
Deploy traefik and achieve http and https access

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

I. Background

1. Applications such as rancher and kubernetes-dashboard need to be accessed via https, so this deployment enables https support in traefik.

2. Rancher HA was previously deployed under the cattle-system namespace, so traefik is also deployed under the cattle-system namespace this time and uses the same TLS certificate.

II. traefik deployment

1. Create an RBAC policy to authorize the service account

The RBAC manifest file traefik-rbac.yaml is as follows:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: cattle-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
rules:
  # Read-only access, cluster-wide, to the objects traefik watches (includes Secrets)
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
# Bind the ClusterRole to the service account in cattle-system
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: cattle-system

Apply the manifest file:

[root@k8s-master03 traefik]# kubectl apply -f traefik-rbac.yaml
serviceaccount/traefik-ingress-controller created
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created

2. Deploy traefik using the DaemonSet controller

The DaemonSet manifest file traefik-ds.yaml is as follows:

---
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-conf
  namespace: cattle-system
data:
  traefik.toml: |
    # Accept backend TLS certificates without verifying them
    insecureSkipVerify = true
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          # Certificate and key come from the mounted tls-rancher-ingress secret
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: cattle-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      # The pod uses the node's network namespace, so its ports listen on the node IP
      hostNetwork: true
      volumes:
      - name: ssl
        secret:
          secretName: tls-rancher-ingress
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8080
        # The container runs privileged on the node
        securityContext:
          privileged: true
        args:
        - --configfile=/config/traefik.toml
        - -d
        - --web
        - --kubernetes
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: cattle-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
    - protocol: TCP
      port: 443
      name: https
  #type: NodePort

Apply the manifest file:

[root@k8s-master03 traefik]# kubectl apply -f traefik-ds.yaml
configmap/traefik-conf created
daemonset.extensions/traefik-ingress-controller created
service/traefik-ingress-service created

3. Configure forwarding for the traefik UI

The ingress manifest file traefik-ui.yaml is as follows:

apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: cattle-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: cattle-system
spec:
  rules:
  - host: traefik-ui.sumapay.com
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web

Apply the manifest file:

[root@k8s-master03 traefik]# kubectl apply -f traefik-ui.yaml
service/traefik-web-ui created
ingress.extensions/traefik-web-ui created

4. Check

[root@k8s-master01 ~]# kubectl get pods -n cattle-system
NAME                                    READY   STATUS    RESTARTS   AGE
cattle-cluster-agent-594b8f79bb-pgmdt   1/1     Running   5          11d
cattle-node-agent-lg44f                 1/1     Running   0          11d
cattle-node-agent-zgdms                 1/1     Running   5          11d
rancher2-9774897c-622sc                 1/1     Running   0          9d
rancher2-9774897c-czxxx                 1/1     Running   0          9d
rancher2-9774897c-sm2n5                 1/1     Running   1          9d
traefik-ingress-controller-hj9nc        1/1     Running   0          142m
traefik-ingress-controller-vxcgt        1/1     Running   0          142m

[root@k8s-master01 ~]# kubectl get svc -n cattle-system
NAME                      TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                   AGE
rancher2                  ClusterIP   10.111.16.80                  80/TCP                    9d
traefik-ingress-service   ClusterIP   10.111.121.27                 80/TCP,8080/TCP,443/TCP   143m
traefik-web-ui            ClusterIP   10.103.112.22                 80/TCP                    136m

[root@k8s-master01 ~]# kubectl get ingress -n cattle-system
NAME             HOSTS                    ADDRESS   PORTS     AGE
rancher2         rancher.sumapay.com                80, 443   9d
traefik-web-ui   traefik-ui.sumapay.com             80        137m

After mapping the domain name to the external Load Balancer IP, traefik UI and rancher HA services are accessible through the domain name.
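
Added example (not part of the original article): a static check that flags the security-relevant settings in the ConfigMap and DaemonSet of traefik-ds.yaml so they can be reviewed before the manifest is applied. SAMPLE is constructed from the page's manifests, reduced to the checked fields, and the finding names are this example's own.

```python
# Constructed sample: the page's ConfigMap and DaemonSet, reduced to the checked
# fields and written as the dicts that `kubectl get -o json` output parses into.
SAMPLE = [
    {"kind": "ConfigMap", "metadata": {"name": "traefik-conf"},
     "data": {"traefik.toml": 'insecureSkipVerify = true\n[entryPoints.http]\naddress = ":80"\n'}},
    {"kind": "DaemonSet", "metadata": {"name": "traefik-ingress-controller"},
     "spec": {"template": {"spec": {
         "hostNetwork": True,
         "containers": [{
             "name": "traefik-ingress-lb", "image": "traefik",
             "securityContext": {"privileged": True},
             "args": ["--configfile=/config/traefik.toml", "-d", "--web", "--kubernetes"],
         }]}}}},
]

def unpinned(image):
    """True when the image has no digest and no tag, or the tag is 'latest'."""
    if "@" in image:
        return False
    last = image.rsplit("/", 1)[-1]          # ignore a registry host:port prefix
    return ":" not in last or last.endswith(":latest")

def audit(objects):
    """Return sorted (object, finding) pairs; finding names are this example's own."""
    out = set()
    for obj in objects:
        ref = f'{obj["kind"]}/{obj["metadata"]["name"]}'
        for text in obj.get("data", {}).values():       # ConfigMap payloads
            for line in text.splitlines():
                key, _, value = line.partition("=")
                if key.strip().lower() == "insecureskipverify" and value.strip() == "true":
                    out.add((ref, "backend-tls-not-verified"))
        pod = obj.get("spec", {}).get("template", {}).get("spec", {})
        host_net = bool(pod.get("hostNetwork"))
        if host_net:
            out.add((ref, "host-network"))
        for c in pod.get("containers", []):
            if c.get("securityContext", {}).get("privileged"):
                out.add((ref, "privileged-container"))
            if unpinned(c.get("image", "")):
                out.add((ref, "unpinned-image"))
            if "--web" in c.get("args", []):
                # Traefik 1.x --web serves the dashboard/API on :8080, unauthenticated by default
                out.add((ref, "dashboard-on-node-ip" if host_net else "dashboard-enabled"))
    return sorted(out)

if __name__ == "__main__":
    for ref, finding in audit(SAMPLE):
        print(f"{ref}: {finding}")
```

To check a live cluster, pass `audit()` the `items` list from `kubectl get cm,ds -n cattle-system -o json`.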
