Traefik Nomad deployment with Consul Connect

I'm trying to get Traefik with Consul Connect to work but no rule is working.
My goal is that Traefik is deployed by nomad as a system service on every node, listening on TCP 80 / 443 / 8090. For the moment the traefik dashboard should be on 8090.
I must admit that I don't know how to configure traefik with consul connect and that I feel a bit lost. This is a test environment and in theory this sounds like a great solution.

job "traefik2-b2" {
  datacenters = ["dc1"]
  type        = "system"

  group "traefik" {
    network {
      mode = "host"
      port "http" {
        static = 80
      }
      port "https" {
        static = 443
      }
      port "api" {
        static = 8090
      }
    }

    service {
      name = "traefik-web"
      port = "http"
      #check {
      #  name     = "Alive"
      #  type     = "tcp"
      #  port     = "http"
      #  interval = "10s"
      #  timeout  = "2s"
      #}
      #connect {
      #  native = true
      #}
    }

    service {
      name = "traefik-websecure"
      port = "https"
      #check {
      #  name     = "Alive"
      #  type     = "tcp"
      #  port     = "https"
      #  interval = "10s"
      #  timeout  = "2s"
      #}
      #connect {
      #  native = true
      #}
    }

    service {
      name = "traefik-api"
      port = "api"
      #check {
      #  name     = "Alive"
      #  type     = "tcp"
      #  port     = "api"
      #  interval = "10s"
      #  timeout  = "2s"
      #}
      tags = [
        "traefik",
        "metrics",
        "metrics_port=8090",
        "metrics_scheme=http",
        "metrics_path=/metrics",
        "traefik.tags=clusterservice",
        "traefik.enable=true",
        #"traefik.consulcatalog.connect=false",
        "traefik.http.routers.metrics.rule=PathPrefix(`/metrics`)",
        "traefik.http.routers.metrics.entrypoints=api",
        "traefik.http.routers.metrics.service=prometheus@internal",
        "traefik.http.routers.api.rule=(PathPrefix(`/api`) || PathPrefix(`/dashboard`))",
        "traefik.http.routers.api.entrypoints=api",
        "traefik.http.routers.api.service=api@internal",
        "traefik.http.routers.api.middlewares=AdminAuth@file"
      ]
      connect {
        native = true
      }
    }

    task "traefik" {
      driver = "docker"

      config {
        image        = "traefik:v2.6.6"
        #network_mode = "host"

        volumes = [
          "local/dynamic.toml:/etc/traefik/dynamic.toml",
        ]

        args = [
          "--api.dashboard=true",
          "--global.checkNewVersion=true",
          "--global.sendAnonymousUsage=true",
          "--log.level=DEBUG",
          "--metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000",
          "--metrics.prometheus.manualRouting=true",
          "--metrics.prometheus.entrypoint=api",
          "--entrypoints.http.address=:80",
          "--entrypoints.https.address=:443",
          "--entrypoints.api.address=:8090",
          "--accesslog=false",
          "--accesslog.fields.defaultmode=keep",
          "--accesslog.fields.headers.defaultmode=keep",
          "--providers.file.filename=/etc/traefik/dynamic.toml",
          "--providers.file.watch=true",
          "--serversTransport.insecureSkipVerify=true",
          "--serversTransport.maxIdleConnsPerHost=0",
          "--providers.consulcatalog.connectAware=true",
          "--providers.consulcatalog.connectByDefault=true",
          "--providers.consulcatalog.exposedByDefault=false",
          "--providers.consulcatalog.prefix=traefik",
          "--providers.consulcatalog.constraints=Tag(`traefik.tags=clusterservice`)",
          "--providers.consulcatalog.endpoint.address=127.0.0.1:8501",
          "--providers.consulcatalog.endpoint.scheme=https",
          "--providers.consulcatalog.endpoint.tls.insecureskipverify=true",
        ]
      }

      template {
        change_mode   = "signal"
        change_signal = "SIGHUP"

        data = <<EOF
# Dynamic config preparation
[http.middlewares]
  [http.middlewares.AdminAuth.basicAuth]
    removeHeader = false
    realm = "Services"
    headerField = "X-WebAuth-User"
    users = [
      "admin:<SECRET>",
    ]
EOF

        destination = "local/dynamic.toml"
      }

      resources {
        cpu    = 300
        memory = 128
      }
    }
  }
}

Hello @Madic,

I actually wrote a first answer a day or two ago, but unfortunately it failed to be sent because of my internet connection at that time and I ended up losing the draft :cry:

So let me try it once more while remembering the context. When you say it's not working, did you mean Traefik returning a "404 Not Found" error, or just being unable to access the api entrypoint itself, with maybe a timeout or connection refused while trying to access the node port 8090?

Could you also provide the logs for the Traefik instance? They might show us if there is an error in the provider configuration which would prevent it from building the routing to the Dashboard.

Alternatively, you can also attempt exposing the Dashboard with your dynamic configuration, dynamic.toml. I don't have a TOML example in hand, but here is a YAML format to expose the dashboard with the file provider:

http:
  routers:
    dashboard:
      rule: PathPrefix(`/api`) || PathPrefix(`/dashboard`)
      entrypoints:
        - api
      service: api@internal

I hope this helps :slight_smile:
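
The YAML router from the answer above, written in TOML for the dynamic.toml that the job already templates (an added example, not part of the original posts). It also attaches the AdminAuth basic-auth middleware from the question's template, so the dashboard is not served unauthenticated on the api entrypoint; the `<SECRET>` placeholder is kept exactly as posted.

```toml
# Added example: file-provider form of the dashboard router (dynamic.toml).
# The router name "dashboard" comes from the YAML in the answer.
[http.routers.dashboard]
  rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
  entryPoints = ["api"]
  service = "api@internal"
  # Reuse the basic-auth middleware defined below. Inside the file provider
  # the name needs no "@file" suffix.
  middlewares = ["AdminAuth"]

# Middleware block as posted in the question's template.
[http.middlewares.AdminAuth.basicAuth]
  removeHeader = false
  realm = "Services"
  headerField = "X-WebAuth-User"
  users = [
    "admin:<SECRET>",
  ]
```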

You're right. I should have been more clear about the error behaviour.
I am unable to access the node port on 8090. Connection refused. Also on the host I can't see traefik listening on any port, via "ss -tlpn".