我已经用让我们加密ACME配置了Traefik(头盔图(,但我没有收到任何证书。Traefik 入口在端口 80 和 443 上暴露给互联网。
traefik.toml
logLevel = "INFO"
InsecureSkipVerify = true
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
compress = true
[entryPoints.https]
address = ":443"
compress = true
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = "/ssl/tls.crt"
KeyFile = "/ssl/tls.key"
[kubernetes]
[acme]
email = "email@email.com"
storage = "/acme/acme.json"
entryPoint = "https"
onHostRule = true
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
acmeLogging = true
[acme.httpChallenge]
entryPoint = "http"
[web]
address = ":8080"
Ingress with Traefik as IngressClass
{
"kind": "Ingress",
"apiVersion": "extensions/v1beta1",
"metadata": {
"name": "domain",
"namespace": "reverse-proxy",
"selfLink": "/apis/extensions/v1beta1/namespaces/reverse-proxy/ingresses/domain",
"uid": "550cdedc-ba77-11e8-8657-00155d00021a",
"resourceVersion": "6393921",
"generation": 5,
"creationTimestamp": "2018-09-17T12:43:52Z",
"annotations": {
"ingress.kubernetes.io/ssl-redirect": "true",
"kubernetes.io/ingress.class": "traefik"
}
},
"spec": {
"tls": [
{
"hosts": [
"domain.com"
],
"secretName": "cert" // without is also not working
}
],
"rules": [
{
"host": "domain.com",
"http": {
"paths": [
{
"backend": {
"serviceName": "domain",
"servicePort": 443
}
}
]
}
},
{
"host": "www.domain.com",
"http": {
"paths": [
{
"backend": {
"serviceName": "www-domain",
"servicePort": 443
}
}
]
}
}
]
},
"status": {
"loadBalancer": {}
}
}
我尝试同时使用 http-01 和 tls-sni-01 challenge。 dns-01 是没有选择的,因为我的 DNS 提供商没有 API。
如何将 letsencrypt 配置注入您的 traefik 入口服务/守护进程?
Traefik 在 Kubernetes Ingress 文档上没有正式的 letsencrypt 功能。但这是一个很好的指南。查找"外部 Traefik 入口控制器",您需要一个 kv 后端来存储您的证书。
您也可以尝试与Traefik一起使用的cert-manager。
目前不建议在 Kubernetes 上使用对 Traefik 的内置 ACME 支持,因为设置故障转移/冗余变得困难。正如Rico所提到的,证书管理器是一个更好的解决方案,也是Traefik团队目前推荐的解决方案:)