Currently, a single IP is used as the external IP of the ingress controller in an HA environment. From EFA 2.4.0, this is enhanced to support multiple external IPs.
Verify that the IP addresses are associated with the ingress controller by executing the following command:
$ k3s kubectl get svc traefik -n kube-system
NAME      TYPE           CLUSTER-IP      EXTERNAL-IP                                                          PORT(S)                      AGE
traefik   LoadBalancer   10.43.214.249   10.175.100.240,10.175.100.186,10.175.100.117,20.20.20.2,50.50.50.2   80:31135/TCP,443:30102/TCP   105m
The output must list all the management network IPs. Another way to verify that all the IP addresses are bound to the ingress is to check the output of the following command:
netstat -tuplen | grep :443
$ openssl x509 -text -noout -in /apps/efadata/certs/own/tls.crt | grep -A1 "Subject Alternative Name"
X509v3 Subject Alternative Name:
    DNS:efa.extremenetworks.com, IP Address:127.0.0.1, IP Address:10.175.100.240, IP Address:10.175.100.186, IP Address:10.175.100.117, IP Address:20.20.20.2, IP Address:50.50.50.2
To confirm that Traefik, the ingress controller, is using this certificate, run the following:
$ k3s kubectl get deployment traefik -n kube-system -o yaml | grep 'secretName: efasecret'
secretName: efasecret-tls
The secret must be called “efasecret-tls”. To confirm the secret is correct, run the following:
k3s kubectl get secret efasecret-tls -n kube-system -o yaml
Extract the field tls.key from the embedded JSON output and base64-decode it. This results in a certificate which can be verified with the above openssl command.
Note that if users provide their own (third-party) certificates for use within EFA and wish to use the MMIP feature, they must ensure that the certificate contains SAN fields for each of the MMIP interfaces and the distinguished VIP interface.
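The service and certificate checks above can be combined into one cross-check that every EXTERNAL-IP on the traefik service also appears as an IP SAN in the certificate, which is the requirement a third-party certificate has to meet. This is an added example, not part of the original page or of EFA; the function names missing_sans and check_live and the address 192.0.2.9 are made up for illustration, and check_live assumes the certificate sits in the secret's tls.crt field, as it does in a standard Kubernetes TLS secret (tls.key there holds the private key).

```shell
#!/bin/sh
# Added example: report service IPs that the certificate does not cover.
# Compares IPv4 addresses as text (openssl prints IPv6 in a different form).

# missing_sans EXTERNAL_IPS SAN_TEXT
#   EXTERNAL_IPS: comma-separated EXTERNAL-IP column of the traefik service
#   SAN_TEXT:     "Subject Alternative Name" lines from `openssl x509 -text`
# Prints one line per IP that has no "IP Address:" SAN; nothing if all match.
missing_sans() {
    ext_ips=$1
    san_text=$2
    # Reduce the SAN text to one bare IP per line (DNS entries are dropped).
    san_ips=$(printf '%s\n' "$san_text" | tr ',' '\n' |
        sed -n 's/.*IP Address:[[:space:]]*\([^[:space:]]*\).*/\1/p')
    printf '%s\n' "$ext_ips" | tr ',' '\n' | while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        # -x whole line, -F literal: 10.175.100.24 must not match 10.175.100.240
        printf '%s\n' "$san_ips" | grep -qxF -- "$ip" || printf '%s\n' "$ip"
    done
}

# check_live: run the comparison on an EFA node (needs k3s, base64, openssl).
check_live() {
    # -o wide keeps the full list; column 4 is EXTERNAL-IP.
    ext=$(k3s kubectl get svc traefik -n kube-system -o wide --no-headers |
          awk '{print $4}')
    # Fetch and decode only the certificate; the private key is not retrieved.
    san=$(k3s kubectl get secret efasecret-tls -n kube-system \
            -o jsonpath='{.data.tls\.crt}' | base64 -d |
          openssl x509 -noout -text | grep -A1 'Subject Alternative Name')
    missing_sans "$ext" "$san"
}

# Constructed demo input: the SAN list shown on this page, checked against two
# of its IPs plus one (192.0.2.9, a documentation address) the cert lacks.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:efa.extremenetworks.com, IP Address:127.0.0.1, IP Address:10.175.100.240, IP Address:10.175.100.186, IP Address:10.175.100.117, IP Address:20.20.20.2, IP Address:50.50.50.2'
missing_sans '10.175.100.240,20.20.20.2,192.0.2.9' "$SAMPLE_SAN"
```

On a live node, call check_live after sourcing the functions; empty output means every external IP is covered by the certificate.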