上了k8s,不得不搞个网关,搞了网关,再来他个免费自动续期的let's encrypt他不香吗,但是这块自己摸索了很长时间,终于搞定了,记录一下。
首先搭建traefik(没有集成let's encrypt重新搭建),配置文件采用toml,并加载到configmap内,这里名字叫traefik-ssl
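# The DaemonSet below mounts this ConfigMap from kube-system, and a Pod can only
# mount ConfigMaps from its own namespace, so create it there explicitly instead of
# relying on the kubectl context's current namespace.
kubectl create configmap traefik-ssl --from-file=traefik.toml -n kube-system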
traefik.toml
# Traefik v1.7 static configuration. It is packaged into the traefik-ssl ConfigMap
# and read by the DaemonSet via --configfile=/config/traefik.toml.
defaultEntryPoints = ["http","https"]
[entryPoints]
# Plain HTTP on :80. No redirect to https is configured here, so every routed
# service stays reachable over cleartext as well as over TLS.
[entryPoints.http]
address = ":80"
# TLS on :443; the empty [entryPoints.https.tls] table turns TLS on for this
# entrypoint, and the ACME-issued certificate below is served from it.
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
# Let's Encrypt (ACME v2) client.
[acme]
# Staging CA for testing: its certificates are not trusted by browsers, but its
# rate limits are far more generous than production's.
#caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
# Production CA
caServer = "https://acme-v02.api.letsencrypt.org/directory"
# ACME account contact; Let's Encrypt expiry warnings are sent here.
email = "891841484@qq.com"
# NOTE(review): relative path, resolved against the Traefik process working
# directory. The DaemonSet on this page mounts no writable volume for it, so the
# account key and certificates live only in the container filesystem: a pod
# restart re-issues them (counting against Let's Encrypt rate limits) and each
# DaemonSet pod keeps its own copy. Persist it (hostPath/PVC) before production.
storage = "acme.json"
# Entrypoint the issued certificates are served on.
entryPoint = "https"
# Request a certificate for every host that appears in a routing rule.
onHostRule = true
# Verbose ACME logging; useful while troubleshooting issuance.
acmeLogging = true
# Do not issue certificates lazily on the first request for an unknown host.
onDemand = false
# DNS-01 challenge through Alibaba Cloud DNS; the wildcard below cannot be
# validated with HTTP-01. The provider reads its credentials from the ALICLOUD_*
# environment variables that the DaemonSet sets on the container.
[acme.dnsChallenge]
provider = "alidns"
# Extra wait (seconds) before the TXT record is checked; 0 = no extra delay.
delayBeforeCheck = 0
# One wildcard certificate for the whole zone.
[[acme.domains]]
main = "*.ledaotech.com"
# sans = ["ledaotech.com"]
traefik-ds.yaml
# Identity the Traefik pods run under (referenced by serviceAccountName below).
# NOTE(review): with --kubernetes the controller reads cluster objects, so on an
# RBAC-enabled cluster this account also needs a ClusterRole/ClusterRoleBinding,
# which this page does not include - confirm they exist before deploying.
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: kube-system
  name: traefik-ingress-controller
---
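# Traefik v1.7 ingress controller: one pod per node, bound directly to the node's
# :80/:443 through hostNetwork. Static configuration comes from the traefik-ssl
# ConfigMap (see traefik.toml above).
kind: DaemonSet
# extensions/v1beta1 was removed in Kubernetes 1.16; apps/v1 (available since 1.9)
# requires spec.selector and defaults to a RollingUpdate strategy.
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      # The pod shares the node's network namespace, so every hostPort below is
      # reachable on each node's IP - including the admin API on :8080.
      hostNetwork: true
      volumes:
        # - name: ssl
        #   secret:
        #     secretName: ledaotech
        # Only the read-only config is mounted. traefik.toml stores ACME state in
        # "acme.json" relative to the working directory, and no writable volume is
        # provided for it, so certificates are re-issued on every pod restart and
        # each node keeps its own copy (Let's Encrypt rate limits apply).
        - name: config
          configMap:
            name: traefik-ssl  # must exist in kube-system
      containers:
        - image: traefik:v1.7-alpine
          # - image: fanfengqiang/traefik:1.7.10
          name: traefik-ingress-lb
          env:
            # Credentials for the alidns DNS-01 provider. Kubernetes requires env
            # values to be strings: unquoted digits parse as YAML integers and the
            # manifest is rejected on apply. Prefer valueFrom.secretKeyRef to a
            # Secret over literal credentials in a committed manifest.
            - name: ALICLOUD_ACCESS_KEY
              value: "456789"
            - name: ALICLOUD_SECRET_KEY
              value: "123456"
            - name: ALICLOUD_REGION_ID
              value: cn-hangzhou
          volumeMounts:
            # - mountPath: "/ssl"
            #   name: "ssl"
            - mountPath: "/config"
              name: "config"
          ports:
            - name: http
              containerPort: 80
              hostPort: 80
            - name: https
              containerPort: 443
              hostPort: 443
            # Traefik API/dashboard (--api). traefik.toml configures no
            # authentication for it, so it is open on every node's :8080; restrict
            # it (firewall/NetworkPolicy) or drop --api and this port.
            - name: admin
              containerPort: 8080
              hostPort: 8080
          securityContext:
            # Keep only the capability needed to bind ports below 1024.
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          args:
            - --configfile=/config/traefik.toml
            # Equivalent command-line form of the TOML settings, kept for reference:
            # - --insecureSkipVerify=true  # do not verify backend certificates when the backend speaks HTTPS
            # - --defaultEntryPoints=http,https  # serve both HTTP and HTTPS
            # - --entrypoints=Name:https Address::443 TLS  # HTTPS on :443
            # - --entrypoints=Name:http Address::80 Redirect.EntryPoint:https  # HTTP on :80, redirected to https
            # - --acme  # enable ACME
            # - --acme.acmeLogging=true  # verbose ACME logging for troubleshooting
            # - --acme.email=891841484@qq.com  # account e-mail
            # - --acme.entryPoint=https  # entrypoint the certificates are served on
            # - --acme.storage=/tmp/acme.json  # ACME state file
            # - --acme.dnschallenge  # DNS-01 challenge
            # - --acme.dnschallenge.provider=alidns  # DNS provider
            # - --acme.dnschallenge.delaybeforecheck=5  # delay before checking the DNS record
            # - --acme.httpchallenge.entrypoint=http  # entrypoint used for HTTP-01
            # - --acme.domains=*.ledaotech.com  # domains to request
            # - --acme.domains=ledaotech.com  # domains to request
            - --api
            - --kubernetes
            - --logLevel=INFO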
---
# Service in front of the controller pods. The DaemonSet already binds :80/:443/:8080
# on every node via hostNetwork/hostPort, so this mainly serves in-cluster clients.
# The 'admin' port exposes the Traefik API/dashboard (--api), which traefik.toml
# leaves unauthenticated - restrict it or leave it out of this Service.
kind: Service
apiVersion: v1
metadata:
  namespace: kube-system
  name: traefik-ingress-service
spec:
  type: NodePort
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - name: web
      port: 80
      protocol: TCP
    - name: https
      port: 443
      protocol: TCP
    - name: admin
      port: 8080
      protocol: TCP
以上部署完毕就可以了,坑的地方在于traefik v1.7.9会报
no such file or directory "zoneinfo.zip"
,经查询换了个版本可以了,附issue链接 https://github.com/containous/traefik/issues/4404