如何使用Traefik和Kubernetes创建到正在侦听HTTPS的服务的HTTPS路由
我是kubernetes和Traefik的新手 我将继续学习该教程: 我把它改成在Scala中使用我的服务,它在https和9463端口下。 我正试图用kubernetes和traefik部署我的Scala服务 当我直接转发到服务时:如何使用Traefik和Kubernetes创建到正在侦听HTTPS的服务的HTTPS路由,kubernetes,traefik,Kubernetes,Traefik,我是kubernetes和Traefik的新手 我将继续学习该教程: 我把它改成在Scala中使用我的服务,它在https和9463端口下。 我正试图用kubernetes和traefik部署我的Scala服务 当我直接转发到服务时: kubectl port-forward service/core-service 8001:9463 我执行一个curl-k'https://localhost:8001/health“: 我得到了“{Message:Ok}” 但当我向traefik执行端口
kubectl port-forward service/core-service 8001:9463
我执行一个curl-k'https://localhost:8001/health“
:
我得到了“{Message:Ok}”
但当我向traefik执行端口转发时
kubectl port-forward service/traefik 9463:9463 -n default
并执行curl-k'https://ejemplo.com:9463/tls/health“
我收到一个“内部服务器错误”
我想问题是我的“核心服务”是通过HTTPS协议监听的,这就是我添加的scheme:HTTPS
。
我试图在文档中找到解决方案,但它令人困惑
这些是我的yml文件:
服务.亚马尔
apiVersion: v1
kind: Service
metadata:
name: traefik
spec:
ports:
- protocol: TCP
name: admin
port: 8080
- protocol: TCP
name: websecure
port: 9463
selector:
app: traefik
---
apiVersion: v1
kind: Service
metadata:
name: core-service
spec:
ports:
- protocol: TCP
name: websecure
port: 9463
selector:
app: core-service
部署.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: default
name: traefik-ingress-controller
---
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: default
name: traefik
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-ingress-controller
containers:
- name: traefik
image: traefik:v2.0
args:
- --api.insecure
- --accesslog
- --entrypoints.websecure.Address=:9463
- --providers.kubernetescrd
- --certificatesresolvers.default.acme.tlschallenge
- --certificatesresolvers.default.acme.email=foo@you.com
- --certificatesresolvers.default.acme.storage=acme.json
# Please note that this is the staging Let's Encrypt server.
# Once you get things working, you should remove that whole line altogether.
- --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
ports:
- name: websecure
containerPort: 9463
- name: admin
containerPort: 8080
---
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: default
name: core-service
labels:
app: core-service
spec:
replicas: 1
selector:
matchLabels:
app: core-service
template:
metadata:
labels:
app: core-service
spec:
containers:
- name: core-service
image: core-service:0.1.4-SNAPSHOT
ports:
- name: websecure
containerPort: 9463
livenessProbe:
httpGet:
port: 9463
scheme: HTTPS
path: /health
initialDelaySeconds: 10
入口路由2.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutetls
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`ejemplo.com`) && PathPrefix(`/tls`)
kind: Rule
services:
- name: core-service
port: 9463
scheme: https
tls:
certResolver: default
从
默认情况下,TLS路由器将终止TLS连接。然而,
可以指定passthrough选项来设置请求
应按“原样”转发,并对所有数据进行加密
在您的情况下,需要启用SSL Passthrough,因为pod需要HTTPS流量
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutetls
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`ejemplo.com`) && PathPrefix(`/tls`)
kind: Rule
services:
- name: core-service
port: 9463
scheme: https
tls:
certResolver: default
passthrough: true
从
默认情况下,TLS路由器将终止TLS连接。然而,
可以指定passthrough选项来设置请求
应按“原样”转发,并对所有数据进行加密
在您的情况下,需要启用SSL Passthrough,因为pod需要HTTPS流量
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutetls
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`ejemplo.com`) && PathPrefix(`/tls`)
kind: Rule
services:
- name: core-service
port: 9463
scheme: https
tls:
certResolver: default
passthrough: true
@这救了我的命,我被封锁了几个星期!非常感谢你@这救了我的命,我被封锁了几个星期!非常感谢你!