前言

在之前的 k3s 安装笔记 里有怎么使用 traefik1 去暴露 k8s-dashboardhttps 端口。

一、tls 自签证书

这里就直接用 crypto/tls/generate_cert.go 生成了

1
2
3
4
5

➜ go run $GOROOT/src/crypto/tls/generate_cert.go -host dashboard.zeromake.com
2021/07/31 12:36:49 wrote cert.pem
2021/07/31 12:36:49 wrote key.pem
# 重命名为需要的文件名
➜ mv key.pem dashboard.key && mv cert.pem dashboard.crt

把上面生成的证书放到 kubernetes secret 里,由于 dashboard 需要的文件名与 ingress 不同,我们还需要单独建一个 ingress 用的 secret。

1
2
3

# 给 ingress 创建 secret
➜ kubectl create secret tls dashboard-ingress-certs --key dashboard.key --cert dashboard.crt -n  kubernetes-dashboard
secret/dashboard-ingress-certs created

二、使用 ingress 注解去配置

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "traefik"
    ingress.kubernetes.io/protocol: "https"
    traefik.ingress.kubernetes.io/service.serverstransport: traefik-servers-transport
spec:
  tls:
    - hosts:
      - dashboard.zeromake.com
      secretName: dashboard-ingress-certs
  rules:
    - host: dashboard.zeromake.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 443
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: traefik-servers-transport
  namespace: kubernetes-dashboard
spec:
  serverName: "test"
  insecureSkipVerify: true

三、使用 IngressRoute

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: traefik-servers-transport
  namespace: kubernetes-dashboard
spec:
  serverName: "test"
  insecureSkipVerify: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: kubernetes-dashboard-route
  namespace: kubernetes-dashboard
spec:
  entryPoints:
    - websecure
  tls:
    secretName: dashboard-ingress-certs
  routes:
  - match: Host(`dashboard.zeromake.com`)
    kind: Rule
    services:
      - name: kubernetes-dashboard
        port: 443
        scheme: https
        serversTransport: traefik-servers-transport

四、参考