K3S Notes: Some Research on Traefik Ingress

HTTP Access

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`tfk.example.com`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService

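HTTPS Access (Automatic Certificate Issuance)

This requires changing the configuration of the traefik deployment. There are many ways to do that; I prefer editing the deployment with kubectl edit deployment traefik -n kube-system. You can also use the command written by an expert, but the principle is the same either way.

The expert's command: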

# Set the email address used for certificates
MY_ACME_EMAIL=acme@example.org

# Patch the deployment arguments
# (the single-quoted JSON is closed around "$MY_ACME_EMAIL" so that the shell expands it)
kubectl patch -n kube-system deployments traefik --type 'json' -p '[
  {
    "op" : "add",
    "path" : "/spec/template/spec/containers/0/args/-",
    "value" : "--certificatesresolvers.default.acme.tlschallenge"
  },
  {
    "op" : "add",
    "path" : "/spec/template/spec/containers/0/args/-",
    "value" : "--certificatesresolvers.default.acme.email='"$MY_ACME_EMAIL"'"
  },
  {
    "op" : "add",
    "path" : "/spec/template/spec/containers/0/args/-",
    "value" : "--certificatesresolvers.default.acme.storage=/data/acme.json"
  }
]'

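The default in these arguments is just the resolver's name; it can be any other name, as long as the certResolver field of the IngressRoute uses the same one.

Modify the IngressRoute from the previous section: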

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`tfk.example.com`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    certResolver: default

Automatic HTTP-to-HTTPS Redirect

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: http2https
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`tfk.example.com`)
      kind: Rule
      middlewares:
        - name: http2https
      services:
        - name: api@internal
          kind: TraefikService
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-tls
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`tfk.example.com`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    certResolver: default

Simple Login Authentication

apiVersion: v1
kind: Secret
type: kubernetes.io/basic-auth
metadata:
  name: basic-auth
  namespace: default
stringData:
  username: qianyang
  password: "112358"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-basic-auth
  namespace: default
spec:
  basicAuth:
    secret: basic-auth
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: http2https
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`tfk.example.com`)
      kind: Rule
      middlewares:
        - name: http2https
      services:
        - name: api@internal
          kind: TraefikService
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-tls
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`tfk.example.com`)
      kind: Rule
      middlewares:
        - name: traefik-basic-auth
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    certResolver: default

Accessing the Kubernetes Dashboard

kind: ServersTransport
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: kubernetes-dashboard-transport
  namespace: kubernetes-dashboard
spec:
  insecureSkipVerify: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: board-tls
  namespace: kubernetes-dashboard
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`dashboard.example.com`)
      kind: Rule
      services:
        - name: kubernetes-dashboard
          port: 443
          serversTransport: kubernetes-dashboard-transport
  tls:
    certResolver: default
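
The ServersTransport above sets insecureSkipVerify: true, so Traefik does not verify the dashboard's certificate on the hop from Traefik to the backend. The following is an added example, not part of the original post, of the same transport with verification kept on. It assumes the dashboard serves a certificate issued by an internal CA; the Secret name dashboard-ca and the serverName value are hypothetical.

```yaml
# Added example, not from the original post.
# Assumptions: the dashboard serves a certificate issued by an internal CA;
# "dashboard-ca" and the serverName value are hypothetical and must be adapted.
apiVersion: v1
kind: Secret
metadata:
  name: dashboard-ca
  namespace: kubernetes-dashboard
stringData:
  # PEM certificate of the CA that signed the dashboard's serving certificate.
  ca.crt: |
    <PEM-ENCODED-CA-CERTIFICATE-PLACEHOLDER>
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: kubernetes-dashboard-transport
  namespace: kubernetes-dashboard
spec:
  # Before (as on the page): verification disabled for the Traefik -> dashboard hop.
  #   insecureSkipVerify: true
  # After: verify the backend certificate against the CA in the Secret above.
  rootCAsSecrets:
    - dashboard-ca
  # Name expected in the backend certificate's SAN (assumed value).
  serverName: kubernetes-dashboard.kubernetes-dashboard.svc
```

The IngressRoute on the page references the transport by name and needs no change.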