Exposing common Kubernetes services with Traefik

1. Create a self-signed certificate

```bash
openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 3650 -out tls.crt
```

2. Create the secret

```bash
# If the services live in several namespaces, the secret has to be created in each of them
kubectl create secret generic dashboard-tls --from-file=tls.crt --from-file=tls.key -n kube-system
```

3. Expose the services

```yaml
# Create the corresponding IngressRoute
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
  tls:
    secretName: dashboard-tls
  routes:
    - match: Host(`traefik.cluster.local`) # hostname to match
      kind: Rule
      services:
        - name: api@internal # Traefik built-in service
          kind: TraefikService
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: mytransport
  namespace: kubernetes-dashboard
spec:
  serverName: "dashboard.cluster.local"
  insecureSkipVerify: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard-k8s
  namespace: kubernetes-dashboard
spec:
  entryPoints:
    - websecure
  routes:
    - match: "Host(`dashboard.cluster.local`)"
      kind: Rule
      services:
        - name: kubernetes-dashboard # backend Service to bind to
          port: 443
          serversTransport: mytransport
  tls:
    secretName: dashboard-tls
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: prometheus-grafana
  namespace: monitoring
spec:
  entryPoints:
    - websecure
  tls:
    secretName: dashboard-tls
  routes:
    - match: Host(`grafana.cluster.local`)
      kind: Rule
      services:
        - name: prometheus-grafana
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: hubble-ui
  namespace: kube-system
spec:
  entryPoints:
    - websecure
  tls:
    secretName: dashboard-tls
  routes:
    - match: Host(`hubble.cluster.local`)
      kind: Rule
      services:
        - name: hubble-ui
          port: 80
```

```bash
# Apply
kubectl apply -f web.yaml
```

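The k8s dashboard service is a special case: it already serves HTTPS itself, so insecureSkipVerify has to be configured. With that setting Traefik does not verify the dashboard's certificate on the connection between Traefik and the backend.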
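The ServersTransport from step 3 next to a variant that keeps backend certificate verification on, as an added example that is not part of the original post. It assumes the dashboard serves a certificate issued by a CA you control with `dashboard.cluster.local` in its SANs; the Secret name `dashboard-backend-ca`, its `ca.crt` key and the transport name `mytransport-verified` are hypothetical.

```yaml
# Added example, not from the original post.
# Assumption: the CA that issued the dashboard's serving certificate is stored
# under the key ca.crt in a Secret in the same namespace as the ServersTransport:
#   kubectl create secret generic dashboard-backend-ca \
#     --from-file=ca.crt -n kubernetes-dashboard

# Weak setting (as used in step 3): Traefik accepts any certificate
# presented by the backend, so the Traefik-to-dashboard hop is unauthenticated.
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: mytransport
  namespace: kubernetes-dashboard
spec:
  serverName: "dashboard.cluster.local"
  insecureSkipVerify: true
---
# Corrected setting: verification stays enabled and the backend certificate
# is checked against the CA from the Secret.
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: mytransport-verified        # hypothetical name
  namespace: kubernetes-dashboard
spec:
  serverName: "dashboard.cluster.local"   # must match a SAN in the backend certificate
  rootCAsSecrets:
    - dashboard-backend-ca          # hypothetical Secret holding ca.crt
```

To use the verified variant, the `serversTransport:` field of the `dashboard-k8s` IngressRoute would reference `mytransport-verified` instead of `mytransport`.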

4. Configure local name resolution

```
10...131 traefik.cluster.local
10...131 grafana.cluster.local
10...131 dashboard.cluster.local
10...131 hubble.cluster.local
```

5. Access the services by hostname

traefik: https://traefik.cluster.local

dashboard: https://dashboard.cluster.local/

grafana: https://grafana.cluster.local/

hubble: https://hubble.cluster.local/