Traefik Let's Encrypt simplest example on GKE
I am trying the simplest possible example of implementing Let's Encrypt with Traefik on GKE using this article. I made some changes to meet my requirements, but I cannot get an ACME certificate.
What I have done so far
- Ran the following command, which created all resource objects except the ingress-route
$ kubectl apply -f 00-resource-crd-definition.yml,05-traefik-rbac.yml,10-service-account.yaml,15-traefik-deployment.yaml,20-traefik-service.yaml,25-whoami-deployment.yaml,30-whoami-service.yaml
customresourcedefinition.apiextensions.k8s.io/ingressroutes.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/middlewares.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/ingressroutetcps.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/tlsoptions.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/traefikservices.traefik.containo.us created
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created
serviceaccount/traefik-ingress-controller created
deployment.apps/traefik created
service/traefik created
deployment.apps/whoami created
service/whoami created
- Got the IP of the Traefik service exposed as a LoadBalancer
$ kubectl get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.109.0.1 <none> 443/TCP 6h16m
traefik LoadBalancer 10.109.15.230 34.69.16.102 80:32318/TCP,443:32634/TCP,8080:32741/TCP 70s
whoami ClusterIP 10.109.14.91 <none> 80/TCP 70s
- Created a DNS record for this IP
$ nslookup k8sacmetest.gotdns.ch
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: k8sacmetest.gotdns.ch
Address: 34.69.16.102
- Created the IngressRoute resources
$ kubectl apply -f 35-ingress-route.yaml
ingressroute.traefik.containo.us/simpleingressroute created
ingressroute.traefik.containo.us/ingressroutetls created
- Traefik logs
time="2020-04-25T20:10:31Z" level=info msg="Configuration loaded from flags."
time="2020-04-25T20:10:32Z" level=error msg="subset not found for default/whoami" providerName=kubernetescrd ingress=simpleingressroute namespace=default
time="2020-04-25T20:10:32Z" level=error msg="subset not found for default/whoami" providerName=kubernetescrd ingress=ingressroutetls namespace=default
time="2020-04-25T20:10:52Z" level=error msg="Unable to obtain ACME certificate for domains \"k8sacmetest.gotdns.ch\": unable to generate a certificate for the domains [k8sacmetest.gotdns.ch]: acme: Error -> One or more domains had a problem:\n[k8sacmetest.gotdns.ch] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url: \n" routerName=default-ingressroutetls-08dd2bb9eecaa72a6606@kubernetescrd rule="Host(`k8sacmetest.gotdns.ch`) && PathPrefix(`/tls`)" providerName=default.acme
What I have achieved
- Traefik dashboard
- Whoami with notls
Unable to get an ACME certificate for whoami with TLS
Infra details
- I am using a Google Kubernetes cluster (the one discussed at cloud.google.com/kubernetes-engine, click Go to Console).
- Traefik version is 2.2.
- I am using "CloudShell" to access the cluster.
Questions:
1) Where am I going wrong in obtaining the TLS certificate?
2) If it is a firewall problem, how do I resolve it?
3) If you have a better "Traefik Let's Encrypt simplest example on GKE", please let me know.
Just run sudo before the kubectl port-forward command. You are trying to bind to a privileged port, so you need more permissions.
This is not the simplest example for GKE, because you can use a GKE LoadBalancer instead of kubectl port-forward.
Try this:
apiVersion: v1
kind: Service
metadata:
  name: traefik
spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
      targetPort: web
    - protocol: TCP
      name: websecure
      port: 443
      targetPort: websecure
  selector:
    app: traefik
  type: LoadBalancer
Then you can find the new IP in the EXTERNAL-IP column with kubectl get svc, add the correct DNS record for your domain, and you should be fine.
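As an added diagnostic example (not code from the question or the answer), the script below parses the three outputs the question shows, the Traefik ACME error line, `kubectl get service` and `nslookup`, and reports which precondition for issuing the certificate fails first: the Service has no external IP yet, DNS does not point at it, or DNS is right but the CA could not reach ports 80/443. The sample inputs are constructed from the values quoted above, and the cause labels are assumptions of this example.

```python
import re
# Constructed samples, modelled on the outputs quoted in the question above.
KUBECTL_SVC = """\
NAME      TYPE          CLUSTER-IP     EXTERNAL-IP   PORT(S)                     AGE
traefik   LoadBalancer  10.109.15.230  34.69.16.102  80:32318/TCP,443:32634/TCP  70s
"""
NSLOOKUP = "Server:\t192.168.1.1\nAddress:\t192.168.1.1#53\n\nNon-authoritative answer:\nName:\tk8sacmetest.gotdns.ch\nAddress: 34.69.16.102\n"
TRAEFIK_LOG = (
    'time="2020-04-25T20:10:52Z" level=error msg="Unable to obtain ACME certificate for domains '
    '\\"k8sacmetest.gotdns.ch\\": unable to generate a certificate for the domains [k8sacmetest.gotdns.ch]: '
    'acme: Error -> One or more domains had a problem:\\n[k8sacmetest.gotdns.ch] acme: error: 400 :: '
    'urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url: \\n"'
    ' routerName=default-ingressroutetls-08dd2bb9eecaa72a6606@kubernetescrd providerName=default.acme\n'
)
MSG_RE = re.compile(r'msg="((?:[^"\\]|\\.)*)"')  # logrus msg field, honouring \" escapes inside it
ERR_RE = re.compile(r"for the domains \[([^\]]+)\].*?urn:ietf:params:acme:error:(\w+)")

def parse_acme_failures(log_text):
    """Return [(domains, acme_error_type)] for each error line that reports an ACME failure."""
    out = []
    for line in log_text.splitlines():
        msg = MSG_RE.search(line)
        err = ERR_RE.search(msg.group(1)) if msg and "level=error" in line else None
        if err:
            out.append((err.group(1).split(), err.group(2)))
    return out

def external_ip(kubectl_output, service="traefik"):
    """EXTERNAL-IP of one Service from `kubectl get service`; None while it is <none> or <pending>."""
    hdr, *rows = [r.split() for r in kubectl_output.splitlines()]
    col = hdr.index("EXTERNAL-IP")
    return next((r[col] for r in rows if r[0] == service and not r[col].startswith("<")), None)

def dns_answer(nslookup_output):
    """IP from the last Address: line after 'Non-authoritative answer:' (skips the resolver's own)."""
    _, _, answers = nslookup_output.partition("Non-authoritative answer:")  # '' if no answer section
    found = re.findall(r"Address:\s*(\S+)", answers)
    return found[-1] if found else None

def diagnose(log_text=TRAEFIK_LOG, svc=KUBECTL_SVC, ns=NSLOOKUP):
    """Map each ACME failure to the first precondition that fails: LB IP, DNS record, reachability."""
    lb_ip, dns_ip, findings = external_ip(svc), dns_answer(ns), []
    for domains, err_type in parse_acme_failures(log_text):
        cause = "other-acme-error"       # not a connectivity problem; read the full message
        if lb_ip is None:
            cause = "no-external-ip"     # Service not type LoadBalancer, or GKE has not provisioned it yet
        elif dns_ip != lb_ip:
            cause = "dns-mismatch"       # the record points somewhere other than the LoadBalancer
        elif err_type == "connection":
            cause = "port-unreachable"   # DNS is right, yet the CA timed out: 80/443 on lb_ip not open
        findings.append((domains, err_type, cause))
    return findings
```

On a live cluster, feed `diagnose()` the real `kubectl logs`, `kubectl get service` and `nslookup` text instead of the constructed constants.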