How do you deal with a setup where Rancher HA and the user cluster are both behind a firewall?
The HA installation documentation recommends a streaming load balancer in front of Rancher.
If I use the same load balancer for the user cluster, the TLS termination has to be configured on the
Rancher cluster. Rancher is then the bottleneck in my understanding…
Do you set up another load balancer (HA) in front of the user cluster and expose this to the public area,
or is there any other solution?
I would like to avoid user-cluster unavailability when Rancher crashes for some reason (self-contained cluster).
Cool, thanks… I missed this.
The "authorized endpoint" (singular) makes me wonder a bit because there are many. Let's say 3 control planes. The load balancer (same as for Rancher) is then the authorized endpoint?
This means another load balancer in front of the user cluster but only for control planes?
External load balancer (NGINX) routing traffic to my 3 rancher nodes
Internal load balancer for control planes (for authorized cluster endpoint)
External load balancer (NGINX) for the user cluster
Things become complicated. The alternative is TLS termination at the load balancer (the one where Rancher is exposed to the public now), I think.
I don't want to use HA load balancers for every single thing in the cluster.
Yes, I'm using a second floating IP for the control-plane load balancing at the edge nodes (edge nodes = two nodes in a failover setup exposed to the internet).
I use nginx at the edge nodes to stream the traffic to the control planes.
Something like this…
    stream {
        upstream cluster_api_upstream {
            least_conn;
            # kube-apiserver on the three control planes; a node is taken out of
            # rotation for 10s after 3 failed connection attempts
            server ${cluster_ctrl0_ip}:6443 max_fails=3 fail_timeout=10s;
            server ${cluster_ctrl1_ip}:6443 max_fails=3 fail_timeout=10s;
            server ${cluster_ctrl2_ip}:6443 max_fails=3 fail_timeout=10s;
        }
        ...
        server {
            # second floating IP on the edge nodes; plain TCP passthrough,
            # TLS is not terminated here, the API servers present their own cert
            listen ${vpc_fip_cluster}:6443;
            proxy_pass cluster_api_upstream;
        }
        ...
    }
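Added example, not code from the posts above: a complete edge-node stream config that serves both Rancher and the user cluster's authorized cluster endpoint from a single floating IP, so no second HA load balancer is needed. Ports 80/443 are passed through to the Rancher nodes (TLS terminates at Rancher's ingress, as the HA install docs require), and 6443 is passed through to the control planes, so the user cluster stays reachable when Rancher is down. Variable names (${vpc_fip}, ${rancher*_ip}, ${cluster_ctrl*_ip}) are assumptions in the style of the post; adjust them to your environment.

```nginx
# Added example (not from the original thread). Runs on both edge nodes
# behind the failover floating IP ${vpc_fip}. Everything here is L4 TCP
# passthrough: no TLS termination at the edge, so the edge never needs
# any of the clusters' private keys.
stream {
    # Rancher HA: forward 80 and 443 untouched to the ingress on the three
    # Rancher nodes. TLS for the Rancher UI/API terminates inside the
    # Rancher cluster, which is what the HA install docs expect.
    upstream rancher_http {
        least_conn;
        server ${rancher0_ip}:80 max_fails=3 fail_timeout=10s;
        server ${rancher1_ip}:80 max_fails=3 fail_timeout=10s;
        server ${rancher2_ip}:80 max_fails=3 fail_timeout=10s;
    }
    upstream rancher_https {
        least_conn;
        server ${rancher0_ip}:443 max_fails=3 fail_timeout=10s;
        server ${rancher1_ip}:443 max_fails=3 fail_timeout=10s;
        server ${rancher2_ip}:443 max_fails=3 fail_timeout=10s;
    }

    # User cluster: kube-apiserver on the three control planes. This is the
    # target of the authorized cluster endpoint FQDN, and it does not go
    # through Rancher at all.
    upstream cluster_api_upstream {
        least_conn;
        server ${cluster_ctrl0_ip}:6443 max_fails=3 fail_timeout=10s;
        server ${cluster_ctrl1_ip}:6443 max_fails=3 fail_timeout=10s;
        server ${cluster_ctrl2_ip}:6443 max_fails=3 fail_timeout=10s;
    }

    server {
        listen ${vpc_fip}:80;
        proxy_pass rancher_http;
        proxy_connect_timeout 5s;
    }
    server {
        listen ${vpc_fip}:443;
        proxy_pass rancher_https;
        proxy_connect_timeout 5s;
    }
    server {
        # Same floating IP, different port: no conflict with Rancher's 443.
        listen ${vpc_fip}:6443;
        proxy_pass cluster_api_upstream;
        proxy_connect_timeout 5s;
        # kubectl watch/exec/logs hold idle TCP connections open for a long
        # time; the stream default proxy_timeout of 10m would cut them off.
        proxy_timeout 1h;
    }
}
```

Two checks before relying on this: point the authorized cluster endpoint FQDN at ${vpc_fip}, and make sure that FQDN is in the kube-apiserver certificate's SANs (it is the control planes' own certificate that kubectl sees through the passthrough, not Rancher's), otherwise kubectl will reject the endpoint. Then stop the Rancher pods and confirm that the ACE context in the kubeconfig still works, which is the self-contained-cluster property the first post asks for.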