部署traefik并實現http和https訪問

一、背景

1.????? rancher、kubernetes-dashboard等應用需要通過https方式訪問，所以此次部署將開啟traefik對https的支持。

2.????? 基于之前的rancher HA是部署在cattle-system命名空間下的，所以此次同樣將traefik部署在cattle-system命名空間下，并且使用同樣的tls證書。

二、traefik部署

1.? 創建RBAC策略，為service account授權

????????????RBAC清單文件traefik-rbac.yaml如下：

---
apiVersion:?v1
kind:?ServiceAccount
metadata:
??name:?traefik-ingress-controller
??namespace:?cattle-system
---
kind:?ClusterRole
apiVersion:?rbac.authorization.k8s.io/v1
metadata:
??name:?traefik-ingress-controller
rules:
??-?apiGroups:
??????-?""
????resources:
??????-?services
??????-?endpoints
??????-?secrets
????verbs:
??????-?get
??????-?list
??????-?watch
??-?apiGroups:
??????-?extensions
????resources:
??????-?ingresses
????verbs:
??????-?get
??????-?list
??????-?watch
---
kind:?ClusterRoleBinding
apiVersion:?rbac.authorization.k8s.io/v1
metadata:
??name:?traefik-ingress-controller
roleRef:
??apiGroup:?rbac.authorization.k8s.io
??kind:?ClusterRole
??name:?traefik-ingress-controller
subjects:
-?kind:?ServiceAccount
??name:?traefik-ingress-controller
??namespace:?cattle-system

???????? ?應用清單文件

[root@k8s-master03?traefik]#?kubectl?apply?-f?traefik-rbac.yaml
serviceaccount/traefik-ingress-controller?created
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller?created
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller?created

2.? 使用DamonSet控制器部署traefik

????????????damonset清單文件traefik-ds.yaml如下：

---
kind:?ConfigMap
apiVersion:?v1
metadata:
??name:?traefik-conf
??namespace:?cattle-system
data:
??traefik.toml:?|
????insecureSkipVerify?=?true
????defaultEntryPoints?=?["http","https"]
????[entryPoints]
??????[entryPoints.http]
??????address?=?":80"
??????[entryPoints.https]
??????address?=?":443"
????????[entryPoints.https.tls]
??????????[[entryPoints.https.tls.certificates]]
??????????CertFile?=?"/ssl/tls.crt"
??????????KeyFile?=?"/ssl/tls.key"
---
kind:?DaemonSet
apiVersion:?extensions/v1beta1
metadata:
??name:?traefik-ingress-controller
??namespace:?cattle-system
??labels:
????k8s-app:?traefik-ingress-lb
spec:
??template:
????metadata:
??????labels:
????????k8s-app:?traefik-ingress-lb
????????name:?traefik-ingress-lb
????spec:
??????serviceAccountName:?traefik-ingress-controller
??????terminationGracePeriodSeconds:?60
??????hostNetwork:?true
??????volumes:
??????-?name:?ssl
????????secret:
??????????secretName:?tls-rancher-ingress
??????-?name:?config
????????configMap:
??????????name:?traefik-conf
??????containers:
??????-?image:?traefik
????????name:?traefik-ingress-lb
????????ports:
????????-?name:?http
??????????containerPort:?80
??????????hostPort:?80
????????-?name:?admin
??????????containerPort:?8080
????????securityContext:
??????????privileged:?true
????????args:
????????-?--configfile=/config/traefik.toml
????????-?-d
????????-?--web
????????-?--kubernetes
????????volumeMounts:
????????-?mountPath:?"/ssl"
??????????name:?"ssl"
????????-?mountPath:?"/config"
??????????name:?"config"
---
kind:?Service
apiVersion:?v1
metadata:
??name:?traefik-ingress-service
??namespace:?cattle-system
spec:
??selector:
????k8s-app:?traefik-ingress-lb
??ports:
????-?protocol:?TCP
??????port:?80
??????name:?web
????-?protocol:?TCP
??????port:?8080
??????name:?admin
????-?protocol:?TCP
??????port:?443
??????name:?https
??#type:?NodePort

????????????應用清單文件

[root@k8s-master03?traefik]#?kubectl?apply?-f?traefik-ds.yaml
configmap/traefik-conf?created
daemonset.extensions/traefik-ingress-controller?created
service/traefik-ingress-service?created

3.? 為traefik UI配置轉發

????????????ingress清單文件traefik-ui.yaml如下：

apiVersion:?v1
kind:?Service
metadata:
??name:?traefik-web-ui
??namespace:?cattle-system
spec:
??selector:
????k8s-app:?traefik-ingress-lb
??ports:
??-?name:?web
????port:?80
????targetPort:?8080
---
apiVersion:?extensions/v1beta1
kind:?Ingress
metadata:
??name:?traefik-web-ui
??namespace:?cattle-system
spec:
??rules:
??-?host:?traefik-ui.sumapay.com
????http:
??????paths:
??????-?path:?/
????????backend:
??????????serviceName:?traefik-web-ui
??????????servicePort:?web

????????????應用清單文件

[root@k8s-master03?traefik]#?kubectl?apply?-f?traefik-ui.yaml
service/traefik-web-ui?created
ingress.extensions/traefik-web-ui?created

?4.查看

[root@k8s-master01?~]#?kubectl?get?pods?-n?cattle-system
NAME????????????????????????????????????READY???STATUS????RESTARTS???AGE
cattle-cluster-agent-594b8f79bb-pgmdt???1/1?????Running???5??????????11d
cattle-node-agent-lg44f?????????????????1/1?????Running???0??????????11d
cattle-node-agent-zgdms?????????????????1/1?????Running???5??????????11d
rancher2-9774897c-622sc?????????????????1/1?????Running???0??????????9d
rancher2-9774897c-czxxx?????????????????1/1?????Running???0??????????9d
rancher2-9774897c-sm2n5?????????????????1/1?????Running???1??????????9d
traefik-ingress-controller-hj9nc????????1/1?????Running???0??????????142m
traefik-ingress-controller-vxcgt????????1/1?????Running???0??????????142m
?
[root@k8s-master01?~]#?kubectl?get?svc?-n?cattle-system???
NAME??????????????????????TYPE????????CLUSTER-IP??????EXTERNAL-IP???PORT(S)???????????????????AGE
rancher2??????????????????ClusterIP???10.111.16.80????<none>????????80/TCP????????????????????9d
traefik-ingress-service???ClusterIP???10.111.121.27???<none>????????80/TCP,8080/TCP,443/TCP???143m
traefik-web-ui????????????ClusterIP???10.103.112.22???<none>????????80/TCP????????????????????136m
?
[root@k8s-master01?~]#?kubectl?get?ingress?-n?cattle-system??
NAME?????????????HOSTS????????????????????ADDRESS???PORTS?????AGE
rancher2?????????rancher.sumapay.com????????????????80,?443???9d
traefik-web-ui???traefik-ui.sumapay.com?????????????80????????137m

?

將域名映射到外部負載均衡IP后，就可以通過域名訪問traefik UI和rancher HA服務了。