Hi there,
I'm currently setting up a k8s cluster with traefik and the traefik kubernetes-crd for ingress.
I've got everything up and running, and it works perfectly and fast.
The only issue I cannot seem to tackle or find any solution for on the internet is how to pass through the client IP to the service.
I'm getting the pod IP or 127.0.0.1.
Even in the X-Forwarded-For header I'm getting the external server IP.
I've been spending days on this and so far no luck whatsoever xD
I need the client IP if I want to add a useful IP whitelist for my customers.
Any help or thoughts are very much appreciated.
Thanks, Lars
This is my setup:
Linux Debian 10
K8s 1.18
Traefik 2.1
Using the custom CRD setup of Traefik
Calico pod network CIDR: 10.244.0.0/16
Container setup in deployment:
```yaml
containers:
  - name: traefik
    image: traefik:v2.1
    args:
      - --log.level=DEBUG
      - --api
      - --api.insecure
      - --entrypoints.web.address=:80
      # insecure=true accepts X-Forwarded-* and PROXY protocol from any peer
      - --entrypoints.web.forwardedHeaders.insecure=true
      - --entrypoints.web.proxyProtocol.insecure=true
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.forwardedHeaders.insecure=true
      - --entrypoints.websecure.proxyProtocol.insecure=true
      - --providers.kubernetescrd
      - --certificatesresolvers.le.acme.httpchallenge
      - --certificatesresolvers.le.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.le.acme.email=<omitted>
      - --certificatesresolvers.le.acme.storage=/etc/traefik/live/acme.json
    volumeMounts:
      - mountPath: /etc/traefik/live
        name: traefik-cache
    ports:
      - name: web
        containerPort: 80
      - name: websecure
        containerPort: 443
      - name: admin
        containerPort: 8080
```
Service:
```yaml
---
apiVersion: v1
kind: Service
metadata:
  name: traefik
spec:
  type: LoadBalancer
  externalIPs:
    - {{ ipv4.address }}
  selector:
    app: traefik
  externalTrafficPolicy: Local
  ports:
    - protocol: TCP
      port: 80
      name: web
      targetPort: 80
    - protocol: TCP
      port: 443
      name: websecure
      targetPort: 443
    - protocol: TCP
      port: 8080
      name: admin
      targetPort: 8080
```
Whoami dummy deployment:
```yaml
---
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: whoami
  labels:
    app: whoami
spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: containous/whoami
          ports:
            - name: web
              containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
  selector:
    app: whoami
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: simpleingressroute
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`host`)
      kind: Rule
      middlewares:
        # Middleware defined elsewhere (not included in this post)
        - name: redirect-to-https
          namespace: default
      services:
        - name: whoami
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutetls
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`host`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls:
    certResolver: le
    options:
      # TLSOption defined elsewhere (not included in this post)
      name: versiontls12
      namespace: default
```
Result:
```
Hostname: whoami-678c86b5c7-2ztjh
IP: 127.0.0.1
IP: 10.244.3.170 <-- pod ip
RemoteAddr: 10.244.3.177:33388
Host: host
Cache-Control: max-age=0
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: {{ external server ip }}
X-Forwarded-Host: host
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: traefik-57f986cd46-bc46g
X-Real-Ip: {{ external server ip }}
```
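The `forwardedHeaders.insecure=true` and `proxyProtocol.insecure=true` flags in the deployment above make Traefik accept X-Forwarded-For (and PROXY protocol) from any TCP peer, which matters as soon as the recovered client IP feeds an IP whitelist: an outside client can then write an allow-listed address into the header itself. The Python below is an added example, not code from the post or from the Traefik project. It models the entry point's forwardedHeaders trust decision (`insecure` versus `trustedIPs`) and the IPWhiteList middleware's `ipStrategy` `depth` / `excludedIPs` selection, and runs three constructed requests through them. The pod CIDR comes from the post; the customer range, the attacker's peer address and the in-cluster load-balancer hop are hypothetical values made up for the example, and the functions are a simplified model of Traefik's behaviour rather than its source.

```python
from ipaddress import ip_address, ip_network

# Constructed values for this example; only the pod CIDR appears in the post.
POD_CIDR = "10.244.0.0/16"               # Calico pod network from the post
CUSTOMER_ALLOWLIST = ["203.0.113.0/24"]  # hypothetical customer range
ATTACKER_PEER = "198.51.100.7"           # hypothetical untrusted TCP peer
LB_PEER = "10.244.0.1"                   # hypothetical trusted in-cluster hop


def parse_xff(header):
    """Split an X-Forwarded-For value into its comma-separated hops."""
    if not header:
        return []
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def in_any(addr, cidrs):
    """True if addr lies inside any of the given CIDRs (False for junk)."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in ip_network(c, strict=False) for c in cidrs)


def accepted_xff(peer, xff_header, trusted_ips=(), insecure=False):
    """Model of an entry point's forwardedHeaders setting.

    insecure=true keeps X-Forwarded-For from every TCP peer; trustedIPs keeps
    it only when the peer is a listed proxy and discards it otherwise, so an
    outside client cannot inject hops of its own choosing.
    """
    if insecure or in_any(peer, trusted_ips):
        return parse_xff(xff_header)
    return []


def client_ip_depth(xff, depth):
    """ipStrategy.depth: the hop `depth` positions from the right of the
    accepted X-Forwarded-For list. Too few hops yields no client IP, which a
    whitelist must treat as a deny."""
    if depth < 1 or len(xff) < depth:
        return ""
    return xff[-depth]


def client_ip_excluded(xff, excluded_ips):
    """ipStrategy.excludedIPs: scan from the right and return the first hop
    that is not a known proxy; no such hop means no client IP."""
    for hop in reversed(xff):
        if not in_any(hop, excluded_ips):
            return hop
    return ""


def whitelist_allows(client_ip, allowed):
    """IPWhiteList decision: an empty client IP never matches."""
    return bool(client_ip) and in_any(client_ip, allowed)


def spoof_demo():
    """Three requests evaluated with depth=1, with and without insecure=true."""
    forged = "203.0.113.9"  # attacker writes an allow-listed address into XFF
    results = {}

    # 1. insecure=true: the attacker's forged header is honoured as-is.
    xff = accepted_xff(ATTACKER_PEER, forged, insecure=True)
    results["insecure_spoofed"] = whitelist_allows(
        client_ip_depth(xff, 1), CUSTOMER_ALLOWLIST)

    # 2. trustedIPs limited to in-cluster hops: the forged header is dropped.
    xff = accepted_xff(ATTACKER_PEER, forged, trusted_ips=[POD_CIDR])
    results["trusted_ips_spoofed"] = whitelist_allows(
        client_ip_depth(xff, 1), CUSTOMER_ALLOWLIST)

    # 3. A real customer whose address a trusted hop put into XFF still passes.
    xff = accepted_xff(LB_PEER, "203.0.113.9", trusted_ips=[POD_CIDR])
    results["trusted_ips_legit"] = whitelist_allows(
        client_ip_depth(xff, 1), CUSTOMER_ALLOWLIST)

    return results


if __name__ == "__main__":
    for name, allowed in spoof_demo().items():
        print(f"{name}: {'ALLOWED' if allowed else 'denied'}")
```

The practical reading of the model: whichever `depth` or `excludedIPs` value is chosen has to match the hops that are actually in front of Traefik, and the header must only be accepted from those hops (`--entrypoints.web.forwardedHeaders.trustedIPs=...`, and likewise `proxyProtocol.trustedIPs` if PROXY protocol is in use). With `insecure=true` the whitelist can be satisfied by anyone who can set a request header.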