# k3s

adamant-kite-43734

06/15/2022, 5:19 PM
This message was deleted.

creamy-pencil-82913

06/15/2022, 6:17 PM
that should work as far as I can tell, but both Traefik v1 and Kubernetes 1.20 are end of support so there probably aren’t too many folks poking at that any more.
The last version of the v1 chart we shipped was v1.81, so the values might be different than what you’re using? https://github.com/helm/charts/blob/eb09d8d77b15dc214781c7a1cb1e1d343812bd9a/stable/traefik/values.yaml
hmm no, looks like it’s still ssl.cipherSuites

rich-zoo-49735

06/15/2022, 6:39 PM
Thanks for the 👀 Brad. We’re working on the move to k8s 1.21 and traefik v2 soon, so hopefully setting a custom set of ciphers goes more smoothly with that version.

creamy-pencil-82913

06/15/2022, 6:40 PM
in the meantime I would probably just go look at what the chart is doing - see what the resulting config looks like in the cluster

rich-zoo-49735

06/15/2022, 6:41 PM
The resulting config looks good as far as I can tell:
```
kubectl -n kube-system get cm traefik -o yaml
apiVersion: v1
data:
  traefik.toml: |
    # traefik.toml
    logLevel = "info"
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      compress = true
      [entryPoints.https]
      address = ":443"
      compress = true
        [entryPoints.https.tls]
          minVersion = "VersionTLS12"
          cipherSuites = [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
          ]
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"
          ...
```

creamy-pencil-82913

06/15/2022, 6:43 PM
can you hit the pod directly and get a TLS response?

rich-zoo-49735

06/15/2022, 7:05 PM
Looks like yes:
```
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
```

creamy-pencil-82913

06/15/2022, 7:07 PM
might be something with the service then? Is it passing health checks? Do you see the pod IP in the endpoints list for the service?

rich-zoo-49735

06/15/2022, 7:10 PM
Checks passing, traefik pod IP is present in the traefik load balancer service endpoints list 👍

creamy-pencil-82913

06/15/2022, 7:33 PM
hmm. You just can’t hit it on the node port?