I can't expose a service over both http and https with traefik 2.9 in Kubernetes. The http endpoint kind of works; as soon as I try to add https I somehow introduce CORS errors, but that is not my main concern. The https ingress is broken and I can't find any indication of why it doesn't work. The traefik pod logs no errors and the dotnet service never receives the request. Also, both routes show up in the dashboard and websecure is shown with TLS enabled.
The ClusterRole, ServiceAccount and ClusterRoleBinding are not included because I believe they are configured correctly: if they weren't, the http route wouldn't work either.
Traefik config:
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-deployment
  labels:
    app: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-account
      containers:
        - name: traefik
          image: traefik:v2.9
          args:
            # --api.insecure serves the dashboard and API on :8080 without authentication;
            # the LoadBalancer Service below then exposes it outside the cluster.
            - --api.insecure
            - --providers.kubernetesingress
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.address=:443
            - --entrypoints.websecure.http.tls
          ports:
            - name: web
              containerPort: 80
            - name: dashboard
              containerPort: 8080
            - name: websecure
              containerPort: 443
Traefik services:
apiVersion: v1
kind: Service
metadata:
  name: traefik-dashboard-service
spec:
  type: LoadBalancer
  ports:
    - port: 8080
      targetPort: dashboard
  selector:
    app: traefik
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-service
spec:
  type: LoadBalancer
  loadBalancerIP: 10.10.1.38
  ports:
    - targetPort: web
      port: 80
      name: http
    - targetPort: websecure
      port: 443
      name: https
  selector:
    app: traefik
TLS secret:
apiVersion: v1
data:
  comptech.pem: <contents of pem file base64 encoded>
  comptech.crt: <contents of crt file base64 encoded>
  comptech.key: <contents of key file base64 encoded>
kind: Secret
metadata:
  name: comptech-cert
  namespace: default
type: Opaque
dotnet app service:
apiVersion: v1
kind: Service
metadata:
  name: control-api-service
spec:
  ports:
    - name: http
      port: 80
      targetPort: 5000
      protocol: TCP
    - name: https
      port: 443
      targetPort: 5000
      protocol: TCP
  selector:
    app: control-api
Ingresses:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: control-api-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
    - host: sub.domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: control-api-service
                port:
                  name: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: control-api-secure-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  rules:
    - host: sub.domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: control-api-service
                port:
                  name: https
  tls:
    - secretName: comptech-cert
I hope someone with more traefik/tls experience will quickly spot what I'm doing wrong. Any input is much appreciated!
Update: the firewall only allowed http traffic. We reconfigured it to allow https and it now responds with Traefik's default certificate. So I can reach the container, but tls is still not configured with the certificate I provided.
Reply from a uj5u.com community member:
- The pem file is not needed, and the crt file had been generated incorrectly with openssl. The command that worked for me was:
  openssl crl2pkcs7 -nocrl -certfile comptech.pem | openssl pkcs7 -print_certs -out cert.crt
- Pointing at the https port of control-api-service does not work; it has to be changed to http.
- A ConfigMap has to be created for the traefik deployment for it to work properly:
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: traefik-config
    labels:
      name: traefik-config
    namespace: default
  data:
    dyn.yaml: |
      # https://doc.traefik.io/traefik/https/tls/
      tls:
        stores:
          default:
            defaultCertificate:
              certFile: '/certs/tls.crt'
              keyFile: '/certs/tls.key'
- Finally, the configmap and the secret have to be used in the traefik deployment, like so:
  kind: Deployment
  apiVersion: apps/v1
  metadata:
    name: traefik-deployment
    labels:
      app: traefik
  spec:
    replicas: 1
    selector:
      matchLabels:
        app: traefik
    template:
      metadata:
        labels:
          app: traefik
      spec:
        serviceAccountName: traefik-account
        containers:
          - name: traefik
            image: traefik:v2.9
            args:
              - --api.insecure
              - --providers.kubernetesingress
              - --entrypoints.web.address=:80
              - --entrypoints.websecure.address=:443
              - --entrypoints.websecure.http.tls
              - --providers.file.filename=/config/dyn.yaml
            ports:
              - name: web
                containerPort: 80
              - name: dashboard
                containerPort: 8080
              - name: websecure
                containerPort: 443
            volumeMounts:
              - name: comptech-cert-volume
                mountPath: /certs
              - name: traefik-config-volume
                mountPath: /config
        volumes:
          - name: comptech-cert-volume
            secret:
              secretName: comptech-cert
          - name: traefik-config-volume
            configMap:
              name: traefik-config
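Two pre-flight checks that catch the Secret/config mismatches visible in this thread, written as an added example (Python, standard library only) and not code from the question, the answer, or Traefik itself. First, Traefik's Kubernetes Ingress provider loads the certificate named in spec.tls[].secretName from the Secret's tls.crt and tls.key data keys, the same keys the API server requires on a kubernetes.io/tls Secret; the question's Secret only carries comptech.pem/comptech.crt/comptech.key. Second, a file-provider defaultCertificate pointing at /certs/tls.crt only resolves if the Secret volume mounted at /certs contains a data key literally named tls.crt, because each key becomes one file named after it. The Secret manifest and defaultCertificate block are constructed inline with placeholder PEM bodies (no real key material), and the function names (check_ingress_tls_secret, check_file_provider_paths, as_tls_secret) are this example's own.

```python
import base64
import re

# Constructed sample data: placeholder PEM bodies, not real key material.
FAKE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBfakecertbody==\n-----END CERTIFICATE-----\n"
FAKE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIBfakekeybody==\n-----END PRIVATE KEY-----\n"


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Same shape as the Secret in the question: type Opaque, keys named after the files.
QUESTION_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {"name": "comptech-cert", "namespace": "default"},
    "data": {
        "comptech.pem": b64(FAKE_CERT_PEM),
        "comptech.crt": b64(FAKE_CERT_PEM),
        "comptech.key": b64(FAKE_KEY_PEM),
    },
}

# The defaultCertificate block from the answer's dyn.yaml and the mountPath it relies on.
ANSWER_DEFAULT_CERT = {"certFile": "/certs/tls.crt", "keyFile": "/certs/tls.key"}
ANSWER_MOUNT_PATH = "/certs"

PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z ]+)-----")
KEY_TYPES = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_type(secret: dict, key: str):
    """Base64-decode one data entry and return its first PEM label, or None."""
    try:
        raw = base64.b64decode(secret["data"][key], validate=True)
    except (KeyError, ValueError):
        return None
    m = PEM_HEADER.search(raw)
    return m.group(1).decode() if m else None


def check_ingress_tls_secret(secret: dict) -> list:
    """Findings for a Secret referenced from Ingress spec.tls[].secretName.
    Traefik's Kubernetes Ingress provider reads the data keys tls.crt and tls.key;
    type kubernetes.io/tls additionally makes the API server enforce both keys."""
    findings = []
    name = secret["metadata"]["name"]
    if secret.get("type") != "kubernetes.io/tls":
        findings.append(f"{name}: type is {secret.get('type')!r}, expected kubernetes.io/tls")
    if pem_type(secret, "tls.crt") != "CERTIFICATE":
        findings.append(f"{name}: data.tls.crt missing or not a PEM CERTIFICATE")
    if pem_type(secret, "tls.key") not in KEY_TYPES:
        findings.append(f"{name}: data.tls.key missing or not a PEM private key")
    return findings


def check_file_provider_paths(secret: dict, mount_path: str, default_cert: dict) -> list:
    """Findings for a file-provider tls.stores.default.defaultCertificate whose
    certFile/keyFile point into a Secret volume: every data key becomes one file
    named exactly like the key under mount_path, so the basename must be a key."""
    findings = []
    keys = set(secret.get("data", {}))
    prefix = mount_path.rstrip("/") + "/"
    for field in ("certFile", "keyFile"):
        path = default_cert[field]
        if not path.startswith(prefix):
            findings.append(f"{field}={path} is outside the Secret mount {mount_path}")
            continue
        basename = path[len(prefix):]
        if basename not in keys:
            findings.append(f"{field}={path}: Secret has no key {basename!r}, only {sorted(keys)}")
    return findings


def as_tls_secret(secret: dict, crt_key: str, key_key: str) -> dict:
    """Rewrite an Opaque Secret into the kubernetes.io/tls shape both consumers accept."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": dict(secret["metadata"]),
        "data": {"tls.crt": secret["data"][crt_key], "tls.key": secret["data"][key_key]},
    }


if __name__ == "__main__":
    for f in check_ingress_tls_secret(QUESTION_SECRET):
        print("ingress:", f)
    for f in check_file_provider_paths(QUESTION_SECRET, ANSWER_MOUNT_PATH, ANSWER_DEFAULT_CERT):
        print("file-provider:", f)
    fixed = as_tls_secret(QUESTION_SECRET, "comptech.crt", "comptech.key")
    print("after rewrite:", check_ingress_tls_secret(fixed)
          + check_file_provider_paths(fixed, ANSWER_MOUNT_PATH, ANSWER_DEFAULT_CERT))
```

Run against the question's Secret, the first check reports three findings (type, missing tls.crt, missing tls.key) and the second reports two (neither /certs/tls.crt nor /certs/tls.key exists in the mount); after as_tls_secret both lists are empty, which is why a Secret created with `kubectl create secret tls` works for both the Ingress spec.tls reference and the answer's file-provider store without renaming anything.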
Please credit the source when reproducing; original link: https://www.uj5u.com/yidong/515432.html
