Deploying Traefik with HTTP and HTTPS access - 创新互联

I. Background

1. Applications such as rancher and kubernetes-dashboard must be reached over https, so this deployment enables Traefik's https entrypoint.


2. The earlier rancher HA setup was deployed in the cattle-system namespace, so Traefik is deployed in cattle-system as well and reuses the same TLS certificate (the tls-rancher-ingress secret).

II. Traefik deployment

1. Create the RBAC policy and authorize the service account

The RBAC manifest traefik-rbac.yaml is as follows. Note that the ClusterRole grants get/list/watch on Secrets, and the ClusterRoleBinding makes that cluster-wide: Traefik 1.x needs it to read the TLS secrets referenced by Ingress objects, but it also means the controller's service account can read every Secret in the cluster.

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: cattle-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets        # read access to Secrets in every namespace (Ingress TLS)
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: cattle-system
```

Apply the manifest:

```
[root@k8s-master03 traefik]# kubectl apply -f traefik-rbac.yaml
serviceaccount/traefik-ingress-controller created
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created
```

2. Deploy Traefik with a DaemonSet

The DaemonSet manifest traefik-ds.yaml is as follows. Because the pod runs with hostNetwork, Traefik binds :80 and :443 directly on every node it is scheduled to, and the --web dashboard on :8080 is reachable on those nodes as well.

```yaml
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-conf
  namespace: cattle-system
data:
  traefik.toml: |
    # Disables verification of HTTPS backend certificates. Drop it unless
    # a backend really serves a self-signed certificate.
    insecureSkipVerify = true
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"
---
kind: DaemonSet
# extensions/v1beta1 DaemonSets were removed in Kubernetes 1.16; on newer
# clusters use apps/v1 and add spec.selector.
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: cattle-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      volumes:
      - name: ssl
        secret:
          secretName: tls-rancher-ingress   # the TLS secret Rancher's ingress already uses
      - name: config
        configMap:
          name: traefik-conf
      containers:
      # Pinned: the flags and TOML here are Traefik 1.x syntax, and an
      # untagged "traefik" pull now returns v2/v3, which rejects them.
      - image: traefik:v1.7
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
        - name: admin
          containerPort: 8080
        # privileged: true is not needed to bind :80/:443; the
        # NET_BIND_SERVICE capability is enough.
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --configfile=/config/traefik.toml
        - -d              # debug logging
        - --web           # dashboard/API on :8080, unauthenticated unless [web.auth] is set
        - --kubernetes
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: cattle-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
    - protocol: TCP
      port: 443
      name: https
  #type: NodePort
```

Apply the manifest:

```
[root@k8s-master03 traefik]# kubectl apply -f traefik-ds.yaml
configmap/traefik-conf created
daemonset.extensions/traefik-ingress-controller created
service/traefik-ingress-service created
```

3. Configure forwarding for the Traefik UI

The Ingress manifest traefik-ui.yaml is as follows. This Ingress has no tls section, so the dashboard is published in cleartext on the http entrypoint, and no authentication is configured for it; anyone who can resolve traefik-ui.sumapay.com to the load balancer can read every route and backend Traefik knows about.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: cattle-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8080     # Traefik 1.x dashboard/API port
---
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22 (networking.k8s.io/v1).
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: cattle-system
spec:
  rules:
  - host: traefik-ui.sumapay.com
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web
```

Apply the manifest:

```
[root@k8s-master03 traefik]# kubectl apply -f traefik-ui.yaml
service/traefik-web-ui created
ingress.extensions/traefik-web-ui created
```

4. Verify

```
[root@k8s-master01 ~]# kubectl get pods -n cattle-system
NAME                                    READY   STATUS    RESTARTS   AGE
cattle-cluster-agent-594b8f79bb-pgmdt   1/1     Running   5          11d
cattle-node-agent-lg44f                 1/1     Running   0          11d
cattle-node-agent-zgdms                 1/1     Running   5          11d
rancher2-9774897c-622sc                 1/1     Running   0          9d
rancher2-9774897c-czxxx                 1/1     Running   0          9d
rancher2-9774897c-sm2n5                 1/1     Running   1          9d
traefik-ingress-controller-hj9nc        1/1     Running   0          142m
traefik-ingress-controller-vxcgt        1/1     Running   0          142m

[root@k8s-master01 ~]# kubectl get svc -n cattle-system
NAME                      TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                   AGE
rancher2                  ClusterIP   10.111.16.80    <none>        80/TCP                    9d
traefik-ingress-service   ClusterIP   10.111.121.27   <none>        80/TCP,8080/TCP,443/TCP   143m
traefik-web-ui            ClusterIP   10.103.112.22   <none>        80/TCP                    136m

[root@k8s-master01 ~]# kubectl get ingress -n cattle-system
NAME             HOSTS                    ADDRESS   PORTS     AGE
rancher2         rancher.sumapay.com                80, 443   9d
traefik-web-ui   traefik-ui.sumapay.com             80        137m
```

Once the domain names are mapped to the external load balancer's IP, the Traefik UI and the Rancher HA service can be reached by name; the rancher2 Ingress is served on both 80 and 443, the Traefik UI on 80 only.
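The manifests above carry a few settings a reviewer would flag before they reach a production cluster (an unpinned image, a privileged container, the cluster-wide Secret read, `insecureSkipVerify`, a plaintext http entrypoint with no redirect). The script below is an added example, not code from the article or from the Traefik project: it audits those settings offline. The Kubernetes objects are written as Python dicts in the shape `kubectl get -o json` returns, constructed here and trimmed to the fields the checks inspect; the finding identifiers are the script's own, and the `traefik:v1.7` tag and Traefik 1.x `[entryPoints.http.redirect]` syntax in the hardened variants are the ones I would use in place of the page's values.

```python
"""Offline policy check for the Traefik manifests deployed above.

Added example, not code from the article or from Traefik. The objects are
Python dicts in `kubectl get -o json` shape, constructed here and trimmed
to the fields the checks look at. Finding identifiers are this script's own.
"""
import copy
import re

# Constructed from the page's traefik-ds.yaml / traefik-rbac.yaml.
PAGE_DAEMONSET = {
    "kind": "DaemonSet",
    "apiVersion": "extensions/v1beta1",
    "metadata": {"name": "traefik-ingress-controller", "namespace": "cattle-system"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "traefik-ingress-lb",
            "image": "traefik",
            "securityContext": {"privileged": True},
            "args": ["--configfile=/config/traefik.toml", "-d", "--web", "--kubernetes"],
        }],
    }}},
}
PAGE_CLUSTERROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "traefik-ingress-controller"},
    "rules": [
        {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["extensions"], "resources": ["ingresses"],
         "verbs": ["get", "list", "watch"]},
    ],
}
PAGE_TRAEFIK_TOML = """
insecureSkipVerify = true
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
"""
# Same static config (Traefik 1.x syntax) with backend verification left on
# and the http entrypoint redirecting to https.
HARDENED_TRAEFIK_TOML = """
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
"""
DASHBOARD_FLAGS = {"--web", "--api"}   # Traefik 1.x dashboard/API on :8080
DEBUG_FLAGS = {"-d", "--debug"}


def audit_workload(obj):
    """Return (finding_id, message) pairs for a DaemonSet/Deployment object."""
    findings = []
    if obj.get("apiVersion") == "extensions/v1beta1":
        findings.append(("DEPRECATED_API",
                         "extensions/v1beta1 workloads are gone since Kubernetes 1.16; use apps/v1"))
    pod = obj["spec"]["template"]["spec"]
    host_net = bool(pod.get("hostNetwork"))
    for c in pod.get("containers", []):
        image = c.get("image", "")
        tag = image.rsplit("/", 1)[-1].partition(":")[2]   # ignore a registry:port prefix
        if "@sha256:" not in image and tag in ("", "latest"):
            findings.append(("IMAGE_UNPINNED",
                             f"{c['name']}: image '{image}' floats; pin a tag or digest"))
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(("PRIVILEGED",
                             f"{c['name']}: privileged=true; binding :80/:443 needs only NET_BIND_SERVICE"))
        args = set(c.get("args", []))
        if args & DEBUG_FLAGS:
            findings.append(("DEBUG_LOGGING", f"{c['name']}: debug logging enabled"))
        if host_net and args & DASHBOARD_FLAGS:
            findings.append(("DASHBOARD_ON_HOST",
                             f"{c['name']}: dashboard on :8080 of every node via hostNetwork"))
    return findings


def audit_clusterrole(obj):
    """Flag rules reading Secrets in every namespace (Traefik 1.x needs this for Ingress TLS)."""
    findings = []
    for rule in obj.get("rules", []):
        if "" in rule.get("apiGroups", []) and "secrets" in rule.get("resources", []):
            verbs = ", ".join(rule.get("verbs", []))
            findings.append(("SECRETS_CLUSTER_WIDE",
                             f"{obj['metadata']['name']}: {verbs} on all Secrets"))
    return findings


def audit_traefik_toml(text):
    """Checks on the Traefik 1.x static configuration held in the ConfigMap."""
    findings = []
    if re.search(r"^\s*insecureSkipVerify\s*=\s*true", text, re.M):
        findings.append(("BACKEND_TLS_UNVERIFIED",
                         "insecureSkipVerify = true: HTTPS backend certificates are never checked"))
    if (re.search(r"^\s*\[entryPoints\.http\]", text, re.M)
            and not re.search(r"^\s*\[entryPoints\.http\.redirect\]", text, re.M)):
        findings.append(("NO_HTTPS_REDIRECT",
                         "http entrypoint serves plaintext; add [entryPoints.http.redirect]"))
    return findings


def hardened_daemonset():
    """The page's DaemonSet with every audit_workload finding resolved."""
    obj = copy.deepcopy(PAGE_DAEMONSET)
    obj["apiVersion"] = "apps/v1"
    c = obj["spec"]["template"]["spec"]["containers"][0]
    c["image"] = "traefik:v1.7"
    c["securityContext"] = {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}
    c["args"] = ["--configfile=/config/traefik.toml", "--kubernetes"]
    return obj


if __name__ == "__main__":
    for f in (audit_workload(PAGE_DAEMONSET) + audit_clusterrole(PAGE_CLUSTERROLE)
              + audit_traefik_toml(PAGE_TRAEFIK_TOML)):
        print("%-24s %s" % f)
```

Run as a script it prints one line per finding for the page's objects; `audit_workload(hardened_daemonset())` and `audit_traefik_toml(HARDENED_TRAEFIK_TOML)` return empty lists. SECRETS_CLUSTER_WIDE stays informational: with the Traefik 1.x Kubernetes provider it cannot be removed without a namespaced Role per namespace that holds Ingress TLS secrets.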


Source: http://csdahua.cn/article/desjse.html