From 3b3d6f9e25ecf0d2000b6026397a9b2cde26d533 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 11 May 2020 21:09:20 -0700 Subject: [PATCH] Update NLB setup doc for K3s Rancher installs --- .../en/installation/options/nlb/_index.md | 84 ++++++++++++------- 1 file changed, 55 insertions(+), 29 deletions(-) diff --git a/content/rancher/v2.x/en/installation/options/nlb/_index.md b/content/rancher/v2.x/en/installation/options/nlb/_index.md index 78d170d6714..333e4a03a56 100644 --- a/content/rancher/v2.x/en/installation/options/nlb/_index.md +++ b/content/rancher/v2.x/en/installation/options/nlb/_index.md @@ -10,7 +10,11 @@ This how-to guide describes how to set up a Network Load Balancer (NLB) in Amazo These examples show the load balancer being configured to direct traffic to three Rancher server nodes. If Rancher is installed on an RKE Kubernetes cluster, three nodes are required. If Rancher is installed on a K3s Kubernetes cluster, only two nodes are required. -> **Note:** Rancher only supports using the Amazon NLB when terminating traffic in `tcp` mode for port 443 rather than `tls` mode. This is due to the fact that the NLB does not inject the correct headers into requests when terminated at the NLB. This means that if you want to use certificates managed by the Amazon Certificate Manager (ACM), you should use an ALB. +This tutorial is about one possible way to set up your load balancer, not the only way. Other types of load balancers, such as a Classic Load Balancer or Application Load Balancer, could also direct traffic to the Rancher server nodes. + +Rancher only supports using the Amazon NLB when terminating traffic in `tcp` mode for port 443 rather than `tls` mode. This is due to the fact that the NLB does not inject the correct headers into requests when terminated at the NLB. This means that if you want to use certificates managed by the Amazon Certificate Manager (ACM), you should use an ALB. + +# Setting up the Load Balancer Configuring an Amazon NLB is a multistage process: @@ -19,38 +23,46 @@ Configuring an Amazon NLB is a multistage process: 3. [Create Your NLB](#3-create-your-nlb) 4. [Add listener to NLB for TCP port 80](#4-add-listener-to-nlb-for-tcp-port-80) -> **Prerequisite:** These instructions assume you have already created Linux instances in EC2. The load balancer will direct traffic to these two nodes. +# Requirements + +These instructions assume you have already created Linux instances in EC2. The load balancer will direct traffic to these nodes. # 1. Create Target Groups Begin by creating two target groups for the **TCP** protocol, one with TCP port 443 and one regarding TCP port 80 (providing redirect to TCP port 443). You'll add your Linux nodes to these groups. -Your first NLB configuration step is to create two target groups. Technically, only port 443 is needed to access Rancher, but its convenient to add a listener for port 80 which will be redirected to port 443 automatically. The NGINX ingress controller on the nodes will make sure that port 80 gets redirected to port 443. +Your first NLB configuration step is to create two target groups. Technically, only port 443 is needed to access Rancher, but it's convenient to add a listener for port 80, because traffic to port 80 will be automatically redirected to port 443. + +Regardless of whether an NGINX Ingress or Traefik Ingress controller is used, the Ingress should redirect traffic from port 80 to port 443. 1. Log into the [Amazon AWS Console](https://console.aws.amazon.com/ec2/) to get started. Make sure to select the **Region** where your EC2 instances (Linux nodes) are created. 1. Select **Services** and choose **EC2**, find the section **Load Balancing** and open **Target Groups**. 1. Click **Create target group** to create the first target group, regarding TCP port 443. +> **Note:** Health checks are handled differently based on the Ingress. For details, refer to [this section.](#health-check-paths-for-nginx-ingress-and-traefik-ingresses) + ### Target Group (TCP port 443) Configure the first target group according to the table below. Screenshots of the configuration are shown just below the table. -| Option | Setting | -| ----------------------------------- | ----------------- | -| Target Group Name | `rancher-tcp-443` | -| Protocol | `TCP` | -| Port | `443` | +| Option | Setting | +| --------- | ----------------- | +| Target Group Name | `rancher-tcp-443` | | Target type | `instance` | +| Protocol | `TCP` | +| Port | `443` | | VPC | Choose your VPC | -| Protocol
(Health Check) | `HTTP` | -| Path
(Health Check) | `/healthz` | -| Port (Advanced health check) | `override`,`80` | -| Healthy threshold (Advanced health) | `3` | -| Unhealthy threshold (Advanced) | `3` | -| Timeout (Advanced) | `6 seconds` | -| Interval (Advanced) | `10 second` | -| Success codes | `200-399` | +Health check settings: + +| Option | | +| ---------------------------|------| +| Protocol | TCP | +| Port | `override`,`80` | +| Healthy threshold | `3` | +| Unhealthy threshold | `3` | +| Timeout | `6 seconds` | +| Interval | `10 seconds` | Click **Create target group** to create the second target group, regarding TCP port 80. @@ -58,21 +70,24 @@ Click **Create target group** to create the second target group, regarding TCP p Configure the second target group according to the table below. Screenshots of the configuration are shown just below the table. -| Option | Setting | -| ----------------------------------- | ---------------- | -| Target Group Name | `rancher-tcp-80` | +| Option | Setting | +| --------- | ---------------- | +| Target Group Name | `rancher-tcp-80` | +| Target type | `instance` | | Protocol | `TCP` | | Port | `80` | -| Target type | `instance` | -| VPC | Choose your VPC | -| Protocol
(Health Check) | `HTTP` | -| Path
(Health Check) | `/healthz` | -| Port (Advanced health check) | `traffic port` | -| Healthy threshold (Advanced health) | `3` | -| Unhealthy threshold (Advanced) | `3` | -| Timeout (Advanced) | `6 seconds` | -| Interval (Advanced) | `10 second` | -| Success codes | `200-399` | +| VPC | Choose your VPC | + +Health check settings: + +| Option | | +| ---------------------------|------| +| Protocol | TCP | +| Port | `traffic port` | +| Healthy threshold | `3` | +| Unhealthy threshold | `3` | +| Timeout | `6 seconds` | +| Interval | `10 seconds` | # 2. Register Targets @@ -153,3 +168,14 @@ After AWS creates the NLB, click **Close**. 5. From the **Forward to** drop-down, choose `rancher-tcp-80`. 6. Click **Save** in the top right of the screen. + +# Health Check Paths for NGINX Ingress and Traefik Ingresses + +K3s and RKE Kubernetes clusters handle health checks differently because they use different Ingresses by default. + +For RKE Kubernetes clusters, NGINX Ingress is used by default, whereas for K3s Kubernetes clusters, Traefik is the default Ingress. + +- **Traefik:** The health check path is `/ping`. By default `/ping` is always matched (regardless of Host), and a response from [Traefik itself](https://docs.traefik.io/operations/ping/) is always served. +- **NGINX Ingress:** The default backend of the NGINX Ingress controller has a `/healthz` endpoint. By default `/healthz` is always matched (regardless of Host), and a response from [`ingress-nginx` itself](https://github.com/kubernetes/ingress-nginx/blob/0cbe783f43a9313c9c26136e888324b1ee91a72f/charts/ingress-nginx/values.yaml#L212) is always served. + +To simulate an accurate health check, it is a best practice to use the Host header (Rancher hostname) combined with `/ping` or `/healthz` (for K3s or for RKE clusters, respectively) wherever possible, to get a response from the Rancher Pods, not the Ingress. \ No newline at end of file