---
date: 2022-09-04T05:04:00+01:00
title: Kubernetes/k3s Rancher with Traefik for HTTP/3
author: jochum
tags:
  - kubernetes
  - rancher
  - traefik
---

Yesterday a friend of mine, [Rei Bauer](https://my.stargazer.at/), told me about HTTP/3 and how much faster it made her website.

She got new tools, I WANT THAT TOO.

For me that wasn't a 5-minute job, as I had to replace [ingress-nginx](https://github.com/kubernetes/ingress-nginx) with [traefik](https://traefik.io/).

<!--more-->

### Remove the current L7 load balancer

- Remove Traefik

I have chosen not to use the Traefik version bundled with k3s/Rancher (v2.6.x) but the latest release (v2.8.x), so I modified my k3s installation with the following command:

**Do NOT use that command as is**

```bash
curl -sfL https://get.k3s.io | sh -s - server --datastore-endpoint="mysql://k3s:<mysqlpw>@tcp(maxscale-rw.example.com:3306)/k3s" --disable servicelb --disable traefik
```

Let's see what it does:

- *--disable servicelb* - Do not install servicelb; I replaced it with metallb.
- *--disable traefik* - Do not install the bundled Traefik.

When you run the given command (with your own "datastore-endpoint") you will lose access to all L7 Ingresses, so be aware of that and make sure you have SSH access to your cluster.

- Remove ingress-nginx

```bash
helm uninstall -n kube-system ingress-nginx
```

If you haven't lost layer 7 access to your cluster in the last step, you will lose it now :)

### Install Traefik from the upstream sources

- Add the upstream Helm repository

```bash
helm repo add traefik https://helm.traefik.io/traefik
```

- Save my *traefik-values.yaml* somewhere:

```yaml
rbac:
  enabled: true
ports:
  web:
    hostPort: 80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    hostPort: 443
    http3:
      advertisedPort: 443
    tls:
      enabled: true
  websecure-udp:
    port: 8443
    hostPort: 443
    protocol: UDP
podAnnotations:
  prometheus.io/port: "8082"
  prometheus.io/scrape: "true"
providers:
  kubernetesIngress:
    publishedService:
      enabled: true
    allowExternalNameServices: true
  kubernetesCRD:
    allowExternalNameServices: true
priorityClassName: "system-cluster-critical"
tolerations:
  - key: "CriticalAddonsOnly"
    operator: "Exists"
  - key: "node-role.kubernetes.io/control-plane"
    operator: "Exists"
    effect: "NoSchedule"
  - key: "node-role.kubernetes.io/master"
    operator: "Exists"
    effect: "NoSchedule"

experimental:
  http3:
    enabled: true
additionalArguments:
  - "--certificatesresolvers.letsencrypt-prod.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
image:
  name: traefik
  tag: v2.8.4
proxyProtocol:
  enabled: true
  trustedIPs:
    - 10.0.0.0/8
forwardedHeaders:
  enabled: true
  trustedIPs:
    - 10.0.0.0/8
ssl:
  enabled: true
  permanentRedirect: true

certResolvers:
  letsencrypt-prod:
    email: support@jochum.dev
    tlsChallenge: true
    storage: /data/acme.json

logs:
  # general:
  #   format: json
  access:
    enabled: true
    # format: json
    fields:
      headers:
        defaultmode: drop
        names:
          User-Agent: keep
          Content-Type: keep
          RequestLine: keep

persistence:
  enabled: true
```

- Change the ACME email address there
- Install Traefik

```bash
helm install -n kube-system traefik traefik/traefik -f traefik-values.yaml
```

Have fun with Traefik, its internal ACME resolver and HTTP/3.
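As an added example (my own helper, not code from the post and not Traefik or k3s project code), here is a small POSIX shell script that checks what the procedure above should have produced. `h3_advertised` parses the `Alt-Svc` response header (RFC 7838) and succeeds only when HTTP/3 is offered on the port that `ports.websecure.http3.advertisedPort` names; `check_h3` runs that against a live host with `curl`; `render_check` renders the chart with `helm template` (nothing is applied) and prints the http3 and trusted-IP related arguments the values file actually turns into Traefik flags. The function names, the sample header block and the assumption that the repo was added and the values file is named `traefik-values.yaml` as in the post are mine.

```shell
#!/usr/bin/env sh
# Added verification helper for the Traefik/HTTP/3 setup described in the post.
# Not part of the original post and not Traefik/k3s project code.
# Assumptions: helm and curl are on PATH, the traefik repo was added as in the post,
# and the values file lives next to this script as traefik-values.yaml.

# h3_advertised PORT
# Reads raw HTTP response headers on stdin; returns 0 when an Alt-Svc header
# offers HTTP/3 ("h3") on PORT, which is what advertisedPort: 443 should make
# Traefik send, and 1 otherwise (no header, "clear", or a different port).
h3_advertised() {
  port="$1"
  tr -d '\r' | awk -v port="$port" '
    tolower($0) ~ /^alt-svc:/ {
      # The value is a comma-separated list of alternatives, e.g.
      #   h3=":443"; ma=2592000, h3-29=":443"; ma=2592000
      value = substr($0, index($0, ":") + 1)
      n = split(value, alts, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", alts[i])
        # kv[1] = protocol id, kv[2] starts with the quoted ":port" authority
        split(alts[i], kv, "=")
        if (kv[1] == "h3" && kv[2] ~ ("^\":" port "\"")) found = 1
      }
    }
    END { exit (found ? 0 : 1) }'
}

# check_h3 HOST
# Live check: fetch the headers of a site served through this Traefik over HTTPS
# and look for the h3 advertisement on 443.
check_h3() {
  curl -sSI --max-time 10 "https://$1/" | h3_advertised 443
}

# render_check
# Render the chart locally and show which http3 / forwarded-header / proxy-protocol
# settings became Traefik arguments. If a setting you expect (for example the
# trustedIPs for forwarded headers) is missing from this output, the chart did not
# read it from where it sits in the values file.
render_check() {
  helm template traefik traefik/traefik -n kube-system -f traefik-values.yaml \
    | grep -iE -- 'http3|trustedips|forwardedheaders|proxyprotocol'
}

# Constructed sample of the headers one expects once HTTP/3 is enabled
# (not captured from a live server).
SAMPLE_HEADERS='HTTP/2 200
alt-svc: h3=":443"; ma=2592000
content-type: text/html; charset=utf-8'

if printf '%s\n' "$SAMPLE_HEADERS" | h3_advertised 443; then
  echo "sample headers advertise HTTP/3 on 443"
fi

# Usage: ./check-h3.sh example.com
if [ $# -gt 0 ]; then
  if check_h3 "$1"; then
    echo "$1 advertises HTTP/3 on 443"
  else
    echo "$1 does not advertise HTTP/3 on 443" >&2
  fi
fi
```

`render_check` is the one to run before trusting the `forwardedHeaders` and `proxyProtocol` entries: whether Traefik honours `X-Forwarded-For` from 10.0.0.0/8 depends on those values reaching the entrypoint arguments, and the rendered manifest is the authoritative place to confirm that, not the values file.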