What is an SSL certificate?

An SSL (Secure Sockets Layer) certificate, sometimes called a digital certificate, is used to establish an encrypted connection between a browser or a user's computer and a server or website. The SSL connection protects sensitive data exchanged during each visit (a session), such as credit card numbers, from interception by unauthorized parties. Strictly speaking, the certificate is a CA-signed binding between the site's public key and its domain name; the encryption itself comes from the TLS handshake that the certificate authenticates, which is why a certificate for the wrong name, or one the client cannot validate, gives no protection against an active attacker. The protocol in use today is TLS, but the certificates are still commonly called SSL certificates.

Goal:

Every domain that traefik forwards or serves must be reachable over HTTPS.

Test environment

K8s cluster
Aliyun DNS account (the RAM user needs read and write access to the DNS service; scope it to that and nothing more, because its key pair ends up inside the traefik pod):
ALICLOUD_ACCESS_KEY
ALICLOUD_SECRET_KEY

The k8s YAML manifests follow. First, create the RBAC authorization:

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1   # removed in Kubernetes 1.22; use rbac.authorization.k8s.io/v1 on newer clusters
metadata:
  name: traefik-outer-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets      # needed for TLS Secrets referenced by Ingress objects; note this is read access to every Secret in every namespace
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-outer-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-outer-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-outer-ingress-controller
    namespace: kube-system

Service configuration

Note: every node that should run traefik must carry the following label:
traefik: "traefik-outer"

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-outer-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1   # removed in Kubernetes 1.16; use apps/v1 on newer clusters
metadata:
  name: traefik-outer-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-outer-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-outer-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-outer-ingress-lb
        name: traefik-outer-ingress-lb
    spec:
      serviceAccountName: traefik-outer-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true                 # ports 80/443/8080 are bound directly on the node
      containers:
        - image: traefik:1.7.19
          name: traefik-outer-ingress-lb
          env:
            # Redacted placeholders for the Aliyun RAM user's key pair. Values inlined here end up in
            # every copy of this manifest and in `kubectl get ds -o yaml`; a valueFrom.secretKeyRef
            # pointing at a Kubernetes Secret keeps them out of the manifest.
            - name: ALICLOUD_ACCESS_KEY          # access key of the Aliyun RAM user
              value: LTAIxxxxxxxxxxxAYfXqk
            - name: ALICLOUD_SECRET_KEY          # secret key of the Aliyun RAM user
              value: gfNxxxxxxxxxxxoOslfc
          resources:
            limits:
              cpu: 1000m
              memory: 1024Mi
            requests:
              cpu: 1000m
              memory: 1024Mi
          ports:
            - name: http
              containerPort: 80
              hostPort: 80
            - name: https
              containerPort: 443
              hostPort: 443
            - name: admin
              containerPort: 8080
              hostPort: 8080
          args:
            - --api                                   # dashboard and API on :8080, with no authentication
            - --kubernetes
            - --configfile=/traefik.toml              # must be mounted into the container (e.g. from a ConfigMap); the mount is not shown here
            - --insecureskipverify                    # do not verify the certificate of HTTPS backends
            - --logLevel=INFO                         # log level
            - --defaultEntryPoints=http,https         # serve both HTTP and HTTPS
            - --entrypoints=Name:https Address::443 TLS   # HTTPS entrypoint on port 443
            - --entrypoints=Name:http Address::80     # plain HTTP on port 80; use either this line or the redirect variant below, not both
            # - --entrypoints=Name:http Address::80 Redirect.EntryPoint:https   # HTTP on port 80, redirected to https
            - --acme                                  # enable Let's Encrypt certificate issuance
            - --acme.email=kevin@ptcpt.com            # e-mail used for the ACME account registration
            - --acme.storage=/tmp/acme.json           # holds the account key plus every certificate and its private key; /tmp is lost on restart, and each DaemonSet pod keeps its own copy and requests its own certificates
            - --acme.acmeLogging=true                 # verbose ACME logging for troubleshooting
            - --acme.entryPoint=https                 # entrypoint that serves the ACME certificates; must be the TLS entrypoint on 443
            - --acme.httpchallenge.entrypoint=http    # HTTP-01 challenge entrypoint; with a DNS provider configured, the DNS challenge is the one used
            - --acme.dnschallenge                     # DNS-01 validation, the only challenge type that can issue wildcard certificates
            - --acme.dnschallenge.provider=alidns     # Aliyun DNS; reads ALICLOUD_ACCESS_KEY / ALICLOUD_SECRET_KEY from the environment
            - --acme.dnschallenge.delaybeforecheck=5  # seconds to wait for the TXT record to propagate before validation is requested
            - --acme.onHostRule=true                  # request a certificate automatically for every new Host rule on acme.entryPoint
            - --acme.domains=ptmind.com               # domains to request certificates for
            - --acme.domains=lingxi365.cn
            - --acme.domains=lingxi.link
      nodeSelector:
        traefik: "traefik-outer"
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-outer-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-outer-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 443
      name: https
    - protocol: TCP
      port: 8080
      name: admin
---
apiVersion: extensions/v1beta1   # removed in Kubernetes 1.22
kind: Ingress
metadata:
  name: traefik-outer-web-ui
  namespace: kube-system
spec:
  rules:
    - host: traefik.ptmind.com   # hostname of the dashboard; it has no authentication of its own, so limit who can reach it
      http:
        paths:
          - path: /
            backend:
              serviceName: traefik-outer-ingress-service
              servicePort: admin

traefik command line

The same arguments as a single command line (the two --entrypoints values contain spaces and must be quoted):

--api --kubernetes --configfile=/traefik.toml --insecureskipverify --logLevel=INFO \
--defaultEntryPoints=http,https '--entrypoints=Name:https Address::443 TLS' \
'--entrypoints=Name:http Address::80' --acme --acme.dnschallenge --acme.email=kevin@ptcpt.com \
--acme.storage=/tmp/acme.json --acme.acmeLogging=true --acme.entryPoint=https --acme.httpchallenge.entrypoint=http \
--acme.dnschallenge.provider=alidns --acme.dnschallenge.delaybeforecheck=5 \
--acme.domains=ptmind.com --acme.domains=lingxi365.cn --acme.domains=lingxi.link \
--acme.onHostRule=true

Other parameters explained

The same options in traefik.toml form (the file that --configfile points at). onDemand and onHostRule are the two ways a certificate request can be triggered:

[acme]
entryPoint = "https"
# Enable on-demand certificates. If no certificate exists yet for a hostname, one is requested from
# Let's Encrypt during the first TLS handshake for that hostname.
# Warning: fetching the certificate inside the first handshake makes that handshake very slow, and
# any client can trigger it by presenting an arbitrary SNI name, so it is a DoS vector.
# Warning: Let's Encrypt enforces rate limits: https://letsencrypt.org/docs/rate-limits
onDemand = false
# Generate certificates from the Host rules of the frontends. One Let's Encrypt certificate is
# issued per frontend that has a Host rule.
# For example, a frontend with the rule Host:test1.traefik.cn,test2.traefik.cn gets one certificate
# with main domain test1.traefik.cn and SAN (subject alternative name) test2.traefik.cn.
onHostRule = true

[acme.httpChallenge]
entryPoint = "http"
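What --acme.dnschallenge and --acme.dnschallenge.provider=alidns actually do with the Aliyun credentials is publish one TXT record per requested name, and --acme.dnschallenge.delaybeforecheck exists because that record has to be visible on the authoritative name servers before the CA is asked to validate. The following is an added example, written here to show that mechanism; it is not Traefik's or lego's code. The account key, the token and the resolver are constructed placeholders (a fake resolver stands in for the Aliyun name servers so the script runs offline).

```python
# Added example (not Traefik's own code): what the DNS-01 challenge publishes through
# the DNS provider, and why delayBeforeCheck exists. The account key and token below
# are constructed placeholders, not real ACME material.
import base64
import hashlib
import json
import time
from typing import Callable, Dict, List


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME/JOSE use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the canonical
    JSON of the required members only (sorted keys, no whitespace)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """token '.' thumbprint: ties the CA's token to the account key that placed the order."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(domain: str, token: str, account_jwk: Dict[str, str]) -> Dict[str, str]:
    """The TXT record the DNS provider has to create. A wildcard *.example.com is
    validated at _acme-challenge.example.com, the same name as the bare domain."""
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return {"name": f"_acme-challenge.{base}", "type": "TXT", "value": b64url(digest)}


def wait_for_txt(record: Dict[str, str], lookup: Callable[[str], List[str]],
                 delay: float = 5.0, attempts: int = 12, interval: float = 5.0,
                 sleep: Callable[[float], None] = time.sleep) -> bool:
    """Mirror delayBeforeCheck plus polling: wait `delay` seconds, then poll the
    resolver until the value is visible. False means it never appeared; the CA's
    validation would then fail and the order has to be retried."""
    sleep(delay)
    for _ in range(attempts):
        if record["value"] in lookup(record["name"]):
            return True
        sleep(interval)
    return False


# Constructed demo inputs: not a real key, not a real token.
DEMO_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key",
                    "alg": "RS256", "kid": "demo"}   # alg/kid play no part in the thumbprint


def demo() -> Dict[str, str]:
    """Publish the record, then watch it 'propagate' on the third poll of a fake resolver."""
    record = dns01_record("*.ptmind.com", "constructed-token", DEMO_ACCOUNT_JWK)
    zone: Dict[str, List[str]] = {}
    polls = {"n": 0}

    def fake_lookup(name: str) -> List[str]:
        polls["n"] += 1
        if polls["n"] == 3:                      # record becomes visible on the 3rd poll
            zone[name] = [record["value"]]
        return zone.get(name, [])

    ok = wait_for_txt(record, fake_lookup, sleep=lambda _s: None)
    return {**record, "visible": str(ok), "polls": str(polls["n"])}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things follow from the record format that matter for this setup: the TXT value is a hash of the token and the account key, so the RAM user only ever needs permission to write `_acme-challenge.*` TXT records, not the whole zone; and every name in a certificate, including each SAN produced by onHostRule, gets its own record and its own propagation wait, which is where delayBeforeCheck comes in.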
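The file behind --acme.storage is the other half of the picture: it holds the ACME account key and, for every name that onHostRule or --acme.domains triggered, the certificate together with its private key. A check that a practitioner wants after deploying this is "did every configured domain actually get a certificate, and what is in that file that must not leak?". The script below is an added example, not Traefik's own tooling; its acme.json layout mirrors Traefik 1.7's local store (Account plus Certificates, with PEM blobs base64-encoded as Go encodes []byte), but the sample content is constructed and the PEM bodies are placeholders, not real keys.

```python
# Added example (not Traefik's own code): audit the local ACME store that
# --acme.storage points at. The layout mirrors Traefik 1.7's acme.json; the sample
# below is constructed and the PEM bodies are placeholders, not real keys.
import base64
import json
import os
import stat
import sys
from typing import Dict, List, Set


def _pem_blob(label: str, body: str) -> str:
    """Constructed stand-in for a base64-encoded PEM block."""
    pem = f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
    return base64.b64encode(pem.encode("ascii")).decode("ascii")


SAMPLE_ACME_JSON = json.dumps({
    "Account": {
        "Email": "kevin@ptcpt.com",
        "Registration": {"uri": "constructed-account-url"},
        "PrivateKey": _pem_blob("RSA PRIVATE KEY", "placeholder-account-key"),
        "KeyType": "4096",
    },
    "Certificates": [
        {"Domain": {"Main": "ptmind.com", "SANs": ["www.ptmind.com"]},
         "Certificate": _pem_blob("CERTIFICATE", "placeholder-cert-1"),
         "Key": _pem_blob("RSA PRIVATE KEY", "placeholder-key-1")},
        {"Domain": {"Main": "lingxi365.cn", "SANs": None},
         "Certificate": _pem_blob("CERTIFICATE", "placeholder-cert-2"),
         "Key": _pem_blob("RSA PRIVATE KEY", "placeholder-key-2")},
    ],
    "HTTPChallenges": {},
    "TLSChallenges": {},
})


def load_store(text: str) -> Dict:
    return json.loads(text)


def covered_names(store: Dict) -> Set[str]:
    """Every name the stored certificates carry: Main plus SANs."""
    names: Set[str] = set()
    for cert in store.get("Certificates") or []:
        names.add(cert["Domain"]["Main"])
        names.update(cert["Domain"].get("SANs") or [])
    return names


def is_covered(name: str, covered: Set[str]) -> bool:
    """Exact match, or a wildcard one label up (a wildcard covers exactly one label)."""
    if name in covered:
        return True
    _, _, parent = name.partition(".")
    return bool(parent) and f"*.{parent}" in covered


def missing_certificates(store: Dict, wanted: List[str]) -> List[str]:
    """Configured domains (--acme.domains / Host rules) that have no certificate yet.
    After a pod restart with storage under /tmp this is every domain: the file is gone."""
    covered = covered_names(store)
    return [d for d in wanted if not is_covered(d, covered)]


def private_material(store: Dict) -> List[str]:
    """Labels of every private key in the file. Leaking it hands over the ACME account
    and the key of every issued certificate, so persist it with mode 0600."""
    labels = ["Account.PrivateKey"] if store.get("Account", {}).get("PrivateKey") else []
    labels += [f"Certificates[{i}].Key"
               for i, c in enumerate(store.get("Certificates") or []) if c.get("Key")]
    return labels


def decode_pem(blob: str) -> str:
    """Undo the base64 layer and make sure a PEM block is really inside."""
    pem = base64.b64decode(blob).decode("ascii")
    if not pem.startswith("-----BEGIN "):
        raise ValueError("not a PEM block")
    return pem


def permissions_ok(path: str) -> bool:
    """True when the store is readable by its owner only."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def report(store: Dict, wanted: List[str]) -> Dict[str, List[str]]:
    return {"covered": sorted(covered_names(store)),
            "missing": missing_certificates(store, wanted),
            "private_keys": private_material(store)}


if __name__ == "__main__":
    # usage: python acme_audit.py /path/to/acme.json  (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACME_JSON
    wanted = ["ptmind.com", "lingxi365.cn", "lingxi.link"]
    print(json.dumps(report(load_store(text), wanted), indent=2))
```

Run against a real file copied out of the pod (`kubectl cp` from /tmp/acme.json), the "missing" list is the quickest way to spot a domain whose DNS challenge never completed, and "private_keys" is a reminder of why that file belongs on a persistent volume with owner-only permissions rather than in /tmp on every node.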