IngressRoute failing for UI

I have the following service for a Vault deployment:

kind: Service
apiVersion: v1
metadata:
  namespace: dev
  name: vault
  labels:
    app: vault
spec:
  ports:
    - name: vault
      port: 80
      targetPort: 8200
  selector:
    app: vault

If I do port-forward with kubectl -n dev port-forward service/vault 8200:80 then I can access http://localhost:8200/ui in my browser.

But with the following

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: vault-external
  namespace: dev
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`vault.dev.domain.com`)
      kind: Rule
      services:
        - name: vault
          port: 80
      middlewares:
        - name: permited-ips

When I try to open vault.dev.domain.com/ui I get 404 page not found.
What's wrong here?

I've not had any success when declaring multiple entrypoints which include both a non-TLS and a TLS endpoint on a single IngressRoute. Try splitting this into two manifests, and when declaring the websecure entrypoint, you should also declare a tls certResolver, even if it's default. A good reference for configuring this can be pulled from our docs: Traefik CRD TLS Documentation - Traefik

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: simpleingressroute
  namespace: default
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`your.example.com`) && PathPrefix(`/notls`)
    kind: Rule
    services:
    - name: whoami
      port: 80

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutetls
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`your.example.com`) && PathPrefix(`/tls`)
    kind: Rule
    services:
    - name: whoami
      port: 80
  tls:
    certResolver: myresolver

I set it up as you mentioned

---

kind: Service
apiVersion: v1
metadata:
  namespace: dev
  name: vault
  labels:
    app: vault
    env: dev
spec:
  ports:
    - name: vault
      port: 80
      targetPort: 8200
  selector:
    app: vault

---

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: vault-external
  namespace: dev
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`vault.dev.domain.com`) && PathPrefix(`/ui`)
      kind: Rule
      services:
        - name: vault
          port: 80

---

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: vault-external-secure
  namespace: dev
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`vault.dev.domain.com`) && PathPrefix(`/ui`)
      kind: Rule
      services:
        - name: vault
          port: 80
  tls:
    certResolver: primary
    domains:
      - main: dev.domain.com
        sans:
          - "*.dev.domain.com"

When I try to open http://vault.dev.domain.com/ui OR https://vault.dev.domain.com/ui in a browser I got

Have you configured vault to serve requests from /ui as its basepath? It appears the front-end is attempting to communicate with the API at /v1/system/health, so unless you have a rule configured to route /v1, that's going to fail.

BUMP

I'm dealing with this issue right now too (not on kubernetes).

Just to provide more details, vault listens on 8200 as an endpoint for the CLI and API calls, and if configured, it will also serve a web interface on 8200/ui.
So we need a route to catch the URL of the vault service and route it to the service on port 8200 (this is the default port for Vault)
AND
we need a route to catch URL/ui and route it to 8200/ui.

I'm not sure if there is another way to accomplish this.
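
Added example, not part of any post in this thread: one way to write the two IngressRoutes so that both the UI path and the `/v1` API path the replies mention reach the Vault service, with the plain-HTTP entry point only redirecting to HTTPS. The names `vault`, `dev`, `primary`, `permited-ips` and the host come from the posts above; `redirect-https` is a hypothetical name, and the `permited-ips` Middleware is assumed to already exist in namespace `dev`.

```yaml
# Added example (not the poster's or Traefik's own manifest).
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https        # hypothetical name
  namespace: dev
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
# Plain-HTTP entry point: redirect only, nothing is proxied to Vault over HTTP.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: vault-external
  namespace: dev
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`vault.dev.domain.com`)
      kind: Rule
      middlewares:
        - name: redirect-https
      services:
        - name: vault
          port: 80
---
# TLS entry point: the UI under /ui and the API it calls under /v1 share one rule.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: vault-external-secure
  namespace: dev
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`vault.dev.domain.com`) && (PathPrefix(`/ui`) || PathPrefix(`/v1`))
      kind: Rule
      middlewares:
        - name: permited-ips  # IP allow-list from the first post; assumed to exist in dev
      services:
        - name: vault
          port: 80
  tls:
    certResolver: primary
```

The later manifests in the thread dropped the `permited-ips` middleware from the first post; keeping it on the TLS route preserves the IP restriction in front of Vault.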