by

Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
    Nicolas Steinmetz
    @nsteinmetz
    look at my blog post :
    • you will create a certificate object
    • iin the ingress, you will pass the secret as tls property
    Dennis van der Veeke
    @MrDienns
    i'd simply like to setup SSL on traefik as easy and as manageable as possible, preferably fully automated
    Guillaume
    @dracorpg
    What is awesome with traefik is that it will dynamically and automatically request certificates for all your HTTPS-exposed Ingress resources
    Dennis van der Veeke
    @MrDienns
    as in, i create an ingress, and something somewhere automatically decides to invoke lets encrypt, creates an ssl certificate, keeps it somewhere, and serves it
    though for now i probably do want to keep my traefik daemonset, just for that extra balancing
    Guillaume
    @dracorpg
    @nsteinmetz BTW, traefik accepts basically any config option as command-line argument so should you wish to, you can dispense with the configmap
    Nicolas Steinmetz
    @nsteinmetz
    hmm you could automate all of this when creating your k8s deployments. Then renew is automated and so once. So you do it once for all :)
    yeah I know, it was to train myself for configmaps :)
    cert-manage will retrive and renew certificates on its own and pass them to traefik - so it's the same at the end (and you don't need volumes to store acme.json :-P )
    Guillaume
    @dracorpg
    hey, but I still don't understand how they're passed to traefik though!
    Dennis van der Veeke
    @MrDienns
    through an annotation i suppose? just how basic auth works
    at least that's what i'd guess
    Nicolas Steinmetz
    @nsteinmetz
    piVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      annotations:
        traefik.ingress.kubernetes.io/redirect-entry-point: https
        traefik.ingress.kubernetes.io/redirect-permanent: "true"
        ingress.kubernetes.io/ssl-redirect: "true"
        ingress.kubernetes.io/ssl-temporary-redirect: "false"
      name: traefik-web-ui
    spec:
      rules:
      - host: traefik.k8s.cerenit.fr
        http:
          paths:
          - path: /
            backend:
              serviceName: traefik-ingress-service-clusterip
              servicePort: admin
      tls:
      - secretName: traefik-cert
    the secretName is the certifiate object you created with cert-manager.
    Guillaume
    @dracorpg
    oh! you can specify a secret as certificate source in Ingress objects, got it! never got to use that, so I totally missed it
    Nicolas Steinmetz
    @nsteinmetz
    and your certificate is (to update with new specs from cert-manager) :
    apiVersion: certmanager.k8s.io/v1alpha1
    kind: Certificate
    metadata:
      name: traefik-cert
    spec:
      secretName: traefik-cert
      issuerRef:
        name: letsencrypt-prod
      commonName: traefik.k8s.cerenit.fr
      acme:
        config:
        - http01:
            ingressClass: traefik
          domains:
          - traefik.k8s.cerenit.fr
    Guillaume
    @dracorpg
    yeah, that part I got ^^
    Nicolas Steinmetz
    @nsteinmetz
    :-)
    indeed, traefik is not used for cert generation with this setup - only as reverse proxy
    Guillaume
    @dracorpg
    @MrDienns AFAIK having a ingress controller (be it traefik or any other) running as DaemonSet is merely a way of ensuring that the number of loadbalancer pods scales proportionally with the number of nodes in your cluster. There is no mechanism (that I know of) to make a loadbalancer pod forward requests preferrably to an application pod that is running on the same node, so you're not avoiding cross-node traffic by having a LB on each node.
    Dennis van der Veeke
    @MrDienns
    yeah, that is fine
    Dennis van der Veeke
    @MrDienns
    @nsteinmetz i have setup secret manager according to this site: https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/certificate-management/acme/
    so far, so good, i can see all created pods doing stuff and I see a secret being created which has a certificate in it, so yay, however, it seems to still serve the default traefik certificate
    Screenshot 2019-09-13 at 19.00.56.png
    Dennis van der Veeke
    @MrDienns
    though i did notice it has two certificates in the tls.cert value, im not sure if this is normal
    Screenshot 2019-09-13 at 19.26.29.png
    Christian
    @zeeZ
    the second one is likely the intermediate
    you usually include the certificate chain up to (without) the root or whatever certificate you're confident the client has, in order for it to be able to verify the chain
    Dennis van der Veeke
    @MrDienns
    i see, so that behavior can be normal
    it has done that for all domains so i suppose it is
    though its still not serving the certificate that's been created
    Christian
    @zeeZ
    How did you check? For example I've got to restart chrome to see a certificate change
    Dennis van der Veeke
    @MrDienns
    i checked in incognito and asked some other people to check
    Dennis van der Veeke
    @MrDienns
    ah its working now, i had to mark the 443 endpoint as TLS with
            - --entryPoints=Name:https Address::443 TLS
            - --entryPoints=Name:http Address::80
            - --defaultentrypoints=https,http
    Ciaran
    @ciaranlangton

    I'm having issues with a LoadBalancer, I updated a LoadBalancer adding a port, and now the loadbalancer can no longer be ensured due to a 500 internal server error

      Normal   EnsuringLoadBalancer        35m (x102 over 8h)  service-controller  Ensuring load balancer
      Normal   EnsuringLoadBalancer        89s (x12 over 31m)  service-controller  Ensuring load balancer
      Warning  CreatingLoadBalancerFailed  89s (x12 over 31m)  service-controller  Error creating load balancer (will retry): failed to ensure load balancer for service tcpingress/tcpingress: 500 Internal Server Error: {"error":"Internal Server Error"}

    the yaml for the LoadBalancer is as follows:

    apiVersion: v1
    kind: Service
    metadata:
      name: tcpingress
      namespace: tcpingress
    spec:
      selector:
        app: tcpingress
      type: LoadBalancer
      ports:
        - name: redactedOne
          protocol: TCP
          port: 33745
          targetPort: 33745
        - name: redactedTwo
          protocol: TCP
          port: 33746
          targetPort: 33746
    Michał Frąckiewicz
    @SystemZ
    Did you try with other ports ?
    Ciaran
    @ciaranlangton
    yes, I originally had a much higher port, so I changed it down to one above the other, to no effect
    Michał Frąckiewicz
    @SystemZ
    It's strange for me that you need to expose the same port that you use internally
    Ciaran
    @ciaranlangton
    if that may be the problem, that can be changed
    Michał Frąckiewicz
    @SystemZ
    usually you would need expose port like 443 or 80, just saying
    are you trying with HTTP / HTTPS or it's something different ?
    Ciaran
    @ciaranlangton
    yeah, it's not a HTTP service, both are just TCP based applications
    Michał Frąckiewicz
    @SystemZ
    oh, ok
    Ciaran
    @ciaranlangton
    the first one is a database, which has worked fine over the LB for ~4 weeks now with no issue, but adding the second port stops the LB from being completed on OVH's end
    Michał Frąckiewicz
    @SystemZ
    some range of ports were reserved maybe you just run over them
    Ciaran
    @ciaranlangton
    yeah, I'll try some other ports and report back
    Michał Frąckiewicz
    @SystemZ
    if you leave one port it works ok ?
    Ciaran
    @ciaranlangton
    correct, the first port has been there for ~4 weeks fully functional
    Michał Frąckiewicz
    @SystemZ
    oh, maybe it's some bug or LB doesn't support more than one port, hard to tell
    Ciaran
    @ciaranlangton
    I just took the second one out now, and it ensures properly
    Normal EnsuredLoadBalancer 3s service-controller Ensured load balancer
    Yeah, I read the docs and it said that there were a maximum of 6 ports on an LB