    Guillaume
    @dracorpg
    (yeah, sadly this means Traefik on one node only)
    if only traefik was able to use k8s Secrets for its SSL certificates!
    indeed Traefik 1.x can use a KV-store instead of a plain file, though https://docs.traefik.io/user-guide/kv-config/#store-configuration-in-key-value-store
    Thomas Coudert
    @thcdrt
    @MrDienns indeed you can't, you can have more details here: https://docs.ovh.com/gb/en/kubernetes/setting-up-a-persistent-volume/#access-modes
    Guillaume
    @dracorpg
    is making RWmany available at k8s-level on track, though, @thcdrt? AFAIK Cinder supports multi-attached volumes since the Queens release (when running on a backend capable of it, but I guess Ceph allows it? ohmygod so many stacked infrastructural middleware...)
    Guillaume
    @dracorpg
    @samuel-girard for curiosity's sake I tried changing a PersistentVolume's cinder volumeID manually to make it point to another Cinder volume, but this is not a config item that can be changed :) ... but you can absolutely manually create a PersistentVolume that points to a Cinder volume created previously (through OpenStack Horizon in my case)
    Ghost
    @ghost~5bc6039cd73408ce4faba551
    Hello, I have an issue with some socket connections between my pods on certain nodes.
    Wormhole message is :
    Error closing connection: close tcp IP:40272->IP2:10250: use of closed network connection"
    Joël LE CORRE
    @jlecorre_gitlab
    Hello @bmagic
    How did you get this error?
    Guillaume
    @dracorpg

    @samuel-girard ... so once you have manually created a PersistentVolume that points to the Cinder volume of your choice, you can get a PersistentVolumeClaim to bind to this manually-created PersistentVolume through its spec.volumeName attribute (tried to do it more elegantly with label matching using spec.selectors.matchLabels but selectors are apparently not supported on the k8s<->cinder config OVH uses)

    @jlecorre_gitlab is this whole approach something you'd advise against for some reason I'm missing?

    Dennis van der Veeke
    @MrDienns
    @dracorpg so, reading the traefik ACME docs, they seem to recommend Consul from what I can see. Is this something I need to deploy as a daemonset (just like traefik), or is a single deployment/stateful set enough?
    Guillaume
    @dracorpg
    I couldn't give very good advice as I've never worked with it, but I don't see why you'd need more than 1 instance
    Dennis van der Veeke
    @MrDienns
    alright thank you, I'll try it out
    Guillaume
    @dracorpg
    note that you don't have to deploy traefik as a DaemonSet either... it's just a matter of how much "true HA" you need :)
    Nicolas Steinmetz
    @nsteinmetz
    and if you need volumes for certificates, you can delegate them to cert-manager
    Dennis van der Veeke
    @MrDienns
    oh, really? okay. yeah here and there I'm still figuring out how kubernetes nodes connect to each other
    Guillaume
    @dracorpg
    it kind of defeats the purpose of preferring traefik to nginx-ingress, though, IMHO (using cert-manager)
    Dennis van der Veeke
    @MrDienns
    and yeah I'm trying to set up certificates, what would be the easiest option? consul? cert-manager?
    Guillaume
    @dracorpg
    fastest & easiest, to me, is a single instance of traefik as ingress controller (with a PVC for storing its acme.json)
    Nicolas Steinmetz
    @nsteinmetz
    take care that cert-manager objects changed since I wrote the tutorial - have a look at the official doc for latest specs
    there was some reworking around the 0.8 or 0.9 releases and letsencrypt will only authorise >= 0.8 releases of cert-manager
    Dennis van der Veeke
    @MrDienns
    ah, so cert-manager creates them as secrets? that's neat
    Nicolas Steinmetz
    @nsteinmetz
    yes!
    Guillaume
    @dracorpg
    @nsteinmetz nice, but I don't see how traefik is told to rely on the secrets created by cert-manager? is it a built-in feature that requires no special config?
    (not even talking about using them, it actually also has to request the certificates from cert-manager in the first place too)
    Nicolas Steinmetz
    @nsteinmetz
    look at my blog post:
    • you will create a certificate object
    • in the ingress, you will pass the secret as tls property
    Dennis van der Veeke
    @MrDienns
    I'd simply like to set up SSL on traefik as easily and as manageably as possible, preferably fully automated
    Guillaume
    @dracorpg
    What is awesome with traefik is that it will dynamically and automatically request certificates for all your HTTPS-exposed Ingress resources
    Dennis van der Veeke
    @MrDienns
    as in, I create an ingress, and something somewhere automatically decides to invoke Let's Encrypt, creates an SSL certificate, keeps it somewhere, and serves it
    though for now I probably do want to keep my traefik daemonset, just for that extra balancing
    Guillaume
    @dracorpg
    @nsteinmetz BTW, traefik accepts basically any config option as command-line argument so should you wish to, you can dispense with the configmap
    Nicolas Steinmetz
    @nsteinmetz
    hmm you could automate all of this when creating your k8s deployments. Then renewal is automated, so you do it once and for all :)
    yeah I know, it was to train myself for configmaps :)
    cert-manager will retrieve and renew certificates on its own and pass them to traefik - so it's the same in the end (and you don't need volumes to store acme.json :-P )
    Guillaume
    @dracorpg
    hey, but I still don't understand how they're passed to traefik though!
    Dennis van der Veeke
    @MrDienns
    through an annotation I suppose? just how basic auth works
    at least that's what I'd guess
    Nicolas Steinmetz
    @nsteinmetz
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      annotations:
        traefik.ingress.kubernetes.io/redirect-entry-point: https
        traefik.ingress.kubernetes.io/redirect-permanent: "true"
        ingress.kubernetes.io/ssl-redirect: "true"
        ingress.kubernetes.io/ssl-temporary-redirect: "false"
      name: traefik-web-ui
    spec:
      rules:
      - host: traefik.k8s.cerenit.fr
        http:
          paths:
          - path: /
            backend:
              serviceName: traefik-ingress-service-clusterip
              servicePort: admin
      tls:
      - secretName: traefik-cert
    the secretName is the certificate object you created with cert-manager.
    Guillaume
    @dracorpg
    oh! you can specify a secret as certificate source in Ingress objects, got it! never got to use that, so I totally missed it
    Nicolas Steinmetz
    @nsteinmetz
    and your certificate is (to be updated with the new specs from cert-manager):
    apiVersion: certmanager.k8s.io/v1alpha1
    kind: Certificate
    metadata:
      name: traefik-cert
    spec:
      secretName: traefik-cert
      issuerRef:
        name: letsencrypt-prod
      commonName: traefik.k8s.cerenit.fr
      acme:
        config:
        - http01:
            ingressClass: traefik
          domains:
          - traefik.k8s.cerenit.fr
    Guillaume
    @dracorpg
    yeah, that part I got ^^
    Nicolas Steinmetz
    @nsteinmetz
    :-)
    indeed, traefik is not used for cert generation with this setup - only as reverse proxy
    Guillaume
    @dracorpg
    @MrDienns AFAIK having an ingress controller (be it traefik or any other) running as a DaemonSet is merely a way of ensuring that the number of loadbalancer pods scales proportionally with the number of nodes in your cluster. There is no mechanism (that I know of) to make a loadbalancer pod forward requests preferably to an application pod that is running on the same node, so you're not avoiding cross-node traffic by having a LB on each node.
    Dennis van der Veeke
    @MrDienns
    yeah, that is fine
    Dennis van der Veeke
    @MrDienns
    @nsteinmetz I have set up secret manager according to this site: https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/certificate-management/acme/
    so far, so good, I can see all created pods doing stuff and I see a secret being created which has a certificate in it, so yay, however, it seems to still serve the default traefik certificate
    [attachment: Screenshot 2019-09-13 at 19.00.56.png]
    Dennis van der Veeke
    @MrDienns
    though I did notice it has two certificates in the tls.cert value, I'm not sure if this is normal
    [attachment: Screenshot 2019-09-13 at 19.26.29.png]