Traefik v2.0 self-signed certificate on Kubernetes
Tags: kubernetes, https, tls1.2, traefik, traefik-ingress

I am running Traefik (v2.0) as the ingress gateway for an EKS cluster. The Traefik ingress works fine.
Now I need to add HTTPS support to my ingress using a self-signed certificate. To do this I have:
- created an ingress route redirecting HTTP to HTTPS -> this works fine
- created a secret containing the key and certificate of my self-signed certificate
- added the TLS secret to my ingress route deployment:

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: pulseingressroutetls
  namespace: pulse
spec:
  entryPoints:
    - websecure
  tls:
    secretName: pulsetlssecret
  routes:
    - match: PathPrefix(`/auth`)
```
Please let me know what I am doing wrong. Is there another way to do this?

Try mounting the secret into the container so that the traefik service picks it up. Also, configure the ingress route with the following configuration:

```yaml
tls:
  certificates:
    - certFile: /path/to/domain.cert
      keyFile: /path/to/domain.key
```

Hope this helps.

The final result looks like this:
```yaml
spec:
  serviceAccountName: traefik-ingress-controller
  containers:
    - name: traefik
      image: traefik:v2.0
      volumeMounts:
        - name: config
          mountPath: /etc/traefik/traefik.yml
          subPath: traefik.yml
        - name: ssl
          mountPath: /ssl
      ports:
        - name: web
          containerPort: 80
        - name: websecure
          containerPort: 443
        - name: admin
          containerPort: 8080
  volumes:
    - name: ssl
      secret:
        secretName: traefik-cert
    - name: config
      configMap:
        name: traefik-conf
```
traefik-conf.yml:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-conf
  namespace: pulse
data:
  traefik.yml: |
    api:
      dashboard: true
      insecure: true   # dashboard and API served without authentication on the admin port (8080); keep that port unexposed
    global:
      checkNewVersion: false
      sendAnonymousUsage: false
    ping: {}
    entryPoints:
      websecure:
        address: ":443"
      web:
        address: ":80"
    providers:
      kubernetesCRD: {}
      file:
        filename: /etc/traefik/traefik.yml
        watch: true
    tls:
      stores:
        default:
          defaultCertificate:
            certFile: /ssl/tls.pem
            keyFile: /ssl/tls.key
      options:
        default:
          minVersion: VersionTLS12
          sniStrict: false
      certificates:
        - certFile: /ssl/tls.pem
          keyFile: /ssl/tls.key
```
I changed the ingress controller as follows:

```yaml
spec:
  serviceAccountName: traefik-ingress-controller
  containers:
    - name: traefik
      image: traefik:v2.0
      volumeMounts:
        - name: config
          mountPath: /etc/traefik/traefik.yml
          subPath: traefik.yml
        - name: ssl
          mountPath: /ssl
      ports:
        - name: web
          containerPort: 80
        - name: websecure
          containerPort: 443
        - name: admin
          containerPort: 8080
  volumes:
    - name: ssl
      secret:
        secretName: traefik-cert
    - name: config
      configMap:
        name: traefik-conf
```
IngressRoute:

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: pulseingressroutetls
  namespace: pulse
spec:
  entryPoints:
    - websecure
  tls:
    secretName: traefik-cert   # the CRD field is camelCase secretName; the lowercase "secretname" is silently ignored
  routes:
    ...
```
NumeroUno's accepted solution does actually work, but I have a couple of minor remarks:
- `certFile: /ssl/tls.pem` should be `certFile: /ssl/tls.crt`
- based on the initial secret creation, the secret name is `traefik-cert`, not `tlssecret`
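An added example, not part of the thread or of Traefik's own tooling: a shell script that creates a self-signed certificate, packages it as the `kubernetes.io/tls` Secret that the Deployment above mounts at `/ssl` (which is why the files are `/ssl/tls.crt` and `/ssl/tls.key`, never `tls.pem`), and checks that the running ingress serves that certificate and refuses TLS 1.1. The host name `pulse.example.test` is a placeholder; `traefik-cert` and the `pulse` namespace are taken from the page.

```shell
#!/usr/bin/env bash
# Added example: self-signed cert -> kubernetes.io/tls Secret -> live check of the
# Traefik ingress. Requires openssl; host names are placeholders.
set -eu

# Generate a self-signed certificate and key for HOST into DIR (tls.crt / tls.key).
make_selfsigned_cert() {            # usage: make_selfsigned_cert <host> <dir>
  host="$1"; dir="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=${host}" -addext "subjectAltName=DNS:${host}" \
    -keyout "${dir}/tls.key" -out "${dir}/tls.crt" 2>/dev/null
}

# Emit the Secret manifest. A kubernetes.io/tls Secret carries exactly the keys
# tls.crt and tls.key, so a secret volume mounted at /ssl yields /ssl/tls.crt and
# /ssl/tls.key; a ConfigMap pointing at /ssl/tls.pem names a file that never exists.
make_tls_secret_manifest() {        # usage: make_tls_secret_manifest <name> <namespace> <dir>
  name="$1"; ns="$2"; dir="$3"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: kubernetes.io/tls
data:
  tls.crt: $(base64 < "${dir}/tls.crt" | tr -d '\n')
  tls.key: $(base64 < "${dir}/tls.key" | tr -d '\n')
EOF
}

# SHA-256 fingerprint of a PEM certificate, for comparing Secret and served certificate.
cert_fingerprint() {                # usage: cert_fingerprint <pem-file>
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Live check against the ingress (needs network, so not part of the offline test):
# the served certificate must match the Secret, and a TLS 1.1 handshake must fail
# because the ConfigMap sets minVersion: VersionTLS12.
check_live_endpoint() {             # usage: check_live_endpoint <host> <expected-fingerprint>
  host="$1"; expected="$2"
  served=$(openssl s_client -connect "${host}:443" -servername "${host}" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
  [ "$served" = "$expected" ] || { echo "served certificate differs from the Secret"; return 1; }
  if openssl s_client -connect "${host}:443" -tls1_1 </dev/null >/dev/null 2>&1; then
    echo "TLS 1.1 accepted: minVersion is not enforced"; return 1
  fi
}
```

Apply the manifest with `kubectl apply -f`, then run `check_live_endpoint <host> "$(cert_fingerprint tls.crt)"` once the pod has restarted with the mounted Secret.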