The --web flag exposes the Traefik dashboard on port 8580 of every node with no authentication; either firewall that port or put basic auth on it ([web.auth.basic] in Traefik 1.x). And image: traefik pulls the untagged latest image; pin a version tag (ideally a digest) so a redeploy does not silently pick up a different release.

Five: Test the result.
Open the Traefik UI: a request over plain HTTP is now redirected straight to HTTPS by Traefik.

Because the hostname used to reach the Traefik UI is not covered by our certificate, the browser shows a certificate warning there. So I modified the tomcat-test Ingress from the previous article to use a hostname the certificate does cover and tested again:

# vi ingress-tomcat.yaml
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-test-web
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
  - host: test.gzshapp.com
    http:
      paths:
      - path: /test1/
        backend:
          serviceName: tomcat-test1
          servicePort: 8080
      - path: /test2/
        backend:
          serviceName: tomcat-test2

The Ingress host is now test.gzshapp.com. Add it to the hosts file on the test machine, pointing at the nodes that run Traefik (which listens on the host network), and visit the site:

192.168.232.129 test.gzshapp.com
192.168.232.131 test.gzshapp.com



You can see that our configuration is already in effect.

Other requirements
Real environments have varied needs: serving both HTTP and HTTPS, forcing HTTPS only for some hostnames, proxying to backends that themselves use HTTPS, and so on. Each of these is a small change to traefik.toml.
1: Serve HTTP and HTTPS at the same time: remove the [entryPoints.http.redirect] block from the http entry point.

defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  # no [entryPoints.http.redirect] block here, so port 80 serves requests directly
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/opt/scripts/traefik/https/_.gzshapp.com_bundle.crt"
      keyFile = "/opt/scripts/traefik/https/_.gzshapp.com.key"

2: Force HTTPS only for some hostnames: give [entryPoints.http.redirect] a regex/replacement pair that matches only those hosts. Requests for any other host keep being served over HTTP. Note that the dots in the regex below are unescaped and therefore match any character; write them as \. if the rule must match exactly this hostname.

defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    regex = "^http://test.gzshapp.com/(.*)"
    replacement = "https://test.gzshapp.com/$1"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/opt/conf/k8s/ssl/_.gzshapp.com_bundle.crt"
      keyFile = "/opt/conf/k8s/ssl/_.gzshapp.com.key"
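As an added example for sections 1 and 2 above and for the certificate warning seen in step Five (written for this page; it is neither Traefik's code nor the author's), here is a small Go model of the http entry point's three redirect behaviours and of wildcard certificate coverage. The regex and replacement strings are copied from the page; the hostnames testXgzshappXcom and traefik-ui.example are constructed, the latter standing in for whatever hostname the Traefik UI was reached on, which the page does not give.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RedirectMode models the three [entryPoints.http] variants of traefik.toml
// shown on this page.
type RedirectMode int

const (
	NoRedirect    RedirectMode = iota // section 1: no redirect block, HTTP served as-is
	RedirectAll                       // step Three: [entryPoints.http.redirect] entryPoint = "https"
	RedirectRegex                     // section 2: [entryPoints.http.redirect] regex + replacement
)

// HTTPEntryPoint is a minimal model of the port-80 entry point's redirect rule.
type HTTPEntryPoint struct {
	Mode        RedirectMode
	Regex       *regexp.Regexp // used only for RedirectRegex
	Replacement string         // "$1"-style replacement, as in the page's rule
}

// Redirect returns the Location a plain-HTTP request for host+path would be
// redirected to, or "" when the request is served over HTTP unchanged.
func (e HTTPEntryPoint) Redirect(host, path string) string {
	switch e.Mode {
	case RedirectAll:
		// entryPoint = "https": keep host and path, swap the scheme.
		return "https://" + host + path
	case RedirectRegex:
		// regex/replacement is applied to the whole request URL; a URL the
		// regex does not match falls through and stays on HTTP.
		raw := "http://" + host + path
		if e.Regex.MatchString(raw) {
			return e.Regex.ReplaceAllString(raw, e.Replacement)
		}
	}
	return ""
}

// CertCovers reports whether a certificate with the given DNS SANs is valid
// for host under the usual wildcard rule: "*" matches exactly one leftmost
// label, so "*.gzshapp.com" covers test.gzshapp.com but neither gzshapp.com
// nor a.b.gzshapp.com. host is the name the browser connected to, without port.
func CertCovers(host string, sans []string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, san := range sans {
		san = strings.ToLower(san)
		if strings.HasPrefix(san, "*.") {
			suffix := san[1:] // "*.gzshapp.com" -> ".gzshapp.com"
			if strings.HasSuffix(host, suffix) {
				label := strings.TrimSuffix(host, suffix)
				if label != "" && !strings.Contains(label, ".") {
					return true
				}
			}
			continue
		}
		if host == san {
			return true
		}
	}
	return false
}

func main() {
	sans := []string{"*.gzshapp.com"} // the page's wildcard certificate

	// The page's section-2 rule verbatim; note the unescaped dots.
	pageRule := HTTPEntryPoint{
		Mode:        RedirectRegex,
		Regex:       regexp.MustCompile(`^http://test.gzshapp.com/(.*)`),
		Replacement: "https://test.gzshapp.com/$1",
	}
	// Same intent with the dots escaped, so only the real hostname matches.
	strictRule := HTTPEntryPoint{
		Mode:        RedirectRegex,
		Regex:       regexp.MustCompile(`^http://test\.gzshapp\.com/(.*)`),
		Replacement: "https://test.gzshapp.com/$1",
	}
	all := HTTPEntryPoint{Mode: RedirectAll}

	// Constructed hostnames; traefik-ui.example stands in for the UI hostname.
	for _, host := range []string{"test.gzshapp.com", "testXgzshappXcom", "traefik-ui.example"} {
		fmt.Printf("%-18s all=%q page=%q strict=%q certCovers=%v\n", host,
			all.Redirect(host, "/test1/"), pageRule.Redirect(host, "/test1/"),
			strictRule.Redirect(host, "/test1/"), CertCovers(host, sans))
	}
}
```

Running it shows the two things the page observed but did not spell out: under the page's regex a host such as testXgzshappXcom is also redirected (and to test.gzshapp.com, since the replacement hard-codes the host), while the escaped version leaves it alone; and any hostname outside *.gzshapp.com, including whatever the UI is served on, will never be covered by that certificate no matter how the redirect is configured.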

3: Proxying to a backend that itself serves HTTPS:
Here I modified my Tomcat service to open an HTTPS port, 8443, and adjusted the Ingress accordingly, as follows:

I created a new Ingress with the host test-ssl.gzshapp.com, where /test1/ is backed by the 8443 HTTPS service and /test2/ by the 8080 HTTP service. After adding the host to the hosts file and requesting both paths over HTTPS, the result was:


Accessing test1 returns a "Bad Gateway" error, while test2 works normally. The most likely cause is certificate verification: Traefik validates the backend's TLS certificate against the CAs it trusts, and the certificate this Tomcat instance presents (self-signed, or issued for a different name) fails that check, so Traefik cannot complete the handshake and answers 502.
The quick fix is to add insecureSkipVerify = true to the global section of traefik.toml, which disables certificate checking for every backend connection. Be clear about what that gives up: Traefik will then accept any certificate from any backend, so the TLS hop from Traefik to the pod no longer authenticates the pod, and anyone who can intercept in-cluster traffic can stand in for it. The safer option in Traefik 1.x is to keep verification on and instead trust the backend's issuing CA (or its self-signed certificate) with the global rootCAs = ["/path/to/backend-ca.crt"] setting, making sure the backend certificate's SANs cover the address Traefik connects to.

insecureSkipVerify = true
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  # no redirect block: this variant serves HTTP and HTTPS side by side
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/opt/conf/k8s/ssl/_.gzshapp.com_bundle.crt"
      keyFile = "/opt/conf/k8s/ssl/_.gzshapp.com.key"
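To see concretely what insecureSkipVerify = true trades away compared with trusting the backend's own CA, here is an added Go example (written for this page; it is neither Traefik's code nor the author's). It starts two throwaway HTTPS backends with self-signed certificates generated in-process, standing in for the Tomcat 8443 port, and fetches from them with three client TLS settings: Go's defaults (the verification that fails behind the page's Bad Gateway), InsecureSkipVerify (Traefik's insecureSkipVerify) and a pinned root pool (Traefik's rootCAs). The backend names and the 127.0.0.1 addresses are constructed for the demo; Traefik is written in Go and its backend TLS settings map onto the same crypto/tls fields.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSignedBackend generates a throwaway self-signed certificate for
// 127.0.0.1 and starts an HTTPS server with it, standing in for the Tomcat
// instance on port 8443 (constructed for this demo, not the page's Tomcat).
func selfSignedBackend(name string) (*httptest.Server, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own root
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "hello from ", name)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srv.StartTLS()
	return srv, leaf, nil
}

// fetch does one GET with the given client TLS settings, the same decision a
// reverse proxy makes when forwarding to an HTTPS backend. It returns nil on
// a 200 response and the handshake/verification error otherwise.
func fetch(url string, cfg *tls.Config) error {
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()
	client := &http.Client{Transport: tr, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return nil
}

// Compare runs three client configurations against a self-signed backend
// (and a second, unrelated one) and reports which requests succeeded.
func Compare() (map[string]bool, error) {
	backend, backendCert, err := selfSignedBackend("tomcat-test1")
	if err != nil {
		return nil, err
	}
	defer backend.Close()
	other, _, err := selfSignedBackend("not-our-backend")
	if err != nil {
		return nil, err
	}
	defer other.Close()

	pool := x509.NewCertPool()
	pool.AddCert(backendCert) // like rootCAs = ["backend.crt"]: trust exactly this issuer

	return map[string]bool{
		// System roots only: the self-signed backend is rejected (the page's Bad Gateway).
		"default": fetch(backend.URL, &tls.Config{}) == nil,
		// insecureSkipVerify = true: works, but so does any server with any certificate.
		"insecureSkipVerify":       fetch(backend.URL, &tls.Config{InsecureSkipVerify: true}) == nil,
		"insecureSkipVerify-other": fetch(other.URL, &tls.Config{InsecureSkipVerify: true}) == nil,
		// Pinned root pool: accepts our backend and rejects the unrelated one.
		"rootCAs":       fetch(backend.URL, &tls.Config{RootCAs: pool}) == nil,
		"rootCAs-other": fetch(other.URL, &tls.Config{RootCAs: pool}) == nil,
	}, nil
}

func main() {
	results, err := Compare()
	if err != nil {
		panic(err)
	}
	for mode, ok := range results {
		fmt.Printf("%-26s ok=%v\n", mode, ok)
	}
}
```

The pinned pool works here because the backend certificate is self-signed with IsCA set and carries an IP SAN for the address being dialled; with a real backend, rootCAs needs the CA that issued the backend certificate and that certificate's SANs must cover whatever address Traefik connects to, otherwise verification still fails and you are back to the 502.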

