这里提示一下: 前端入口代理为后端Service的Service

问：ingress里的service是哪个service，怎么写

答：还是以下面这个对象为例，可以看到，这个service写的是traefikminio，实际上也就是minio的pod的部署svc yaml里的service的名字，也就是minio-svc.yaml这个定义Service kind类型为Service的metadata下面name的名字，端口实际上就是你想让此条ingress规则代理的域名被转发到service所对应的pod的哪个端口上，这也就解释了为什么即使是https的时候这个地方写的仍然是8080端口，因为此规则的entryPoints字段的websecure才是流量入口，而8080是实际访问的地址

cd /root/hero/app/yaml/ingress/traefik-contrain-80-443/

mkdir ssl

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=tts.herotest.com.cn" #查看生成的两个文件

kubectl create secret tls https --cert=tls.crt --key=tls.key -n hpc #在hpc的命名空间里面设置secret

kubectl get secret -n hpc #查看hpc命名空间中发现https已经成功被创建了

前端代理配置如下:

[root@allinone traefik-contrain-80-443]# cat traefik-miniossl.yaml

apiVersion: traefik.containo.us/v1alpha1

kind: IngressRoute

metadata:

  name: miniossl

  namespace: hpc

spec:

  entryPoints:

    - websecure #前端入口: 名称要和traefik-deploy.yaml里面的ports下面的name名称要一致

  routes:

- match: Host(`tts.herotest.com.cn`) && PathPrefix(`/`)

    kind: Rule

    services:

    - name: traefikminio #要和后端minio-svc.yaml配置文件中的name字段一致 ，前端入口代理为后端Service的Service

      port: 9000

  tls:

    secretName: https

-----------------------------------

traefik-deploy文件配置如下，entrypoints定义了80和443的入口

[root@allinone traefik-contrain-80-443]# cat traefik-deploy.yaml

apiVersion: v1

kind: ServiceAccount

metadata:

  namespace: default

  name: traefik-ingress-controller

---

kind: Deployment

apiVersion: apps/v1

metadata:

  namespace: default

  name: traefik

  labels:

    app: traefik

spec:

  replicas: 2

  selector:

    matchLabels:

      app: traefik

  template:

    metadata:

      labels:

        app: traefik

    spec:

      serviceAccountName: traefik-ingress-controller

      containers:

        - name: traefik

          image: traefik:v2.0.2

          args:

            - --api.insecure

            - --accesslog

            - --entrypoints.web.Address=:80

            - --entrypoints.websecure.Address=:443

            - --providers.kubernetescrd

            - --certificatesresolvers.default.acme.tlschallenge

- --certificatesresolvers.default.acme.email=foo@you.com

            - --certificatesresolvers.default.acme.storage=acme.json

            # Please note that this is the staging Let's Encrypt server.

            # Once you get things working, you should remove that whole line altogether.

- --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory

          ports:

            - name: web

              containerPort: 80

            - name: websecure

              containerPort: 443

            - name: admin

              containerPort: 8080

----------------------

[root@allinone minio3]# cat minio.yaml

apiVersion: apps/v1

kind: Deployment

metadata:

  name: traefikminio

  namespace: hpc

spec:

  replicas: 1

  selector:

    matchLabels:

app: traefikminio#标签选择器，后面minio-svc.yaml selector下面要配置app: traefikminio  serviceName: traefikminio

serviceName: traefikminio

  template:

    metadata:

      labels:

        app: traefikminio

        serviceName: traefikminio

    spec:

      containers:

      - name: traefikminio

        image: 172.88.19.131/hero/myminio-entry:v1

---------------------------

[root@allinone minio3]# cat minio-svc.yaml

apiVersion: v1

kind: Service

metadata:

name: traefikminio#这个name 在配置traefik-miniossl.yaml前端入口services下的name字段也要配置traefikminio 这个名称

  namespace: hpc

spec:

  ports:

  - name: traefikminio

    port: 9000

    protocol: TCP

    targetPort: 9000

  selector:

app: traefikminio  #通过标签选择器关联后端的一组pod

    serviceName: traefikminio  #通过标签选择器关联后端的一组pod

kubectl apply -f traefik-miniossl.yaml

kubectl get ingressroute -n hpc #发现miniossl IngressRoute前端代理名称已经在里面了

kubectl describe ingressroute miniossl -n hpc  #已经走https协议了

登陆traefik控制台查看，发现已经走https协议了，配置https域名成功

我们来打开浏览器通过https访问下域名上试试

在本机配置host

192.168.19.131 tts.herotest.com.cn

https://tts.herotest.com.cn:30443#成功访问