Hi this is my first time working with Traefik. I followed the quick start kubernetes documentation and added HTTPS with HTTP-01 challenge Let's Encrypt and TLS termination. The certificate is valid and the endpoints are accessible. However the Traefik pod slowly accumulates memory, even when nothing is calling the endpoints and eventually crashes due to out of memory. I'm hoping there is some noob error in my config that someone can point out. Any help is very much appreciated.
>> kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ovrservices-ingress <none> mydomain.com 80, 443 25h
whoami-ingress <none> mydomain.com 80, 443 3d7h
>> kubectl describe ingress mydomain-ingress
Name: mydomain-ingress
Labels: <none>
Namespace: default
Address:
Ingress Class: <none>
Default backend: <default>
TLS:
mydomain-tls terminates mydomain.com
Rules:
Host Path Backends
---- ---- --------
mydomain.com
/ traefik-service:80 (10.244.2.196:80)
Annotations: cert-manager.io/issuer: letsencrypt-prod
Events: <none>
>> kubectl get pods
NAME READY STATUS RESTARTS AGE
traefik-deployment-5b55f44d4d-jdptm 1/1 Running 21 (16m ago) 5h9m
whoami-7f55677887-nwg84 1/1 Running 0 3d7h
>> kubectl describe pod traefik-deployment-5b55f44d4d-jdptm
Name: traefik-deployment-5b55f44d4d-jdptm
Namespace: default
Priority: 0
Service Account: traefik-account
Node: aks-pool1-38186103-vmss000000/10.224.0.7
Start Time: Mon, 22 May 2023 13:22:48 -1000
Labels: app=traefik
pod-template-hash=5b55f44d4d
Annotations: kubectl.kubernetes.io/restartedAt: 2023-05-21T17:36:55-10:00
Status: Running
IP: ipmasked
IPs:
IP: ipmasked
Controlled By: ReplicaSet/traefik-deployment-5b55f44d4d
Containers:
traefik:
Container ID: containerd://448decb60a76db36537530acdffff8f8559b0ea49e629c7256a75dc3c491d226
Image: traefik:v2.10
Image ID: docker.io/library/traefik@sha256:7347d4d189642064337fe4eb615d14de2d44f287cb7e1189752fb7399a5ad843
Ports: 80/TCP, 443/TCP
Host Ports: 0/TCP, 0/TCP
Args:
--log.level=DEBUG
--providers.kubernetesingress
--entrypoints.web.address=:80
--entrypoints.websecure.address=:443
State: Running
Started: Mon, 22 May 2023 18:16:49 -1000
Last State: Terminated
Reason: OOMKilled
Exit Code: 137
Started: Mon, 22 May 2023 18:12:29 -1000
Finished: Mon, 22 May 2023 18:16:33 -1000
Ready: True
Restart Count: 21
Limits:
cpu: 500m
memory: 512Mi
Requests:
cpu: 250m
memory: 64Mi
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-blnfm (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
kube-api-access-blnfm:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: Burstable
Node-Selectors: <none>
Tolerations: node.kubernetes.io/memory-pressure:NoSchedule op=Exists
node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Created 20m (x21 over 5h10m) kubelet Created container traefik
Normal Started 20m (x21 over 5h10m) kubelet Started container traefik
Warning BackOff 16m (x20 over 3h57m) kubelet Back-off restarting failed container
Normal Pulled 16m (x22 over 5h10m) kubelet Container image "traefik:v2.10" already present on machine
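apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mydomain-ingress
  # No cert-manager annotation here: the TLS secret "mydomain-tls" is issued by
  # the Certificate "mydomain-certificate" (issuerRef kind: ClusterIssuer).
  # The previous "cert-manager.io/issuer: letsencrypt-prod" annotation addresses
  # a namespaced Issuer, and only a ClusterIssuer of that name is defined; a
  # ClusterIssuer is addressed by "cert-manager.io/cluster-issuer". Presumably
  # the ingress-shim would also create a second Certificate for the same
  # secret — confirm before re-adding either annotation.
spec:
  tls:
    - hosts:
        - mydomain.com
      secretName: mydomain-tls
  rules:
    - host: mydomain.com
      http:
        paths:
          - pathType: Prefix
            path: "/"
            # NOTE(review): this backend is Traefik's own Service
            # (traefik-service, selector app=traefik), i.e. the controller that
            # serves this Ingress. Every request for mydomain.com that does not
            # match a longer path (e.g. /who) is sent back into Traefik itself,
            # which is a plausible source of the idle memory growth and OOMKills.
            # Confirm the intended backend; an Ingress should point at a
            # workload Service, not at the ingress controller.
            backend:
              service:
                name: traefik-service
                port:
                  number: 80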
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-service
spec:
  # Cloud load balancer in front of the Traefik pods (selector app=traefik).
  type: LoadBalancer
  selector:
    app: traefik
  # targetPort values are the named container ports of the traefik Deployment.
  ports:
    - port: 80
      name: web
      targetPort: web
    - port: 443
      name: websecure
      targetPort: websecure
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-deployment
  labels:
    app: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      # Bound to traefik-role via traefik-role-binding (read services,
      # endpoints, secrets, ingresses cluster-wide).
      serviceAccountName: traefik-account
      containers:
        - name: traefik
          image: traefik:v2.10
          # DEBUG is very verbose for an internet-facing proxy; it is useful
          # while chasing this issue, but consider INFO once resolved.
          args:
            - --log.level=DEBUG
            - --providers.kubernetesingress
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.address=:443
          ports:
            - containerPort: 80
              name: web
            - containerPort: 443
              name: websecure
          # The 512Mi limit is what the kubelet enforces when the pod is
          # OOMKilled (exit code 137 in the pod description above).
          resources:
            requests:
              cpu: "250m"
              memory: "64Mi"
            limits:
              cpu: "500m"
              memory: "512Mi"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami-ingress
  annotations:
    # Legacy class annotation; networking.k8s.io/v1 also offers
    # spec.ingressClassName, which presumably needs an IngressClass object that
    # is not part of these manifests — verify before switching. Note that
    # mydomain-ingress sets no class at all.
    kubernetes.io/ingress.class: "traefik"
    # TLS-only router on the websecure (443) entrypoint.
    traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
    - secretName: mydomain-tls
      hosts:
        - mydomain.com
  rules:
    - host: mydomain.com
      http:
        paths:
          - pathType: Prefix
            path: /who
            backend:
              service:
                name: whoami
                port:
                  number: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
  labels:
    app: whoami
spec:
  replicas: 1
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          # No tag: this resolves to the floating "latest" image, so the
          # deployed code can change on every pull. Pin a tag or digest.
          image: traefik/whoami
          ports:
            - containerPort: 80
              name: web
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  # ClusterIP (default type); reached only through Traefik via whoami-ingress.
  selector:
    app: whoami
  ports:
    - port: 80
      name: web
      targetPort: web
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # Identity used by the traefik Deployment; permissions come from traefik-role.
  name: traefik-account
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-role
rules:
  # Read-only access to core objects. "secrets" is cluster-wide and covers
  # every Secret, not only the TLS secrets referenced by Ingresses; this is the
  # standard Traefik quick-start grant, but it is the broadest one here.
  - apiGroups: [""]
    resources: [services, endpoints, secrets]
    verbs: [get, list, watch]
  # "extensions" is the pre-v1 Ingress API group; networking.k8s.io is the
  # group used by the manifests in this file.
  - apiGroups: [extensions, networking.k8s.io]
    resources: [ingresses, ingressclasses]
    verbs: [get, list, watch]
  # Needed to publish the load-balancer address into Ingress status.
  - apiGroups: [extensions, networking.k8s.io]
    resources: [ingresses/status]
    verbs: [update]
---
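apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-role
subjects:
  - kind: ServiceAccount
    name: traefik-account
    # "default" because no namespace was given when the ServiceAccount was
    # created (the original comment said "ClusterAccount", which is not a kind).
    namespace: default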
---
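apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Replace with your own address: Let's Encrypt uses it to contact you
    # about expiring certificates and account issues.
    email: myemail@email.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret that stores the ACME account's private key.
      name: letsencrypt-prod
    # Single HTTP-01 solver; the solver Ingress is handled by Traefik
    # (the original comment said "nginx", which does not match "class: traefik").
    solvers:
      - http01:
          ingress:
            class: traefik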
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mydomain-certificate
  namespace: default
spec:
  # Issued through the letsencrypt-prod ClusterIssuer; the resulting
  # "mydomain-tls" secret is what both Ingresses reference under spec.tls.
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
  secretName: mydomain-tls
  commonName: mydomain.com
  dnsNames:
    - mydomain.com
---