Traefik v2 terminate TLS at AWS ELB does not work

It seems that I am unable to make TLS termination at the AWS ELB work with traefik 2. If I configure the load balancer backend to be https and give tls information to the dashboard ingress, everything works fine.
If I use the definitions below with the http backend and no tls information on the ingress route, the Dashboard (or any other ingressroute I create) gives a 404 on any of its paths.

Traefik version is 2.4.7.

Any suggestions and/or explanations are appreciated.

Thanks,
Nick

The Service definition is as follows:

apiVersion: v1
kind: Service
metadata:
  annotations:
    external-dns.alpha.kubernetes.io/hostname: <REDACTED>
    meta.helm.sh/release-name: traefik-ingress
    meta.helm.sh/release-namespace: traefik
    service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval: "60"
    service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: <REDACTED>
    service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix: <REDACTED>
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:<REDACTED>:certificate/<REDACTED>
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS-1-2-2017-01
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: websecure
  creationTimestamp: "2021-04-20T23:05:53Z"
  finalizers:
  - service.kubernetes.io/load-balancer-cleanup
  labels:
    app.kubernetes.io/instance: traefik-ingress
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: traefik
    helm.sh/chart: traefik-9.17.5
  name: traefik-ingress
  namespace: traefik
  resourceVersion: "258297587"
  selfLink: /api/v1/namespaces/traefik/services/traefik-ingress
  uid: 876cb9e5-26b6-42bb-ba0a-ab9d388eb719
spec:
  clusterIP: 172.20.112.76
  externalTrafficPolicy: Cluster
  ports:
  - name: web
    nodePort: 31009
    port: 80
    protocol: TCP
    targetPort: web
  - name: websecure
    nodePort: 31896
    port: 443
    protocol: TCP
    targetPort: websecure
  selector:
    app.kubernetes.io/instance: traefik-ingress
    app.kubernetes.io/name: traefik
  sessionAffinity: None
  type: LoadBalancer

The ingress route for the Dashboard is as follows:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  annotations:
    meta.helm.sh/release-name: traefik-ingress
    meta.helm.sh/release-namespace: traefik
  creationTimestamp: "2021-04-20T23:05:53Z"
  generation: 6
  labels:
    app.kubernetes.io/managed-by: Helm
  name: traefik-ingress-dashboard
  namespace: traefik
  resourceVersion: "258297983"
  selfLink: /apis/traefik.containo.us/v1alpha1/namespaces/traefik/ingressroutes/traefik-ingress-dashboard
  uid: 8cec6fbe-ce4d-40e3-848e-a7477907f7b3
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) || PathPrefix(`/_oauth`)
    middlewares:
    - name: traefik-forward-auth
    services:
    - kind: TraefikService
      name: api@internal
  tls: {}

SOLVED - I had overlooked that tls was enabled on the traefik pod websecure port. :man_facepalming:
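A consistency check for the mismatch resolved in this thread, as an added example that is not part of the original posts or of the Traefik project: with an `http` backend the ELB sends plain HTTP to the `websecure` port, and a Traefik router with TLS enabled ignores non-TLS requests, which surfaces as a 404. The function name, the sample `ARGS` list and the rule that the Service `targetPort` name equals the entry point name are assumptions of this example.

```python
# Added example: flags ELB listeners that forward plaintext to a TLS-only Traefik entry point.
BACKEND = "service.beta.kubernetes.io/aws-load-balancer-backend-protocol"
SSL_PORTS = "service.beta.kubernetes.io/aws-load-balancer-ssl-ports"

def tls_mismatches(service, traefik_args, ingress_routes):
    """Return findings where the ELB sends plain HTTP/TCP to a listener that expects TLS."""
    ann = service["metadata"].get("annotations", {})
    if ann.get(BACKEND, "tcp").lower() in ("https", "ssl"):
        return []  # ELB re-encrypts towards the pod, so TLS on the entry point is expected
    ssl_ports = {p.strip() for p in ann.get(SSL_PORTS, "*").split(",")}
    findings = []
    for port in service["spec"]["ports"]:
        if not ssl_ports & {"*", port.get("name"), str(port["port"])}:
            continue  # the ELB does not terminate TLS on this listener
        ep = str(port["targetPort"])  # assumption: container port name == entry point name
        flag = f"--entrypoints.{ep}.http.tls"
        for arg in traefik_args:
            key, _, value = arg.lower().partition("=")
            if (key == flag and value != "false") or key.startswith(flag + "."):
                findings.append(f"{ep}: static config enables TLS ({arg})")
        for route in ingress_routes:
            spec = route["spec"]
            # `tls: {}` is an empty mapping but still makes the router HTTPS-only,
            # so test for the key, not for truthiness.
            if ep in spec.get("entryPoints", []) and "tls" in spec:
                findings.append(f"{ep}: IngressRoute {route['metadata']['name']} has a tls section")
    return findings

# Constructed sample, trimmed from the manifests in this thread; the args list is assumed.
SERVICE = {"metadata": {"annotations": {BACKEND: "http", SSL_PORTS: "websecure"}},
           "spec": {"ports": [{"name": "web", "port": 80, "targetPort": "web"},
                              {"name": "websecure", "port": 443, "targetPort": "websecure"}]}}
ARGS = ["--entrypoints.web.address=:8000/tcp", "--entrypoints.websecure.address=:8443/tcp",
        "--entrypoints.websecure.http.tls=true"]
ROUTES = [{"metadata": {"name": "traefik-ingress-dashboard"},
           "spec": {"entryPoints": ["websecure"], "tls": {}}}]

if __name__ == "__main__":
    for finding in tls_mismatches(SERVICE, ARGS, ROUTES):
        print(finding)
```

An empty result means the ELB backend protocol and the Traefik TLS settings agree; it does not encrypt the ELB-to-pod hop, which stays plaintext whenever the backend protocol is `http`.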
