I am having trouble exposing a service over both http and https with traefik 2.9 in Kubernetes. The http endpoint sort of works, and I somehow introduced a CORS error while trying to add https, but that is not my main concern. The https ingress is broken and I cannot find any reason why it does not work. The traefik pod logs no errors, and the dotnet service is not receiving the requests. Also, both routes show up in the dashboard, and websecure is shown with TLS enabled.
I am leaving out the ClusterRole, ServiceAccount and ClusterRoleBinding, since I believe they are configured correctly: the http route would not work otherwise.
Traefik configuration:
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-deployment
  labels:
    app: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-account
      containers:
        - name: traefik
          image: traefik:v2.9
          args:
            - --api.insecure
            - --providers.kubernetesingress
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.address=:443
            - --entrypoints.websecure.http.tls
          ports:
            - name: web
              containerPort: 80
            - name: dashboard
              containerPort: 8080
            - name: websecure
              containerPort: 443
Traefik services:
apiVersion: v1
kind: Service
metadata:
  name: traefik-dashboard-service
spec:
  type: LoadBalancer
  ports:
    - port: 8080
      targetPort: dashboard
  selector:
    app: traefik
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-service
spec:
  type: LoadBalancer
  loadBalancerIP: 10.10.1.38
  ports:
    - targetPort: web
      port: 80
      name: http
    - targetPort: websecure
      port: 443
      name: https
  selector:
    app: traefik
TLS secret:
apiVersion: v1
data:
  comptech.pem: <contents of pem file base64 encoded>
  comptech.crt: <contents of crt file base64 encoded>
  comptech.key: <contents of key file base64 encoded>
kind: Secret
metadata:
  name: comptech-cert
  namespace: default
type: Opaque
Web app service:
apiVersion: v1
kind: Service
metadata:
  name: control-api-service
spec:
  ports:
    - name: http
      port: 80
      targetPort: 5000
      protocol: TCP
    - name: https
      port: 443
      targetPort: 5000
      protocol: TCP
  selector:
    app: control-api
Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: control-api-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
    - host: sub.domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: control-api-service
                port:
                  name: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: control-api-secure-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  rules:
    - host: sub.domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: control-api-service
                port:
                  name: https
  tls:
    - secretName: comptech-cert
I hope someone with more traefik/tls experience can quickly see what I am doing wrong. Any input is greatly appreciated!
Update: the firewall only allowed http traffic. We reconfigured it to support https, and it then responded with Traefik's default certificate. So I can reach the container, but tls is still not configured with the certificate I provided.
- The pem file is not needed, and the crt file had been generated incorrectly with openssl; the command that worked for me was:
openssl crl2pkcs7 -nocrl -certfile comptech.pem | openssl pkcs7 -print_certs -out cert.crt
- Pointing at the https port of the control api service does not work; it has to be changed to http
- The traefik deployment needs a config map in order to work:
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-config
  labels:
    name: traefik-config
  namespace: default
data:
  dyn.yaml: |
    # https://doc.traefik.io/traefik/https/tls/
    tls:
      stores:
        default:
          defaultCertificate:
            certFile: '/certs/tls.crt'
            keyFile: '/certs/tls.key'
- Finally, the configmap and the secret must be used in the traefik deployment as follows:
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-deployment
  labels:
    app: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-account
      containers:
        - name: traefik
          image: traefik:v2.9
          args:
            - --api.insecure
            - --providers.kubernetesingress
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.address=:443
            - --entrypoints.websecure.http.tls
            - --providers.file.filename=/config/dyn.yaml
          ports:
            - name: web
              containerPort: 80
            - name: dashboard
              containerPort: 8080
            - name: websecure
              containerPort: 443
          volumeMounts:
            - name: comptech-cert-volume
              mountPath: /certs
            - name: traefik-config-volume
              mountPath: /config
      volumes:
        - name: comptech-cert-volume
          secret:
            secretName: comptech-cert
        - name: traefik-config-volume
          configMap:
            name: traefik-config
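The failure modes the update walks through (a .crt that is not a PEM certificate, a Secret whose key names do not match the certFile/keyFile paths in dyn.yaml, a certificate that does not cover the routed host) can all be caught before the Secret is created. The following pre-flight script is an added example, not code from the original post; it assumes openssl 1.1.1+ on PATH, and the host name and file names it uses are constructed for the demo.

```shell
#!/bin/sh
# Added pre-flight checks for a cert/key pair destined for the Secret Traefik
# serves from. Not from the original post. Assumes openssl 1.1.1+ on PATH;
# host names and file names below are constructed for the demo.

# Is the file really a PEM certificate? (The post's first .crt was not.)
is_pem_cert() { openssl x509 -in "$1" -noout >/dev/null 2>&1; }

# Does the private key belong to the leaf certificate? Derive the public key
# (SPKI) from each side and compare; a mismatch means Traefik cannot load the pair.
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Does the leaf cover the routed host (CN or SAN)? With sniStrict: true Traefik
# rejects a handshake whose SNI matches no certificate, so this must hold.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q " does match"
}

# Do the Secret's data keys match the basenames of certFile/keyFile in dyn.yaml?
# The post mounted a Secret with comptech.crt/comptech.key at /certs while the
# ConfigMap pointed at /certs/tls.crt and /certs/tls.key, so the files Traefik
# looked for did not exist. (The Ingress provider's own `tls.secretName` path
# likewise reads the tls.crt and tls.key keys of a kubernetes.io/tls Secret.)
secret_matches_config() {  # $1 secret manifest, $2 dyn.yaml
  for opt in certFile keyFile; do
    f=$(sed -n "s/.*$opt: *['\"]\{0,1\}\([^'\" ]*\).*/\1/p" "$2" | head -n 1)
    [ -n "$f" ] || return 1
    grep -q "^ *$(basename "$f"):" "$1" || return 1
  done
}

# Constructed sample input: a self-signed leaf with a SAN, written as tls.crt
# and tls.key so it can go straight into `kubectl create secret tls`.
make_selfsigned() {  # $1 output dir, $2 host
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" -keyout "$1/tls.key" -out "$1/tls.crt" \
    >/dev/null 2>&1
}
```

Run the four checks against the real certificate, key, Secret manifest and dyn.yaml; each function returns non-zero on the condition it names, so the script composes with `set -e` in a deploy pipeline.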
In my setup I use the IngressRoute CRD implementation from Traefik. The CRDs were installed automatically when I set up the Traefik controller with Helm.
Is it possible that you are using this in your setup? You can check whether the CRDs already exist on your k8s cluster with the following command.
kubectl get crd
Below is a snippet from one of my projects, where I also use a custom wildcard certificate from a secret with the IngressRoute manifest.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: blue-api-ingressroute
spec:
  entryPoints:
    - websecure
  routes:
    - match: "Host(`blue.domain.com`) && PathPrefix(`/swagger`)"
      kind: Rule
      services:
        - name: blue-api-svc
          port: 80
  tls:
    secretName: bluecert
You can also include the other custom resources Traefik provides. The full set of available configuration can be seen here. For example, below is the same snippet with Middleware and TLSOption resources added to harden the endpoint.
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: tlsoptions
spec:
  minVersion: VersionTLS12
  cipherSuites:
    # CBC suite; Go's crypto/tls lists it among the insecure suites, so drop
    # it unless a legacy client still needs it.
    - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    - TLS_AES_256_GCM_SHA384
    - TLS_AES_128_GCM_SHA256
    - TLS_CHACHA20_POLY1305_SHA256
    - TLS_FALLBACK_SCSV
  curvePreferences:
    - CurveP521
    - CurveP384
  sniStrict: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: security
spec:
  headers:
    frameDeny: true
    sslRedirect: true
    browserXssFilter: true
    contentTypeNosniff: true
    stsIncludeSubdomains: true
    stsPreload: true
    stsSeconds: 31536000
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: blue-api-ingressroute
spec:
  entryPoints:
    - websecure
  routes:
    - match: "Host(`blue.domain.com`) && PathPrefix(`/swagger`)"
      kind: Rule
      services:
        - name: blue-api-svc
          port: 80
      middlewares:
        - name: security
  tls:
    secretName: bluecert
    options:
      name: tlsoptions