homepage/content/post/20220904-rancher-traefik.md
---
date: 2022-09-04T05:04:00+01:00
title: "Kubernetes/k3s Rancher with Traefik for HTTP/3"
author: jochum
tags: [kubernetes, rancher, traefik]
---

Yesterday a friend of mine, Rei Bauer, told me about HTTP/3 and how much faster it made her website.

She got new tools, I WANT THAT TOO.

For me that wasn't a 5-minute job, as I had to replace ingress-nginx with Traefik.

Remove the current L7 Loadbalancer

  • Remove Traefik

    I have chosen not to use the k3s/Rancher version (v2.6.x) of Traefik but the latest and greatest (v2.8.x), so I modified my k3s with the following command:

    Do NOT use that command as is.

    ```sh
    curl -sfL https://get.k3s.io | sh -s - server --datastore-endpoint="mysql://k3s:<mysqlpw>@tcp(maxscale-rw.example.com:3306)/k3s" --disable servicelb --disable traefik
    ```

    Let's see what it does:

    • `--disable servicelb` - Do not install servicelb; I replaced it with MetalLB.
    • `--disable traefik` - Do not install the bundled Traefik.

    When you run the command (with your own `--datastore-endpoint`) you will lose access to all L7 Ingresses, so be aware of that and make sure you have SSH access to your cluster nodes before you start.

  • Remove ingress-nginx

    ```sh
    helm uninstall -n kube-system ingress-nginx
    ```

    If you haven't lost layer 7 access to your cluster in the last step, you will lose it now :)

Install traefik from the upstream sources

  • Add the upstream Helm repository

    ```sh
    helm repo add traefik https://helm.traefik.io/traefik
    ```
  • Save my traefik-values.yaml somewhere:

    ```yaml
    rbac:
      enabled: true
    ports:
      web:
        hostPort: 80
        http:
          redirections:
            entryPoint:
              to: websecure
              scheme: https

      websecure:
        hostPort: 443
        http3:
          advertisedPort: 443
        tls:
          enabled: true
      websecure-udp:
        port: 8443
        hostPort: 443
        protocol: UDP
    podAnnotations:
      prometheus.io/port: "8082"
      prometheus.io/scrape: "true"
    providers:
      kubernetesIngress:
        publishedService:
          enabled: true
        allowExternalNameServices: true
      kubernetesCRD:
        allowExternalNameServices: true
    priorityClassName: "system-cluster-critical"
    tolerations:
    - key: "CriticalAddonsOnly"
      operator: "Exists"
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Exists"
      effect: "NoSchedule"
    - key: "node-role.kubernetes.io/master"
      operator: "Exists"
      effect: "NoSchedule"

    experimental:
      http3:
        enabled: true
    additionalArguments:
      - "--certificatesresolvers.letsencrypt-prod.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
    image:
      name: traefik
      tag: v2.8.4
    proxyProtocol:
      enabled: true
      trustedIPs:
        - 10.0.0.0/8
    forwardedHeaders:
      enabled: true
      trustedIPs:
        - 10.0.0.0/8
    ssl:
      enabled: true
      permanentRedirect: true

    certResolvers:
      letsencrypt-prod:
        email: support@jochum.dev
        tlsChallenge: true
        storage: /data/acme.json

    logs:
      # general:
      #   format: json
      access:
        enabled: true
        # format: json
        fields:
          headers:
            defaultmode: drop
            names:
              User-Agent: keep
              Content-Type: keep
              RequestLine: keep

    persistence:
      enabled: true
    ```

  • Change the ACME email address there.

  • Install traefik

    ```sh
    helm install -n kube-system traefik traefik/traefik -f traefik-values.yaml
    ```
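After the install, these shell checks confirm the three things the values file above is meant to achieve (the HTTP to HTTPS redirect, HTTP/3 advertised on port 443, and the UDP hostPort actually landing on the Traefik pods); this is an added example, not part of the original post. It assumes a curl built with HTTP/3 support for the live check and the chart's standard `app.kubernetes.io/name=traefik` pod label; the host name is a placeholder.

```shell
#!/usr/bin/env bash
# Post-migration checks for the Traefik/HTTP3 setup. Added example, not from the
# original post. Assumptions: curl has HTTP/3 support (live check only) and the
# Traefik pods carry the chart's app.kubernetes.io/name=traefik label.
set -euo pipefail

# 1. HTTP/3 is announced through the Alt-Svc header; the port in it must be
#    ports.websecure.http3.advertisedPort (443), i.e. the public UDP hostPort.
h3_advertised() {   # $1 = raw response headers of an https:// request
  printf '%s\n' "$1" | tr -d '\r' | grep -iE '^alt-svc: *.*h3=":443"' >/dev/null
}

# 2. Plain HTTP must redirect to https://, as ports.web.http.redirections asks
#    (Traefik answers 302 unless permanent: true, so 301/302/307/308 all pass).
redirects_to_https() {   # $1 = raw response headers of an http:// request
  printf '%s\n' "$1" | tr -d '\r' | awk '
    NR == 1 { if ($2 !~ /^30[1278]$/) bad = 1 }
    tolower($1) == "location:" { seen = 1; if ($2 !~ /^https:\/\//) bad = 1 }
    END { exit (bad || !seen) }'
}

# 3. The QUIC listener is only reachable if the websecure-udp hostPort (UDP 443)
#    is present in the pod spec; read it back with kubectl and look for 443.
udp_hostport_ok() {   # $1 = output of kubectl_udp_hostports
  printf '%s\n' "$1" | grep -w 443 >/dev/null
}
kubectl_udp_hostports() {
  kubectl -n kube-system get pods -l app.kubernetes.io/name=traefik \
    -o 'jsonpath={.items[*].spec.containers[*].ports[?(@.protocol=="UDP")].hostPort}'
}

# Live run against a host served by this Traefik; usage: ./check.sh www.example.com
check_host() {
  local host=$1 hdr
  hdr=$(curl -sSI "http://$host/");  redirects_to_https "$hdr" || { echo "FAIL: no https redirect"; return 1; }
  hdr=$(curl -sSI "https://$host/"); h3_advertised "$hdr"      || { echo "FAIL: no Alt-Svc h3=\":443\""; return 1; }
  udp_hostport_ok "$(kubectl_udp_hostports)" || { echo "FAIL: no UDP 443 hostPort on traefik pods"; return 1; }
  # Finally speak HTTP/3 for real: curl must report http_version 3.
  [ "$(curl -sS --http3 -o /dev/null -w '%{http_version}' "https://$host/")" = 3 ] \
    || { echo "FAIL: request did not complete over HTTP/3"; return 1; }
  echo "OK: $host redirects to https, advertises h3 and answers over HTTP/3"
}

if [ $# -gt 0 ]; then check_host "$1"; fi
```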

Have fun with Traefik, its internal ACME resolver and HTTP/3.