{"id":1478,"date":"2024-09-19T13:37:09","date_gmt":"2024-09-19T05:37:09","guid":{"rendered":"https:\/\/www.yinyubo.com\/?p=1478"},"modified":"2024-09-19T13:37:09","modified_gmt":"2024-09-19T05:37:09","slug":"%e4%bd%bf%e7%94%a8%e9%98%bf%e9%87%8c%e4%ba%91%e6%9c%8d%e5%8a%a1%e5%99%a8%e9%83%a8%e7%bd%b2traefik%e5%85%b3%e8%81%94nlb%e8%b4%9f%e8%bd%bd%e5%9d%87%e8%a1%a1%e5%99%a8%ef%bc%8c%e6%b7%bb%e5%8a%a0cert-mana","status":"publish","type":"post","link":"https:\/\/www.yinyubo.com\/?p=1478","title":{"rendered":"Deploying Traefik on Alibaba Cloud servers, attaching an NLB load balancer, and adding free certificates with cert-manager"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Background and requirements<\/h2>\n\n\n\n<p>We have an ordinary website service to deploy and expose over HTTPS. To keep costs reasonable, the suggested Alibaba Cloud purchases are [<strong>Container cluster ACK<\/strong>] <strong>[website domain] [NLB load balancer] [shared bandwidth package] [ECS cloud server]<\/strong>. If you need file storage you can also buy <strong>[Object Storage] [NAS file system]<\/strong> and the like, and a CDN service if you need static-file acceleration. In this article I go with the minimum requirement (money): I buy only 3 servers, form a k8s cluster, deploy the web site, request certificates automatically with acme.sh, and use an external load balancer to build a minimal highly available production environment.<\/p>\n
\n\n\n<h2 class=\"wp-block-heading\">Details skipped<\/h2>\n\n\n\n<p>This article skips purchasing [<strong>Container cluster ACK<\/strong>] <strong>[website domain] [NLB load balancer] [shared bandwidth package] [ECS cloud server]<\/strong> from the Alibaba Cloud website. It assumes the reader has already bought and set them up, copied the kubeconfig file to the server, and installed kubectl and helm. From here on we go straight to the commands.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Install cert-manager<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>helm repo add jetstack https:\/\/charts.jetstack.io\n \nhelm repo update\n \nhelm install \\\n  cert-manager jetstack\/cert-manager \\\n  --namespace cert-manager \\\n  --create-namespace \\\n  --version v1.15.3 \\\n  --set installCRDs=true<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">2. Configure the Alibaba Cloud DNS challenge required by cert-manager<\/h2>\n\n\n\n<p>Install the webhook for the Alibaba Cloud DNS challenge.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>helm repo add cert-manager-alidns-webhook https:\/\/devmachine-fr.github.io\/cert-manager-alidns-webhook\nhelm repo update\nhelm install alidns-webhook cert-manager-alidns-webhook\/alidns-webhook<\/code><\/pre>\n\n\n\n<p>Add the alidns-secret.yaml file. The access-key and secret-key here must be obtained through Alibaba Cloud's AccessKey feature. Once you have them, use the echo command to produce the base64-encoded text and fill it into the YAML file. Base64 is an encoding, not encryption, so handle the file as a plaintext secret.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo -n \"RAW_KEY\" | base64 \n\n# alidns-secret.yaml 
file\napiVersion: v1\nkind: Secret\nmetadata:\n  name: alidns-secret\n  namespace: cert-manager\ndata:\n  access-key: BASE64_ENCODED_ACCESS_KEY\n  secret-key: BASE64_ENCODED_SECRET_KEY<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl apply -f alidns-secret.yaml\n<\/code><\/pre>\n\n\n\n<p>Add the letsencrypt-staging.yaml file. Do not change groupName: the helm install alidns-webhook command above used the chart's default parameters, in which groupName is example.com. If you must change groupName, change it in both places.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: cert-manager.io\/v1\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt-staging\nspec:\n  acme:\n    email: 357244849@qq.com\n    # Production ACME endpoint despite the issuer name; staging is https:\/\/acme-staging-v02.api.letsencrypt.org\/directory\n    server: https:\/\/acme-v02.api.letsencrypt.org\/directory\n    privateKeySecretRef:\n      name: letsencrypt-staging-account-key\n    solvers:\n    - dns01:\n        webhook:\n          groupName: example.com\n          solverName: alidns-solver\n          config:\n            region: \"\"\n            accessKeySecretRef:\n              name: alidns-secret\n              key: access-key\n            secretKeySecretRef:\n              name: alidns-secret\n              key: secret-key<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl apply -f letsencrypt-staging.yaml\n<\/code><\/pre>\n\n\n\n<p>Add the Certificate.yaml file. Once this step is done, manually add the corresponding CNAME record in Alibaba Cloud DNS, with the record value set to the domain name provided by the load balancer, typically nlb-xxxx.&lt;region&gt;.nlb.aliyuncs.com<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: cert-manager.io\/v1\nkind: Certificate\nmetadata:\n  name: hello-com\n  
namespace: traefik\nspec:\n  # The secretName will store certificate content\n  secretName: hello-com-tls\n  dnsNames:\n  - \"*.hello.com\"\n  - \"ops.hello.com\"\n  issuerRef:\n    name: letsencrypt-staging\n    kind: ClusterIssuer<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl apply -f Certificate.yaml<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">3. Install Traefik and attach the certificate and load balancer<\/h2>\n\n\n\n<p>1. Create a values-traefik.yaml file; my configuration below can serve as a reference.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>providers:\n  kubernetesCRD:\n    allowCrossNamespace: true\n  kubernetesIngress:\n    publishedService:\n      enabled: true # Make the Ingress external IP status show Traefik's LB IP address\nservice:\n  enabled: true\n  loadBalancerClass: alibabacloud.com\/nlb\n  annotations:\n    service.beta.kubernetes.io\/alibaba-cloud-loadbalancer-id: \"YOUR_NLB_ID\" # ID of the Alibaba Cloud NLB load balancer to attach\n    service.beta.kubernetes.io\/alibaba-cloud-loadbalancer-force-override-listeners: \"true\"\n  spec:\n    externalTrafficPolicy: Local\n# Without this, binding ports 80 and 443 fails with a permission error; note that it runs Traefik as root\nsecurityContext:\n  capabilities:\n    add:\n      - NET_BIND_SERVICE\n  runAsNonRoot: false\n  runAsUser: 0\nupdateStrategy:\n  # -- Customize updateStrategy: RollingUpdate or OnDelete\n  type: RollingUpdate\n  rollingUpdate:\n    maxUnavailable: 1\n    maxSurge: 0\nports:\n  web:\n    port: 80\n    expose:\n      default: true\n    exposedPort: 80 # External HTTP port; using the standard port in mainland China requires ICP filing\n    redirectTo:\n      port: websecure\n  websecure:\n    port: 443\n    expose:\n      default: true\n    
exposedPort: 443 # External HTTPS port; using the standard port in mainland China requires ICP filing\nlogs:\n  access:\n    enabled: true\ndeployment:\n  enabled: true\n  replicas: 3\ningressRoute:\n  dashboard:\n    enabled: true\n    matchRule: Host(`traefik.hello.com`) &amp;&amp; (PathPrefix(`\/dashboard`) || PathPrefix(`\/api`))\n    entryPoints: &#91;\"websecure\"]\n    middlewares:\n      - name: traefik-dashboard-auth\nextraObjects:\n  - apiVersion: v1\n    kind: Secret\n    metadata:\n      name: traefik-dashboard-auth-secret\n    type: kubernetes.io\/basic-auth\n    stringData:\n      # Example credentials; replace before deploying\n      username: hello\n      password: thankyou\n\n  - apiVersion: traefik.io\/v1alpha1\n    kind: Middleware\n    metadata:\n      name: traefik-dashboard-auth\n    spec:\n      basicAuth:\n        secret: traefik-dashboard-auth-secret\n# Reference the secret created by cert-manager\ntlsStore:\n  default:\n    defaultCertificate:\n      secretName: hello-com-tls\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>helm repo add traefik https:\/\/helm.traefik.io\/traefik\nhelm repo update\nhelm upgrade --install traefik -n traefik -f values-traefik.yaml traefik\/traefik<\/code><\/pre>\n\n\n\n<p>After installation, kubectl get svc -n traefik shows the generated LoadBalancer service. In the Alibaba Cloud console you can also see that the corresponding listeners and server groups were created automatically in the Network Load Balancer. To verify the deployment, open https:\/\/traefik.hello.com\/dashboard in a browser.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Background and requirements 
We have an ordinary website service to deploy and expose over HTTPS. To keep costs reasonable, the suggested Alibaba Cloud purchases are [Cont [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1478","post","type-post","status-publish","format-standard","hentry","category-k8s"],"_links":{"self":[{"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=\/wp\/v2\/posts\/1478","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1478"}],"version-history":[{"count":0,"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=\/wp\/v2\/posts\/1478\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1478"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1478"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1478"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}