Global http to https redirect in v2

From my experience, ingress on prem looks different from ingress in cloud, and I suspect, although I do not know for sure, that they also may look different between Azure, AWS and GCE, so it's already something that varies. So while I kind of see where you are coming from, I feel like I'm missing some information.

What platform are you hosting kubernetes in? What type of ingress did you use before traefik that used to be compatible?

Well yeah probably Ingresses are not quite portable between cloud vendors. My case here belongs to a k8s on premise. We've been using traefik v1 from the beginning. But still, I like portability. Maybe someone can point out portability of Ingresses between cloud vendors here.

But since the combination of IngressRoutes and Ingresses actually works, there is nothing to complain about. That's the combination of simplicity and complexity I was writing about. Only the v2 docs lack some information here and there. The thing with the priority should be documented better, as well as the combination of Ingresses and IngressRoutes; I had to spend some hours yesterday figuring the v2 stuff out.

It's a bit of a hijack :wink:

This one doesn't catch the http in the catchall. It doesn't redirect http to https.

version: "3.3"

networks:
  traefik:
    external: true

services:

  traefik:
    image: "traefik:v2.0"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web-secure.address=:443"
      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge=true"
      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web-secure"
      #- "--certificatesresolvers.myhttpchallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myhttpchallenge.acme.email=me@mail.com"
      - "--certificatesresolvers.myhttpchallenge.acme.storage=/letsencrypt/acme.json"
    labels:
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    networks:
      - "traefik"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  inner-whoami:
    image: "containous/whoami"
    container_name: "inner-whoami"
    networks:
      - "traefik"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.inner-whoami.rule=Host(`sub.domaine.com`)"
      - "traefik.http.routers.inner-whoami.entrypoints=web"
      - "traefik.http.routers.inner-whoami-secured.rule=Host(`sub.domaine.com`)"
      - "traefik.http.routers.inner-whoami-secured.entrypoints=web-secure"
      - "traefik.http.routers.inner-whoami-secured.tls=true"
      - "traefik.http.routers.inner-whoami-secured.tls.certresolver=myhttpchallenge"

I tried to comment out the lines of whoami related to the router for http, but it just makes http go into a 404 error.

1 Like

@Thibd could you resolve your problem? I'm having the same problem and I'm using similar configs...
Could you share your solution if you found one?

Hi @Dan42

I tried to use labels for redirect on each service and I still had errors. After getting some help, it turned out that the http challenge has to be done on port 80, so that:

- "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web-secure"

has to be replaced by:

- "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web"

I did not re-test it with the above code. I will stick with adding labels on each service because this is for a remote dev environment and it gives some flexibility. Tell me if you had some success.

Regards
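For readers who want the catch-all variant from the first post working end to end, here is a corrected compose file. It is an added example, not a file from either poster or from the Traefik project. It applies the fix stated above (the HTTP-01 challenge entrypoint must be the one on port 80, i.e. `web`) and two further changes that are my own: with `providers.docker.exposedbydefault=false` the traefik container itself also needs `traefik.enable=true`, otherwise the `http-catchall` router and `redirect-to-https` middleware defined on it are silently ignored (which matches "the middleware and the router didn't show up in the dashboard"); and port 8080 is no longer published, because `api.insecure=true` serves the API and dashboard with no authentication. Hostname, e-mail and image names are the placeholders from the original post.

```yaml
version: "3.3"

networks:
  traefik:
    external: true

services:
  traefik:
    image: "traefik:v2.0"
    container_name: "traefik"
    command:
      - "--log.level=INFO"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web-secure.address=:443"
      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge=true"
      # The ACME HTTP-01 challenge is always delivered on port 80, so the
      # challenge entrypoint has to be the one listening on :80 (the fix
      # described in the reply above), not the TLS entrypoint.
      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myhttpchallenge.acme.email=me@mail.com"
      - "--certificatesresolvers.myhttpchallenge.acme.storage=/letsencrypt/acme.json"
    labels:
      # Assumption from my side: with exposedbydefault=false, Traefik skips
      # its own container's labels too unless it is explicitly enabled, so
      # without this line the catch-all router never exists.
      - "traefik.enable=true"
      # Global catch-all on the plain-HTTP entrypoint. Traefik answers the
      # /.well-known/acme-challenge/ requests itself with top priority, so
      # this redirect does not interfere with certificate issuance.
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
    ports:
      - "80:80"
      - "443:443"
      # 8080 intentionally not published: api.insecure=true has no auth.
      # Use the dashboard through a TLS router with a middleware in front,
      # or reach it only from inside the docker network.
    networks:
      - "traefik"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  inner-whoami:
    image: "containous/whoami"
    container_name: "inner-whoami"
    networks:
      - "traefik"
    labels:
      - "traefik.enable=true"
      # Only the HTTPS router is needed. Plain-HTTP requests for this host
      # are caught by http-catchall on `web` and redirected before they
      # could reach the service, so no second router on `web` is required.
      - "traefik.http.routers.inner-whoami-secured.rule=Host(`sub.domaine.com`)"
      - "traefik.http.routers.inner-whoami-secured.entrypoints=web-secure"
      - "traefik.http.routers.inner-whoami-secured.tls=true"
      - "traefik.http.routers.inner-whoami-secured.tls.certresolver=myhttpchallenge"
```

A quick check after `docker-compose up`: `curl -I http://sub.domaine.com/` should return a 301 with a `Location: https://sub.domaine.com/` header, and the Traefik log at INFO level should show no `acme` errors. If the catch-all router is still missing from the dashboard, the first thing to verify is the `traefik.enable=true` label on the traefik service itself.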

Hi @Thibd,
my cert configs were correct.
I played around, but in the end I only got it working with the provided (Post #3) dynamic .toml file configs.
Setting the redirect with labels didn't work out for me and I don't know why. The middleware and the router didn't show up in traefik dashboard. Adding the suggested noop service via labels didn't change anything.

Same, I am also stuck on this http to https redirect.

Indeed it seems crazy that I'm going to have to deploy a service in Kubernetes that is never hit. As-is, when deploying the almost exact manifest you provided, it yields: Cannot create service: service not found traefik/dummy.

@raffis what did you use for a dummy service, something that takes almost no resources I presume? Advice welcome.

EDIT: I found a small test image I had around to test rolling updates - rosskevin/example-nginx:1.0

what did you use for a dummy service, something that takes almost no resources I presume?

It appears that you are mixing up a service and a pod. Otherwise resource usage of a service would be no concern.

A service is not live without a deployment and the subsequent running/ready pod which consumes resources, all for what should be an inconsequential config.

No, I'm not mixed up at all.

"not live"? What do you mean?

An IngressRoute won't be live unless there is a live kubernetes service (see the error I posted). A kubernetes service won't be live without a ready kubernetes deployment/pod.

In order to create a global https redirect, I need all of the above, and the running pod (that is never hit) consumes resources.

It appears that you use "live" in some colloquial meaning, but you do not define what that meaning is. If you look at the Kubernetes documentation there is no categorization of Kubernetes objects or CRDs into live and not-live (except for the liveness probe, which only applies to pods). They either exist in the cluster or they do not.

So when you say:

A service is not live without a deployment

This is either incorrect (it's perfectly possible to create a service without a deployment), or irrelevant (the fact that a service is not related to other Kubernetes objects does not matter for Traefik).

So I'm asking again, what do you mean by saying that a service (or IngressRoute ) is "live"?

Ok, please provide a sample of an IngressRoute with a kubernetes service that is "registered" with kubernetes and has no errors in the log that can satisfy this global https redirect case. Can you? I do not believe you can.

Live is referring to a liveness probe, a Kubernetes term from the deployment manifest that measures a pod's state. A service is useless without a deployment, just as an IngressRoute is without a service. Colloquial, no; transitive, yes. A service cannot transitively be live unless it is linked to a pod that is both "ready" and "live".

Feel free to parse semantics all you like, as far as I can tell, you need all of the above to perform a global https redirect.

All I'm saying, and I feel I'm repeating myself, is that you can create a service without a pod or deployment, and this will be enough for the purpose of an IngressRoute. The error that you cited is because you did not create the service.

No arguments that having a dummy service just for the purpose of pleasing Traefik seems unnecessary; the point is, it does not cost any non-trivial resources, and you do not need deployments and/or pods for that to work.

You can not. As I posted above, a service descriptor pointed at a non-existent deployment yields:

Cannot create service: service not found traefik/dummy.

Where traefik is the namespace and dummy is the non-existent deployment.

Well, that must be because you need to point an IngressRoute to a service, not to a deployment, no?

IngressRoute in the above case points to a service and the service points to a non-existent deployment.

In the above case no service definition was actually given, so it's hard to reason about it. I would question why someone would point a service to a non-existent deployment.

"service not found" means that there is no service defined with that name. Please check if you have service named dummy in namespace named traefik at the point in time when you get this error message.