Traefik Letsencrypt GKE 上最简单的例子

Question

我正在尝试使用此article 在 GKE 上使用 Traefik 实现最简单的 example。我做了一些更改以满足我的要求，但我无法获得 ACME 证书。

到目前为止我做了什么

• 运行以下命令并创建除 ingress-route 之外的所有资源对象

$ kubectl apply -f 00-resource-crd-definition.yml,05-traefik-rbac.yml,10-service-account.yaml,15-traefik-deployment.yaml,20-traefik-service.yaml,25-whoami-deployment.yaml,30-whoami-service.yaml
customresourcedefinition.apiextensions.k8s.io/ingressroutes.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/middlewares.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/ingressroutetcps.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/tlsoptions.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/traefikservices.traefik.containo.us created
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created
serviceaccount/traefik-ingress-controller created
deployment.apps/traefik created
service/traefik created
deployment.apps/whoami created
service/whoami created

• 获取作为负载均衡器公开的 Traefik 服务的 IP

$ kubectl get service
NAME         TYPE           CLUSTER-IP      EXTERNAL-IP    PORT(S)                                     AGE
kubernetes   ClusterIP      10.109.0.1      <none>         443/TCP                                     6h16m
traefik      LoadBalancer   10.109.15.230   34.69.16.102   80:32318/TCP,443:32634/TCP,8080:32741/TCP   70s
whoami       ClusterIP      10.109.14.91    <none>         80/TCP                                      70s

• 为此 IP 创建 DNS 记录

$ nslookup k8sacmetest.gotdns.ch
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
Name:   k8sacmetest.gotdns.ch
Address: 34.69.16.102

• 创建资源入口路由

$ kubectl apply -f 35-ingress-route.yaml
ingressroute.traefik.containo.us/simpleingressroute created
ingressroute.traefik.containo.us/ingressroutetls created

• traefik 日志

time="2020-04-25T20:10:31Z" level=info msg="Configuration loaded from flags."
time="2020-04-25T20:10:32Z" level=error msg="subset not found for default/whoami" providerName=kubernetescrd ingress=simpleingressroute namespace=default
time="2020-04-25T20:10:32Z" level=error msg="subset not found for default/whoami" providerName=kubernetescrd ingress=ingressroutetls namespace=default
time="2020-04-25T20:10:52Z" level=error msg="Unable to obtain ACME certificate for domains \"k8sacmetest.gotdns.ch\": unable to generate a certificate for the domains [k8sacmetest.gotdns.ch]: acme: Error -> One or more domains had a problem:\n[k8sacmetest.gotdns.ch] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url: \n" routerName=default-ingressroutetls-08dd2bb9eecaa72a6606@kubernetescrd rule="Host(`k8sacmetest.gotdns.ch`) && PathPrefix(`/tls`)" providerName=default.acme

我的成就

• Traefik 仪表板

link

• 与 notls 的哇哦

link

无法获得用于 TLS WHOAMI 的 ACME 证书

my-pain

INFRA 详细信息

• 我正在使用 Google Kubernetes 集群（这里正在讨论的那个 -cloud.google.com/kubernetes-engine，点击 Go to Console）。
• Traefik 版本为 2.2。
• 我正在使用“CloudShell”访问集群”。

问：

1) 获取 TLS 证书我哪里出错了？

2) 如果它的防火墙问题如何解决？

3) 如果您还有其他更好的Treafik Let's encrypt simplest example on GKE 示例，请告诉我

Answer 1

只需在kubectl port-forward 命令之前运行sudo。您正在尝试绑定到特权端口，因此您需要更多权限。

这不是 GKE 的最简单示例，因为您可以使用 GKE LoadBalnacer 代替 kubectl port-forward。

试试这个：

apiVersion: v1
kind: Service
metadata:
  name: traefik
spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
      targetPort: web
    - protocol: TCP
      name: websecure
      port: 443
      targetPort: websecure
  selector:
    app: traefik
  type: LoadBalancer

然后您可以在EXTERNAL-IP 列中使用kubectl get svc 找到您的新IP，为您的域添加正确的DNS 记录，就可以了。