Hi, I'm finally moving my local Kubernetes test setup (on k3d) to AKS, and I'm struggling to get HTTPS working.
I've configured external-dns to update Cloudflare DNS (with proxy enabled), cert-manager to do HTTP-01 challenges with Let's Encrypt, and I'm trying to expose my services via Kubernetes Ingress (without Traefik CRDs).
I tried to follow the guides found around on the various topics, but the result of putting the pieces together was a failure. The last iteration results in a 404 for every endpoint I try to reach.
Here's the Traefik Deployment (I left out labels and selectors):
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
  name: traefik
  namespace: traefik-system
  # labels omitted by the poster
spec:
  minReadySeconds: 0
  replicas: 1
  # selector omitted by the poster
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      annotations:
        prometheus.io/path: /metrics
        prometheus.io/port: "9100"
        prometheus.io/scrape: "true"
    spec:
      containers:
        - args:
            - --ping=true
            # Kubernetes Ingress provider; publishedService is the Service whose
            # LoadBalancer address is written back into Ingress status
            - --providers.kubernetesingress
            - --providers.kubernetesingress.ingressEndpoint.publishedService=traefik-system/traefik
            - --metrics.prometheus=true
            - --metrics.prometheus.entrypoint=metrics
            # entrypoints: container ports, mapped to 80/443 by the Service below
            - --entrypoints.metrics.address=:9100/tcp
            - --entrypoints.traefik.address=:9000/tcp
            - --entrypoints.websecure.address=:8443/tcp
            - --entrypoints.websecure.http.tls=true
            - --entrypoints.web.address=:8000/tcp
            - --log.level=DEBUG
            - --accesslog=true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
          image: docker.io/traefik:v2.11.0
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /ping
              port: 9000
              scheme: HTTP
            initialDelaySeconds: 2
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          name: traefik
          ports:
            - containerPort: 9100
              name: metrics
              protocol: TCP
            - containerPort: 9000
              name: traefik
              protocol: TCP
            - containerPort: 8000
              name: web
              protocol: TCP
            - containerPort: 8443
              name: websecure
              protocol: TCP
          readinessProbe:
            failureThreshold: 1
            httpGet:
              path: /ping
              port: 9000
              scheme: HTTP
            initialDelaySeconds: 2
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /data
              name: data
            - mountPath: /tmp
              name: tmp
      securityContext:
        fsGroupChangePolicy: OnRootMismatch
        runAsGroup: 65532
        runAsNonRoot: true
        runAsUser: 65532
      serviceAccountName: traefik
      terminationGracePeriodSeconds: 60
      volumes:
        - emptyDir: {}
          name: data
        - emptyDir: {}
          name: tmp
And the Service:
apiVersion: v1
kind: Service
metadata:
  name: traefik
  # must live in traefik-system to match the publishedService argument above
  namespace: traefik-system
  # selector omitted by the poster
spec:
  ports:
    - name: web
      port: 80
      protocol: TCP
      targetPort: web
    - name: websecure
      port: 443
      protocol: TCP
      targetPort: websecure
  type: LoadBalancer
My app Ingress looks like this:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    kubernetes.io/ingress.class: traefik
    # router bound only to the websecure entrypoint (:8443, Service port 443)
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
  name: htdp
  namespace: htdp
spec:
  rules:
    - host: htdp.mydomain.com
      http:
        paths:
          - backend:
              service:
                name: htdp
                port:
                  number: 8000
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - htdp.mydomain.com
      secretName: tls-htdp-ingress-http
If I try to access htdp.mydomain.com/projects, my app doesn't receive anything, and the Traefik access log reports this:
"GET /projects HTTP/1.1" 404 19 "-" "-" 434 "-" "-" 0ms
What am I doing wrong?
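One check worth doing before changing anything: in Traefik's default (CLF) access log format the two quoted `"-"` fields after the request counter (`434`) are the router name and the backend server URL, so this line says no router matched at all, not that the app answered 404. The script below is an added example, not Traefik's code or anything from the original post. It models only the slice of Traefik 2 routing that the posted manifests exercise (entrypoints parsed from the Deployment args, one router per Ingress rule/path, the `router.entrypoints` annotation, host and prefix matching) and asks which router, if any, serves a request arriving on a given entrypoint. Two simplifications are assumptions: an Ingress counts as handled when the `kubernetes.io/ingress.class` annotation is absent or `traefik` (the default when no `--providers.kubernetesingress.ingressclass` is set), and a router without the `router.entrypoints` annotation is assumed to land on `web` and `websecure` only. The Ingress and args are reproduced from the post, trimmed to the routing-relevant fields.

```python
"""Model of the routing subset of Traefik 2 that the posted manifests exercise.

Added example, not Traefik's own code. A None result from match() is what
Traefik's built-in 404 (router "-" and server URL "-" in the access log) means.
"""
import re

# Constructed from the post: only the args that affect routing.
TRAEFIK_ARGS = [
    "--providers.kubernetesingress",
    "--providers.kubernetesingress.ingressEndpoint.publishedService=traefik-system/traefik",
    "--entrypoints.metrics.address=:9100/tcp",
    "--entrypoints.traefik.address=:9000/tcp",
    "--entrypoints.websecure.address=:8443/tcp",
    "--entrypoints.websecure.http.tls=true",
    "--entrypoints.web.address=:8000/tcp",
]

# Constructed from the post: the htdp Ingress as a plain dict (no PyYAML needed).
INGRESS = {
    "metadata": {
        "name": "htdp",
        "namespace": "htdp",
        "annotations": {
            "cert-manager.io/cluster-issuer": "letsencrypt-production",
            "kubernetes.io/ingress.class": "traefik",
            "traefik.ingress.kubernetes.io/router.entrypoints": "websecure",
            "traefik.ingress.kubernetes.io/router.tls": "true",
        },
    },
    "spec": {
        "rules": [{"host": "htdp.mydomain.com", "http": {"paths": [
            {"path": "/", "pathType": "Prefix",
             "backend": {"service": {"name": "htdp", "port": {"number": 8000}}}}]}}],
        "tls": [{"hosts": ["htdp.mydomain.com"], "secretName": "tls-htdp-ingress-http"}],
    },
}

ENTRYPOINT_RE = re.compile(r"^--entrypoints\.([^.]+)\.address=:(\d+)")
INTERNAL_ENTRYPOINTS = ("traefik", "metrics")  # assumption: never default targets for Ingress routers


def parse_entrypoints(args):
    """Map entrypoint name -> container port from --entrypoints.<name>.address=:<port>."""
    eps = {}
    for arg in args:
        m = ENTRYPOINT_RE.match(arg)
        if m:
            eps[m.group(1)] = int(m.group(2))
    return eps


def handled_by_traefik(ingress):
    """Assumed default: class annotation absent or 'traefik' means Traefik picks it up."""
    cls = ingress["metadata"].get("annotations", {}).get("kubernetes.io/ingress.class")
    return cls in (None, "traefik")


def routers_from_ingress(ingress, entrypoints):
    """One router per rule/path; the router.entrypoints annotation pins it to those entrypoints."""
    if not handled_by_traefik(ingress):
        return []
    ann = ingress["metadata"].get("annotations", {})
    pinned = ann.get("traefik.ingress.kubernetes.io/router.entrypoints")
    if pinned:
        eps = [e.strip() for e in pinned.split(",")]
    else:
        eps = [e for e in entrypoints if e not in INTERNAL_ENTRYPOINTS]
    unknown = set(eps) - set(entrypoints)
    if unknown:  # Traefik logs an error and drops the router in this case
        raise ValueError(f"router references undefined entrypoints: {sorted(unknown)}")
    routers = []
    for rule in ingress["spec"]["rules"]:
        for p in rule["http"]["paths"]:
            svc = p["backend"]["service"]
            routers.append({
                "entrypoints": eps,
                "host": rule.get("host"),
                "path": p["path"],
                "prefix": p.get("pathType", "Prefix") == "Prefix",
                "tls": ann.get("traefik.ingress.kubernetes.io/router.tls") == "true",
                # Traefik names Ingress-derived services <namespace>-<service>-<port>
                "service": f'{ingress["metadata"]["namespace"]}-{svc["name"]}-{svc["port"]["number"]}',
            })
    return routers


def match(routers, entrypoint, host, path):
    """Return the router that would serve the request, or None (Traefik answers 404)."""
    for r in routers:
        if entrypoint not in r["entrypoints"]:
            continue
        if r["host"] and r["host"] != host:
            continue
        hit = path.startswith(r["path"]) if r["prefix"] else path == r["path"]
        if hit:
            return r
    return None


if __name__ == "__main__":
    eps = parse_entrypoints(TRAEFIK_ARGS)
    routers = routers_from_ingress(INGRESS, eps)
    for ep in ("web", "websecure"):
        hit = match(routers, ep, "htdp.mydomain.com", "/projects")
        print(f"{ep} (:{eps[ep]}) GET /projects ->", hit["service"] if hit else "404, no router")
```

With the posted annotation the request is served only when it arrives on `websecure`; the same request on `web` (Service port 80) can never match, whatever the Host header. That matters with a Cloudflare proxy in front: in Cloudflare's Flexible SSL mode the edge terminates TLS and connects to the origin over plain HTTP on port 80, so the browser sees https:// while Traefik sees the `web` entrypoint. A quick way to tell the two apart on the real cluster is to bypass Cloudflare with `curl --resolve htdp.mydomain.com:443:<LoadBalancer IP> https://htdp.mydomain.com/projects -k` and the equivalent on port 80, and compare which one reproduces the `"-" "-"` log line.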