This example shows how to get Let's Encrypt certificates for Traefik automatically. The ACME work is done by cert-manager (not by Traefik's built-in ACME resolver): cert-manager obtains the certificate, stores it in a Kubernetes Secret, and a Traefik IngressRoute references that Secret.
First, add the following to Traefik's command-line arguments:
- --providers.kubernetesIngress.ingressClass=traefik-cert-manager
This makes Traefik's Kubernetes Ingress provider handle only Ingress objects with the class traefik-cert-manager. That is the class the HTTP-01 solver below puts on the temporary Ingress it creates for each challenge, so Traefik will route the challenge requests to cert-manager's solver pod. Two things must also be true for this to work: the Kubernetes CRD provider has to be enabled as well, because the IngressRoute and Middleware objects used later are CRDs, and an entrypoint listening on port 80 has to be reachable from the Internet under the certificate's DNS name, because Let's Encrypt validates HTTP-01 by fetching http://<host>/.well-known/acme-challenge/<token>.
Create a backend application, nginx, exposing its port 80. Note that the backend speaks plain HTTP: TLS is terminated at Traefik, and traffic from Traefik to the pod is unencrypted inside the cluster.
Create a ClusterIP Service for it. The IngressRoute further down refers to this Service as ngsvc on port 80 in the namespace lizhe, so use those names or adjust the IngressRoute accordingly.
With that in place, issue the certificate first:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: YOUR
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      # For a ClusterIssuer this Secret lives in cert-manager's own
      # namespace (the "cluster resource namespace"), not in lizhe.
      name: issuer-account-key
    # Add a single challenge solver, HTTP01
    solvers:
    - http01:
        ingress:
          # Must match the ingressClass Traefik was started with above.
          class: traefik-cert-manager
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: golanghelloworld-cert
  namespace: lizhe
spec:
  commonName: nginx.golanghelloworld.com
  # The issued certificate and key are written to this Secret in namespace lizhe.
  secretName: golanghelloworld-cert
  dnsNames:
  - nginx.golanghelloworld.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
Confirm that the certificate was issued successfully:
kubectl describe certificate -n lizhe golanghelloworld-cert
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    84s   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  84s   cert-manager  Stored new private key in temporary Secret resource "golanghelloworld-cert-dr48r"
  Normal  Requested  84s   cert-manager  Created new CertificateRequest resource "golanghelloworld-cert-rq7cc"
  Normal  Issuing    57s   cert-manager  The certificate has been successfully issued
If the last event does not appear, the challenge is usually what failed: check the Order and Challenge objects in the same namespace (kubectl describe order,challenge -n lizhe) and verify that port 80 for the host actually reaches Traefik from outside.
Bind the certificate to the corresponding IngressRoute. The Secret named under tls must be in the same namespace as the IngressRoute:
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: webappingress
  namespace: lizhe
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`nginx.golanghelloworld.com`) && PathPrefix(`/golang`)
    kind: Rule
    services:
    - name: ngsvc
      port: 80
    middlewares:
    - name: golang-stripprefix
  tls:
    secretName: golanghelloworld-cert
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: golang-stripprefix
  namespace: lizhe
spec:
  stripPrefix:
    prefixes:
    - /golang
TLS is now in effect: Traefik terminates HTTPS on the websecure entrypoint with the certificate from the Secret golanghelloworld-cert, strips the /golang prefix, and forwards plain HTTP to ngsvc on port 80. When cert-manager renews the certificate before it expires it rewrites the same Secret, and Traefik picks up the new certificate from there. Note that this IngressRoute only listens on websecure; plain-HTTP requests to the same host and path are not redirected to HTTPS unless you add a separate route or redirect middleware for that.
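The two things worth checking after "TLS is now in effect" are what cert-manager actually put into the Secret (right names, not about to expire) and whether Traefik is really serving that certificate rather than its default self-signed one. The script below is an added example, not code from the original post or from Traefik or cert-manager; it assumes kubectl and openssl 1.1.1 or newer are on PATH, and the namespace, Secret and host names default to the ones used in this post.

```sh
#!/bin/sh
# Added example (not from the original post): verify (1) the certificate that
# cert-manager wrote into the TLS Secret and (2) that Traefik presents that same
# certificate on the websecure entrypoint. Assumes kubectl and openssl (1.1.1+).
set -eu

NS="${NS:-lizhe}"                              # namespace used in the post
SECRET="${SECRET:-golanghelloworld-cert}"      # Certificate.spec.secretName
HOST="${HOST:-nginx.golanghelloworld.com}"     # dnsNames entry / Host() rule
PORT="${PORT:-443}"                            # websecure entrypoint
MIN_DAYS="${MIN_DAYS:-30}"                     # alert threshold before expiry

# Leaf certificate PEM from a kubernetes.io/tls Secret.
secret_cert_pem() {
  kubectl get secret -n "$1" "$2" -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# Leaf certificate PEM that the server presents for the given SNI name.
served_cert_pem() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# DNS SANs of a PEM certificate file, one per line.
cert_dns_sans() {
  openssl x509 -noout -ext subjectAltName -in "$1" \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# 0 if the certificate in file $1 lists DNS name $2 as a SAN.
cert_covers_host() {
  cert_dns_sans "$1" | grep -qx "$2"
}

# 0 if the certificate in file $1 is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# SHA-256 fingerprint of the certificate in file $1 (colon-separated hex).
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# 0 if both PEM files contain the same certificate.
same_cert() {
  [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Check a PEM file for host coverage and remaining lifetime; non-zero on failure.
check_cert_file() {
  pem="$1"; host="$2"; days="$3"; rc=0
  openssl x509 -noout -subject -issuer -dates -in "$pem"
  if cert_covers_host "$pem" "$host"; then
    echo "OK   SAN covers $host"
  else
    echo "FAIL SAN does not cover $host (SANs: $(cert_dns_sans "$pem" | tr '\n' ' '))"
    rc=1
  fi
  if cert_valid_for_days "$pem" "$days"; then
    echo "OK   valid for at least $days more days"
  else
    echo "FAIL expires within $days days"
    rc=1
  fi
  return "$rc"
}

main() {
  tmp="$(mktemp -d)"; trap 'rm -rf "$tmp"' EXIT; fail=0
  secret_cert_pem "$NS" "$SECRET" > "$tmp/secret.pem"
  served_cert_pem "$HOST" "$PORT" > "$tmp/served.pem"
  echo "== Secret $NS/$SECRET"
  check_cert_file "$tmp/secret.pem" "$HOST" "$MIN_DAYS" || fail=1
  echo "== Served by $HOST:$PORT"
  check_cert_file "$tmp/served.pem" "$HOST" "$MIN_DAYS" || fail=1
  if same_cert "$tmp/secret.pem" "$tmp/served.pem"; then
    echo "OK   Traefik serves the cert-manager certificate"
  else
    echo "FAIL served certificate differs from the Secret (Traefik default cert?)"
    fail=1
  fi
  exit "$fail"
}

# Only talk to the cluster when invoked with --run, e.g.: sh check_tls.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

A mismatch in the last check is the classic symptom of a wrong secretName, a Secret in the wrong namespace, or a Host() rule that does not match the SNI name: Traefik then falls back to its own default certificate, and browsers show a warning even though cert-manager reported a successful issuance.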