Traefik TLS configuration
Posted by ericnie's tech blog
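Production deployments mostly use F5 + Traefik. Because Traefik's SSL handling is comparatively slow, SSL is usually terminated on the F5, while traffic from the F5 to Traefik and on to the backends is plain HTTP.
The customer, however, needs to use SSL directly in the development and test environments, so Traefik itself has to be configured for it.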
Create the secret
kubectl create secret generic traefik-cert --from-file=ca-key.pem --from-file=ca.pem -n kube-system
Create the configmap (contents of traefik.toml, followed by the command)
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/ca.pem"
      KeyFile = "/ssl/ca-key.pem"
kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
The Ingress.yaml file
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: traefik-ingress-lb
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      restartPolicy: Always
      serviceAccountName: ingress
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        resources:
          limits:
            cpu: 200m
            memory: 30Mi
          requests:
            cpu: 100m
            memory: 20Mi
        ports:
        - containerPort: 80
        - containerPort: 443
        - containerPort: 8580
        args:
        - --web.address=:8580
        - --web
        - --kubernetes
        - --configfile=/config/traefik.toml
---
kind: Service
apiVersion: v1
metadata:
  name: traefik
  namespace: kube-system
spec:
  type: NodePort
  ports:
  - protocol: TCP
    port: 80
    name: http
  - protocol: TCP
    port: 443
    name: https
  selector:
    k8s-app: traefik-ingress-lb
Test
curl -k https://...
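The three steps above only work together if the file names given to --from-file, the /ssl mount path in the Deployment and the CertFile/KeyFile paths in traefik.toml all agree, since each --from-file name becomes a file of that name under the mount path. The following pre-flight check is an added example, not part of the original post; the function names tls_paths and check_tls_refs are made up for it, and it assumes one CertFile/KeyFile entry per line in traefik.toml.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check that the files
# traefik.toml points at will exist once the secret is mounted into the pod.

# Print the CertFile/KeyFile values found in a traefik.toml.
tls_paths() {
    sed -n -E 's/^[[:space:]]*([Cc]ert|[Kk]ey)File[[:space:]]*=[[:space:]]*"([^"]*)".*/\2/p' "$1"
}

# check_tls_refs TOML MOUNT NAME...
# NAME... are the file names given to `kubectl create secret --from-file=`;
# each becomes a key in the secret and a file of that name under MOUNT.
check_tls_refs() {
    toml=$1; mount=${2%/}; shift 2
    paths=$(tls_paths "$toml")
    if [ -z "$paths" ]; then
        echo "no CertFile/KeyFile entries in $toml" >&2; return 1
    fi
    rc=0
    for p in $paths; do
        found=no
        for name in "$@"; do
            if [ "$p" = "$mount/$name" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then
            echo "MISSING: $p is not among the files mounted at $mount" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the TLS part of the traefik.toml shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
    [[entryPoints.https.tls.certificates]]
    CertFile = "/ssl/ca.pem"
    KeyFile = "/ssl/ca-key.pem"
EOF

# Names and mount path as used in the kubectl command and Deployment above.
if check_tls_refs "$sample" /ssl ca-key.pem ca.pem; then
    echo "OK: traefik.toml matches the traefik-cert secret layout"
fi
```

Run it against the real traefik.toml before creating the configmap; a non-zero exit means Traefik would start with a CertFile or KeyFile path that does not exist in the container.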