amazon-web-services - Traefik https 通过 kubernetes 部署和 AWS 认证
问题描述
我正在通过 kubernetes 在 AWS 上运行 traefik。这一切都适用于 http,但无法获取 https 和我的 http=>https 重定向配置。
我有以下 .toml 文件
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
使用下面的 Kubernetes 部署 + 服务配置。
Kubernetes 配置文件:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "3"
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"extensions/v1beta1","kind":"Deployment","metadata":{"annotations":{},"labels":{"k8s-app":"traefik-ingress-lb"},"name":"traefik-ingress-controller","namespace":"kube-system"},"spec":{"replicas":1,"selector":{"matchLabels":{"k8s-app":"traefik-ingress-lb"}},"template":{"metadata":{"labels":{"k8s-app":"traefik-ingress-lb","name":"traefik-ingress-lb"}},"spec":{"containers":[{"args":["--api","--kubernetes","--logLevel=INFO"],"image":"traefik","name":"traefik-ingress-lb","ports":[{"containerPort":80,"name":"http"},{"containerPort":8080,"name":"admin"}]}],"serviceAccountName":"traefik-ingress-controller","terminationGracePeriodSeconds":60}}}}
creationTimestamp: 2018-07-18T19:39:53Z
generation: 3
labels:
k8s-app: traefik-ingress-lb
name: traefik-ingress-controller
namespace: kube-system
resourceVersion: "624437"
selfLink: /apis/extensions/v1beta1/namespaces/kube-system/deployments/traefik-ingress-controller
uid: 58026a2c-8ac2-11e8-bb82-02f2884c3a1c
spec:
replicas: 1
selector:
matchLabels:
k8s-app: traefik-ingress-lb
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
k8s-app: traefik-ingress-lb
name: traefik-ingress-lb
spec:
containers:
- args:
- --configFile=/conf/traefik.toml
- --api
- --kubernetes
- --logLevel=INFO
image: traefik
imagePullPolicy: Always
name: traefik-ingress-lb
ports:
- containerPort: 80
name: http
protocol: TCP
- containerPort: 8080
name: admin
protocol: TCP
- containerPort: 443
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /conf
name: config
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: traefik-ingress-controller
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 60
volumes:
- configMap:
defaultMode: 420
name: traefik-conf
name: config
status:
availableReplicas: 1
conditions:
- lastTransitionTime: 2018-07-18T19:39:54Z
lastUpdateTime: 2018-07-18T19:39:54Z
message: Deployment has minimum availability.
reason: MinimumReplicasAvailable
status: "True"
type: Available
observedGeneration: 3
readyReplicas: 1
replicas: 1
updatedReplicas: 1
---
apiVersion: v1
kind: Service
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"name":"traefik-ingress-service","namespace":"kube-system"},"spec":{"ports":[{"name":"web","port":80,"protocol":"TCP"},{"name":"admin","port":8080,"protocol":"TCP"}],"selector":{"k8s-app":"traefik-ingress-lb"},"type":"NodePort"}}
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-1:735079771029:certificate/sfsg
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
creationTimestamp: 2018-07-18T19:39:54Z
name: traefik-ingress-service
namespace: kube-system
resourceVersion: "619785"
selfLink: /api/v1/namespaces/kube-system/services/traefik-ingress-service
uid: 585294fb-8ac2-11e8-bb82-02f2884c3a1c
spec:
clusterIP: 100.69.33.166
externalTrafficPolicy: Cluster
ports:
- name: web
nodePort: 32734
port: 80
protocol: TCP
targetPort: 80
- name: admin
nodePort: 32566
port: 8080
protocol: TCP
targetPort: 8080
- name: https
nodePort: 32287
port: 443
protocol: TCP
targetPort: 80
selector:
k8s-app: traefik-ingress-lb
sessionAffinity: None
type: LoadBalancer
status:
loadBalancer:
ingress:
- hostname: blablabla.eu-west-1.elb.amazonaws.com
我的 http 工作正常,但我的 https 不工作。我有一个超时错误。这很奇怪。我什至在我的 ELB 的端口 443 上添加了一个侦听器,但仍然无法正常工作。你们有什么感想 ?
解决方案
由于您使用的是入口点重定向,因此 Traefik 会将请求重定向到指定的入口点(在您的情况下为 https)。然后你的 ELB 监听 https,并将请求传递到 Traefik 上的 http 入口点,然后重定向到 https 等。
在终止 TLS 的层之外的任何其他层重定向到 TLS 通常是一个坏主意。如果您的 ELB 正在终止 TLS 连接,则应将其配置为在需要时重定向。
此外,由于您在 ELB 后面拥有所有流量 http,因此您可以从 traefik 中删除 https 入口点,因为它们将不再需要。
推荐阅读
- android - MotionLayout:点击和触摸在运动场景中的转换中不起作用(Youtube 播放器,如 UI)
- ipad - 当多个连接的场景在前台处于活动状态时获取当前聚焦的 UIScene
- python - 为现有项目结构创建 setup.py
- javascript - 在对象数组中查找路径
- node.js - 获取始终每 10 秒更改一次的 JSON 响应(实时车辆位置)
- sockets - python3.7中未知的名称或服务
- ruby-on-rails - 使用 -curl 请求
- php - 触发事件后如何触发发布方法?
- c - 为什么函数指针不被视为指向函数?
- mysql - MySQL:无法在单个查询中删除多条记录