I'm trying to use Traefik v2 chart 8.1.2 / app v2.2 as my ingress controller but it seems that it does not work with Ingress resources just IngressRoute? I get 404 on Ingresses.
Actually it seems like a bug because the routes etc are there I can see in the Dashboard but they are just giving 404.
So after digging a bit I came up with this:
additionalArguments:
  - --entrypoints.web.http.redirections.entrypoint.to=:443
  - --entrypoints.web.http.redirections.entrypoint.permanent=true
I have enabled it but going towards a non-existent route gives a 302 while going towards a Kubernetes Ingress source provided route actually forwards the traffic to the service on plain http.
Both http and https actually work directly towards a given existing service though I would assume that it should have redirected me to https?
Could you please send us your full values.yaml files and the ingress you want to expose please.
@michael sure thing here it is.
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: traefik-v2
  namespace: kube-system
spec:
  releaseName: traefik-v2
  chart:
    repository: https://containous.github.io/traefik-helm-chart
    version: "8.1.3"
    name: traefik
  values:
    deployment:
      replicas: 2
    service:
      annotations:
        service.beta.kubernetes.io/azure-load-balancer-resource-group: x
      spec:
        externalTrafficPolicy: Local
        loadBalancerIP: "x"
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/instance
                operator: In
                values:
                  - traefik-v2
          topologyKey: failure-domain.beta.kubernetes.io/zone
    additionalArguments:
      - --api.insecure
      - --api.dashboard
      - --entryPoints.websecure.http.tls=true
      - --entrypoints.web.http.redirections.entrypoint.to=:443
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --providers.kubernetesingress
      - --providers.kubernetesingress.ingressclass=public
      - --providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik-v2
      - --providers.kubernetescrd.ingressclass=public
      - --serverstransport.insecureskipverify
      - --entryPoints.metrics.address=:8082
      - --metrics.prometheus.entryPoint=metrics
      - --metrics.prometheus
      # - --log.level=DEBUG
      - --accesslog
Ingress
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    helm.fluxcd.io/antecedent: kube-system:helmrelease/cluster-idp
    kubernetes.io/ingress.class: public
  creationTimestamp: "2020-04-27T09:28:54Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: cluster-idp
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: dex
    app.kubernetes.io/version: 2.21.0
    helm.sh/chart: dex-2.9.0
  name: cluster-idp-dex
  namespace: kube-system
  resourceVersion: "948590"
  selfLink: /apis/extensions/v1beta1/namespaces/kube-system/ingresses/cluster-idp-dex
  uid: 4fc192f0-5787-49a6-abc2-ac1417bf9277
spec:
  rules:
    - host: x
      http:
        paths:
          - backend:
              serviceName: cluster-idp-dex
              servicePort: 32000
            path: /
  tls:
    - hosts:
        - idp.x
      secretName: dex-idp-tls
status:
  loadBalancer:
    ingress:
      - ip: x
@ekarlso could you try by adding --entrypoints.web.http.redirections.entryPoint.scheme=https to your additionalArguments.
To have something like that:
additionalArguments:
  - --api.insecure
  - --api.dashboard
  - --entryPoints.websecure.http.tls=true
  - --entrypoints.web.http.redirections.entrypoint.to=:443
  - --entrypoints.web.http.redirections.entrypoint.scheme=https # Required
  - --entrypoints.web.http.redirections.entrypoint.permanent=true
  - --providers.kubernetesingress
  - --providers.kubernetesingress.ingressclass=public
  - --providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik-v2
  - --providers.kubernetescrd.ingressclass=public
  - --serverstransport.insecureskipverify
  - --entryPoints.metrics.address=:8082
  - --metrics.prometheus.entryPoint=metrics
  - --metrics.prometheus
  # - --log.level=DEBUG
  - --accesslog
Hi, I tested this and it still doesn't work actually. HTTP / Web endpoint is still responding.
@michael or anyone else you got an idea on this?
@ekarlso Have you checked that you have all the annotations set correctly https://docs.traefik.io/routing/providers/kubernetes-ingress/#annotations ?
Especially this one traefik.ingress.kubernetes.io/router.tls: "true"
and this one traefik.ingress.kubernetes.io/router.entrypoints: ep1,ep2
@michael I am experiencing the same problem. I am guessing this is related to this change which was included yesterday* (https://github.com/containous/traefik/pull/6588/commits/eb0c3564293f83c45fe835105df9ddb3209b7b13). After this change, I think the http entrypoint router's priority is higher than the one of the redirect, thus causing traefik to use that route and not the redirect route.
Additionally what is also very weird is that setting --entrypoints.web.http.redirections.entrypoint.priority does not seem to work either (tried setting it to 1, 0, and -1000)
- on a side note: Are changes also backported? I am using v2.2.0, so not the latest and still have this and I believe when I asked this question (https://github.com/containous/traefik-helm-chart/issues/166) yesterday morning the redirect was still working
It's the opposite: with the fix in v2.2.1, the redirection has a higher priority than the http router.
ah. that now it makes perfect sense.
Yes if you set --entrypoints.web.http.redirections.entrypoint.priority=200000 it works or going to v2.2.1 also solves this. Perfect!
Worked very nicely with 2.2.1 !
But the problem now is that if you are using CertManager it tries to create an Ingress that seems to be hit by the redirect so LetsEncrypt or alike doesn't work. @SimonTheLeg or @michael is there a way around this?
hmm haven't tried cert-manager yet. We are just using the acme functionality built into traefik, which works
Did you find a solution? I thought I was smart to create a general redirect, but now cert-manager won't do its thing
Ok, got a working solution on how to create a global http-to-https redirect except for cert-manager. Cert-manager/Let's encrypt is the only service that needs http. (This example can also be applied to other situations where http is exceptionally needed)
apiVersion: cert-manager.io/v1alpha3
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: {{ .Values.acme_email }}
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - selector: {}
        http01:
          ingress:
            class: traefik
            ingressTemplate:
              metadata:
                annotations:
                  traefik.ingress.kubernetes.io/router.entrypoints: "web"
                  traefik.ingress.kubernetes.io/router.tls: "false"
                  traefik.ingress.kubernetes.io/router.priority: "42"
Now the traefik config:
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
- "--entrypoints.web.http.redirections.entryPoint.permanent=true"
- "--entrypoints.web.http.redirections.entryPoint.priority=10"
Important is that the priority of web is higher (42) than the one of websecure (10).
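An added example, not part of the thread or of Traefik's code: a small audit of the setup in the last post that reports which Ingress routers would still answer on plain HTTP once the redirect priority is lowered to 10. It assumes Traefik's default router priority equals the rule length and that an Ingress rule has the form Host(...) && PathPrefix(...); the host name and Ingress list are constructed sample data.

```python
ACME_PREFIX = "/.well-known/acme-challenge/"
ANN = "traefik.ingress.kubernetes.io/router."

def parse_args(args):
    """['--a.B=c', '--flag'] -> {'a.b': 'c', 'flag': 'true'} (keys lowercased)."""
    out = {}
    for a in args:
        key, _, val = a.lstrip("-").partition("=")
        out[key.lower()] = val or "true"
    return out

def audit(args, ingresses, entrypoint="web"):
    """Return {ingress name: verdict} for plain-HTTP exposure on `entrypoint`."""
    cfg = parse_args(args)
    prefix = f"entrypoints.{entrypoint}.http.redirections.entrypoint."
    if prefix + "to" not in cfg:
        return {i["name"]: "EXPOSED: no redirect configured" for i in ingresses}
    raw = cfg.get(prefix + "priority")
    redirect_prio = int(raw) if raw is not None else None
    report = {}
    for ing in ingresses:
        ann = ing.get("annotations", {})
        eps = [e.strip() for e in ann.get(ANN + "entrypoints", "").split(",") if e.strip()]
        if eps and entrypoint not in eps:
            verdict = "ok: not bound to " + entrypoint
        elif ann.get(ANN + "tls") == "true":
            verdict = "ok: TLS-only router"
        elif redirect_prio is None:
            verdict = "UNKNOWN: redirect priority not pinned"
        else:
            # Assumption: without the annotation, priority is the rule length.
            rule = f"Host(`{ing['host']}`) && PathPrefix(`{ing['path']}`)"
            prio = int(ann.get(ANN + "priority", len(rule)))
            if prio < redirect_prio:  # ties are treated as exposed (conservative)
                verdict = "ok: redirected to https"
            elif ing["path"].startswith(ACME_PREFIX):
                verdict = "ok: ACME HTTP-01 exception"
            else:
                verdict = "EXPOSED: served over plain http"
        report[ing["name"]] = verdict
    return report

# Constructed sample input mirroring the last post's flags and solver annotations.
ARGS = ["--entrypoints.web.http.redirections.entryPoint.to=websecure",
        "--entrypoints.web.http.redirections.entryPoint.scheme=https",
        "--entrypoints.web.http.redirections.entryPoint.priority=10"]
INGRESSES = [
    {"name": "cm-acme-http-solver", "host": "idp.example.test", "path": ACME_PREFIX + "token",
     "annotations": {ANN + "entrypoints": "web", ANN + "tls": "false", ANN + "priority": "42"}},
    {"name": "cluster-idp-dex", "host": "idp.example.test", "path": "/", "annotations": {}},
]
```

With these inputs the solver Ingress is the only accepted exception, while the unannotated application Ingress is reported as exposed until it carries router.tls: "true" or is bound only to websecure.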