我在自己管理的kubernetes集群中安装了traefik 2.2,并支持Let's Encrypt。
到目前为止一切正常。但在我看来,入口路由的配置仍然很笨拙。只有当我定义了两个IntgresRoutes时,它才有效——一个用于HTTP,带有重定向到https的中间件,另一个用于https。所以我的对象看起来是这样的:
# Middleware for Redirect http -> https
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: https-redirect
spec:
redirectScheme:
scheme: https
# IngressRoute http for a simple whoami service
---
kind: IngressRoute
apiVersion: traefik.containo.us/v1alpha1
metadata:
name: whoami-notls
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`mydomain.foo.com`)
kind: Rule
services:
- name: whoami
port: 8080
# redirect http to https
middlewares:
- name: https-redirect
# IngresRoute https
---
kind: IngressRoute
apiVersion: traefik.containo.us/v1alpha1
metadata:
name: whoami-tls
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`mydomain.foo.com`)
kind: Rule
services:
- name: whoami
port: 8080
tls:
certResolver: default
有没有一种更简单的方法可以简单地告诉traefik,在任何情况下,我的服务(正在8080端口上侦听(都应该重定向到HTTPS。为什么我的设置中需要两个独立的ingresRoutes?
在traefik 2.2。有这样的东西:
kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
name: foo
namespace: bar
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web, websecure
traefik.ingress.kubernetes.io/router.middlewares: redirect-http@kuberntes-crd
spec:
rules:
- host: foo.com
http:
paths:
- path: ""
backend:
serviceName: service1
servicePort: 80
它看起来很简单。但这对我来说不起作用——traefik没有认识到这种Ingress配置。
在Traefik.io团队的帮助下,我现在解决了这个问题:
要在Ingress中使用traefik注释,请确保在部署对象中添加了"kubernetesingress"提供程序:
...
spec:
containers:
- args:
- --api
....
- --providers.kubernetescrd=true
- --providers.kubernetesingress=true
....
对于从HTTP到HTTPS的全局重定向,您也可以在traefik deplyment对象中配置它:
# permanent redirecting of all requests on http (80) to https (443)
- --entrypoints.web.http.redirections.entryPoint.to=websecure
- --entrypoints.websecure.http.tls.certResolver=default
现在,您可以用一种简单的方式配置入口:
kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
name: myingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web, websecure
spec:
rules:
- host: example.foo.com
http:
paths:
- path: /
backend:
serviceName: whoami
servicePort: 80
另请参阅我最近的博客文章。