Issues with WSL2 and traefik on k3s

Traefik Traefik v2
1

Hi guys,

I struggling accessing test webpages on my k3s setup with Traefik ingress. Here's what I had done so far:

- Configured wsl2 with networkmode mirrored

- Setup k3s with Traefik disabled

- Deployed Traefik via helm with the following values.yaml

service:
  type: LoadBalancer
ports:
  web:

    port: 8000
    exposedPort: 8000
    protocol: TCP

  websecure:
    port: 8443
    exposedPort: 8443
    protocol: TCP
    tls:
      enabled: true

# --- Your other existing values ---
ingressRoute:
  dashboard:
    enabled: true
    matchRule: Host(`dashboard.localtest.me`)
    entryPoints:
      - web
      - websecure

providers:
  kubernetesGateway:
    enabled: true

gateway:
  namespacePolicy: All%

- Deployed the following test application

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-world
  labels:
    app: hello-world
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-world
  template:
    metadata:
      labels:
        app: hello-world
    spec:
      containers:
      - name: hello-world
        image: hashicorp/http-echo
        args:
        - "-text=Hello, World!"
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: hello-world
spec:
  selector:
    app: hello-world
  ports:
    - protocol: TCP
      port: 80
      targetPort: 5678
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-world-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
  - host: test.localtest.me
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: hello-world
            port:
              number: 80

- Tried to access the deployment via:

curl -H "Host: echo.localhost" http://localhost:8000

But this is not working. To exclude network issues I started a docker container on the wsl2 instance

docker run -d --name wsl-echo-test -p 9000:9000 --env HTTP_PORT=9000 mendhak/http-https-echo

This service can be accessed from the browser as also via curl. When I check the logout from svlc-traefik the port forwarding seems also be correct. So don't have any idea what's wrong with the setup.... Any ideas or help?

Thanks

Framas

+ trap exit TERM INT
+ BIN_DIR=/usr/sbin
+ check_iptables_mode
+ set +e
+ lsmod
+ grep -qF nf_tables
+ '[' 1 '=' 0 ]
+ mode=legacy
+ set -e
+ info 'legacy mode detected'
[INFO]  legacy mode detected
+ set_legacy
+ ln -sf xtables-legacy-multi /usr/sbin/iptables
+ ln -sf xtables-legacy-multi /usr/sbin/iptables-save
+ ln -sf xtables-legacy-multi /usr/sbin/iptables-restore
+ ln -sf xtables-legacy-multi /usr/sbin/ip6tables
+ start_proxy
+ grep -Eq :
+ echo 0.0.0.0/0
+ iptables -t filter -I FORWARD -s 0.0.0.0/0 -p TCP --dport 8000 -j ACCEPT
+ echo 10.43.80.66
+ grep -Eq :
+ cat /proc/sys/net/ipv4/ip_forward
+ '[' 1 '==' 1 ]
+ iptables -t filter -A FORWARD -d 10.43.80.66/32 -p TCP --dport 8000 -j DROP
+ iptables -t nat -I PREROUTING -p TCP --dport 8000 -j DNAT --to 10.43.80.66:8000
+ iptables -t nat -I POSTROUTING -d 10.43.80.66/32 -p TCP -j MASQUERADE
+ '[' '!' -e /pause ]
+ mkfifo /pause
2

What is not working? Connection refused, page not found (404)?

It seems your rule does not match your Host header.

Enable and check Traefik debug log (doc) and also Traefik access log in JSON format (doc).

3

I don't think so. From the private address it's working but not from localhost.

image
image982×444 39.5 KB

There might be sth wrong about the iptables rules from svclb-traefik service (see log above)

4

What is not working? Connection refused, page not found (404)?

Don’t know much about k3s, but this seems strange:

curl -H "Host: echo.localhost"

 vs

rules:
  - host: test.localtest.me
5

Oh my bad on my first message I copied the wrong command. It should be like the 2nd in the screenshot - and there you will see that connection via localhost could not be established (timeout). Also tcp connect test via netcat to 192.168.1.230 is working and to localhost 8000 it times out. So I think it might have sth to do with the iptables rulset - seems not to work properly on wsl2...

6

Which Linux distribution do you run in WSL?

7

Hi, I'm using Arch Linux with k3s-bin from aur (which wraps only the install and provides a systemd unit).