Re: k3s example
I finished a k3s example using Ansible.
Traefik v2 can no longer configure Ingress resources with passthrough TLS. Instead, Traefik v2 uses a custom resource, IngressRouteTCP, provided by k3s. My example shows creating these to match the advertised addresses of the client and mgmt APIs, e.g., ctrl1-client.ziti.example.com, ctrl1-mgmt.ziti.example.com.
I've split the client and management APIs on separate web listeners to match your use case. This means the console is only reachable via the ctrl1-mgmt URL, not ctrl1-client, and the ziti CLI, too, must use the mgmt URL.
Additionally, I showed how to configure the controller with an alternative server certificate and one additional IngressRouteTCP that matches the alternative host, e.g., ctrl1-alt.ziti.example.com. The controller chart input values ask Cert Manager to issue this additional certificate from the same issuer as the client/mgmt server certificate. Still, you can point this to your own ClusterIssuer to obtain a certificate to, for example, obtain the alt cert from LetsEncrypt to use with BrowZer.
Throughout the example I used *.sslip.io instead of creating DNS records. These magic wildcard records resolve to the IPv4 address in the record name.
The example playbook's tasks save the kubeconfig from the target host on the Ansible controller while changing the cluster server address to the target host's IP. This helped me test by providing a kubeconfig I could use to interact with the deployed K3s cluster, but it is not necessary for deploying K3s.
Traefik v2, which is included in k3s, also supports Gateway API. This would allow you to avoid using Traefik's custom resources and standardize a k3s deployment on Gateway API's TCPRoute resource. Link to the revision of the playbook that uses Gateway experimental channel instead of Traefik's IngressRouteTCP CRD.
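For readers who have not used Traefik v2's CRD before, here is an added illustration (not taken from the playbook above) of two IngressRouteTCP resources that pass TLS through to the controller by SNI for the client and mgmt hostnames mentioned in the post. The Service names (`ziti-controller-client`, `ziti-controller-mgmt`), their ports, and the `websecure` entry point are assumptions for the sake of the example and must be matched to your chart's actual Service and k3s Traefik configuration.

```yaml
# Added example, not the playbook's own manifests.
# TLS passthrough: Traefik only reads the ClientHello SNI and forwards
# the raw TCP stream, so the controller presents its own server
# certificate (including any alternative cert) and terminates TLS itself.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ziti-controller-client
  namespace: ziti            # assumed namespace
spec:
  entryPoints:
    - websecure              # k3s's default Traefik HTTPS entry point (assumed)
  routes:
    # Route only connections whose SNI is the advertised client API address.
    - match: HostSNI(`ctrl1-client.ziti.example.com`)
      services:
        - name: ziti-controller-client   # assumed Service name
          port: 443                      # assumed Service port
  tls:
    passthrough: true        # no termination at the edge; no Traefik cert used
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ziti-controller-mgmt
  namespace: ziti            # assumed namespace
spec:
  entryPoints:
    - websecure
  routes:
    # Separate listener for the management API; the console and the
    # ziti CLI use this hostname, never the client one.
    - match: HostSNI(`ctrl1-mgmt.ziti.example.com`)
      services:
        - name: ziti-controller-mgmt     # assumed Service name
          port: 443                      # assumed Service port
  tls:
    passthrough: true
```

Because routing is by SNI only, a client that connects by IP or with a mismatched SNI falls through to no route, which is a quick way to confirm the two APIs are really reachable only under their own hostnames.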