Traefik: how to use the certificate generated by dnsChallenge in my Ingress

Date: 2019-07-10 17:43:01

Tags: kubernetes google-kubernetes-engine traefik traefik-ingress

I can get my traefik controller working with my ingress, and it also seems to route to all services as expected. But I can't get https working. Hoping someone can help me figure this out. My main question is which certificate Traefik creates automatically, and how to use it in an ingress.

Here is the ConfigMap that generates my traefik.toml:

Name:         traefik-config
Namespace:    <redacted>
Labels:       app.kubernetes.io/component=traefik-config
              namespace=<redacted>

Data
====
traefik.toml:
----
debug = true
logLevel = "DEBUG"
keepTrailingSlash = true
defaultEntryPoints = ["http","https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  compress = true
  [entryPoints.https]
  address = ":443"
  compress = true
    [entryPoints.https.tls]
  [entryPoints.traefik]
  address = ":8080"
    [entryPoints.traefik.auth.basic]
    users = ["<redacted>"]

[ping]
entryPoint = "http"

[kubernetes]

[api]
  entryPoint = "traefik"
  dashboard = true

[acme]
email = "myEmail@gmail.com"
entryPoint = "https"
storage = "/acme/acme.json"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
acmeLogging = true
  [acme.dnsChallenge]
  provider = "gcloud"

[[acme.domains]]
   main = "*.<redacted>.com"
   sans = ["<redacted>.com", "traefik.<redacted>.com"]

Here is my traefik deployment, which deploys the traefik controller (kubectl describe pod traefik-deploy-7dbd69c994-klrrh):

Name:               traefik-deploy-7dbd69c994-klrrh
Namespace:          <redacted>
Priority:           0
PriorityClassName:  <none>
Start Time:         Wed, 10 Jul 2019 10:21:22 -0700
Labels:             app.kubernetes.io/component=traefik-pod
                    namespace=<redacted>
Annotations:        <none>
Status:             Running
IP:                 <redacted>
Controlled By:      ReplicaSet/traefik-deploy-7dbd69c994
Containers:
  traefik-pod:
    Container ID:  <redacted>
    Image:         traefik:v1.7.12
    Image ID:      docker-pullable://traefik@sha256:02cfdbXCCCCCCCXXXXXXXXXX7f0fe3ebeccb8
    Ports:         80/TCP, 443/TCP, 8080/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP
    Args:
      --configfile=/config/traefik.toml
    State:          Running
      Started:      Wed, 10 Jul 2019 10:21:53 -0700
    Ready:          True
    Restart Count:  0
    Environment:
      GCE_PROJECT:               <set to the key 'GCE_PROJECT' in secret 'traefik-dnsprovider-secret'>               Optional: false
      GCE_SERVICE_ACCOUNT_FILE:  <set to the key 'GCE_SERVICE_ACCOUNT_FILE' in secret 'traefik-dnsprovider-secret'>  Optional: false
    Mounts:
      /acme from acme (rw)
      /config from traefik-config (rw)
      /secret from traefik-dns-credentials (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from traefik-sa-token-24mp9 (ro)
.
.
.
Volumes:
  traefik-config:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      traefik-config
    Optional:  false
  acme:
    Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
    ClaimName:  traefik-acme-pvc
    ReadOnly:   false
  traefik-dns-credentials:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  traefik-dns-credentials
    Optional:    false
  traefik-sa-token-24mp9:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  traefik-sa-token-24mp9
    Optional:    false
.
.

The secret traefik-dnsprovider-secret provides the GCE_PROJECT and GCE_SERVICE_ACCOUNT_FILE env variables to the Pod; they are the b64enc strings of my GCE_PROJECT and of the file name /secrets/dns-admin-sa.json (for GCE_SERVICE_ACCOUNT_FILE).

The file /secrets/dns-admin-sa.json is mounted into the container via the secret traefik-dns-credentials, which is:

Name:         traefik-dns-credentials
Namespace:    <redacted>
Labels:       app.kubernetes.io/component=traefik-dns-credentials
Annotations:  helm.sh/hook: pre-install
              helm.sh/hook-weight: -5

Type:  Opaque

Data
====
dns-admin-sa.json:  2336 bytes

Traefik dashboard ingress:

Name:             traefik-dashboard-ingress
Namespace:        <redacted>
Address:
Default backend:  default-http-backend:80 (10.48.0.5:8080)
Rules:
  Host                 Path  Backends
  ----                 ----  --------
  traefik.<redacted>.com
                       /   traefik-dashboard-svc:dashboard-http (10.48.0.8:8080)
Annotations:
  kubernetes.io/ingress.class:                          traefik
  traefik.ingress.kubernetes.io/frontend-entry-points:  http,https
  traefik.ingress.kubernetes.io/redirect-entry-point:   https
  traefik.ingress.kubernetes.io/redirect-permanent:     true

Questions:

  1. How do I ssh into the traefik container? kubectl exec -it traefik-deploy-7dbd69c994-klrrh bash doesn't work. I could use it to inspect the location "/acme/acme.json".

  2. Which certificate does traefik create, and how do I use it in an ingress? I haven't added a TLS certificate to any ingress (this is where my https fails). The user guide here shows how to use a self-signed certificate, but I don't want to do that and want to use the certificate obtained via the dns-01 challenge.
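To see which certificates Traefik has actually obtained through the dnsChallenge, the most direct evidence is the ACME store itself (the /acme/acme.json file on the PVC in the pod description above). The script below is an added example written for this page, not code from the question or from the Traefik project. It assumes the Traefik 1.x acme.json layout (an Account object plus a Certificates array whose Certificate and Key fields hold base64-encoded PEM); the sample document, the example.com names and the PEM placeholders are constructed for the example. The wildcard matching uses standard single-label semantics, stated here as an assumption rather than as a copy of Traefik's own matcher.

```python
import base64
import json
import sys

# Constructed sample shaped like a Traefik 1.x acme.json (assumption: the v1.7 layout of
# Account / Certificates[] with base64-encoded PEM in "Certificate" and "Key").
# The PEM bodies are placeholders, not real certificates or keys.
_PLACEHOLDER_CERT = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n-----END CERTIFICATE-----\n"
_PLACEHOLDER_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"

SAMPLE_ACME_JSON = json.dumps({
    "Account": {"Email": "myEmail@gmail.com", "PrivateKey": "<redacted>", "KeyType": "4096"},
    "Certificates": [
        {
            "Domain": {"Main": "*.example.com", "SANs": ["example.com", "traefik.example.com"]},
            "Certificate": base64.b64encode(_PLACEHOLDER_CERT).decode("ascii"),
            "Key": base64.b64encode(_PLACEHOLDER_KEY).decode("ascii"),
        }
    ],
    "HTTPChallenges": {},
})


def load_certificates(acme_json_text):
    """Return the certificate inventory from acme.json text.

    Only the public certificate is decoded; the private key is left untouched
    because acme.json is a secret store and keys should not be copied around.
    """
    store = json.loads(acme_json_text)
    inventory = []
    for entry in store.get("Certificates") or []:
        domain = entry.get("Domain", {})
        pem = base64.b64decode(entry["Certificate"]).decode("ascii")
        inventory.append({
            "main": domain.get("Main", ""),
            "sans": list(domain.get("SANs") or []),
            "pem": pem,
            "has_private_key": bool(entry.get("Key")),
        })
    return inventory


def domain_matches(hostname, pattern):
    """Single-label wildcard match: '*.example.com' covers 'a.example.com' but not
    'example.com' or 'a.b.example.com' (standard semantics, assumed here)."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return hostname == pattern
    suffix = pattern[1:]          # ".example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return bool(label) and "." not in label


def certificate_for_host(inventory, hostname):
    """Return the Main name of the first stored certificate that covers hostname, or None."""
    for cert in inventory:
        names = [cert["main"]] + cert["sans"]
        if any(domain_matches(hostname, name) for name in names):
            return cert["main"]
    return None


def main(argv):
    # Usage: python acme_inventory.py /path/to/acme.json [hostname ...]
    # Without arguments the constructed sample is used.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            inventory = load_certificates(fh.read())
    else:
        inventory = load_certificates(SAMPLE_ACME_JSON)
    for cert in inventory:
        print("certificate:", cert["main"], "SANs:", ", ".join(cert["sans"]),
              "(private key present)" if cert["has_private_key"] else "")
    for host in argv[2:]:
        print(host, "->", certificate_for_host(inventory, host) or "no matching certificate")


if __name__ == "__main__":
    main(sys.argv)
```

Run against a copy of the file from the /acme mount to list the Main/SAN names Traefik has obtained and to check whether a given ingress host (for example the dashboard host) is covered by a stored certificate. Treat any copy of acme.json as a secret: it contains the account key and every certificate's private key, which is why the script decodes only the certificate side.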

0 Answers:

No answers