Traefik V2 not working on Ingress

I'm trying to use Traefik v2 chart 8.1.2 / app v2.2 as my ingress controller but it seems that it does not work with Ingress resources just IngressRoute? I get 404 on Ingresses.

Hi @ekarlso,

For me your question seems related to this one.
I hope it will help you.

Actually it seems like a bug because the routes etc are there I can see in the Dashboard but they are just giving 404.

So after digging a bit I came up with this:

additionalArguments:
  - --entrypoints.web.http.redirections.entrypoint.to=:443
  - --entrypoints.web.http.redirections.entrypoint.permanent=true

I have enabled it but going towards a non-existent route gives a 302 while going towards a Kubernetes Ingress source provided route actually forwards the traffic to the service on plain http.

Both http and https actually work directly towards a given existing service though I would assume that it should have redirected me to https?

Could you please send us your full values.yaml files and the ingress you want to expose please.

@michael sure thing here it is.

apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: traefik-v2
  namespace: kube-system
spec:
  releaseName: traefik-v2
  chart:
    repository: https://containous.github.io/traefik-helm-chart
    version: "8.1.3"
    name: traefik
  values:
    deployment:
      replicas: 2
    service:
      annotations:
        service.beta.kubernetes.io/azure-load-balancer-resource-group: x
      spec:
        externalTrafficPolicy: Local
        loadBalancerIP: "x"
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: app.kubernetes.io/instance
            operator: In
            values:
            - traefik-v2
        topologyKey: failure-domain.beta.kubernetes.io/zone
    additionalArguments:
      - --api.insecure
      - --api.dashboard
      - --entryPoints.websecure.http.tls=true
      - --entrypoints.web.http.redirections.entrypoint.to=:443
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --providers.kubernetesingress
      - --providers.kubernetesingress.ingressclass=public
      - --providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik-v2
      - --providers.kubernetescrd.ingressclass=public
      - --serverstransport.insecureskipverify
      - --entryPoints.metrics.address=:8082
      - --metrics.prometheus.entryPoint=metrics
      - --metrics.prometheus
      # - --log.level=DEBUG
      - --accesslog

Ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    helm.fluxcd.io/antecedent: kube-system:helmrelease/cluster-idp
    kubernetes.io/ingress.class: public
  creationTimestamp: "2020-04-27T09:28:54Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: cluster-idp
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: dex
    app.kubernetes.io/version: 2.21.0
    helm.sh/chart: dex-2.9.0
  name: cluster-idp-dex
  namespace: kube-system
  resourceVersion: "948590"
  selfLink: /apis/extensions/v1beta1/namespaces/kube-system/ingresses/cluster-idp-dex
  uid: 4fc192f0-5787-49a6-abc2-ac1417bf9277
spec:
  rules:
  - host: x
    http:
      paths:
      - backend:
          serviceName: cluster-idp-dex
          servicePort: 32000
        path: /
  tls:
  - hosts:
    - idp.x
    secretName: dex-idp-tls
status:
  loadBalancer:
    ingress:
    - ip: x

@ekarlso could you try by adding --entrypoints.web.http.redirections.entryPoint.scheme=https to your additionalArguments.

To have something like that:

additionalArguments:
      - --api.insecure
      - --api.dashboard
      - --entryPoints.websecure.http.tls=true
      - --entrypoints.web.http.redirections.entrypoint.to=:443
      - --entrypoints.web.http.redirections.entrypoint.scheme=https # Required
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --providers.kubernetesingress
      - --providers.kubernetesingress.ingressclass=public
      - --providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik-v2
      - --providers.kubernetescrd.ingressclass=public
      - --serverstransport.insecureskipverify
      - --entryPoints.metrics.address=:8082
      - --metrics.prometheus.entryPoint=metrics
      - --metrics.prometheus
      # - --log.level=DEBUG
      - --accesslog

Hi, I tested this and it still doesn't work actually. HTTP / Web endpoint is still responding.

@michael or anyone else you got an idea on this?

@ekarlso Have you checked that you have all the annotations set correctly https://docs.traefik.io/routing/providers/kubernetes-ingress/#annotations ?

Especially this one traefik.ingress.kubernetes.io/router.tls: "true" and this one traefik.ingress.kubernetes.io/router.entrypoints: ep1,ep2

@michael I am experiencing the same problem. I am guessing this is related to this change which was included yesterday (https://github.com/containous/traefik/pull/6588/commits/eb0c3564293f83c45fe835105df9ddb3209b7b13). After this change, I think the http entrypoint router's priority is higher than the one of the redirect, thus causing traefik to use that route and not the redirect route.

Additionally what is also very weird is that setting --entrypoints.web.http.redirections.entrypoint.priority does not seem to work either (tried setting it to 1, 0, and -1000)

It's the opposite: with the fix in v2.2.1, the redirection has a higher priority than the http router.

Ah, now it makes perfect sense.

Yes if you set --entrypoints.web.http.redirections.entrypoint.priority=200000 it works or going to v2.2.1 also solves this. Perfect!

Worked very nicely with 2.2.1!

But the problem now is that if you are using CertManager it tries to create an Ingress that seems to be hit by the redirect so LetsEncrypt or alike doesn't work. @SimonTheLeg or @michael is there a way around this?

hmm haven't tried cert-manager yet. We are just using the acme functionality built into traefik, which works

Did you find a solution? I thought I was smart to create a general redirect, but now cert-manager won't do its thing

Ok, got a working solution on how to create a global http-to-https redirect except for cert-manager. Cert-manager/Let's Encrypt is the only service that needs http. (This example can also be applied to other situations where http is exceptionally needed)

apiVersion: cert-manager.io/v1alpha3
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: {{ .Values.acme_email }}
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - selector: {}
        http01:
          ingress:
            class: traefik
            ingressTemplate:
              metadata:
                annotations:
                  traefik.ingress.kubernetes.io/router.entrypoints: "web"
                  traefik.ingress.kubernetes.io/router.tls: "false"
                  traefik.ingress.kubernetes.io/router.priority: "42"

Now the traefik config:

          - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
          - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
          - "--entrypoints.web.http.redirections.entryPoint.permanent=true"
          - "--entrypoints.web.http.redirections.entryPoint.priority=10"

Important is that the priority of web is higher (42) than the one of websecure (10)
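
Added example (not part of the thread and not Traefik's code): a simplified Python model of priority-based router selection on the plain-HTTP entrypoint, showing why the redirect priority has to sit below the solver's 42 and what that means for ordinary Ingresses. It assumes Traefik's documented defaults that a router with no explicit priority uses the length of its rule and that a router with no entrypoints annotation is attached to every entrypoint; the host name, challenge path, router names and rule strings are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

HOST = "idp.test"                        # constructed host name
ACME = "/.well-known/acme-challenge/tok" # constructed challenge path

@dataclass
class Router:
    name: str
    rule: str                            # rule text; its length is the default priority
    matches: Callable[[str, str], bool]  # (host, path) -> bool
    entrypoints: Optional[Tuple[str, ...]] = None  # None = all entrypoints (assumed default)
    priority: int = 0                    # 0 = unset, fall back to len(rule)

    def effective_priority(self) -> int:
        return self.priority or len(self.rule)

def pick(routers, entrypoint, host, path):
    """Name of the highest-priority router that matches, or None (a 404)."""
    hits = [r for r in routers
            if (r.entrypoints is None or entrypoint in r.entrypoints)
            and r.matches(host, path)]
    return max(hits, key=Router.effective_priority).name if hits else None

def build(redirect_priority, app_entrypoints=None):
    return [
        # Global redirect configured on the web entrypoint; matches everything.
        Router("redirect", "<catch-all>", lambda h, p: True, ("web",), redirect_priority),
        # cert-manager solver Ingress with the annotations from the ClusterIssuer.
        Router("acme-solver", f"Host(`{HOST}`) && PathPrefix(`{ACME}`)",
               lambda h, p: h == HOST and p.startswith(ACME), ("web",), 42),
        # Ordinary application Ingress with no explicit priority.
        Router("app", f"Host(`{HOST}`) && PathPrefix(`/`)",
               lambda h, p: h == HOST and p.startswith("/"), app_entrypoints),
    ]

def outcome(redirect_priority, app_entrypoints=None):
    """Winning router on plain HTTP for (an app page, the ACME challenge)."""
    routers = build(redirect_priority, app_entrypoints)
    return (pick(routers, "web", HOST, "/login"),
            pick(routers, "web", HOST, ACME))

if __name__ == "__main__":
    print(outcome(10, ("websecure",)))      # redirect for the app, solver for ACME
    print(outcome(200000, ("websecure",)))  # redirect wins both
    print(outcome(10))                      # app not pinned to websecure
```

In this model, with the redirect at priority 10, an Ingress that is not pinned to websecure through traefik.ingress.kubernetes.io/router.entrypoints outranks the redirect and is served over plain HTTP, so each Ingress should be checked for that annotation.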