[EKS/helm]: traefik dashboard port/entrypoint not reachable via IngressRoute from helm chart

I'm using helm chart version traefik-26.0.0 from Traefik Charts | charts, app version v2.10.6

I can't connect to port 9000 opened by the following config changes I made to the default helm values, from the IngressRoute that I enabled for the dashboard. I even exposed ports.traefik, and I've added an ingress rule for port 9000 on the security group on the NLB created by the traefik LoadBalancer type Service in EKS.

config


ingressClass:
  enabled: true
  isDefaultClass: true
  name: traefik-internal

## Create an IngressRoute for the dashboard
ingressRoute:
  dashboard:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: traefik-internal


logs:
  general:
    level: DEBUG
  access:
    # -- To enable access logs
    enabled: true

ports:
  traefik:
    exposed: true
  metrics:
    exposed: true
  web:
    redirectTo:
      port: websecure

providers:
  kubernetesIngress:
    publishedService:
      enabled: true

service:
  # -- Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config)
  annotations:
    # make the aws Load Balancer Controller, rather than the cloud controller, create the LB:
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    # use IP targets: requires fewer SG rules; not sure if this is documented for Traefik in AWS
    # the default is "instance"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    # place the load balancer service in a public subnet so it can be routable from the internet
    # the default is "internal" which won't work for public applications
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"

tests

k -n traefik get svc # get the CLUSTER-IP and EXTERNAL-IP

k -n traefik run -it --rm netshoot --image=nicolaka/netshoot
nc -zv <CLUSTER-IP> 443 # connects (websecure entrypoint)
nc -zv <CLUSTER-IP> 9000 # does not connect

# back on my host
host <EXTERNAL-IP> # resolves
nc -zv <EXTERNAL-IP> 443 # connects (websecure entrypoint)
nc -zv <EXTERNAL-IP> 9000 # does not connect

The Service is not showing the dashboard port as being exposed, even though I set ports.traefik.expose to true:

Name:                     traefik-internal
Namespace:                traefik
Labels:                   app.kubernetes.io/instance=traefik-internal-traefik
                          app.kubernetes.io/managed-by=Helm
                          app.kubernetes.io/name=traefik
                          helm.sh/chart=traefik-26.0.0
Annotations:              meta.helm.sh/release-name: traefik-internal
                          meta.helm.sh/release-namespace: traefik
                          service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: tf_handle=traefik-internal-vepp70v
                          service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
                          service.beta.kubernetes.io/aws-load-balancer-scheme: internal
                          service.beta.kubernetes.io/aws-load-balancer-type: external
Selector:                 app.kubernetes.io/instance=traefik-internal-traefik,app.kubernetes.io/name=traefik
Type:                     LoadBalancer
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       10.100.182.219
IPs:                      10.100.182.219
LoadBalancer Ingress:     foo
Port:                     web  80/TCP
TargetPort:               web/TCP
NodePort:                 web  31785/TCP
Endpoints:                172.31.69.180:8000
Port:                     websecure  443/TCP
TargetPort:               websecure/TCP
NodePort:                 websecure  31296/TCP
Endpoints:                172.31.69.180:8443
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>

I would think it is necessary to have the traefik 9000 port exposed on the Service in order to have the dashboard IngressRoute work, since a traefik route specifies an entrypoint, and the rules and backend associated with it.

The startup logs show no errors, and the pods from the traefik deployment are healthy.

If I use the web entrypoint, I can access the dashboard (while remembering to put that darn trailing slash after "dashboard" in the URL!).
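Added example, not part of the original post or the Traefik chart: Helm accepts a values key that no template reads unless the chart ships a schema that rejects it, so a check like this compares the posted override keys against the chart defaults and reports what the merged `expose` flag ends up being. `CHART_DEFAULTS` is a constructed excerpt whose key names are an assumption based on the `ports.traefik.expose` key named in the post (replace it with the parsed output of `helm show values` for the chart version in use); `unknown_keys` and `exposed_admin_ports` are hypothetical helper names.

```python
# Constructed excerpt standing in for the chart's default values.
# ASSUMPTION: key names follow the `ports.traefik.expose` key named in the post.
CHART_DEFAULTS = {
    "ports": {
        "traefik": {"port": 9000, "expose": False, "exposedPort": 9000, "protocol": "TCP"},
        "metrics": {"port": 9100, "expose": False, "exposedPort": 9100, "protocol": "TCP"},
    },
    # An empty map in the defaults is treated as free-form (any key allowed).
    "service": {"annotations": {}},
}

# Excerpt of the override values as posted above.
USER_VALUES = {
    "ports": {"traefik": {"exposed": True}, "metrics": {"exposed": True}},
    "service": {"annotations": {
        "service.beta.kubernetes.io/aws-load-balancer-scheme": "internet-facing",
    }},
}


def unknown_keys(user, defaults, path=""):
    """Return dotted paths of override keys that have no counterpart in the defaults."""
    found = []
    for key, value in user.items():
        here = f"{path}.{key}" if path else key
        if key not in defaults:
            found.append(here)
        elif isinstance(value, dict) and isinstance(defaults[key], dict) and defaults[key]:
            # Recurse only into maps the chart defines keys for.
            found.extend(unknown_keys(value, defaults[key], here))
    return found


def exposed_admin_ports(user, defaults, names=("traefik", "metrics")):
    """Return the admin entrypoints whose merged `expose` flag is true."""
    exposed = []
    for name in names:
        merged = {**defaults["ports"].get(name, {}),
                  **user.get("ports", {}).get(name, {})}
        if merged.get("expose") is True:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    print("keys with no chart default:", unknown_keys(USER_VALUES, CHART_DEFAULTS))
    print("admin ports on the Service:", exposed_admin_ports(USER_VALUES, CHART_DEFAULTS))
```

Keys the chart leaves commented out in its defaults will also be reported, so treat the output as a list to verify against the chart's documentation. When `exposed_admin_ports` is non-empty, compare it with the load balancer scheme annotation, since the dashboard and metrics entrypoints would then be published on that load balancer.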