Traefik Ingress swallows all requests to /api or /dashboard

I am using Traefik as an ingress in my Kubernetes cluster. I have set up the routes using the IngressRoute CRD, and every application has its subdomain, such as traefik.mydomain.com, argocd.mydomain.com, my-app.mydomain dot com.

I can access the Traefik dashboard behind traefik.mydomain dot com without any trouble. Furthermore, I can also access my-app.mydomain dot com.

The problem is that I can't access my-app.mydomain dot com/api because it returns 401 unauthorized. If I change the prefix to my-app.subdomain dot com/v1, no problem. The reason I think it's because of Traefik is that when I try to access argocd.mydomain dot com, instead of requesting my ArgoCD credentials, I have to input my Traefik credentials and it works. Well, not completely, as it messes up the call to the dashboard, but the password requested is my Traefik credentials.

Could you please help me out?

Here is the config for my Traefik setup, using the Helm chart, as well as the route for ArgoCD's dashboard. Do you think anything is wrong in this setup?

Traefik's values.yaml

traefik:
  deployment:
    enabled: true
    kind: Deployment # -- Deployment or DaemonSet
    replicas: 1

  ingressRoute:
    dashboard:
      enabled: true
      matchRule: Host(`traefik.mydomain dot com`)
      entryPoints: ["websecure"]
      # Add custom middlewares : authentication and redirection
      middlewares:
        - name: traefik-dashboard-basicauth

  ports:
    web:
      redirectTo:
        port: websecure
    websecure:
      tls:
        enabled: true

  providers:
    kubernetesCRD:
      enabled: true
      allowExternalNameServices: false
      namespaces: []
    kubernetesIngress:
      enabled: false

  rbac:
    enabled: true

  service:
    enabled: true
    type: LoadBalancer
    annotations: {}
    labels: {}
    spec:
      loadBalancerIP: ###.###.##.###
    loadBalancerSourceRanges: []
    externalIPs: []

  tlsStore:
    default:
      defaultCertificate:
        secretName: mydomain-production-tls

ArgoCD dashboard's route

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: argocd-server
  namespace: argocd
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`argocd.mydomain dot com`)
      priority: 10
      services:
        - name: argocd-server
          port: 80
          scheme: http
    - kind: Rule
      match: Host(`argocd.mydomain dot com`) && Headers(`Content-Type`, `application/grpc`)
      priority: 11
      services:
        - name: argocd-server
          port: 80
          scheme: h2c

  tls:
    secretName: mydomain-production-tls

/api and /dashboard are the two paths used by Traefik dashboard, so mis-configuration is likely. Did you check the docs?
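One way to check for the misconfiguration suggested above, as an added example that is not part of the original thread: it scans IngressRoute objects for rules that send traffic to Traefik's `api@internal` service without a Host constraint, which would make /api and /dashboard (and their basic-auth prompt) answer on every hostname. The sample objects and hostnames are constructed, and the split on `||` assumes `&&` binds tighter than `||` in rule expressions.

```python
import json
import re

# Constructed sample shaped like `kubectl get ingressroutes -A -o json` output.
SAMPLE = json.loads(r'''{"items": [
 {"metadata": {"namespace": "traefik", "name": "dashboard-scoped"}, "spec": {"routes": [
   {"match": "Host(`traefik.example.test`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))",
    "services": [{"kind": "TraefikService", "name": "api@internal"}]}]}},
 {"metadata": {"namespace": "traefik", "name": "dashboard-default"}, "spec": {"routes": [
   {"match": "PathPrefix(`/dashboard`) || PathPrefix(`/api`)",
    "services": [{"kind": "TraefikService", "name": "api@internal"}]}]}},
 {"metadata": {"namespace": "traefik", "name": "dashboard-precedence"}, "spec": {"routes": [
   {"match": "Host(`traefik.example.test`) && PathPrefix(`/dashboard`) || PathPrefix(`/api`)",
    "services": [{"kind": "TraefikService", "name": "api@internal"}]}]}},
 {"metadata": {"namespace": "argocd", "name": "argocd-server"}, "spec": {"routes": [
   {"match": "Host(`argocd.example.test`)",
    "services": [{"name": "argocd-server", "port": 80}]}]}}
]}''')

# Heuristic: an alternative counts as host-scoped if it contains Host(...) or HostRegexp(...).
HOST_RE = re.compile(r"(?<![!\w])Host(?:Regexp)?\(")

def split_top_level_or(rule):
    """Split a rule on `||` found outside parentheses and backtick-quoted strings."""
    parts, depth, quoted, start, i = [], 0, False, 0, 0
    while i < len(rule):
        ch = rule[i]
        if ch == "`":
            quoted = not quoted
        elif not quoted and ch in "()":
            depth += 1 if ch == "(" else -1
        elif not quoted and depth == 0 and rule.startswith("||", i):
            parts.append(rule[start:i].strip())
            start, i = i + 2, i + 1  # skip both pipe characters
        i += 1
    parts.append(rule[start:].strip())
    return parts

def unscoped_internal_routes(items):
    """Return (namespace, name, alternatives) for api@internal rules with no Host matcher."""
    findings = []
    for item in items:
        for route in item.get("spec", {}).get("routes", []):
            names = {svc.get("name") for svc in route.get("services", [])}
            loose = [a for a in split_top_level_or(route.get("match", "")) if not HOST_RE.search(a)]
            if "api@internal" in names and loose:
                findings.append((item["metadata"]["namespace"], item["metadata"]["name"], loose))
    return findings
```

Any route it reports matches requests for other applications' hostnames as well, so requests to /api there are handled by the dashboard route and its middleware instead of the intended backend.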

Thank you for the answer; I've reset the cluster, everything is working fine except for the /api calls swallowed by Traefik. I have no idea what kind of misconfiguration could provoke that. :S I've uploaded my configurations in the OP.

Sorry, no clue about k8s, only using Docker, but you need an IP here? With Docker Swarm target IPs are always auto-configured.

Hello, thanks for the feedback. This is the address of my externally managed load balancer. This works fairly well, since I wouldn't get any requests in Traefik if this was misconfigured. I don't know if this would be automatically configured in a Kubernetes setup, compared to Docker. I am not knowledgeable enough to answer you. :sweat_smile: