Traefik https with Kubernetes deployment and AWS certificate

Problem description

I am running traefik on AWS via kubernetes. It all works for http, but I can't get https and my http=>https redirect configuration working.

I have the following .toml file:

defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"

With the Kubernetes deployment + service configuration below.

Kubernetes config files:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "3"
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"extensions/v1beta1","kind":"Deployment","metadata":{"annotations":{},"labels":{"k8s-app":"traefik-ingress-lb"},"name":"traefik-ingress-controller","namespace":"kube-system"},"spec":{"replicas":1,"selector":{"matchLabels":{"k8s-app":"traefik-ingress-lb"}},"template":{"metadata":{"labels":{"k8s-app":"traefik-ingress-lb","name":"traefik-ingress-lb"}},"spec":{"containers":[{"args":["--api","--kubernetes","--logLevel=INFO"],"image":"traefik","name":"traefik-ingress-lb","ports":[{"containerPort":80,"name":"http"},{"containerPort":8080,"name":"admin"}]}],"serviceAccountName":"traefik-ingress-controller","terminationGracePeriodSeconds":60}}}}
  creationTimestamp: 2018-07-18T19:39:53Z
  generation: 3
  labels:
    k8s-app: traefik-ingress-lb
  name: traefik-ingress-controller
  namespace: kube-system
  resourceVersion: "624437"
  selfLink: /apis/extensions/v1beta1/namespaces/kube-system/deployments/traefik-ingress-controller
  uid: 58026a2c-8ac2-11e8-bb82-02f2884c3a1c
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      containers:
      - args:
        - --configFile=/conf/traefik.toml
        - --api
        - --kubernetes
        - --logLevel=INFO
        image: traefik
        imagePullPolicy: Always
        name: traefik-ingress-lb
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 8080
          name: admin
          protocol: TCP
        - containerPort: 443
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /conf
          name: config
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: traefik-ingress-controller
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
      - configMap:
          defaultMode: 420
          name: traefik-conf
        name: config
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: 2018-07-18T19:39:54Z
    lastUpdateTime: 2018-07-18T19:39:54Z
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  observedGeneration: 3
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1
  
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"name":"traefik-ingress-service","namespace":"kube-system"},"spec":{"ports":[{"name":"web","port":80,"protocol":"TCP"},{"name":"admin","port":8080,"protocol":"TCP"}],"selector":{"k8s-app":"traefik-ingress-lb"},"type":"NodePort"}}
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-1:735079771029:certificate/sfsg
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
  creationTimestamp: 2018-07-18T19:39:54Z
  name: traefik-ingress-service
  namespace: kube-system
  resourceVersion: "619785"
  selfLink: /api/v1/namespaces/kube-system/services/traefik-ingress-service
  uid: 585294fb-8ac2-11e8-bb82-02f2884c3a1c
spec:
  clusterIP: 100.69.33.166
  externalTrafficPolicy: Cluster
  ports:
  - name: web
    nodePort: 32734
    port: 80
    protocol: TCP
    targetPort: 80
  - name: admin
    nodePort: 32566
    port: 8080
    protocol: TCP
    targetPort: 8080
  - name: https
    nodePort: 32287
    port: 443
    protocol: TCP
    targetPort: 80
  selector:
    k8s-app: traefik-ingress-lb
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer:
    ingress:
    - hostname: blablabla.eu-west-1.elb.amazonaws.com
 

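My http works fine, but my https does not. I get a timeout error. This is strange. I even added a listener on port 443 of my ELB, but it still doesn't work. What do you think?

Tags: amazon-web-services, https, kubernetes, traefik, traefik-ingress

Solution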


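Since you are using an entry point redirect, Traefik redirects the request to the specified entry point (https in your case). Your ELB then listens on https and passes the request to the http entry point on Traefik, which then redirects to https, and so on.

Redirecting to TLS at any layer other than the one terminating TLS is generally a bad idea. If your ELB is terminating the TLS connection, it should be configured to redirect when needed.

Also, since all traffic behind the ELB is http, you can remove the https entry points from traefik, as they will no longer be needed.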
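
The loop described in this answer, modelled as an added example (not part of the original answer and not Traefik or AWS code). The port mappings and the TLS port mirror the manifests in the question; the function names and the host `example.test` are hypothetical.

```python
from urllib.parse import urlsplit

# Service ports from the question: load balancer port -> container targetPort.
SERVICE_PORTS = {80: 80, 8080: 8080, 443: 80}
# aws-load-balancer-ssl-ports: the ELB terminates TLS on these ports.
ELB_TLS_PORTS = {443}
# Traefik entry points by container port, as in the question's .toml.
ENTRYPOINTS = {80: {"name": "http", "redirect": "https"}}


def traefik_response(container_port, entrypoints, host, path):
    """Model the entry point: a redirect to https answers with a Location URL."""
    ep = entrypoints.get(container_port)
    if ep is None:
        return ("timeout", None)  # nothing listens on that container port
    if ep.get("redirect") == "https":
        return (302, f"https://{host}{path}")
    return (200, None)


def follow(url, service_ports, tls_ports, entrypoints, max_hops=5):
    """Follow redirects through ELB -> Service -> Traefik and report the outcome."""
    hops = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        lb_port = parts.port or (443 if parts.scheme == "https" else 80)
        if lb_port not in service_ports:
            return ("no-listener", hops)
        # backend-protocol is http: TLS ends at the ELB, so Traefik only ever
        # sees plain HTTP on whatever targetPort the Service maps to.
        target = service_ports[lb_port]
        status, location = traefik_response(
            target, entrypoints, parts.hostname, parts.path or "/")
        hops.append((url, lb_port in tls_ports, target, status))
        if status != 302:
            return ("ok" if status == 200 else status, hops)
        if location == url:
            return ("redirect-loop", hops)  # redirected to the URL just requested
        url = location
    return ("redirect-loop", hops)


if __name__ == "__main__":
    print(follow("http://example.test/", SERVICE_PORTS, ELB_TLS_PORTS, ENTRYPOINTS))
    # Same request with the redirect removed from the http entry point.
    print(follow("https://example.test/", SERVICE_PORTS, ELB_TLS_PORTS,
                 {80: {"name": "http"}}))
```

Each hop tuple is (requested URL, whether the ELB terminated TLS, container port reached, status returned), which makes it visible that the https request lands on port 80 and is told to go to https again.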

