Traefik & VNC web apps: works in docker, but not in kubernetes

I'm using traefik to expose several docker web apps that use VNC, for example webtop, jdownloader2, filezilla, etc.

When I use only docker to deploy both these apps & traefik, everything works.

When I use kubernetes (either both the app & traefik deployed in kubernetes or only traefik deployed in kubernetes and using externalName to point to docker deployed app), I'm getting errors in the VNC web app (KasmVNC gives TypeErrors, Jdownloader immediately disconnects).

Everything seems the same to me and I cannot figure out why it's working in docker, but not kubernetes...

Docker Compose example -> This works

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
    ports:
      - "8081:80"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - dockerproxy

  doublecommander:
    image: lscr.io/linuxserver/doublecommander:latest
    container_name: doublecommander
    networks:
      - dockerproxy
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=Etc/UTC
    volumes:
      - doublecommander:/config
    restart: always
    ports:
      - 13002:3000
    labels:
      traefik.enable: true
      traefik.http.routers.doublecommander.entrypoints: web
      traefik.http.routers.doublecommander.rule: Host(`doublecommander.<DOMAIN>`)
      traefik.http.services.doublecommander.loadbalancer.server.port: 3000

networks:
  dockerproxy:
    external: true
volumes:
  doublecommander:

Kubernetes example with webtop deployment inside kubernetes -> This gives me errors (Uncaught TypeError in KasmVNC)

apiVersion: apps/v1
kind: Deployment
metadata:
  name: webtop
  namespace: utilities
  annotations:
    keel.sh/policy: all
    keel.sh/trigger: poll            
    keel.sh/pollSchedule: "@every 24h"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webtop
  template:
    metadata:
      labels:
        app: webtop
        app.kubernetes.io/name: webtop
    spec:
      containers:
      - name: webtop
        image: lscr.io/linuxserver/webtop:latest
        env:
        - name: PUID
          value: "1000"
        - name: PGID
          value: "1000"
        - name: TZ
          value: "Europe/Brussels"
        resources:
          limits:
            memory: "2Gi"
            cpu: "2000m"
          requests:
            memory: "1.5Gi"
            cpu: "1500m"    
        ports:
        - containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
  name: webtop
  namespace: utilities
spec:
  selector:
    app: webtop
  ports:
  - protocol: TCP
    port: 3000
    targetPort: 3000
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: webtop-traefik
  namespace: utilities
  annotations: 
    kubernetes.io/ingress.class: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`webtop.kubernetes.<DOMAIN>`) || Host(`webtop.<DOMAIN>`)
      kind: Rule
      services:
        - name: webtop
          port: 3000
          scheme: http

Kubernetes example with externalName (doublecommander deployed in docker on another computer) -> This also gives me errors

---
apiVersion: v1
kind: Service
metadata:
  name: doublecommander
  namespace: traefik
spec:
  externalName: 10.10.10.2
  type: ExternalName
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: doublecommander
  namespace: traefik
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`doublecommander.kubernetes.<DOMAIN>`) || Host(`doublecommander.<DOMAIN>`)
      kind: Rule
      services:
        - name: doublecommander
          port: 13002

Traefik Helm Values

globalArguments:
  - "--global.sendanonymoususage"

logs:
  general:
    level: INFO
  access:
    enabled: true
    format: json
    filters:
      statuscodes: "400-499"

deployment:
  enabled: true
  replicas: 3

ports:
  traefik:
    port: 9000
    exposedPort: 9000
    protocol: TCP
  web:
    expose:
      default: false
  websecure:
    port: 8443
    expose:
      default: true
    exposedPort: 443
    protocol: TCP
    tls:
      enabled: true
      middlewares:
        - traefik-secureheaders@kubernetescrd
        - traefik-ratelimit@kubernetescrd
  metrics:
    port: 9100
    expose:
      default: true
    exposedPort: 9100
    protocol: TCP

ingressRoute:
  dashboard:
    enabled: false

providers:
  kubernetesCRD:
    enabled: true
    namespaces: []
    allowCrossNamespace: true
    allowExternalNameServices: true
    ingressClass: traefik

  kubernetesIngress:
    enabled: true
    namespaces: []
    ingressClass: traefik
    allowCrossNamespace: true
    allowExternalNameServices: true
    publishedService:
      enabled: true

dashboard:
  enabled: true

rbac:
  enabled: true
  
# Will define my own services because I want to expose traefik both through tailscale and through kube-vip
service:
  enabled: false

Example of error:

Resolved by increasing respondingTimeout values in the helm values of traefik:

...
ports:
  traefik:
    port: 9000
    exposedPort: 9000
    protocol: TCP
  web:
    expose:
      default: false
  websecure:
    port: 8443
    expose:
      default: true
    asDefault: true
    exposedPort: 443
    protocol: TCP

    # Necessary for VNC and other apps to work without issues. Otherwise you get connection and timeout issues.
    transport:
      respondingTimeouts:
        readTimeout: 420
        writeTimeout: 420
        idleTimeout: 420
...

Why this is necessary for traefik in kubernetes but not in docker is a mystery to me (and this increases timeouts for every service, but there is a feature request for that: "Setting timeout per service/router", Issue #10962 in traefik/traefik on GitHub).
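
Since `respondingTimeouts` is configured per entrypoint, one way to keep the longer timeouts from applying to every service on `websecure` is a dedicated entrypoint for the VNC apps. This is an added example, not part of the original post or the chart's own documentation; the entrypoint name `vnc` and port 8444 are assumptions, and the timeout values are the ones from the post.

```yaml
# Helm values fragment (added example). The entrypoint name "vnc" and the
# port number 8444 are assumptions chosen for illustration.
ports:
  websecure:
    port: 8443
    expose:
      default: true
    exposedPort: 443
    protocol: TCP
    tls:
      enabled: true
    # No transport block here: ordinary services keep the default timeouts.
  vnc:
    port: 8444
    expose:
      default: true
    exposedPort: 8444
    protocol: TCP
    tls:
      enabled: true
    # Long-lived VNC/WebSocket sessions only; values taken from the post above.
    transport:
      respondingTimeouts:
        readTimeout: 420
        writeTimeout: 420
        idleTimeout: 420
---
# IngressRoute fragment: attach the VNC app to the dedicated entrypoint.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: webtop-traefik
  namespace: utilities
spec:
  entryPoints:
    - vnc
  routes:
    - match: Host(`webtop.<DOMAIN>`)
      kind: Rule
      services:
        - name: webtop
          port: 3000
          scheme: http
```

With `service.enabled: false` as in the values above, the hand-written Service in front of Traefik also has to publish the extra port.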
