前文介绍使用ingress结合traefik实现了入口的动静分离，本文将在前文基础上实现ingress的https配置。

为了简单且高效，建议应用容器化部署之后，https卸载在ingress这一级实现。通俗一点来说就是用户到ingress的连接走https协议，ingress到后端服务的连接走http协议。

我们对https的配置要求也比较简单，主要如下：

1、http自动重定向到https

2、https支持虚拟主机（TLS SNI）

一、初始环境准备

1、这里为了方便测试，把前文配置的网站动态部分路由规则都拿掉，仅保留静态部分

2、配置hosts解析记录3、http访问测试

二、准备证书文件和配置文件

1、这里将两个站点的四个证书文件统一放到一个secret里面去维护

# kubectl create secret generic traefik-cert --from-file=star_59iedu_com.key  \--from-file=star_59iedu_com.pem  \--from-file=star_yingjigl_com.key  \--from-file=star_yingjigl_com.pem -n kube-system

2、配置http重定向到https，同时支持多个https虚拟主机（TLS SNI）

# cat traefik.toml defaultEntryPoints = ["http","https"][entryPoints]  [entryPoints.http]  address = ":80"    [entryPoints.http.redirect]    entryPoint = "https"  [entryPoints.https]  address = ":443"    [entryPoints.https.tls]      [[entryPoints.https.tls.certificates]]      CertFile = "/ssl/star_59iedu_com.pem"      KeyFile = "/ssl/star_59iedu_com.key"      [[entryPoints.https.tls.certificates]]      certFile = "/ssl/star_yingjigl_com.pem"      keyFile = "/ssl/star_yingjigl_com.key"

# kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system

三、修改traefik配置文件

主要需要添加config和ssl volumes,其他的配置（例如：rabc、service、ingress等）保持不变，具体配置可参考前文，前文传送门：

# cat traefik-deployment.yaml   apiVersion: v1kind: ServiceAccountmetadata:  name: traefik-ingress-controller  namespace: kube-system---kind: DeploymentapiVersion: extensions/v1beta1metadata:  name: traefik-ingress-controller  namespace: kube-system  labels:    k8s-app: traefik-ingress-lbspec:  replicas: 2  selector:    matchLabels:      k8s-app: traefik-ingress-lb  template:    metadata:      labels:        k8s-app: traefik-ingress-lb        name: traefik-ingress-lb    spec:      serviceAccountName: traefik-ingress-controller      hostNetwork: true      nodeSelector:        traefik: proxy      terminationGracePeriodSeconds: 60      volumes:       - name: ssl         secret:          secretName: traefik-cert       - name: config         configMap:          name: traefik-conf      containers:      - image: traefik        name: traefik-ingress-lb        volumeMounts:        - mountPath: "/ssl"          name: "ssl"        - mountPath: "/config"          name: "config"        ports:        - name: web          containerPort: 80          hostPort: 80        - name: admin          containerPort: 8081        args:        - --configfile=/config/traefik.toml        - --web        - --web.address=:8081        - --kubernetes

# kubectl apply -f traefik-deployment.yaml

四、访问测试与验证

参考文档：

其他的需求，例如gzip压缩，tls版本和加密算法，rewrite重定向等配置也可以参考此文档

五、其他需求

1、 使用一个统一的入口地址。

2、 默认同时支持http和https方式访问。3、 根据实际的情况和要求来配置http访问请求重定向到https。4、 兼容后端https服务（这里以dashboard为例）

# cat traefik.toml   insecureSkipVerify = truedefaultEntryPoints = ["http","https"][entryPoints]  [entryPoints.http]  address = ":80"    [entryPoints.http.redirect]    regex = "^http://k8s.59iedu.com/(.*)"    replacement = "https://k8s.59iedu.com/$1"  [entryPoints.https]  address = ":443"    [entryPoints.https.tls]      [[entryPoints.https.tls.certificates]]      CertFile = "/ssl/star_59iedu_com.pem"      KeyFile = "/ssl/star_59iedu_com.key"      [[entryPoints.https.tls.certificates]]      certFile = "/ssl/star_yingjigl_com.pem"      keyFile = "/ssl/star_yingjigl_com.key"      [[entryPoints.https.tls.certificates]]      certFile = "/ssl/star_huilearning_com.pem"      keyFile = "/ssl/star_huilearning_com.key"

# cat dashboard-ingress.yaml apiVersion: extensions/v1beta1kind: Ingressmetadata:  name: kubernetes-dashboard  namespace: kube-system  annotations:    ingress.kubernetes.io/ssl-passthrough: "true"spec:  rules:  - host: k8s.59iedu.com    http:      paths:      - path: /        backend:          serviceName: kubernetes-dashboard          servicePort: 443