证书准备
- 自己制作 这个不赘述了,网上一大把
- 购买的ssl证书 这里使用的是购买的ssl证书
问题纠正
- 有些说法是traefik证书名字必须是tls(比如: tls.pem, tls.key),这是错误的说法,下面就以非tls名字命名的证书来实现traefik ssl证书的添加
- traefik中ssl和config挂载路径问题 在traefik-deployment.yaml中我们知道需要挂载配置文件目录和证书目录,有说法是不能修改默认的路径,这种说法是不对的,下面就以非默认路径来进行挂载
配置文件说明
- traefik.toml
logLevel = "INFO"insecuresSkipVerify = truedefaultEntryPoints = ["http","https"][entryPoints] [entryPoints.http] address = ":80" [entryPoints.https] address = ":443" [entryPoints.https.tls] [[entryPoints.https.tls.certificates]] certFile = "/files/k8s-files/kubernetes/ssl/card/cr.xxxxxx.cn.pem" # 1 keyFile = "/files/k8s-files/kubernetes/ssl/card/cr.xxxxxx.cn.key" [[entryPoints.https.tls.certificates]] certFile = "/files/k8s-files/kubernetes/ssl/smart/smart.xxxxx.cn.pem" # 2 keyFile = "/files/k8s-files/kubernetes/ssl/smart/smart.xxxxx.cn.key"[respondingTimeouts]readTimeout = "30s"writeTimeout = "30s"idleTimeout = "360s"备注: 上面的1 和 2 两处都是将不同的证书放置于不同的目录(card和smart)下的,这个是k8s比较坑的一点,因为这个证书是需要挂载进traefik容器内部的,如果都将证书放到ssl这一个目录下面而不是ssl下面单独的子目录下面,那么将会覆盖之前的证书,也就是说只有一个证书是可用的。所以这个是这次添加多证书最大的坑。
- traefik-deployment.yaml 这里就只贴上volume和volumeMounts两部分了
containers: - image: traefik:latest imagePullPolicy: IfNotPresent name: traefik-ingress-lb volumeMounts: - name: "ssl-cr" mountPath: "/files/k8s-files/kubernetes/ssl/card" - name: "ssl-smart" mountPath: "/files/k8s-files/kubernetes/ssl/smart" - name: "config" mountPath: "/files/k8s-files/kubernetes/cfg" ports: - name: http containerPort: 80 - name: https containerPort: 443 - name: admin containerPort: 8080 - name: zhuanfa containerPort: 5053 args: - --api - --kubernetes - --logLevel=INFO - --configfile=/files/k8s-files/kubernetes/cfg/traefik.toml volumes: - name: ssl-cr secret: secretName: traefik-cert-cr - name: ssl-smart secret: secretName: traefik-cert-smart - name: config configMap: name: traefik-conf
证书生成
以smart.xxxxx.cn为例
cd /files/k8s-files/kubernetes/sslkubectl create secret generic traefik-cert-smart --from-file=./smart/smart.xxxxx.cn.pem --from-file=./smart/smart.xxxxx.cn.key -n kube-system
查看traefik-cert-smart这个secret
# Please edit the object below. Lines beginning with a '#' will be ignored,# and an empty file will abort the edit. If an error occurs while saving this file will be# reopened with the relevant failures.#apiVersion: v1data: smart.xxxxx.cn.key: base64encode #可以看到这里的名字记录的和我们--from-file指定的名字相同 smart.xxxxx.cn.pem: base64encodekind: Secretmetadata: creationTimestamp: "2019-04-21T05:08:16Z" name: traefik-cert-smart namespace: kube-system resourceVersion: "2182167" selfLink: /api/v1/namespaces/kube-system/secrets/traefik-cert-smart uid: 789b5e66-63f3-11e9-9d89-00163e03c41etype: Opaque
重建配置文件,重启traefik
cd /files/k8s-files/kubernetes/cfgkubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
新建一个应用进行测试
- nginx-test-tls.yaml
apiVersion: extensions/v1beta1kind: Deploymentmetadata: name: nginxtls namespace: kube-system labels: addonmanager.kubernetes.io/mode: Reconcilespec: template: metadata: labels: app: nginxtls spec: containers: - name: nginxtls image: nginx:1.12.2 imagePullPolicy: IfNotPresent ports: - containerPort: 80---apiVersion: v1kind: Servicemetadata: name: nginxtls labels: app: nginxtls namespace: kube-systemspec: selector: app: nginxtls ports: - name: http port: 80 targetPort: 80---apiVersion: extensions/v1beta1kind: Ingressmetadata: name: nginxtls namespace: kube-system annotations: kubernetes.io/ingress.class: traefik traefik.frontend.rule.type: PathPrefixStripspec: #tls: 注意这里的tls就不要添加了 #- secretName: traefik-cert-smart rules: - host: smart.xxxxx.cn http: paths: - path: / backend: serviceName: nginxtls servicePort: 80
kubectl create -f nginx-test-tls.yaml