I am trying to pass the client-cert header from Traefik to my Kubernetes services. Traefik performs SSL termination and can forward the client certificate (https://docs.traefik.io/basics/#matchers).
I have an Ingress on which I set pass-tls-cert:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: salesdeck-ingress
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/pass-tls-cert: "true"
In my node.js service I read all the available headers, but I can't find any ssl_client_cert header or anything similar. Here is my toml file, from which a ConfigMap is created:
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"
I am using Traefik 1.5; see the deployment file:
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      terminationGracePeriodSeconds: 60
      volumes:
      - name: ssl
        secret:
          secretName: ***
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: traefik:1.5
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        ports:
        - containerPort: 80
        - containerPort: 443
        - containerPort: 8080
        args:
        - --configfile=/config/traefik.toml
        - --api
        - --kubernetes
Any ideas? It seems Traefik always uses passTLSCert directly in the frontend toml, like here:
[frontends]
  [frontends.frontend1]
  backend = "backend2"
    [frontends.frontend1.routes.test_1]
    rule = "Host:test.localhost,test2.localhost"
  [frontends.frontend2]
  backend = "backend1"
  passHostHeader = true
  passTLSCert = true
  priority = 10
  entrypoints = ["https"] # overrides defaultEntryPoints
    [frontends.frontend2.routes.test_1]
    rule = "HostRegexp:localhost,{subdomain:[a-z]+}.localhost"
  [frontends.frontend3]
  backend = "backend2"
    [frontends.frontend3.routes.test_1]
    rule = "Host:test3.localhost;Path:/test"
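But since I am using an Ingress for my routes, I thought I would not need to do the frontend and backend configuration and could just use annotations in the Ingress file.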
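A backend-side check for the situation described above, added here as an example and not part of the original post: it lists every TLS-looking request header and, when a forwarded certificate is present, decodes it and returns its SHA-256 fingerprint. The header name `X-Forwarded-Tls-Client-Cert` and the URL-escaped PEM encoding are assumptions (the post does not name the header), and a backend should accept such a header only on connections that come from the proxy.

```javascript
const crypto = require('crypto');

// Assumption: header name and URL-escaped PEM encoding; neither is stated in the post.
const CERT_HEADER = 'x-forwarded-tls-client-cert';
const PEM_RE = /^-----BEGIN CERTIFICATE-----([A-Za-z0-9+\/=\s]+)-----END CERTIFICATE-----\s*$/;

// Inspect request headers and return the forwarded client certificate, if any.
// `candidates` lists every header whose name hints at TLS, to help spot a
// differently named header when the expected one is missing.
function readForwardedClientCert(headers) {
  const names = Object.keys(headers);
  const candidates = names.filter((n) => /cert|tls|ssl/i.test(n));
  const key = names.find((n) => n.toLowerCase() === CERT_HEADER);
  if (key === undefined) return { present: false, candidates };

  let pem;
  try {
    // Query-style escaping encodes a space as '+', and a literal '+' as %2B.
    pem = decodeURIComponent(String(headers[key]).replace(/\+/g, ' '));
  } catch (err) {
    throw new Error('client certificate header is not valid URL-escaped text');
  }
  const match = PEM_RE.exec(pem);
  if (!match) throw new Error('client certificate header does not contain a PEM certificate');

  const der = Buffer.from(match[1].replace(/\s+/g, ''), 'base64');
  const sha256 = crypto.createHash('sha256').update(der).digest('hex');
  return { present: true, candidates, der, sha256 };
}

// Constructed sample: placeholder bytes, not a real certificate.
const SAMPLE_DER = Buffer.from('constructed placeholder, not a real certificate');
function sampleHeaders() {
  const pem = `-----BEGIN CERTIFICATE-----\n${SAMPLE_DER.toString('base64')}\n-----END CERTIFICATE-----\n`;
  return {
    host: 'test.localhost',
    'x-forwarded-proto': 'https',
    'x-forwarded-tls-client-cert': encodeURIComponent(pem).replace(/%20/g, '+'),
  };
}

console.log(readForwardedClientCert(sampleHeaders()).sha256);
console.log(readForwardedClientCert({ host: 'test.localhost' }));
```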