Proxmox behind Traefik on Kubernetes

Hi there, I'm trying to reverse proxy some proxmox servers. In order to do so, you need:

  • A service defined for each "ExternalName"
  • An ingressRoute
  • A certificate

I believe that I configured each of these correctly, but VNC still doesn't work. The rest of the UI works great. For HAProxy, I had to get sticky cookies enabled and that fixed VNC there.

Can anyone tell me what I'm doing wrong here?

kind: Service
apiVersion: v1
metadata:
  name: proxmox-1a
  namespace: traefik
  annotations:
    traefik.ingress.kubernetes.io/service.sticky.cookie: "true"
    traefik.ingress.kubernetes.io/service.sticky.cookie.name: "proxmox-1a"
spec:
  type: ExternalName
  ports:
    - name: https
      port: 8006
      targetPort: 8006
  externalName: 10.1.0.31
---
kind: Service
apiVersion: v1
metadata:
  name: proxmox-1b
  namespace: traefik
  annotations:
    traefik.ingress.kubernetes.io/service.sticky.cookie: "true"
    traefik.ingress.kubernetes.io/service.sticky.cookie.name: "proxmox-1b"
spec:
  type: ExternalName
  ports:
    - name: https
      port: 8006
      targetPort: 8006
  externalName: 10.1.0.35
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: skip-ssl
  namespace: traefik
spec:
  insecureSkipVerify: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: proxmox
  namespace: traefik
  annotations: 
    kubernetes.io/ingress.class: traefik-external
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`<address>`)
      kind: Rule
      services:
        - name: proxmox-1a
          port: 8006
          serversTransport: skip-ssl
          sticky:
            cookie:
              name: proxmox-1a
              sameSite: strict
        - name: proxmox-1b
          port: 8006
          serversTransport: skip-ssl
          sticky:
            cookie:
              name: proxmox-1b
              sameSite: strict
      middlewares:
        - name: default-headers
          namespace: traefik
        - name: cors-headers
          namespace: traefik
  tls:
    secretName: <certificate>