kubernetes - 如何使用 Traefik 和 Kubernetes 创建到正在侦听 Https 的服务的 HTTPS 路由
问题描述
我是 Kubernetes 和 Traefik 的新手。
我跟进该教程: https ://docs.traefik.io/user-guides/crd-acme/
我将其更改为在 Scala 中使用我的服务,它位于 https 和 9463 端口下。我正在尝试使用 kubernetes 和 traefik 部署我的 Scala 服务。
当我直接转发到服务时:
kubectl port-forward service/core-service 8001:9463
我执行curl -k 'https://localhost:8001/health':
我明白了"{Message:Ok}"
但是当我执行端口转发到 traefik
kubectl port-forward service/traefik 9463:9463 -n default
并执行一个curl -k 'https://ejemplo.com:9463/tls/health'
我得到一个"Internal server error"
我想问题是我的“核心服务”正在侦听 HTTPS 协议,这就是我添加的内容scheme:https。我试图通过文档找到解决方案,但它令人困惑。
这些是我的 yml 文件:
服务.yaml
apiVersion: v1
kind: Service
metadata:
name: traefik
spec:
ports:
- protocol: TCP
name: admin
port: 8080
- protocol: TCP
name: websecure
port: 9463
selector:
app: traefik
---
apiVersion: v1
kind: Service
metadata:
name: core-service
spec:
ports:
- protocol: TCP
name: websecure
port: 9463
selector:
app: core-service
部署.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: default
name: traefik-ingress-controller
---
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: default
name: traefik
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-ingress-controller
containers:
- name: traefik
image: traefik:v2.0
args:
- --api.insecure
- --accesslog
- --entrypoints.websecure.Address=:9463
- --providers.kubernetescrd
- --certificatesresolvers.default.acme.tlschallenge
- --certificatesresolvers.default.acme.email=foo@you.com
- --certificatesresolvers.default.acme.storage=acme.json
# Please note that this is the staging Let's Encrypt server.
# Once you get things working, you should remove that whole line altogether.
- --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
ports:
- name: websecure
containerPort: 9463
- name: admin
containerPort: 8080
---
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: default
name: core-service
labels:
app: core-service
spec:
replicas: 1
selector:
matchLabels:
app: core-service
template:
metadata:
labels:
app: core-service
spec:
containers:
- name: core-service
image: core-service:0.1.4-SNAPSHOT
ports:
- name: websecure
containerPort: 9463
livenessProbe:
httpGet:
port: 9463
scheme: HTTPS
path: /health
initialDelaySeconds: 10
IngressRoute2.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutetls
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`ejemplo.com`) && PathPrefix(`/tls`)
kind: Rule
services:
- name: core-service
port: 9463
scheme: https
tls:
certResolver: default
解决方案
从文档
默认情况下,TLS 路由器将终止 TLS 连接。但是,可以指定 passthrough 选项来设置请求是否应“按原样”转发,保持所有数据加密。
在您的情况下,需要启用 SSL Passthrough,因为 pod 需要 HTTPS 流量。
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutetls
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`ejemplo.com`) && PathPrefix(`/tls`)
kind: Rule
services:
- name: core-service
port: 9463
scheme: https
tls:
certResolver: default
passthrough: true
推荐阅读
- haskell - 递归函数如何在 Haskell 中工作
- javascript - 如何以这种形式将 HTML 与 Javascript 分开?
- loops - 这段代码的归纳不变量是什么?
- spring-boot - Spring Boot - Tomcat - Apache2 - HTTP 503 错误 - ProxyIOBufferSize
- javascript - “x”不是函数
- azure - Azure 函数:具有不同身份验证的多个函数
- docker - 如何从 Docker 容器连接到远程服务
- swift - 从 UIDatePicker 警报中获取选定的日期
- java - Log4j2 - 无法将日志写入文件
- python - Keras:model.prediction 与 model.evaluation 损失不匹配