    Guillaume
    @dracorpg
    indeed Traefik 1.x can use a KV-store instead of plainfile, though https://docs.traefik.io/user-guide/kv-config/#store-configuration-in-key-value-store
    Thomas Coudert
    @thcdrt
    @MrDienns indeed you can't, you can have more details here: https://docs.ovh.com/gb/en/kubernetes/setting-up-a-persistent-volume/#access-modes
    Guillaume
    @dracorpg
    is making RWmany available at k8s-level on track, though, @thcdrt? AFAIK Cinder supports multi-attached volumes since the Queens release (when running on a backend capable of it, but I guess Ceph allows it? ohmygod so many stacked infrastructural middleware...)
    Guillaume
    @dracorpg
    @samuel-girard for curiosity's sake I tried changing a PersistentVolume's cinder volumeID manually to make it point to another Cinder volume, but this is not a config item that can be changed :) ... but you can absolutely manually create a PersistentVolume that points to a Cinder volume created previously (through OpenStack Horizon in my case)
    Ghost
    @ghost~5bc6039cd73408ce4faba551
    Hello, I have issue on some socket connection between my pods on certains nodes.
    Wormhole message is :
    Error closing connection: close tcp IP:40272->IP2:10250: use of closed network connection
    Joël LE CORRE
    @jlecorre_gitlab
    Hello @bmagic
    How did you get this error?
    Guillaume
    @dracorpg

    @samuel-girard ... so once you have manually created a PersistentVolume that points on the Cinder volume of your choice, you can get a PersistentVolumeClaim to bind to this manually-created PersistentVolume through its spec.volumeName attribute (tried to do it more elegantly with label matching using spec.selectors.matchLabels but selectors are apparently not supported on the k8s<->cinder config OVH uses)

    @jlecorre_gitlab is this whole approach something you'd advise against for some reason I'm missing?

    Dennis van der Veeke
    @MrDienns
    @dracorpg so, reading the traefik ACME docs, they seem to recommend Consul from what I can see. Is this something I need to deploy as a daemonset (just like traefik), or is a single deployment/stateful set enough?
    Guillaume
    @dracorpg
    couldn't be of very good advice as I've never worked with it, but I don't see why you'd need more than 1 instance
    Dennis van der Veeke
    @MrDienns
    alright thank you, I'll try it out
    Guillaume
    @dracorpg
    note that you don't have to deploy traefik as a DaemonSet either... it's just a matter of how much "true HA" you need :)
    Nicolas Steinmetz
    @nsteinmetz
    and if you need volumes for certificates, you can delegate them to cert-manager
    Dennis van der Veeke
    @MrDienns
    oh, really? okay. yeah here and there I'm still figuring out how kubernetes nodes connect to each other
    Guillaume
    @dracorpg
    it kind of defeats the purpose of preferring traefik to nginx-ingress, though, IMHO (using cert-manager)
    Dennis van der Veeke
    @MrDienns
    and yeah I'm trying to setup certificates, what would be the easiest option? consul? cert-manager?
    Guillaume
    @dracorpg
    fastest & easiest, to me, is a single instance of traefik as ingress controller (with a PVC for storing its acme.json)
    Nicolas Steinmetz
    @nsteinmetz
    take care that cert-manager objects changed since I wrote the tutorial - have a look at the official doc for latest specs
    there were some relifting around the 0.8 or 0.9 releases and letsencrypt will only authorise >= 0.8 release of cert-manager
    Dennis van der Veeke
    @MrDienns
    ah, so cert-manager creates them as secrets? that's neat
    Nicolas Steinmetz
    @nsteinmetz
    yes !
    Guillaume
    @dracorpg
    @nsteinmetz nice, but I don't see how traefik is told to rely on the secrets created by cert-manager? is it a built-in feature that requires no special config?
    (not even talking about using them, it actually also has to request the certificates from cert-manager in the first place too)
    Nicolas Steinmetz
    @nsteinmetz
    look at my blog post :
    • you will create a certificate object
    • in the ingress, you will pass the secret as tls property
    Dennis van der Veeke
    @MrDienns
    I'd simply like to setup SSL on traefik as easy and as manageable as possible, preferably fully automated
    Guillaume
    @dracorpg
    What is awesome with traefik is that it will dynamically and automatically request certificates for all your HTTPS-exposed Ingress resources
    Dennis van der Veeke
    @MrDienns
    as in, I create an ingress, and something somewhere automatically decides to invoke lets encrypt, creates an ssl certificate, keeps it somewhere, and serves it
    though for now I probably do want to keep my traefik daemonset, just for that extra balancing
    Guillaume
    @dracorpg
    @nsteinmetz BTW, traefik accepts basically any config option as command-line argument so should you wish to, you can dispense with the configmap
    Nicolas Steinmetz
    @nsteinmetz
    hmm you could automate all of this when creating your k8s deployments. Then renew is automated and so once. So you do it once for all :)
    yeah I know, it was to train myself for configmaps :)
    cert-manager will retrieve and renew certificates on its own and pass them to traefik - so it's the same at the end (and you don't need volumes to store acme.json :-P )
    Guillaume
    @dracorpg
    hey, but I still don't understand how they're passed to traefik though!
    Dennis van der Veeke
    @MrDienns
    through an annotation I suppose? just how basic auth works
    at least that's what I'd guess
    Nicolas Steinmetz
    @nsteinmetz
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      annotations:
        traefik.ingress.kubernetes.io/redirect-entry-point: https
        traefik.ingress.kubernetes.io/redirect-permanent: "true"
        ingress.kubernetes.io/ssl-redirect: "true"
        ingress.kubernetes.io/ssl-temporary-redirect: "false"
      name: traefik-web-ui
    spec:
      rules:
      - host: traefik.k8s.cerenit.fr
        http:
          paths:
          - path: /
            backend:
              serviceName: traefik-ingress-service-clusterip
              servicePort: admin
      tls:
      - secretName: traefik-cert
    the secretName is the certificate object you created with cert-manager.
    Guillaume
    @dracorpg
    oh! you can specify a secret as certificate source in Ingress objects, got it! never got to use that, so I totally missed it
    Nicolas Steinmetz
    @nsteinmetz
    and your certificate is (to update with new specs from cert-manager) :
    apiVersion: certmanager.k8s.io/v1alpha1
    kind: Certificate
    metadata:
      name: traefik-cert
    spec:
      secretName: traefik-cert
      issuerRef:
        name: letsencrypt-prod
      commonName: traefik.k8s.cerenit.fr
      acme:
        config:
        - http01:
            ingressClass: traefik
          domains:
          - traefik.k8s.cerenit.fr
    Guillaume
    @dracorpg
    yeah, that part I got ^^
    Nicolas Steinmetz
    @nsteinmetz
    :-)
    indeed, traefik is not used for cert generation with this setup - only as reverse proxy
    Guillaume
    @dracorpg
    @MrDienns AFAIK having an ingress controller (be it traefik or any other) running as DaemonSet is merely a way of ensuring that the number of loadbalancer pods scales proportionally with the number of nodes in your cluster. There is no mechanism (that I know of) to make a loadbalancer pod forward requests preferably to an application pod that is running on the same node, so you're not avoiding cross-node traffic by having a LB on each node.
    Dennis van der Veeke
    @MrDienns
    yeah, that is fine
    Dennis van der Veeke
    @MrDienns
    @nsteinmetz I have setup secret manager according to this site: https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/certificate-management/acme/
    so far, so good, I can see all created pods doing stuff and I see a secret being created which has a certificate in it, so yay, however, it seems to still serve the default traefik certificate
    Dennis van der Veeke
    @MrDienns
    though I did notice it has two certificates in the tls.cert value, I'm not sure if this is normal
    Christian
    @zeeZ
    the second one is likely the intermediate
    you usually include the certificate chain up to (without) the root or whatever certificate you're confident the client has, in order for it to be able to verify the chain