Today's Share – Kubernetes Primer | Traefik automatic certificate issuance and the dashboard

Traefik is a cloud-native HTTP reverse proxy and load balancer that makes deploying microservices easy. k3s ships it as the cluster's default reverse proxy and Ingress Controller, but its dashboard is not reachable out of the box.

1. About IngressRoute

This post uses the IngressRoute custom resource, which requires Traefik 2 or later. For the full configuration reference see the official documentation: https://doc.traefik.io/traefik/v2.5/routing/providers/kubernetes-crd/#kind-ingressroute

2. Configure automatic certificate issuance (optional; this step can be skipped)

# ACME account e-mail address
export MY_ACME_EMAIL=acme@example.org

# Certificate storage: create the hostPath directory on every node and hand it to Traefik's non-root UID (65532);
# the init container runs privileged and uses nsenter to execute the command in the host's mount namespace
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: traefik-preset
  labels:
    app: traefik-preset
  annotations:
    command: &cmd mkdir -p /var/lib/rancher/tls && chown 65532 /var/lib/rancher/tls
spec:
  selector:
    matchLabels:
      app: traefik-preset
  template:
    metadata:
      labels:
        app: traefik-preset
    spec:
      hostNetwork: true
      hostPID: true
      initContainers:
      - name: runner
        command:
          - nsenter
          - --mount=/proc/1/ns/mnt
          - --
          - bash
          - -c
          - *cmd
        image: alpine:3.12
        securityContext:
          privileged: true
      containers:
      - name: sleep
        image: kubernetes/pause
  updateStrategy:
    type: RollingUpdate
EOF

# Patch the traefik deployment: mount the hostPath as the data volume and enable the ACME resolver (TLS-ALPN challenge)
kubectl patch -n kube-system deployments traefik --type 'json' -p '[
  {
    "op" : "replace",
    "path" : "/spec/template/spec/volumes/0",
    "value" : {
        "name" : "data",
        "hostPath" : {
            "path" : "/var/lib/rancher/tls",
            "type" : "DirectoryOrCreate"
        }
    }
  },
  {
    "op" : "add",
    "path" : "/spec/template/spec/containers/0/args/-",
    "value" : "--certificatesresolvers.default.acme.tlschallenge"
  },
  {
    "op" : "add",
    "path" : "/spec/template/spec/containers/0/args/-",
    "value" : "--certificatesresolvers.default.acme.storage=/data/acme.json"
  },
  {
    "op" : "add",
    "path" : "/spec/template/spec/containers/0/args/-",
    "value" : "--certificatesresolvers.default.acme.email='$MY_ACME_EMAIL'"
  }
]'

Remember to change the variable holding the e-mail address to your own.
Some IP ranges in mainland China may fail to obtain a certificate; switch to another and retry.
Certificates are stored in a node-local directory (the hostPath above), so if the traefik pod is rescheduled to another node they will be re-issued.

3. Change the routing configuration so the dashboard is reachable via a custom domain name

# Domain name used to reach the dashboard
export MY_TRAEFIK_HOST=traefik.example.org

# Basic-auth credentials
export MY_AUTH_USERNAME=admin
export MY_AUTH_PASSWORD=PASSW0RD

# Generate the htpasswd entry (apr1-MD5 via openssl) and base64-encode it on a single line for the Secret
export MY_SECRET_CODE=$(printf '%s:%s\n' "$MY_AUTH_USERNAME" "$(printf '%s\n' "$MY_AUTH_PASSWORD" | openssl passwd -stdin -apr1)" | base64 | tr -d '\n')

# Apply the changes
cat <<EOF | kubectl apply -f -
kind: Secret
apiVersion: v1
metadata:
  name: basic-auth
  namespace: kube-system
data:
  users: $MY_SECRET_CODE  # Traefik's CRD basicAuth middleware reads the key named "users"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-basic-auth
  namespace: kube-system
spec:
  basicAuth:
    secret: basic-auth
---
kind: IngressRoute
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: traefik-dashboard
  namespace: kube-system
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(\`$MY_TRAEFIK_HOST\`)
      middlewares:
        - name: traefik-basic-auth
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    certResolver: default
EOF

Remember to change the variables holding the credentials and the domain name.
If you did not configure automatic certificate issuance, delete the two tls lines.
Once applied, the routing configuration can be viewed at https://traefik.example.org
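The one-liner in step 3 is easy to get subtly wrong (wrong Secret key, wrapped base64, stray newlines), so here is an added example, not from the original post, that builds the basicAuth Secret the way Traefik's CRD middleware expects and then verifies that the stored apr1 hash really matches the password. It assumes openssl, base64 and standard POSIX tools are installed; the user name, password and Secret/namespace names are the post's placeholder values.

```shell
#!/bin/sh
# Added example (not from the original post): build the Traefik basicAuth Secret
# and verify the stored hash. Assumes openssl and base64 are on PATH.
set -eu

# htpasswd entry "user:$apr1$salt$hash". The password is fed via stdin so it
# does not show up in the process list as an argument.
htpasswd_line() {
    printf '%s:%s\n' "$1" "$(printf '%s\n' "$2" | openssl passwd -stdin -apr1)"
}

# A Secret's data value must be a single base64 line; GNU base64 wraps at 76
# columns and macOS lacks -w0, so strip the newlines explicitly.
b64_oneline() {
    base64 | tr -d '\n'
}

# Traefik's Kubernetes CRD basicAuth middleware reads the key named "users"
# (not "auth", which is the key other ingress controllers use).
secret_manifest() {   # $1 = secret name, $2 = namespace, $3 = htpasswd entry
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n  users: %s\n' \
        "$1" "$2" "$(printf '%s\n' "$3" | b64_oneline)"
}

# Recompute the apr1 hash using the salt embedded in the stored entry and
# compare; prints "ok" or "mismatch". Feed it the decoded value of
# `kubectl get secret basic-auth -n kube-system -o jsonpath='{.data.users}'`.
verify_htpasswd_line() {   # $1 = "user:$apr1$salt$hash", $2 = candidate password
    stored=${1#*:}
    case "$stored" in \$apr1\$*) ;; *) echo mismatch; return 0 ;; esac
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    recomputed=$(printf '%s\n' "$2" | openssl passwd -stdin -apr1 -salt "$salt")
    if [ "$recomputed" = "$stored" ]; then echo ok; else echo mismatch; fi
}

# Stand-alone usage with the post's variable names (constructed default values).
MY_AUTH_USERNAME=${MY_AUTH_USERNAME:-admin}
MY_AUTH_PASSWORD=${MY_AUTH_PASSWORD:-PASSW0RD}
entry=$(htpasswd_line "$MY_AUTH_USERNAME" "$MY_AUTH_PASSWORD")
secret_manifest basic-auth kube-system "$entry"   # pipe into: kubectl apply -f -
verify_htpasswd_line "$entry" "$MY_AUTH_PASSWORD" # prints: ok
```

After `kubectl apply`, run the decoded `users` value from the live Secret through `verify_htpasswd_line` to confirm the cluster holds the credential you intended.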

Other chapters

Browse the Kubernetes Primer series through this site's tags.

(End of article)