千家信息网

Deploying Traefik with HTTP and HTTPS access

Published: 2025-02-04  Author: 千家信息网 editor

I. Background

1. Applications such as Rancher and kubernetes-dashboard must be reached over HTTPS, so this deployment enables HTTPS support in Traefik.

2. The earlier Rancher HA setup lives in the cattle-system namespace, so Traefik is deployed into cattle-system as well and reuses the same TLS secret (tls-rancher-ingress). That secret's certificate is the only one Traefik will serve on port 443, so every hostname routed through it (here rancher.sumapay.com and traefik-ui.sumapay.com) must be covered by that certificate, either directly or by a wildcard.

II. Deploying Traefik

1. Create the RBAC policy and authorize the service account

The RBAC manifest traefik-rbac.yaml is as follows. Note that the ClusterRole grants read access to secrets cluster-wide: Traefik needs it to load TLS secrets referenced by Ingress objects, but it also means a compromised Traefik pod can read every secret in the cluster, so keep this service account confined to the Traefik pods.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: cattle-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
rules:
  # services/endpoints for routing, secrets for the TLS material referenced by Ingresses
  # (read access is cluster-wide, not limited to cattle-system)
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  # Traefik 1.x watches Ingress objects in the extensions API group
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: cattle-system

Apply the manifest:

[root@k8s-master03 traefik]# kubectl apply -f traefik-rbac.yaml
serviceaccount/traefik-ingress-controller created
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created

2. Deploy Traefik with a DaemonSet controller

The DaemonSet manifest traefik-ds.yaml is as follows. Two points worth checking before applying it: the image tag is pinned to Traefik 1.x, because the flags used here (--web, --kubernetes, -d, --configfile) are 1.x flags and an untagged image pulls the latest major version, which does not accept them; and insecureSkipVerify only affects connections Traefik makes to HTTPS backends, which this setup does not have, so it can be dropped rather than left on globally.

---
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-conf
  namespace: cattle-system
data:
  traefik.toml: |
    # Global switch: Traefik skips certificate verification when it talks to HTTPS
    # backends. Both backends here (rancher2, traefik-web-ui) are plain HTTP, so this
    # setting is not needed; remove it rather than leave backend TLS unverified.
    insecureSkipVerify = true
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          # the only certificate served on :443, taken from the tls-rancher-ingress secret
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: cattle-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      volumes:
      - name: ssl
        secret:
          secretName: tls-rancher-ingress
      - name: config
        configMap:
          name: traefik-conf
      containers:
      # pinned to 1.x: the args below are Traefik 1.x flags; an untagged "traefik" pulls latest
      - image: traefik:v1.7
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
        - name: admin
          containerPort: 8080
        securityContext:
          # not required to bind 80/443 under hostNetwork (the image runs as root); drop if possible
          privileged: true
        args:
        - --configfile=/config/traefik.toml
        - -d
        - --web          # dashboard/API on :8080, unauthenticated
        - --kubernetes
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: cattle-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
    - protocol: TCP
      port: 443
      name: https
  #type: NodePort

Apply the manifest:

[root@k8s-master03 traefik]# kubectl apply -f traefik-ds.yaml
configmap/traefik-conf created
daemonset.extensions/traefik-ingress-controller created
service/traefik-ingress-service created

3. Route traffic to the Traefik UI

The Ingress manifest traefik-ui.yaml is as follows. It exposes the Traefik dashboard and API (port 8080, enabled by --web) to anyone who can resolve traefik-ui.sumapay.com, with no authentication. Traefik 1.x can protect an Ingress with basic auth through the ingress.kubernetes.io/auth-type: basic and ingress.kubernetes.io/auth-secret annotations (the secret holds an htpasswd file under the key auth); add that, or keep this Ingress off any public load balancer.

apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: cattle-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: cattle-system
spec:
  rules:
  - host: traefik-ui.sumapay.com
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web

Apply the manifest:

[root@k8s-master03 traefik]# kubectl apply -f traefik-ui.yaml
service/traefik-web-ui created
ingress.extensions/traefik-web-ui created

4. Verify

[root@k8s-master01 ~]# kubectl get pods -n cattle-system
NAME                                    READY   STATUS    RESTARTS   AGE
cattle-cluster-agent-594b8f79bb-pgmdt   1/1     Running   5          11d
cattle-node-agent-lg44f                 1/1     Running   0          11d
cattle-node-agent-zgdms                 1/1     Running   5          11d
rancher2-9774897c-622sc                 1/1     Running   0          9d
rancher2-9774897c-czxxx                 1/1     Running   0          9d
rancher2-9774897c-sm2n5                 1/1     Running   1          9d
traefik-ingress-controller-hj9nc        1/1     Running   0          142m
traefik-ingress-controller-vxcgt        1/1     Running   0          142m

[root@k8s-master01 ~]# kubectl get svc -n cattle-system
NAME                      TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                   AGE
rancher2                  ClusterIP   10.111.16.80    <none>        80/TCP                    9d
traefik-ingress-service   ClusterIP   10.111.121.27   <none>        80/TCP,8080/TCP,443/TCP   143m
traefik-web-ui            ClusterIP   10.103.112.22   <none>        80/TCP                    136m

[root@k8s-master01 ~]# kubectl get ingress -n cattle-system
NAME             HOSTS                    ADDRESS   PORTS     AGE
rancher2         rancher.sumapay.com                80, 443   9d
traefik-web-ui   traefik-ui.sumapay.com             80        137m

Once the two hostnames are mapped to the external load balancer IP, the Traefik UI and the Rancher HA service are reachable by name. The https entrypoint answers every hostname with the single certificate from tls-rancher-ingress, so https://traefik-ui.sumapay.com validates in a browser only if that certificate covers traefik-ui.sumapay.com (a wildcard for sumapay.com or an explicit SAN); otherwise clients will see a name-mismatch warning even though the listener is up.
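The check described above, as an added example that is not part of the original post: a POSIX shell script that pulls tls.crt and tls.key out of the secret Traefik mounts at /ssl, confirms the two belong together, and confirms the certificate covers each hostname routed through Traefik (exact SAN or single-label wildcard, the rule TLS clients apply). It assumes openssl and kubectl are on PATH; the namespace, secret name and hostnames are the ones used in this post.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight check for the TLS secret that
# traefik-ds.yaml mounts at /ssl: do tls.crt and tls.key match, and does the certificate
# cover every hostname Traefik will serve on :443? Assumes openssl and kubectl on PATH.
set -eu

# Decode one field of a kubernetes.io/tls secret to stdout.
# The key is passed jsonpath-escaped, e.g. 'tls\.crt'.
secret_field() {
  kubectl -n "$1" get secret "$2" -o "jsonpath={.data.$3}" | base64 -d
}

# Succeeds when the public key embedded in the certificate equals the public key
# derived from the private key, i.e. the pair in the secret belongs together.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Print the DNS names from the certificate's subjectAltName extension, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS://p'
}

# Succeeds when the certificate covers the hostname: an exact SAN, or a wildcard SAN
# matching exactly one label (*.sumapay.com covers a.sumapay.com, but neither
# sumapay.com nor a.b.sumapay.com), which is what browsers enforce.
cert_covers_host() {
  host=$2
  parent=${host#*.}
  for san in $(cert_dns_names "$1"); do
    [ "$san" = "$host" ] && return 0
    [ "$parent" != "$host" ] && [ "$san" = "*.$parent" ] && return 0
  done
  return 1
}

# Full check against a live cluster: prints each problem and returns non-zero if any.
check_secret_for_hosts() {
  ns=$1; secret=$2; shift 2
  tmp=$(mktemp -d)
  secret_field "$ns" "$secret" 'tls\.crt' > "$tmp/tls.crt"
  secret_field "$ns" "$secret" 'tls\.key' > "$tmp/tls.key"
  rc=0
  cert_matches_key "$tmp/tls.crt" "$tmp/tls.key" \
    || { echo "tls.crt and tls.key in $ns/$secret do not match"; rc=1; }
  for h in "$@"; do
    cert_covers_host "$tmp/tls.crt" "$h" \
      || { echo "certificate in $ns/$secret does not cover $h"; rc=1; }
  done
  rm -rf "$tmp"
  return $rc
}

# Usage: sh check-tls-secret.sh run   (the hostnames below are the ones from this post)
if [ "${1-}" = "run" ]; then
  check_secret_for_hosts cattle-system tls-rancher-ingress \
    rancher.sumapay.com traefik-ui.sumapay.com
fi
```

Run it before applying traefik-ui.yaml; a "does not cover traefik-ui.sumapay.com" line means the reused Rancher certificate is not a wildcard and a second certificate (or a new one with both SANs) is needed before the UI hostname will validate over HTTPS.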
