# k3s
c
that should work as far as I can tell, but both Traefik v1 and Kubernetes 1.20 are end of support so there probably aren’t too many folks poking at that any more.
The last version of the v1 chart we shipped was v1.81, so the values might be different than what you’re using? https://github.com/helm/charts/blob/eb09d8d77b15dc214781c7a1cb1e1d343812bd9a/stable/traefik/values.yaml
hmm no, looks like it’s still ssl.cipherSuites
r
Thanks for the 👀 Brad. We’re working on the move to k8s 1.21 and traefik v2 soon, so hopefully setting a custom set of ciphers goes more smoothly with that version.
c
in the meantime I would probably just go look at what the chart is doing - see what the resulting config looks like in the cluster
r
The resulting config looks good as far as I can tell:
```
kubectl -n kube-system get cm traefik -o yaml
apiVersion: v1
data:
  traefik.toml: |
    # traefik.toml
    logLevel = "info"
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      compress = true
      [entryPoints.https]
      address = ":443"
      compress = true
        [entryPoints.https.tls]
          minVersion = "VersionTLS12"
          cipherSuites = [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
          ]
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"
          ...
```
c
can you hit the pod directly and get a TLS response?
r
Looks like yes:
```
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
```
c
might be something with the service then? Is it passing health checks? Do you see the pod IP in the endpoints list for the service?
r
Checks passing, traefik pod IP is present in the traefik load balancer service endpoints list 👍
c
hmm. You just can’t hit it on the node port?