K8S cluster Ingress HTTPS in practice

This article describes in detail how to configure HTTPS for Ingress with Traefik in a Kubernetes environment, covering certificate management, HTTP-to-HTTPS redirection and virtual host (TLS SNI) support.

The previous article used Ingress with Traefik to split static and dynamic traffic at the entry point; this article builds on that setup and adds HTTPS to the Ingress.

For simplicity and efficiency, once applications are deployed as containers it is recommended to terminate (offload) HTTPS at the Ingress layer. In plain terms: the connection from the user to the Ingress uses HTTPS, and the connection from the Ingress to the backend service uses plain HTTP.

Our requirements for the HTTPS configuration are fairly simple:
1. HTTP is redirected to HTTPS automatically
2. HTTPS supports virtual hosts (TLS SNI)

I. Initial environment preparation

1. To keep the test simple, remove the routing rules for the dynamic part of the website configured in the previous article and keep only the static part.
2. Configure the hosts resolution records.
3. Test HTTP access.

II. Prepare the certificate files and the configuration file

1. The four certificate files (certificate and private key for each of the two sites) are kept together in a single Secret.

# kubectl create secret generic traefik-cert --from-file=star_59iedu_com.key  \
--from-file=star_59iedu_com.pem  \
--from-file=star_yingjigl_com.key  \
--from-file=star_yingjigl_com.pem -n kube-system

2. Configure HTTP-to-HTTPS redirection and, at the same time, support multiple HTTPS virtual hosts (TLS SNI). Traefik selects the certificate by the server name the client sends in the TLS handshake, so each wildcard certificate serves its own domain from the same entry point.

# cat traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/star_59iedu_com.pem"
      keyFile = "/ssl/star_59iedu_com.key"
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/star_yingjigl_com.pem"
      keyFile = "/ssl/star_yingjigl_com.key"
# kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system


III. Modify the Traefik deployment file

The main change is adding the config and ssl volumes; the rest of the configuration (RBAC, Service, Ingress and so on) stays the same. See the previous article for the details: http://blog.51cto.com/ylw6006/2073718

# cat traefik-deployment.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 2
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      hostNetwork: true
      nodeSelector:
        traefik: proxy
      terminationGracePeriodSeconds: 60
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert    # the certificate/key files, mounted at /ssl
      - name: config
        configMap:
          name: traefik-conf          # traefik.toml, mounted at /config
      containers:
      - image: traefik:v1.7   # pinned to a 1.x image: traefik.toml and the --web flags are Traefik 1.x syntax
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        ports:
        - name: web
          containerPort: 80
          hostPort: 80
        - name: websecure       # the https entry point bound in traefik.toml
          containerPort: 443
          hostPort: 443
        - name: admin
          containerPort: 8081
        args:
        - --configfile=/config/traefik.toml
        - --web
        - --web.address=:8081
        - --kubernetes
# kubectl apply -f traefik-deployment.yaml


IV. Access test and verification

[screenshots of the HTTPS access test omitted]

Reference:
Other requirements, such as gzip compression, TLS versions and cipher suites, and rewrite redirection, can also be configured by following this document:
https://docs.traefik.io/configuration/entrypoints/#basic

V. Other requirements

1. Use a single, unified entry address.
2. Support both HTTP and HTTPS access by default.
3. Redirect HTTP requests to HTTPS only where the actual situation and requirements call for it.
4. Be compatible with backend services that themselves serve HTTPS (the dashboard is used as the example here).

Note that Traefik 1.x treats a service port of 443 as an HTTPS backend, and that `insecureSkipVerify = true` in the configuration below turns off certificate verification for every HTTPS backend, not only the dashboard; it is acceptable only on a trusted cluster network.

# cat traefik.toml
insecureSkipVerify = true   # backend (dashboard) TLS certificates are not verified
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    regex = "^http://k8s.59iedu.com/(.*)"
    replacement = "https://k8s.59iedu.com/$1"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/star_59iedu_com.pem"
      keyFile = "/ssl/star_59iedu_com.key"
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/star_yingjigl_com.pem"
      keyFile = "/ssl/star_yingjigl_com.key"
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/star_huilearning_com.pem"
      keyFile = "/ssl/star_huilearning_com.key"
# cat dashboard-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  annotations:
    ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  rules:
  - host: k8s.59iedu.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
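As an added example (it is not code from the original post or from Traefik), the script below reads the two traefik.toml variants from sections II and V with a minimal parser for just the TOML subset those files use, lists the settings a reviewer would flag (the regex-scoped redirect that leaves the other hosts on plain HTTP, and insecureSkipVerify), and rewrites sample URLs the way each http entry point's redirect rule would. The configuration strings are constructed copies of the post's files; keys are lower-cased to mirror Traefik 1.x's case-insensitive key matching, which is why CertFile and certFile both worked in the post.

```python
import re

# Constructed copy of the first traefik.toml in the post: every http request is redirected.
CONFIG_REDIRECT_ALL = """defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/star_59iedu_com.pem"
      KeyFile = "/ssl/star_59iedu_com.key"
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/star_yingjigl_com.pem"
      keyFile = "/ssl/star_yingjigl_com.key"
"""

# Constructed copy of the second traefik.toml: one host is redirected, backend certs are not verified.
CONFIG_REDIRECT_ONE_HOST = """insecureSkipVerify = true
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    regex = "^http://k8s.59iedu.com/(.*)"
    replacement = "https://k8s.59iedu.com/$1"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/star_59iedu_com.pem"
      keyFile = "/ssl/star_59iedu_com.key"
"""


def _descend(node, path):
    """Walk (and create) nested tables; an array of tables resolves to its last element."""
    for part in path:
        node = node.setdefault(part.lower(), {})
        if isinstance(node, list):
            node = node[-1]
    return node


def _parse_value(raw):
    if raw.startswith("["):  # array of quoted strings, e.g. ["http","https"]
        return [_parse_value(v.strip()) for v in raw.strip("[]").split(",") if v.strip()]
    if raw.startswith('"'):
        return raw[1:-1]
    return raw == "true" if raw in ("true", "false") else raw


def parse_traefik_toml(text):
    """Minimal parser for the TOML subset in these files; keys are lower-cased (Traefik 1.x style)."""
    root = {}
    current = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[["):  # array-of-tables header
            path = line.strip("[]").split(".")
            current = {}
            _descend(root, path[:-1]).setdefault(path[-1].lower(), []).append(current)
        elif line.startswith("["):  # table header
            current = _descend(root, line.strip("[]").split("."))
        else:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = _parse_value(value.strip())
    return root


def lint_config(cfg):
    """Return the findings a reviewer would raise about the TLS setup."""
    findings = []
    if cfg.get("insecureskipverify"):
        findings.append("insecureSkipVerify=true: no backend certificate is verified")
    eps = cfg.get("entrypoints", {})
    redirect = eps.get("http", {}).get("redirect")
    if not redirect:
        findings.append("no http->https redirect on the http entry point")
    elif "regex" in redirect:
        findings.append("redirect is regex-scoped: unmatched hosts stay on plain http")
    for cert in eps.get("https", {}).get("tls", {}).get("certificates", []):
        if not (cert.get("certfile") and cert.get("keyfile")):
            findings.append("certificate entry is missing certFile or keyFile")
    return findings


def apply_redirect(cfg, url):
    """Rewrite a plain-http URL the way the http entry point's redirect rule would."""
    redirect = cfg["entrypoints"]["http"].get("redirect", {})
    if "regex" in redirect:
        # Traefik's replacement uses Go's $1 group syntax; Python's re wants \1.
        repl = re.sub(r"\$(\d+)", r"\\\1", redirect["replacement"])
        return re.sub(redirect["regex"], repl, url)  # unchanged when the regex does not match
    if redirect.get("entrypoint", "").lower() == "https":
        return re.sub(r"^http://", "https://", url)
    return url


if __name__ == "__main__":
    for name, text in (("all hosts", CONFIG_REDIRECT_ALL), ("one host", CONFIG_REDIRECT_ONE_HOST)):
        cfg = parse_traefik_toml(text)
        print(name, "->", lint_config(cfg) or "no findings")
        for url in ("http://www.59iedu.com/index.html", "http://k8s.59iedu.com/api/v1"):
            print("   ", url, "=>", apply_redirect(cfg, url))
```

Running it shows that the first configuration redirects every host and raises no findings, while the second redirects only k8s.59iedu.com, leaves www.59iedu.com on plain HTTP, and is flagged for insecureSkipVerify.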


### Deploying a Zookeeper cluster on Kubernetes

#### Create a namespace

To manage resources better, define a namespace dedicated to the Zookeeper cluster before creating any other objects.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: zookeeper-cluster
```

#### Prepare a Headless Service

Following best practice, prepare a headless Service for the Zookeeper cluster; this lets clients reach each node by Pod name[^3].

```yaml
apiVersion: v1
kind: Service
metadata:
  name: zookeeper-headless
  namespace: zookeeper-cluster
spec:
  clusterIP: None
  ports:
  - port: 2181
    targetPort: client
  - port: 2888
    targetPort: follower
  - port: 3888
    targetPort: leader-election
  selector:
    app: zookeeper
```

#### Define the StatefulSet

Because Zookeeper depends on stable network identities, a `StatefulSet` is the recommended way to deploy it. Each instance gets a unique host name, which is important for building distributed applications.

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: zk
  namespace: zookeeper-cluster
spec:
  serviceName: "zookeeper-headless"
  replicas: 3
  selector:
    matchLabels:
      app: zookeeper
  template:
    metadata:
      labels:
        app: zookeeper
    spec:
      containers:
      - name: zookeeper
        image: wurstmeister/zookeeper
        env:
        - name: ZOOKEEPER_CLIENT_PORT
          value: "2181"
        - name: ZOOKEEPER_SERVER_ID
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        ports:
        - containerPort: 2181
          name: client
        - containerPort: 2888
          name: follower
        - containerPort: 3888
          name: leader-election
```

#### Set up the Ingress controller

To let external traffic reach any member of the Zookeeper cluster, Ingress rules can provide load balancing. Note, however, that by default most Ingress controllers do not forward TCP/UDP requests to backend servers, so an additional service entry that supports those protocols has to be configured.

For HTTP(S)-style API endpoints, a standard Ingress resource like the following can be written directly:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: zookeeper-ingress
  namespace: zookeeper-cluster
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"  # if applicable
spec:
  rules:
  - host: zk.example.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: zookeeper-headless
            port:
              number: 2181
```

However, since real-world applications usually prefer to connect directly to a specific broker rather than go through a reverse-proxy layer, the approach above is not necessarily the best solution. In that case, consider exposing the required ports to outside callers through a NodePort or LoadBalancer type Service[^4].