Traefik on kubernetes, stuck to access dashboard

Traefik Traefik v2
1

Hi,

I'm trying to deploy traefik on kuebernetes cluster. I'm using the helm chart to deploy it. All is ready and working except the traefik dashboard !!!

I get it working using the 9000 port when I expose it in sevice. But I want to remove this exposed port and use api@internal (just like I use it in docker swarm). But traefik send me 404 to all requests to my dashboard FQDN.

traefik is running in a dedicated namespace, not in kube-system.

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik
  namespace: traefik-system
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.domain.local`)
      kind: Rule
      services:
        - kind: TraefikService
          name: api@internal

Traefik is deployed with this arguments:

args:
            - '--entrypoints.metrics.address=:9101/tcp'
            - '--entrypoints.traefik.address=:9000/tcp'
            - '--entrypoints.web.address=:80/tcp'
            - '--entrypoints.websecure.address=:443/tcp'
            - '--api.dashboard=true'
            - '--ping=true'
            - '--metrics.prometheus=true'
            - '--metrics.prometheus.entrypoint=metrics'
            - '--providers.kubernetescrd'
            - '--providers.kubernetescrd.allowCrossNamespace=true'
            - '--providers.kubernetesingress'
            - '--accesslog=true'
            - '--accesslog.format=json'
            - '--accesslog.fields.defaultmode=keep'
            - '--accesslog.fields.headers.defaultmode=drop'
            - '--providers.kubernetesingress.ingressclass=traefik'
            - '--api=true'
            - '--api.insecure=true'
            - '--serversTransport.insecureSkipVerify=true'

I have tried to use web (80) instead of websecure to avoid any problems with certificates without any success.

This commands returns nothing. Is it normal ?

kubectl -n traefik-system get traefikservices.traefik.containo.us 
No resources found in traefik-system namespace.

When I can reach the dashboard using the exposed 9000 port, I can see the api@internal service in "http services" tab.

Any idea pleeaaassseee ??

2

Hi @agp,

Thanks for your interest in Traefik.

Just looking at the IngressRoute resource you describe, and I see some issues:

  • traefik annotation are not working on IngressRoutes, they are effective only on native Ingresses.
    You can find the IngressRoute specifications in our documentation.. Note: the ingress class annotation is not a traefik one, so you can keep it.
  • In spec.entryPoints, you specified only the websecure endpoint, so the router will not be appended to the web entrypoint.

Let me know if it helps.

Thanks,
Maxence

3

ok I have removed all annotations and added the web entrypoint without any success.

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik
  namespace: traefik-system
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`traefik.domain.local`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      kind: Rule
      services:
        - kind: TraefikService
          name: api@internal

In comparison with a docker swarm cluster, the port 9000 is not exposed and is not used by traefik. The service is using api@internal. The kubernetes cluster is in the same configuration but the dashboard is reachable. Traefik starts the port 9000, 80, 443, and a service called api@internal (which I can't find with kubectl). is there a way to verify if api@internal is well created and its kind is TraefikService ??

The dashboard is working only if I use a standard ingress with the port 9000 exposed.

4

Hi @agp,

Your ingress route is better so far.
Here is a configuration that is working on my side.

kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-deployment
  labels:
    app: traefik

spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-account
      containers:
        - name: traefik
          image: traefik:v2.7
          args:
            - --log.level=debug
            - --api.insecure=false
            - --api.dashboard=true
            - --providers.kubernetescrd
            - --entrypoints.web.address=:80
          ports:
            - name: web
              containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-service

spec:
  type: LoadBalancer
  ports:
    - targetPort: web
      port: 80
  selector:
    app: traefik
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`match.example.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      services:
        - kind: TraefikService
          name: api@internal

It is a bit simpler than yours, but could check that your configuration is similar and that the one I gave you in working?

NOTE: when accessing the dashboard in your browser, be sure to add a trailing / at the end. e.g: example.com/dashboard/

Thanks,
Maxence

1 Like
5

Hello,

sorry for the time. The dashboard is not working with any of above configuration with api@internal and ingress route. It needs to expose port 9000 to access to dashboard using http/9000 port.

I don't know why traefik can not use its api@internal endpoint ??

6

Hi @agp,

I don't understand why it is not working. Could you please share your latest configuration (static, dynamic, services, ingresses)?

Thanks,
Maxence

7

Hello. I will prepare all configuration to post here.

I'm currently trying to create a standalone test k8s where I could try multiple configurations without blocking the prod service.

8

Same problem here, i have reinstall traefik with last helm chart (GitHub - traefik/traefik-helm-chart: Traefik v2 helm chart / 10.24.0) and I can no longer activate the dashboard...

Even with a local ip (loadbalancer):9000/dashboard/ => 404

While in the logs in debug mode I can see that it is activated :

  "api": {
    "dashboard": true
  },

PS : Port 9000 is well exposed :

ports:
  traefik:
    port: 9000    
    expose: true
    exposedPort: 9000
    protocol: TCP

If have fix access on local with :

additionalArguments:
  - "--api.insecure=true"