Ingress Controller Configuration

Currently, a single IP address is used as the external IP of the ingress controller in an HA environment. From EFA 2.4.0, this is enhanced to support multiple external IPs.

Verify that the IP addresses are associated to the ingress controller by executing the following:

$ k3s kubectl get svc traefik -n kube-system

NAME      TYPE           CLUSTER-IP      EXTERNAL-IP                                                        PORT(S)                      AGE
traefik   LoadBalancer   10.43.214.249   10.175.100.240,10.175.100.186,10.175.100.117,20.20.20.2,50.50.50.2   80:31135/TCP,443:30102/TCP   105m

The output must list all the management network IPs. Another way to verify that all the IP addresses are bound to the ingress is to check the output of the following command.

netstat -tuplen | grep :443

EFA's default SSL certificate is also updated by an Add or Delete MMIP operation. This is necessary because EFA's ingress controller must be able to select the correct certificate to authenticate the incoming connection. This is achieved by comparing each of the controller certificate's Subject Alternative Name (SAN) fields with the IP of the incoming connection (because this is TLS, it happens logically before the L7 connection is established). EFA regenerates an SSL certificate and ensures that all MMIP IP addresses are listed as SANs. Users can confirm this with the following command:

$ openssl x509 -text -noout -in /apps/efadata/certs/own/tls.crt | grep -A1 "Subject Alternative Name"

            X509v3 Subject Alternative Name:
                DNS:efa.extremenetworks.com, IP Address:127.0.0.1, IP Address:10.175.100.240, IP Address:10.175.100.186, IP Address:10.175.100.117, IP Address:20.20.20.2, IP Address:50.50.50.2
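The two checks above (the EXTERNAL-IP list of the traefik service and the SAN list of the certificate) are only useful together: every external IP must appear as an IP SAN, or TLS clients connecting to that address get a certificate that does not match it. The following script is an added example, not part of the EFA documentation or product, that cross-checks the two lists. Both inputs are constructed sample strings shaped like the outputs shown above; on a live system they would be fed from the kubectl and openssl commands named in the comments.

```shell
#!/bin/sh
# Added example (not from the EFA documentation): verify that every
# EXTERNAL-IP bound to the traefik service has a matching IP SAN in the
# ingress certificate. The two inputs below are constructed samples.

# Constructed: the EXTERNAL-IP column of
#   k3s kubectl get svc traefik -n kube-system
EXTERNAL_IPS='10.175.100.240,10.175.100.186,10.175.100.117,20.20.20.2,50.50.50.2'

# Constructed: the SAN line of
#   openssl x509 -text -noout -in /apps/efadata/certs/own/tls.crt | grep -A1 "Subject Alternative Name"
SAN_LINE='DNS:efa.extremenetworks.com, IP Address:127.0.0.1, IP Address:10.175.100.240, IP Address:10.175.100.186, IP Address:10.175.100.117, IP Address:20.20.20.2, IP Address:50.50.50.2'

# san_ips SAN_LINE -> prints one IP per line for each "IP Address:" entry,
# ignoring DNS entries and surrounding whitespace
san_ips() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*IP Address:[[:space:]]*//p'
}

# missing_sans EXTERNAL_IPS SAN_LINE -> prints each external IP that has no
# IP SAN; prints nothing when the certificate covers every external IP
missing_sans() {
    ips=$(printf '%s\n' "$1" | tr ',' '\n')
    sans=$(san_ips "$2")
    for ip in $ips; do
        # -F: compare as a fixed string so dots in the IP are not regex wildcards
        # -x: the whole SAN line must equal the IP, not merely contain it
        if ! printf '%s\n' "$sans" | grep -qxF "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
}

# check_ingress_cert EXTERNAL_IPS SAN_LINE -> returns 0 when every external
# IP is covered by an IP SAN, 1 otherwise (listing the gaps on stderr)
check_ingress_cert() {
    missing=$(missing_sans "$1" "$2")
    if [ -n "$missing" ]; then
        echo "external IPs without an IP SAN in the ingress certificate:" >&2
        for ip in $missing; do
            printf '  %s\n' "$ip" >&2
        done
        return 1
    fi
    echo "all external IPs are present as IP SANs"
    return 0
}

check_ingress_cert "$EXTERNAL_IPS" "$SAN_LINE"
```

A non-zero exit from check_ingress_cert after an Add MMIP operation means the certificate was not regenerated for the new address, which is exactly the situation the note on third-party certificates below warns about.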

To confirm that Traefik, the ingress controller, is using this certificate, run the following:

$ k3s kubectl get deployment traefik -n kube-system -o yaml | grep 'secretName: efasecret'

              secretName: efasecret-tls

The secret must be called "efasecret-tls". To confirm that the secret is correct, run the following:

k3s kubectl get secret efasecret-tls -n kube-system -o yaml

Extract the tls.key field from the embedded JSON output and base64-decode it. This results in a certificate that can be verified with the openssl command above.

Note that if users provide their own (third-party) certificates for use within EFA and wish to make use of the MMIP feature, they must ensure that the certificate contains SAN fields for each of the MMIP interfaces and for the distinguished VIP interface.