Traefik configuration: automatically requesting free SSL certificates

Keywords: Web Development SSL Session DNS Kubernetes

What is an SSL certificate?

Secure Sockets Layer (SSL) certificates (sometimes referred to as digital certificates) are used to establish an encrypted connection between a browser or user computer and a server or web site. SSL connections protect sensitive data (such as credit card information) exchanged during each access (called a session) from being intercepted by unauthorized parties.

Goal:

Domain names proxied or served by Traefik must support HTTPS requests.

Test environment

K8s cluster
Alicloud DNS account (needs read/write access to the DNS service), providing:
ALICLOUD_ACCESS_KEY
ALICLOUD_SECRET_KEY

The k8s YAML files are as follows:

Create the user authorization (RBAC)

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-outer-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
    - extensions
    resources:
    - ingresses/status
    verbs:
    - update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-outer-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-outer-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-outer-ingress-controller
  namespace: kube-system

Service configuration

Note: every node that should run Traefik is labeled as follows:
traefik: "traefik-outer"

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-outer-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-outer-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-outer-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-outer-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-outer-ingress-lb
        name: traefik-outer-ingress-lb
    spec:
      serviceAccountName: traefik-outer-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      containers:
      - image: traefik:1.7.19
        name: traefik-outer-ingress-lb
        env:
        - name: ALICLOUD_ACCESS_KEY              # Environment variable ALICLOUD_ACCESS_KEY read by the alidns provider
          value: LTAIxxxxxxxxxxxAYfXqk                 # AccessKey ID of the Alicloud RAM account (redacted); a Secret with secretKeyRef is preferable to a plaintext value
        - name: ALICLOUD_SECRET_KEY              # Environment variable ALICLOUD_SECRET_KEY read by the alidns provider
          value: gfNxxxxxxxxxxxoOslfc                   # AccessKey Secret of the Alicloud RAM account (redacted)
        resources:
          limits:
            cpu: 1000m
            memory: 1024Mi
          requests:
            cpu: 1000m
            memory: 1024Mi
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
        - name: admin
          containerPort: 8080
          hostPort: 8080
        args:
        - --api
        - --kubernetes
        - --configfile=/traefik.toml
        - --insecureskipverify            #If a backend service speaks HTTPS, its certificate is not verified
        - --logLevel=INFO                 #Log level
        - --defaultEntryPoints=http,https #Traefik enables both the HTTP and HTTPS entrypoints
        - --entrypoints=Name:https Address::443 TLS #HTTPS entrypoint listening on port 443 with TLS
        - --entrypoints=Name:http Address::80 #HTTP entrypoint listening on port 80; either this line or the redirecting variant below may be configured, not both
#        - --entrypoints=Name:http Address::80 Redirect.EntryPoint:https #Alternative: HTTP listens on port 80 and redirects all traffic to HTTPS
        - --acme                         #Enable ACME (automatic certificate issuance via Let's Encrypt)
        - --acme.email=kevin@ptcpt.com   #Email address for the ACME account registration
        - --acme.storage=/tmp/acme.json  #ACME account and certificate storage; /tmp inside the container is lost on restart, so certificates are re-requested (see the rate limits below); use persistent storage in production
        - --acme.acmeLogging=true        #Enable ACME logging for troubleshooting
        - --acme.entryPoint=https        #Entrypoint on which ACME certificates are served; must be the TLS entrypoint on port 443
        - --acme.httpchallenge.entrypoint=http    # Entrypoint used for the HTTP-01 challenge (not used when the DNS challenge below is configured)
        - --acme.dnschallenge                     # Validate domain ownership with the DNS-01 challenge
        - --acme.dnschallenge.provider=alidns     # DNS provider that hosts the domains
        - --acme.dnschallenge.delaybeforecheck=5  # Seconds to wait before checking the DNS record
        - --acme.onHostRule=true      #Automatically request a certificate for every new host in Ingress rules on acme.entryPoint
        - --acme.domains=ptmind.com   #Domain to request a certificate for
        - --acme.domains=lingxi365.cn #Domain to request a certificate for
        - --acme.domains=lingxi.link  #Domain to request a certificate for
      nodeSelector:
        traefik: "traefik-outer"
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-outer-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-outer-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 443
      name: https
    - protocol: TCP
      port: 8080
      name: admin
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-outer-web-ui
  namespace: kube-system
spec:
  rules:
  - host: traefik.ptmind.com #Domain name of configuration management page
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-outer-ingress-service
          servicePort: admin

Traefik command

--api --kubernetes --configfile=/traefik.toml --insecureskipverify --logLevel=INFO \
--defaultEntryPoints=http,https '--entrypoints=Name:https Address::443 TLS' \
'--entrypoints=Name:http Address::80' --acme --acme.dnschallenge --acme.email=kevin@ptcpt.com \
--acme.storage=/tmp/acme.json --acme.acmeLogging=true --acme.entryPoint=https --acme.httpchallenge.entrypoint=http \
--acme.dnschallenge.provider=alidns --acme.dnschallenge.delaybeforecheck=5 \
--acme.domains=ptmind.com --acme.domains=lingxi365.cn --acme.domains=lingxi.link \
--acme.onHostRule=true

Explanation of other parameters

entryPoint = "https"
# Enable on-demand certificates. If no certificate exists for a host name, one is requested from Let's Encrypt during the first TLS handshake that presents that host name.
# Warning: fetching the certificate during the first request makes that TLS handshake very slow and opens the door to denial of service (DoS).
# Warning: Let's Encrypt enforces request rate limits: https://letsencrypt.org/docs/rate-limits
onDemand = false
# Enable certificate generation based on frontend Host rules. This generates a Let's Encrypt certificate for each frontend that has a Host rule.
# For example, a frontend with the rule Host:test1.traefik.cn,test2.traefik.cn will request a certificate with main domain test1.traefik.cn and SAN (subject alternative name) test2.traefik.cn.
onHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"
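The same setup expressed as a traefik.toml (the file that --configfile=/traefik.toml points at), as an added example that is not from the original post. It keeps only the DNS-01 challenge, since that is what validates the domains here, and enables the HTTP-to-HTTPS redirect that the DaemonSet leaves commented out; the wildcard SAN on ptmind.com is an assumption, shown because DNS validation is what makes wildcard certificates possible.

```toml
# Traefik 1.7 static configuration equivalent to the DaemonSet args above (added example).
logLevel = "INFO"
defaultEntryPoints = ["http", "https"]
insecureSkipVerify = true        # same as --insecureskipverify: backend HTTPS certs are not verified

[api]                            # dashboard on :8080, published through the traefik-outer-web-ui Ingress

[kubernetes]                     # same as --kubernetes: watch Ingress objects

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]  # plain HTTP is redirected to the TLS entrypoint
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]      # TLS is terminated here; ACME certificates are attached to it

[acme]
email = "kevin@ptcpt.com"
storage = "/tmp/acme.json"       # lost on container restart; mount persistent storage in production
entryPoint = "https"
onHostRule = true                # request a certificate for every Host rule seen in Ingress objects
onDemand = false                 # see the warning above: on-demand issuance slows the first handshake
acmeLogging = true
  [acme.dnsChallenge]
  provider = "alidns"            # reads ALICLOUD_ACCESS_KEY / ALICLOUD_SECRET_KEY from the environment
  delayBeforeCheck = 5           # seconds to wait before checking the TXT record
  [[acme.domains]]
  main = "ptmind.com"
  sans = ["*.ptmind.com"]        # assumption: wildcard SAN, only issuable with the DNS challenge
  [[acme.domains]]
  main = "lingxi365.cn"
  [[acme.domains]]
  main = "lingxi.link"
```

With the DNS challenge configured, no [acme.httpChallenge] section is needed and port 80 only has to serve the redirect.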

Posted by 4rxsid on Thu, 28 Nov 2019 13:21:32 -0800