HTTPS redirect does not work if I use traefik in non privileged mode

What I expect to see

We want to use traefik on our Kubernetes cluster in non-privileged mode. So we basically built a custom traefik image where we embedded the `traefik:v1.7.26-alpine` image and created a user. Everything is working fine besides the https redirect. The https redirect works fine if I don't use traefik in non-privileged mode.

What did you see instead

For example, if I just type http://hello.com, then it should redirect to https://hello.com. This is not working.

Output of traefik version : ( What version of Traefik are you using? )

```
Version:      v1.7.26
Codename:     maroilles
Go version:   go1.14.6
Built:        2020-07-28_03:45:27PM
OS/Arch:      linux/amd64
```

What is your environment & configuration (arguments, toml, provider, platform, ...)?

We are running traefik on top of Kubernetes. Below are the deployment, the service and the Dockerfile.

deployment.yaml

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
    name: traefik
spec:
    selector:
        matchLabels:
            app: traefik
    replicas: 1
    template:
        metadata:
            labels:
                app: traefik
        spec:
            containers:
            - name: traefik
              image: docker.cognigy.com:5000/traefik:1.7.26-alpine_non_priviledged
              resources:
                requests:
                    memory: "70Mi"
                    cpu: "200m"
                limits:
                    memory: "200Mi"
                    cpu: "2000m"
              args: [
                "--api",
                "--kubernetes",
                "--entryPoints=Name:http Address::8000 Redirect.EntryPoint:https",
                "--entryPoints=Name:https Address::4430 TLS:/run/secrets/traefik.cert,/run/secrets/traefik.key TLS.MinVersion:VersionTLS12 ProxyProtocol.TrustedIPs:0.0.0.0/0 WhiteList.UseXForwardedFor:true",
                "--defaultentrypoints=http,https",
                "--metrics.prometheus=true"
              ]
              ports:
                - name: http
                  containerPort: 8000
                - name: https
                  containerPort: 4430
              volumeMounts:
                 - name: traefik
                   mountPath: /var/run/secrets/
            volumes:
            - name: traefik
              secret:
                  secretName: cognigy-traefik
                  items:
                    - key: tls.crt
                      path: traefik.cert
                    - key: tls.key
                      path: traefik.key
            imagePullSecrets:
            - name: cognigy-registry-token
```

service.yaml

```yaml
apiVersion: v1
kind: Service
metadata:
    name: traefik
    labels:
        app: traefik
spec:
    ports:
    - name: traefik-http
      port: 80
      targetPort: 8000
      protocol: TCP
    - name: traefik-https
      port: 443
      targetPort: 4430
      protocol: TCP
    - protocol: TCP
      port: 8080
      name: admin
    externalIPs:
      - x.x.x.x
    type: LoadBalancer
    selector:
        app: traefik
```

dockerfile

```dockerfile
FROM traefik:1.7.26-alpine

RUN addgroup -g 1000 traefik && \
    adduser -D -u 1000 -G traefik traefik

USER traefik
```

Can someone guide me on what I am missing here?

Hmm -- not exactly sure, but I would venture it's maybe a permissions problem between, for example, the root user and your traefik user? Can the traefik user read the tls.key? Usually the permissions on the key are 600.

But if we use https directly then it works. For example, hitting https://hello.com directly works, but the http to https redirect does not work. If the traefik user could not read tls.key then https should not work at all, isn't it?

Where does hello.com resolve? The reverse proxy or the backend target?

The https resolution is happening in the reverse proxy, and then traefik forwards the request to the backend service.

Yea, looking at your problem again I see what you are saying. The redirect is taking place. Have you tried using `curl -v` to see if that provides any information, or the log files?
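Following the curl suggestion above, an added example (not part of any post in this thread) that classifies the response headers of a plain-HTTP request: it reports whether a redirect is returned and whether its `Location` uses https on a port the Service above publishes (80, 443, 8080). The function name `check_redirect`, the `PUBLISHED_PORTS` variable and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Classify the redirect found in the headers printed by `curl -sI http://<host>/`.
# Assumption: 80, 443 and 8080 are the ports published by the Service in this thread.
PUBLISHED_PORTS="80 443 8080"

check_redirect() {
    # $1: raw response headers (status line followed by header lines)
    headers=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
    location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2; exit}')

    case "$status" in
        301|302|307|308) ;;
        *) echo "no-redirect status=$status"; return 1 ;;
    esac
    [ -n "$location" ] || { echo "redirect-without-location status=$status"; return 1; }

    # Split Location into scheme and authority, then derive the effective port.
    scheme=${location%%://*}
    rest=${location#*://}
    authority=${rest%%/*}
    case "$authority" in
        *:*) port=${authority##*:} ;;
        *)   if [ "$scheme" = "https" ]; then port=443; else port=80; fi ;;
    esac

    [ "$scheme" = "https" ] || { echo "not-https location=$location"; return 1; }
    for p in $PUBLISHED_PORTS; do
        if [ "$p" = "$port" ]; then echo "ok location=$location"; return 0; fi
    done
    # The client is being sent to a port that the Service does not expose.
    echo "unpublished-port port=$port location=$location"
    return 1
}

# Constructed sample responses (not captured from the poster's cluster).
SAMPLE_OK='HTTP/1.1 302 Found
Location: https://hello.com/
'
SAMPLE_PORT='HTTP/1.1 302 Found
Location: https://hello.com:4430/
'
SAMPLE_NONE='HTTP/1.1 404 Not Found
Content-Type: text/plain
'
# Live use: check_redirect "$(curl -sI http://hello.com/)"
```

Comparing the result for the privileged and non-privileged deployments shows whether the difference is in the redirect response itself or in what happens after the client follows it.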