bureaucraten, interfacemoderatoren, Beheerders (Semantic MediaWiki), Curatoren (Semantic MediaWiki), Redacteuren (Semantic MediaWiki), toezichthouders, beheerders
205
bewerkingen
→Accessing a Deployment using an Ingress
| Regel 841: | Regel 841: | ||
You can check the Traefik dashboard to see that it's up. Currently, we'll need a port-forward for that: | You can check the Traefik dashboard to see that it's up. Currently, we'll need a port-forward for that: | ||
< | <pre> | ||
$ kubectl port-forward -n kube-system deployment/traefik-ingress 8080:8080 | $ kubectl port-forward -n kube-system deployment/traefik-ingress 8080:8080 | ||
Forwarding from [::1]:8080 -> 8080 | Forwarding from [::1]:8080 -> 8080 | ||
Forwarding from 127.0.0.1:8080 -> 8080 | Forwarding from 127.0.0.1:8080 -> 8080 | ||
</ | </pre> | ||
Now, visit <code>http://localhost:8080/</code> and you should see the Traefik dashboard. It will show no frontends and no backends, as we haven't created any Ingresses yet for it to route. So let's create one for our Nginx service: | Now, visit <code>http://localhost:8080/</code> and you should see the Traefik dashboard. It will show no frontends and no backends, as we haven't created any Ingresses yet for it to route. So let's create one for our Nginx service: | ||
< | <pre> | ||
$ cat ingress.yaml | $ cat ingress.yaml | ||
apiVersion: extensions/v1beta1 | apiVersion: extensions/v1beta1 | ||
| Regel 868: | Regel 868: | ||
$ kubectl apply -f nginx.yaml | $ kubectl apply -f nginx.yaml | ||
ingress.extensions/nginx-ingress created | ingress.extensions/nginx-ingress created | ||
</ | </pre> | ||
So what does this mean? | So what does this mean? | ||
| Regel 878: | Regel 878: | ||
In other words, http://kubetest.sjorsgielen.nl/nginx/index.html will be forwarded to http://nginx-service/index.html. And indeed, it shows the same Nginx page again! Also, if you go to the Traefik dashboard again, you'll see the frontend and backend have appeared and also you'll be able to see the average response time on the Health tab. | In other words, http://kubetest.sjorsgielen.nl/nginx/index.html will be forwarded to http://nginx-service/index.html. And indeed, it shows the same Nginx page again! Also, if you go to the Traefik dashboard again, you'll see the frontend and backend have appeared and also you'll be able to see the average response time on the Health tab. | ||
Now, you could replace your port-forward to the Traefik dashboard with a Service and an Ingress so you can make it externally accessible on your hostname (or a different one) as well. I'll leave that as an exercise to you! | |||
== Let's encrypt this == | |||
There's one very nice feature of Traefik I didn't want you to miss out on. It of course supports TLS, and it can automatically get your certificates through any ACME provider such as Let's Encrypt. | |||
For this, we change our ConfigMap to include a <code>[acme]</code> section and also to auto-forward all HTTP requests to HTTPS: | |||
<pre> | |||
$ cat traefik-configmap.yaml | |||
apiVersion: v1 | |||
kind: ConfigMap | |||
metadata: | |||
name: traefik-configmap | |||
namespace: kube-system | |||
data: | |||
traefik.toml: | | |||
defaultEntryPoints = ["http", "https"] | |||
insecureSkipVerify = true | |||
[entryPoints] | |||
[entryPoints.http] | |||
address = ":80" | |||
[entryPoints.http.redirect] | |||
entryPoint = "https" | |||
[entryPoints.https] | |||
address = ":443" | |||
[entryPoints.https.tls] | |||
[entryPoints.admin] | |||
address = ":8080" | |||
[acme] | |||
email = 'your e-mail address' | |||
storage = "acme.json" | |||
caServer = "https://acme-v01.api.letsencrypt.org/directory" | |||
entryPoint = "https" | |||
onDemand = true | |||
[acme.httpChallenge] | |||
entryPoint = "http" | |||
[kubernetes] | |||
[kubernetes.ingressEndpoint] | |||
publishedService = "kube-system/traefik-ingress-service-external" | |||
[api] | |||
entryPoint = "admin" | |||
$ kubectl apply -f traefik-configmap.yaml | |||
configmap/traefik-configmap configured | |||
</pre> | |||
Now, unfortunately, changing ConfigMaps doesn't automatically update the Pods that use it. So, we can destroy our Pod and the Deployment will recreate it with the correct configuration: | |||
<pre> | |||
$ kubectl get pods -n kube-system | grep traefik | |||
traefik-ingress-6dcd896c78-7w2k6 1/1 Running 0 8d | |||
$ kubectl delete pod traefik-ingress-6dcd896c78-7w2k6 -n kube-system | |||
$ kubectl get pods -n kube-system | grep traefik | |||
traefik-ingress-6dcd896c78-8gl9t 1/1 Running 0 15s | |||
</pre> | |||
Traefik will start requesting a TLS certificate when the first TLS request comes in. That may take a minute for the LetsEncrypt challenge to resolve, but after this, you should be able to access your hostname via HTTPS and it should present a valid certificate. In my case, https://kubetest.sjorsgielen.nl/nginx gives the same working page! Also, we've configured the http forward, so http://kubetest.sjorsgielen.nl/nginx just forwards there. Hassle-free TLS, done! | |||
= Creating your own images = | = Creating your own images = | ||