Traefik配置Let's Encrypt自动生成证书[alidns](三)

2021-01-14 10:47 约 286 字预计阅读 2 分钟 - 次阅读

警告

本文最后更新于 2021-01-15 09:06，文中内容可能已过时。

一、准备工作

这里使用的alidns，创建AccessKey
29603-16eeja057wk.png
创建secret kubectl create secret generic traefik-alidns-secret --from-literal=ALICLOUD_ACCESS_KEY=<AK> --from-literal=ALICLOUD_SECRET_KEY=<SK> --from-literal=ALICLOUD_REGION_ID=cn-shanghai -n traefik-v2

二、修改traefik配置(conf.yaml)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# 我这里使用的是固定节点
nodeSelector:
    kubernetes.io/hostname: test-k8s-node1

# 持久化acme.json
deployment:
  additionalVolumes:
    - name: acme
      hostPath:
        path: /etc/acme/

additionalVolumeMounts:
  - name: acme
    mountPath: /etc/acme/

additionalArguments:
  # 这个是用于测试的时候使用的地址，当测试证书没问题以后，需要注释下面这个配置。
  # 如果证书由CN=Fake LE Intermediate X1颁发，表示符合预期。可以用过curl -s -vv1看到。
  # - "--certificatesResolvers.ali.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
  # 指定dns的provider,其他provider: https://doc.traefik.io/traefik/https/acme/#providers
  - "--certificatesResolvers.ali.acme.dnsChallenge.provider=alidns"
  # 用于注册的电子邮件地址
  - "--certificatesResolvers.ali.acme.email=742899387@qq.com"
  # 设置ACME证书的保存位置
  - "--certificatesResolvers.ali.acme.storage=/etc/acme/acme.json"

# 使用步骤一创建的secret
envFrom:
 - secretRef:
     name: traefik-alidns-secret

securityContext:
  capabilities:
    drop: []
  readOnlyRootFilesystem: false
  runAsGroup: 0
  runAsNonRoot: false
  runAsUser: 0

更新traefik helm upgrade -n traefik-v2 traefik ./traefik -f conf.yaml

三、测试

nginx应用

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-test
  namespace: kube-ops
spec:
  selector:
    matchLabels:
      app: nginx
      test: "true"
  template:
    metadata:
      labels:
        app: nginx
        test: "true"
    spec:
      containers:
        - name: nginx-test
          ports:
            - name: http
              containerPort: 80
          image: nginx:1.17.10
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-test
  namespace: kube-ops
spec:
  selector:
    app: nginx
    test: "true"
  type: ClusterIP
  ports:
    - name: web
      port: 80
      targetPort: http

ingressroute配置

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nginx-test
  namespace: kube-ops
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`test.soulchild.site`)
    kind: Rule
    services:
    - name: nginx-test
      port: 80
  tls:
    certResolver: ali
    domains:
    - main: "*.soulchild.site"

由于域名没有备案，不能访问，我这里直接解析到traefik pod ip，访问测试

请我喝杯水

赞赏

微信号

微信打赏