This article explains how Traefik requests SSL certificates on Kubernetes (tlsChallenge, httpChallenge, dnsChallenge) and is intended as a practical reference.
Traefik supports three ways of requesting an SSL certificate: tlsChallenge, httpChallenge and dnsChallenge. The table below compares what each one requires.
| tlsChallenge | httpChallenge | dnsChallenge |
|---|---|---|
| port 443 must be reachable from the Internet | port 80 must be reachable from the Internet | a DNS provider is specified and the environment variables that provider needs are set |
dnsChallenge
helm configuration
The helm values below use Alibaba Cloud DNS (alidns) as the provider:
```yaml
image:
  name: registry-vpc.cn-shenzhen.aliyuncs.com/liweilun/traefik
  tag: "v2.6"
deployment:
  kind: Deployment
ingressRoute:
  dashboard:
    enabled: false
experimental:
  http3:
    enabled: true
env:
  - name: ALICLOUD_ACCESS_KEY
    valueFrom:
      secretKeyRef:
        name: alidns
        key: ALICLOUD_ACCESS_KEY
  - name: ALICLOUD_SECRET_KEY
    valueFrom:
      secretKeyRef:
        name: alidns
        key: ALICLOUD_SECRET_KEY
additionalArguments:
  - "--providers.kubernetescrd.allowexternalnameservices=true"
  - "--entrypoints.websecure.http3.advertisedport=443"
  - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=alidns"
  - "--certificatesresolvers.myresolver.acme.keytype=EC256"
  - "--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0"
ports:
  web:
    port: 80
  websecure:
    port: 443
    http3: true
service:
  type: ClusterIP
hostNetwork: true
securityContext:
  capabilities:
    drop: [ALL]
    add: [NET_BIND_SERVICE]
  readOnlyRootFilesystem: false
  runAsGroup: 0
  runAsNonRoot: false
  runAsUser: 0
```
1. For Traefik to request certificates it must run as a Deployment, not a DaemonSet.
2. The env section must provide ALICLOUD_ACCESS_KEY and ALICLOUD_SECRET_KEY (here read from the Secret named alidns).
3. In additionalArguments:
- "--certificatesresolvers.myresolver.acme.dnschallenge.provider=alidns"
  defines a dnsChallenge certificate resolver named myresolver whose provider is alidns
- "--certificatesresolvers.myresolver.acme.keytype=EC256"
  sets the certificate key type to ECC with a 256-bit key. ECC certificates are less widely compatible than RSA certificates but perform better; a 256-bit ECC key is considered equivalent in strength to a 3072-bit RSA key.
- "--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0"
  means Traefik keeps waiting for the certificate until the request succeeds
4. The securityContext is adjusted to allow running as root, because Traefik has to write acme.json; I did not test whether a user other than root can also request certificates.
ingress configuration
This example uses Traefik's Kubernetes IngressRoute mode. Setting certResolver in the tls section to the myresolver resolver configured in helm above is all that is needed for Traefik to request the SSL certificate:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: qcyn
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`xxx.cn`)
      kind: Rule
      middlewares:
        - name: headers
          namespace: default
      services:
        - name: yn-practice
          port: 8080
  tls:
    certResolver: myresolver
    options:
      name: tlsoption
      namespace: default
    domains:
      - sans:
          - 'xxx.cn'
```
dnsChallenge advantages
dnsChallenge is the only way for Traefik to obtain a wildcard certificate, which avoids listing a large number of hostnames under domains.
dnsChallenge disadvantages
When using dnsChallenge in Traefik, a DNS provider cannot be configured twice, because only one set of its environment variables can exist. For example, with Alibaba Cloud DNS there can be only one pair of ALICLOUD_ACCESS_KEY and ALICLOUD_SECRET_KEY.
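The helm values and the IngressRoute above are only checked against each other when Traefik starts and the ACME request fails. The following script is an added example (not from the article or the Traefik project) that performs that consistency check ahead of time: it parses the certificatesresolvers flags from additionalArguments, confirms the certResolver named in the IngressRoute exists with exactly one challenge type, that the DNS provider's credentials are present in env, and that wildcard domains are only requested through dnsChallenge. The provider-to-environment-variable table and the constructed inputs are assumptions; alidns and its two variables come from the article.

```python
import re
from typing import Dict, List

# Traefik CLI flag form: --certificatesresolvers.<name>.acme.<key>[=<value>]
_RESOLVER_RE = re.compile(r"^--certificatesresolvers\.([^.]+)\.acme\.([^=]+)(?:=(.*))?$")
CHALLENGES = ("dnschallenge", "httpchallenge", "tlschallenge")
VALID_KEYTYPES = {"EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"}
# Env vars each DNS provider reads; alidns is from the article, others are an assumption.
PROVIDER_ENV: Dict[str, List[str]] = {"alidns": ["ALICLOUD_ACCESS_KEY", "ALICLOUD_SECRET_KEY"]}

# Constructed inputs, copied from the article's helm values.
HELM_ARGS = [
    "--certificatesresolvers.myresolver.acme.dnschallenge.provider=alidns",
    "--certificatesresolvers.myresolver.acme.keytype=EC256",
    "--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0",
]
HELM_ENV = ["ALICLOUD_ACCESS_KEY", "ALICLOUD_SECRET_KEY"]

def parse_resolvers(args: List[str]) -> Dict[str, Dict[str, str]]:
    """Group certificatesresolvers.* flags by resolver name; a bare flag means 'true'."""
    resolvers: Dict[str, Dict[str, str]] = {}
    for arg in args:
        m = _RESOLVER_RE.match(arg)
        if m:
            value = "true" if m.group(3) is None else m.group(3)
            resolvers.setdefault(m.group(1), {})[m.group(2)] = value
    return resolvers

def check_cert_resolver(args: List[str], env_names: List[str],
                        cert_resolver: str, domains: List[str]) -> List[str]:
    """Return the problems found; an empty list means the pieces fit together."""
    cfg = parse_resolvers(args).get(cert_resolver)
    if cfg is None:
        return [f"certResolver '{cert_resolver}' is not defined in additionalArguments"]
    problems: List[str] = []
    found = {k.split(".")[0] for k in cfg if k.split(".")[0] in CHALLENGES}
    if len(found) != 1:
        problems.append(f"expected exactly one challenge type, found {sorted(found)}")
    if "dnschallenge" in found:
        provider = cfg.get("dnschallenge.provider", "")
        if not provider:
            problems.append("dnschallenge.provider is not set")
        problems += [f"provider '{provider}' needs env var {v}"
                     for v in PROVIDER_ENV.get(provider, []) if v not in env_names]
    if any(d.startswith("*.") for d in domains) and "dnschallenge" not in found:
        problems.append("wildcard domains can only be issued through dnsChallenge")
    keytype = cfg.get("keytype", "RSA4096")  # Traefik's default when the flag is absent
    if keytype not in VALID_KEYTYPES:
        problems.append(f"unknown keytype '{keytype}'")
    return problems
```

Running `check_cert_resolver(HELM_ARGS, HELM_ENV, "myresolver", ["xxx.cn"])` on the article's values returns an empty list; dropping one of the two alidns variables, or requesting `*.xxx.cn` from a tlsChallenge resolver, is reported.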