parent
6a3c757deb
commit
0087eff87e
@ -0,0 +1,126 @@
|
||||
---
|
||||
date: 2022-09-04T05:04:00+01:00
|
||||
title: Kubernetes/k3s Rancher with Traefik for HTTP/3
|
||||
author: pcdummy
|
||||
tags:
|
||||
- kubernetes
|
||||
- rancher
|
||||
- traefik
|
||||
---
|
||||
|
||||
Yesterday a friend of mine [Rei Bauer](https://my.stargazer.at/) told me about HTTP/3 and how much faster it made here website.
|
||||
|
||||
She got new tools, I WANT THAT TOO.
|
||||
|
||||
For me thats not a 5 minutes job as I have to replace [ingress-nginx](https://github.com/kubernetes/ingress-nginx) with [traefik](https://traefik.io/).
|
||||
<!--more-->
|
||||
|
||||
### Remove the current L7 Loadbalancer
|
||||
|
||||
#### Remove Traefik
|
||||
|
||||
I have choosen to not use the k3s/rancher version (v2.6.x) of Traefik but use the latest and greatest (v2.8.x), so i modified my k3s with the following command:
|
||||
|
||||
**Do NOT use that command as it**
|
||||
|
||||
```bash
|
||||
curl -sfL https://get.k3s.io | sh -s - server --datastore-endpoint="mysql://k3s:<mysqlpw>@tcp(maxscale-rw.example.com:3306)/k3s" --disable servicelb --disable traefik
|
||||
```
|
||||
|
||||
Let's see what it does:
|
||||
|
||||
- --disable servicelb
|
||||
I replaced servicelb with metallb
|
||||
- --disable traefik
|
||||
I/we will use our own version of traefik
|
||||
|
||||
When you use the given command (with your own "datastore-endpoint") you will see that you loose access to all L7 Ingresses, so please be aware of that and make sure you have access over ssh to your cluster.
|
||||
|
||||
#### Remove ingress-nginx
|
||||
|
||||
```bash
|
||||
helm uninstall -n kube-system ingress-nginx
|
||||
```
|
||||
|
||||
If you haven't lost layer 7 access to your cluster in the last step you will have lost it now :)
|
||||
|
||||
### Install traefik from the upstream sources
|
||||
|
||||
- Add the upstream source
|
||||
|
||||
```bash
|
||||
helm repo add traefik https://helm.traefik.io/traefik
|
||||
```
|
||||
|
||||
- Save my *traefik-values.yaml* somewhere:
|
||||
|
||||
```yaml
|
||||
rbac:
|
||||
enabled: true
|
||||
ports:
|
||||
web:
|
||||
hostPort: 80
|
||||
websecure:
|
||||
hostPort: 443
|
||||
http3:
|
||||
advertisedPort: 443
|
||||
tls:
|
||||
enabled: true
|
||||
podAnnotations:
|
||||
prometheus.io/port: "8082"
|
||||
prometheus.io/scrape: "true"
|
||||
providers:
|
||||
kubernetesIngress:
|
||||
publishedService:
|
||||
enabled: true
|
||||
priorityClassName: "system-cluster-critical"
|
||||
tolerations:
|
||||
- key: "CriticalAddonsOnly"
|
||||
operator: "Exists"
|
||||
- key: "node-role.kubernetes.io/control-plane"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
- key: "node-role.kubernetes.io/master"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
service:
|
||||
type: NodePort
|
||||
ipFamilyPolicy: "PreferDualStack"
|
||||
|
||||
experimental:
|
||||
http3:
|
||||
enabled: true
|
||||
additionalArguments:
|
||||
- "--accesslog"
|
||||
- "--providers.kubernetesingress.allowexternalnameservices"
|
||||
- "--providers.kubernetescrd.allowexternalnameservices"
|
||||
- "--entrypoints.websecure.http3.advertisedport=443"
|
||||
- "--certificatesresolvers.letsencrypt-prod.acme.tlschallenge"
|
||||
- "--certificatesresolvers.letsencrypt-prod.acme.email=support@example.com"
|
||||
- "--certificatesresolvers.letsencrypt-prod.acme.storage=/data/acme.json"
|
||||
- "--certificatesresolvers.letsencrypt-prod.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
|
||||
image:
|
||||
name: traefik
|
||||
tag: v2.8.4
|
||||
proxyProtocol:
|
||||
enabled: true
|
||||
trustedIPs:
|
||||
- 10.0.0.0/8
|
||||
forwardedHeaders:
|
||||
enabled: true
|
||||
trustedIPs:
|
||||
- 10.0.0.0/8
|
||||
ssl:
|
||||
enabled: true
|
||||
permanentRedirect: true
|
||||
```
|
||||
|
||||
- Change the acme email address there
|
||||
|
||||
- Install traefik
|
||||
|
||||
```bash
|
||||
helm install -n kube-system traefik traefik/traefik -f traefik-values.yaml
|
||||
```
|
||||
|
||||
Have fun with Traefik, it's internal ACME resolver and HTTP/3.
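Review bot: The `trustedIPs: - 10.0.0.0/8` entries under both `proxyProtocol` and `forwardedHeaders` in the traefik-values.yaml listing trust the whole 10/8 range, which on a default k3s install also contains the pod and service networks (10.42.0.0/16 and 10.43.0.0/16). Any workload in the cluster could then present a PROXY-protocol header or an `X-Forwarded-For` value that Traefik accepts as the real client address, so the access log enabled by `--accesslog` and any IP-based allow-listing or rate limiting behind it would act on a forged address. I would narrow both lists to the component that actually fronts Traefik, e.g. `- <load-balancer-ip>/32` (placeholder), and add a bullet next to "Change the acme email address there" telling readers to set it. Indentation is lost in this rendering, so I cannot confirm where these keys sit in the values file; it is worth checking that the chart version in use reads them at that level at all. Separately, the warning `**Do NOT use that command as it**` above the k3s install command breaks off mid-sentence; since that command carries the MySQL password on the command line, the sentence should be completed so the reader knows what to change.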
|