Featured image of post 使用traefik暴露常用kubernetes服务的方法
kubernetes

使用traefik暴露常用kubernetes服务的方法

使用traefik暴露常用kubernetes dashboard、grafana等服务

1.创建自签证书

1

openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 3650 -out tls.crt

2.创建secret

1
2

如果服务在多个ns,需要多个ns中创建secret
kubectl create secret generic dashboard-tls --from-file=tls.crt --from-file=tls.key -n kube-system

3.暴露服务

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

#创建对应的 IngressRoute
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  entryPoints:
  - websecure
  tls:
    secretName: dashboard-tls
  routes:
  - match: Host(`traefik.cluster.local`)  #匹配的域名
    kind: Rule
    services:
    - name: api@internal      #traefik内置服务
      kind: TraefikService
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: mytransport
  namespace: kubernetes-dashboard
spec:
  serverName: "dashboard.cluster.local"
  insecureSkipVerify: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard-k8s
  namespace: kubernetes-dashboard
spec:
  entryPoints:
    - websecure
  routes:
    - match: "Host(`dashboard.cluster.local`)"
      kind: Rule
      services:
      - name: kubernetes-dashboard  #绑定的后端service
        port: 443
        serversTransport: mytransport
  tls:
    secretName: dashboard-tls
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: prometheus-grafana
  namespace: monitoring
spec:
  entryPoints:
  - websecure
  tls:
    secretName: dashboard-tls
  routes:
  - match: Host(`grafana.cluster.local`)
    kind: Rule
    services:
    - name: prometheus-grafana
      port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: hubble-ui
  namespace: kube-system
spec:
  entryPoints:
  - websecure
  tls:
    secretName: dashboard-tls
  routes:
  - match: Host(`hubble.cluster.local`)
    kind: Rule
    services:
    - name: hubble-ui
      port: 80

#应用
kubectl apply -f web.yaml

其中 k8s dashboard 的服务比较特殊,因为原来就是https,需要配置 insecureSkipVerify。

4.配置本地解析

1
2
3
4

10.*.*.131 traefik.cluster.local
10.*.*.131 grafana.cluster.local
10.*.*.131 dashboard.cluster.local
10.*.*.131 hubble.cluster.local

5.使用域名访问相关服务

traefik: https://traefik.cluster.local
traefik

dashboard: https://dashboard.cluster.local/
dashboard

grafana: https://grafana.cluster.local/
grafana

hubble: https://hubble.cluster.local/
hubble

© 2014 - 2023 谭明宵博客
一个默默无闻的工程师的日常
Built with Hugo
主题 StackJimmy 设计