arch - Network

kubernetes is dumb and i can't stop using it

kubernetes is dumb and i can't stop using it

Wonder if it’s worth doing the TLS termination on the HAProxy side rather than the cluster side.

Wonder if it’s worth doing the TLS termination on the HAProxy side rather than the cluster side.

Hehehe yes

Hehehe yes

Fellow Kubernetes admins - do you also use wildcards, or just let cert-manager provision a cert per-domain/subdomain?#kubernetes #kubeadmin

Fellow Kubernetes admins - do you also use wildcards, or just let cert-manager provision a cert per-domain/subdomain?

#kubernetes #kubeadmin

This is both hilarious and sad (https://projectcontour.io/resources/faq/).I might swap back to per-subdomain certificates anyways, but I...

This is both hilarious and sad (https://projectcontour.io/resources/faq/).

I might swap back to per-subdomain certificates anyways, but I really like the idea of having the single wildcard for *.gmem.ca in my cluster.

The Contour commit. Bit hefty, some cleanup to do on the repo, but I need sleep...

The Contour commit. Bit hefty, some cleanup to do on the repo, but I need sleep https://git.gmem.ca/arch/infra/commit/1a7ddaa36748283dc12363ee6e115f7c58bf4559

Dangit I restarted Discord and it updated.

Dangit I restarted Discord and it updated.

k8s-ci-robot and fejta-bot are the worst things to see on a Kubernetes GitHub issue.

k8s-ci-robot and fejta-bot are the worst things to see on a Kubernetes GitHub issue.

[starts writing api docs]idk its just like, vibes

[starts writing api docs]

idk its just like, vibes

Anyways, I mildly brute forced it but I’ve swapped to Contour (and Envoy) as my Kubernetes ingress controller. Or rather, my Gatway API...

Anyways, I mildly brute forced it but I’ve swapped to Contour (and Envoy) as my Kubernetes ingress controller. Or rather, my Gatway API controller.

oh god oh no contour can produce a graph

oh god oh no contour can produce a graph

Me, wondering why one of my self hosted services randomly 503s.The Kubernetes service with a selector that has also selected the Valkey...

Me, wondering why one of my self hosted services randomly 503s.

The Kubernetes service with a selector that has also selected the Valkey instance: hehe

you have observed this posti hope it was enjoyable

you have observed this post

i hope it was enjoyable

Traefik has also somehow managed to defeat me.How is it proving so hard to just drop in another ingress controller? Having all sorts of...

Traefik has also somehow managed to defeat me.

How is it proving so hard to just drop in another ingress controller? Having all sorts of issues Both Envoy and Traefik randomly 502 some of my services, or mess up HAProxy for whatever reason. I can't tell if this is because I'm trying to swap to a service NodePort from my ingress-nginx host networking or what.

Uugh. Whatever. I'll put it back down for now. I'm annoyed :P

Contour/Envoy also randomly 503s requests and I can't figure out why.Blegh. I'm tired. Bed.

Contour/Envoy also randomly 503s requests and I can't figure out why.

Blegh. I'm tired. Bed.

I have been defeated by both Istio and Contour tonight. Mildly tempted to poke around Traefik but maybe that'll be a tomorrow thing.I get...

I have been defeated by both Istio and Contour tonight. Mildly tempted to poke around Traefik but maybe that'll be a tomorrow thing.

I get why wildcard certs aren't common in Kubernetes clusters, but, like, it should be possible.

It doesn't error out, it simply doesn't serve a cert.https://paste.gmem.ca/paste/a257ed27-3ad0-4782-a61c-c238b37e2450/raw

It doesn't error out, it simply doesn't serve a cert.

https://paste.gmem.ca/paste/a257ed27-3ad0-4782-a61c-c238b37e2450/raw

So what I'm learning:Despite doing everything I can with TLSCertificateDelegation, projectcontour.io/tls-cert-namespace and whatever else, I...

So what I'm learning:

Despite doing everything I can with TLSCertificateDelegation, projectcontour.io/tls-cert-namespace and whatever else, I can't get Contour to use my wildcard cert (cert-manager/gmem-ca-wildcard) for my ingresses since the cert SAN doesn't exactly match the tls.hosts entries in my ingress?

Was really hoping to find something drop-in so I could migrate to Gateway API as I needed/wanted. Not super interested in using the HTTProxy CRD :/ #kubernetes

curl: (35) TLS connect error: error:0A0000C6:SSL routines::packet length too long(╯°□°）╯︵ ┻━┻

curl: (35) TLS connect error: error:0A0000C6:SSL routines::packet length too long

(╯°□°）╯︵ ┻━┻

um, help??

um, help??