diff --git a/content/post/flutter-simple-router.md b/content/post/20201008-flutter-simple-router.md similarity index 100% rename from content/post/flutter-simple-router.md rename to content/post/20201008-flutter-simple-router.md diff --git a/content/post/20220904-rancher-traefik.md b/content/post/20220904-rancher-traefik.md new file mode 100644 index 0000000..dcfa986 --- /dev/null +++ b/content/post/20220904-rancher-traefik.md 
@@ -0,0 +1,126 @@ +--- +date: 2022-09-04T05:04:00+01:00 +title: Kubernetes/k3s Rancher with Traefik for HTTP/3 +author: pcdummy +tags: + - kubernetes + - rancher + - traefik +--- + +Yesterday a friend of mine [Rei Bauer](https://my.stargazer.at/) told me about HTTP/3 and how much faster it made here website. + +She got new tools, I WANT THAT TOO. + +For me thats not a 5 minutes job as I have to replace [ingress-nginx](https://github.com/kubernetes/ingress-nginx) with [traefik](https://traefik.io/). + + +### Remove the current L7 Loadbalancer + +#### Remove Traefik + +I have choosen to not use the k3s/rancher version (v2.6.x) of Traefik but use the latest and greatest (v2.8.x), so i modified my k3s with the following command: + +**Do NOT use that command as it** + +```bash +curl -sfL https://get.k3s.io | sh -s - server --datastore-endpoint="mysql://k3s:@tcp(maxscale-rw.example.com:3306)/k3s" --disable servicelb --disable traefik +``` + +Let's see what it does: + +- --disable servicelb + I replaced servicelb with metallb +- --disable traefik + I/we will use our own version of traefik + +When you use the given command (with your own "datastore-endpoint") you will see that you loose access to all L7 Ingresses, so please be aware of that and make sure you have access over ssh to your cluster. 
+ +#### Remove ingress-nginx + +```bash +helm uninstall -n kube-system ingress-nginx +``` + +If you haven't lost layer 7 access to your cluster in the last step you will have lost it now :) + +### Install traefik from the upstream sources + +- Add the upstream source + + ```bash + helm repo add traefik https://helm.traefik.io/traefik + ``` + +- Save my *traefik-values.yaml* somewhere: + + ```yaml + rbac: + enabled: true + ports: + web: + hostPort: 80 + websecure: + hostPort: 443 + http3: + advertisedPort: 443 + tls: + enabled: true + podAnnotations: + prometheus.io/port: "8082" + prometheus.io/scrape: "true" + providers: + kubernetesIngress: + publishedService: + enabled: true + priorityClassName: "system-cluster-critical" + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + service: + type: NodePort + ipFamilyPolicy: "PreferDualStack" + + experimental: + http3: + enabled: true + additionalArguments: + - "--accesslog" + - "--providers.kubernetesingress.allowexternalnameservices" + - "--providers.kubernetescrd.allowexternalnameservices" + - "--entrypoints.websecure.http3.advertisedport=443" + - "--certificatesresolvers.letsencrypt-prod.acme.tlschallenge" + - "--certificatesresolvers.letsencrypt-prod.acme.email=support@example.com" + - "--certificatesresolvers.letsencrypt-prod.acme.storage=/data/acme.json" + - "--certificatesresolvers.letsencrypt-prod.acme.caserver=https://acme-v02.api.letsencrypt.org/directory" + image: + name: traefik + tag: v2.8.4 + proxyProtocol: + enabled: true + trustedIPs: + - 10.0.0.0/8 + forwardedHeaders: + enabled: true + trustedIPs: + - 10.0.0.0/8 + ssl: + enabled: true + permanentRedirect: true + ``` + +- Change the acme email address there + +- Install traefik + + ```bash + helm install -n kube-system traefik traefik/traefik -f traefik-values.yaml 
+ ``` + +Have fun with Traefik, it's internal ACME resolver and HTTP/3. \ No newline at end of file
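Review bot: In the traefik-values.yaml block, the `proxyProtocol` and `forwardedHeaders` entries both list `trustedIPs` of `10.0.0.0/8`, so any peer in that range can supply the client address Traefik accepts and then records in the access log enabled by `--accesslog`; narrow both lists to the addresses of the load balancer that actually sits in front of Traefik, or state in the post why the whole /8 has to be trusted. The bold warning `**Do NOT use that command as it**` above the k3s install command stops mid-sentence and should be completed or dropped, since the paragraph after the flag list is the only place that says the command cuts off access to all L7 Ingresses. The two `allowexternalnameservices` arguments are enabled without any explanation; add a sentence on why they are needed, or remove them if no Ingress in the cluster relies on ExternalName services.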