简介

Kubernetes目前ingress主流的就是nginx-ingress 和traefik-ingress.nginx-ingress中实现http转https加一个注解就可以了，很简单。但是traefik-ingress好像稍微要复杂一点。现就将整个过程整理成文。

条件

1. Kubernetes集群

2.集群已经安装traefik-ingress插件

步骤

1. 部署nginx应用和服务

#kubectl apply -f nginx.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: default
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: nginx
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /
            port: 80
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: nginx
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /
            port: 80
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
      dnsPolicy: ClusterFirst
      restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx
  name: nginx
  namespace: default
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  sessionAffinity: None
  type: ClusterIP

2. 创建https所需要的证书secret ,可以参考这一篇文章:  https://blog.csdn.net/lwlfox/article/details/106219412 ,这里secret的名字需要在步骤3中使用

3. 创建 https  traefik-ingress

#kubectl apply -f nginx-ingress-https.yaml

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nginx-https
  namespace: default
  labels:
    app: nginx
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`nginx.yourdomain.com`)
    kind: Rule
    services:
    - name: nginx
      port: 80
      sticky:
        cookie:
          httpOnly: true
          name: cookie
          secure: true
          sameSite: none
  tls:
    secretName: yourdomain.com #第2步创建的secret的名字

4.创建中间件和http traefik-ingress,实现自动http转https

#kubectl apply -f nginx-ingress-http.yaml

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
spec:
  redirectScheme:
    scheme: https

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nginx-http
  namespace: default
spec:
  entryPoints:
  - web
  routes:
  - kind: Rule
    match: Host(`nginx.yourdomain.work`)
    priority: 10
    middlewares:
    - name: redirect-https
    services:
    - kind: Service
      name: nginx
      namespace: default
      passHostHeader: true
      port: 80
      responseForwarding:
        flushInterval: 1ms
      scheme: http

5.验证自动跳转