I'm trying to upgrade my traefik config from v1 to v2. I have gotten everything working except gitlab omnibus. traefik recognizes the route, but when I connect through traefik, I get an internal server error, while connecting directly to the docker port the site loads just fine.
I assume it is related to my tls config as all other non https containers are fine.
Why are you mounting /etc/traefik/? If there is a configuration file in ${DWD}/traefik then you are mixing static configuration, which you should not do.
There is no config file in the directory. I mapped it strictly to make access to the log files easier. I will map them directly but don't think it will make a difference since no config file is present.
Do you know if the error is produced by traefik or by the target server? What is in the logs?
Some software does not like being behind a proxy and requires special setup. I understand that you had it working with v1, but apparently there is something different in the way the request travels between hops that breaks it. We need to identify what it is and fix it.
I'd start with finding out if the target server receives the request at all or if the error is returned by traefik.
Since you are calling gitlab via HTTPS, maybe you have a certificate that cannot be verified.
The fact that you can access the application directly does not have to mean that the error comes from traefik - just for future reference. A proxy such as traefik can affect what headers are passed, and I've seen cases where, when misconfigured, the server would reply okay without traefik but would return a server error when the request comes through traefik, because of the changes to the request caused by traefik (mis)configuration.
Your logs show errors in generating the certificate, but it looks like a transient error. Also, it's a very small portion of the log; is there more?
I'd suggest that if you have issues both with acme and getting to the service, you debug them separately. Usually acme errors do not affect the back end much (except for broken https), so you can ignore those while you are debugging your service, but if you feel distracted by these errors, switch acme off temporarily and see if you can get it to talk to the service back end without it.
As I said in the previous message, one possible reason is that traefik cannot validate the cert that is supplied by the service. This also should produce an error in the log, but you are not showing that, so I don't know if that's happening. Where does that cert on the service come from, btw?
I have a similar issue. I have a computer external to the cluster (same network, but not a Kubernetes node) that is running Gitlab (not a container, installed old fashioned right on the drive).
I have the following set up to create a service that connects to it and makes it available in the cluster and then an ingress that references that service to make it accessible publicly:
After all this, my browser does report that the certificate is valid that it's receiving, but it's still receiving an Internal Server Error error 500. I can report that Gitlab is up though. It's a fresh install, and if I access directly in my network or if I point to it via DMZ then it has no issue.
It appears that you are using an Ingress object instead of IngressRoute. I don't think it supports the tls options the way you are specifying them.
Also, if your Gitlab is on the same network, why are you using traefik; that is, what are you trying to achieve? The direct connect should work.
If it must be traefik, I would not use your kubernetes ingress for that. Ingress's purpose is to facilitate traefik from outside to the cluster; this is not your case. You have the opposite direction, from the cluster outside. Set up a separate instance of traefik and use that if you must.
Many thanks @zespri for your comment. I'll turn on the logging and look more into Ingress object vs Ingress Route (I'd not heard of IngressRoutes).
I have other services I wish to make available in my cluster via subdomains. Instead of dealing with that routing elsewhere, I'm trying to keep it centralized in Kubernetes ingress (as my load 7 balancer) a bit like:
That way I can access my cluster from outside my local network (remotely when I travel and so others can collaborate).
I think that the tls is going through right as my browser is reporting the correct tls certificate. I could be reading this wrong though, or possibly the fact that it's passing through the certificate doesn't mean that it can read it properly? I'll report back here when I have more details. Thanks again!