1. Create a self-signed certificate

```bash
openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 3650 -out tls.crt
```
2. Create the secret

```bash
# If the services live in multiple namespaces, the secret must be created in each of them
kubectl create secret generic dashboard-tls --from-file=tls.crt --from-file=tls.key -n kube-system
```
3. Expose the services

```yaml
# Create the corresponding IngressRoute
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
  tls:
    secretName: dashboard-tls
  routes:
    - match: Host(`traefik.cluster.local`)  # hostname to match
      kind: Rule
      services:
        - name: api@internal  # Traefik built-in service
          kind: TraefikService
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: mytransport
  namespace: kubernetes-dashboard
spec:
  serverName: "dashboard.cluster.local"
  insecureSkipVerify: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard-k8s
  namespace: kubernetes-dashboard
spec:
  entryPoints:
    - websecure
  routes:
    - match: "Host(`dashboard.cluster.local`)"
      kind: Rule
      services:
        - name: kubernetes-dashboard  # backend service to bind to
          port: 443
          serversTransport: mytransport
  tls:
    secretName: dashboard-tls
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: prometheus-grafana
  namespace: monitoring
spec:
  entryPoints:
    - websecure
  tls:
    secretName: dashboard-tls
  routes:
    - match: Host(`grafana.cluster.local`)
      kind: Rule
      services:
        - name: prometheus-grafana
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: hubble-ui
  namespace: kube-system
spec:
  entryPoints:
    - websecure
  tls:
    secretName: dashboard-tls
  routes:
    - match: Host(`hubble.cluster.local`)
      kind: Rule
      services:
        - name: hubble-ui
          port: 80
```

```bash
# Apply
kubectl apply -f web.yaml
```
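The k8s dashboard service is a special case: because it already serves HTTPS itself, insecureSkipVerify has to be configured. With that setting Traefik does not verify the dashboard's certificate, so the hop from Traefik to the dashboard is encrypted but the backend is not authenticated; supplying the backend's CA through the ServersTransport rootCAsSecrets field keeps verification on.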
4. Configure local name resolution

```
10.*.*.131 traefik.cluster.local
10.*.*.131 grafana.cluster.local
10.*.*.131 dashboard.cluster.local
10.*.*.131 hubble.cluster.local
```
5. Access the services by domain name
traefik: https://traefik.cluster.local
dashboard: https://dashboard.cluster.local/
grafana: https://grafana.cluster.local/
hubble: https://hubble.cluster.local/
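
For step 1, an added example (not part of the original post): the same self-signed certificate issued non-interactively with a subjectAltName entry for each of the four hostnames, followed by a check that the certificate actually covers them, since clients match hostnames against SAN entries. The `CN=cluster.local` subject and the function names are assumptions chosen for illustration; `-addext` requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: self-signed certificate with SANs for every routed hostname.
set -eu

# Hostnames taken from the IngressRoute match rules and the hosts entries.
HOSTS="traefik.cluster.local grafana.cluster.local dashboard.cluster.local hubble.cluster.local"

# make_cert DIR: write DIR/tls.key and DIR/tls.crt with one DNS SAN per host.
make_cert() {
  local dir="$1" san="" h
  for h in $HOSTS; do san="${san:+$san,}DNS:$h"; done
  # umask in a subshell so the private key is never created world-readable.
  ( umask 077
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/tls.key" \
      -x509 -days 3650 -out "$dir/tls.crt" \
      -subj "/CN=cluster.local" -addext "subjectAltName=$san" )
}

# cert_covers CERT HOST: succeed only if CERT is valid for HOST.
cert_covers() {
  local out
  out=$(openssl x509 -in "$1" -noout -checkhost "$2")
  case "$out" in
    *"does match certificate"*) return 0 ;;
    *) return 1 ;;
  esac
}

# uncovered_hosts CERT: print each routed hostname that CERT does not cover.
uncovered_hosts() {
  local h
  for h in $HOSTS; do cert_covers "$1" "$h" || echo "$h"; done
}

# When run as a script with a target directory, generate and check the pair.
if [ -n "${1:-}" ]; then
  make_cert "$1"
  missing=$(uncovered_hosts "$1/tls.crt")
  [ -z "$missing" ] || { echo "not covered: $missing" >&2; exit 1; }
fi
```

The resulting `tls.crt` and `tls.key` can be loaded into the `dashboard-tls` secret exactly as in step 2.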