k3s 内置 traefik 启用自动签发证书及可视化面板
k3s 内置的 Traefik 是一个云原生的新型的 HTTP 反向代理、负载均衡软件,能轻易的部署微服务。k3s 将其作为集群的默认反向代理 和 Ingress Controller,但可视化面板是无法访问的。
1、关于 IngressRoute
本文使用了自定义资源 IngressRoute,依赖 Traefik 2 以上版本。详细配置请参阅官方文档 https://doc.traefik.io/traefik/v2.5/routing/providers/kubernetes-crd/#kind-ingressroute
2、配置自动签发证书参数(非必要,可以忽略此步骤)
请注意修改邮箱对应的变量值
国内部分IP段可能无法正常签发,可更换后再试
证书存储在临时目录,traefik节点迁移会导致证书重签
# 证书邮箱
export [email protected]
# 证书存储
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: traefik-preset
labels:
app: traefik-preset
annotations:
command: &cmd mkdir -p /var/lib/rancher/tls && chown 65532 /var/lib/rancher/tls
spec:
selector:
matchLabels:
app: traefik-preset
template:
metadata:
labels:
app: traefik-preset
spec:
hostNetwork: true
hostPID: true
initContainers:
- name: runner
command:
- nsenter
- --mount=/proc/1/ns/mnt
- --
- bash
- -c
- *cmd
image: alpine:3.12
securityContext:
privileged: true
containers:
- name: sleep
image: kubernetes/pause
updateStrategy:
type: RollingUpdate
EOF
# 修改参数
kubectl patch -n kube-system deployments traefik --type 'json' -p '[
{
"op" : "replace",
"path" : "/spec/template/spec/volumes/0",
"value" : {
"name" : "data",
"hostPath" : {
"path" : "/var/lib/rancher/tls",
"type" : "DirectoryOrCreate"
},
}
},
{
"op" : "add",
"path" : "/spec/template/spec/containers/0/args/-",
"value" : "--certificatesresolvers.default.acme.tlschallenge"
},
{
"op" : "add",
"path" : "/spec/template/spec/containers/0/args/-",
"value" : "--certificatesresolvers.default.acme.storage=/data/acme.json"
},
{
"op" : "add",
"path" : "/spec/template/spec/containers/0/args/-",
"value" : "--certificatesresolvers.default.acme.email='$MY_ACME_EMAIL'"
}
]'3、修改系统路由配置,使其可通过自定义域名访问
请注意修改认证信息和域名对应的变量值
若未配置自动签发证书,请删除tls的两行配置
配置完成后,可以通过https://traefik.example.org查看路由配置
# 访问域名
export MY_TRAEFIK_HOST=traefik.example.org
# 认证信息
export MY_AUTH_USERNAME=admin
export MY_AUTH_PASSWORD=PASSW0RD
# 生成密钥
export MY_SECRET_CODE=`echo $MY_AUTH_USERNAME:$(echo $MY_AUTH_PASSWORD | openssl passwd -stdin -apr1) | base64`
# 应用变更
cat <<EOF | kubectl apply -f -
kind: Secret
apiVersion: v1
metadata:
name: basic-auth
namespace: kube-system
data:
auth: $MY_SECRET_CODE
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: traefik-basic-auth
namespace: kube-system
spec:
basicAuth:
secret: basic-auth
---
kind: IngressRoute
apiVersion: traefik.containo.us/v1alpha1
metadata:
name: traefik-dashboard
namespace: kube-system
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(\`$MY_TRAEFIK_HOST\`)
middlewares:
- name: traefik-basic-auth
services:
- name: api@internal
kind: TraefikService
tls:
certResolver: default
EOF实战应用
根据本站Tag查阅 《Kubernetes 领进门》 系列文章