Hi, I am converting an application that ran successfully on Docker to Kubernetes, and I am facing some basic issues that I am struggling to fix.
-
Traffic is redirected to https in the config, so http://traefik.minikube/service/whoami is redirected to https://traefik.minikube/service/whoami. But the dashboard is still served over http; over https it returns 404.
-
Basic auth for the dashboard is not working, although the middleware is set up for username/password = admin/adminadmin.
-
I want the whoami service to only be served at https. But if I remove entrypoint web from its config, then page returns 404 on https://traefik.minikube/service/whoami
Running on minikube, here is my config:
crd.yaml
# CRD that registers Traefik's IngressRoute kind (group traefik.containo.us).
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22;
# newer clusters need the apiextensions.k8s.io/v1 form of this definition.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  scope: Namespaced
  version: v1alpha1
  names:
    kind: IngressRoute
    singular: ingressroute
    plural: ingressroutes
---
# CRD that registers Traefik's Middleware kind (used below for basic-auth).
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  scope: Namespaced
  version: v1alpha1
  names:
    kind: Middleware
    singular: middleware
    plural: middlewares
---
# CRD that registers Traefik's IngressRouteTCP kind.
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  scope: Namespaced
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    singular: ingressroutetcp
    plural: ingressroutetcps
---
# CRD that registers Traefik's IngressRouteUDP kind.
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressrouteudps.traefik.containo.us
spec:
  group: traefik.containo.us
  scope: Namespaced
  version: v1alpha1
  names:
    kind: IngressRouteUDP
    singular: ingressrouteudp
    plural: ingressrouteudps
---
# CRD that registers Traefik's TLSOption kind.
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  scope: Namespaced
  version: v1alpha1
  names:
    kind: TLSOption
    singular: tlsoption
    plural: tlsoptions
---
# CRD that registers Traefik's TLSStore kind.
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsstores.traefik.containo.us
spec:
  group: traefik.containo.us
  scope: Namespaced
  version: v1alpha1
  names:
    kind: TLSStore
    singular: tlsstore
    plural: tlsstores
---
# CRD that registers Traefik's TraefikService kind (the dashboard route below
# references api@internal through it).
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us
spec:
  group: traefik.containo.us
  scope: Namespaced
  version: v1alpha1
  names:
    kind: TraefikService
    singular: traefikservice
    plural: traefikservices
secret.yaml
---
# Secret with the certificate and private key; the Traefik Deployment mounts it
# read-only at /var/ssl/certificates.
# Values under `data` are base64 (truncated in this post). Base64 is an
# encoding, not encryption: keep the real tls.key out of version control.
# NOTE(review): kubernetes.io/tls is the built-in Secret type for a
# tls.crt/tls.key pair; Opaque works for a plain file mount but skips the
# key-presence validation that type provides.
apiVersion: v1
kind: Secret
metadata:
  name: certificates
  namespace: default
type: Opaque
data:
  tls.crt: LS0tLS....
  tls.key: LS0t....
---
# BasicAuth middleware: the user list comes from the Secret `authsecret` in the
# same namespace.
# It only protects routers that list it under `middlewares`; a listener that
# serves the dashboard without going through such a router is not covered.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  namespace: default
  name: basic-auth
spec:
  basicAuth:
    secret: authsecret
---
# Secret read by the basic-auth middleware.
# `users` is the base64 of an htpasswd-style list; the value below decodes to
# two entries (admin and user) with apr1 (MD5-based) hashes.
# NOTE(review): the original manifest recorded the cleartext password in a
# comment beside the hash. Keep cleartext credentials out of manifests, and
# prefer bcrypt entries (`htpasswd -B`) with a non-trivial password.
apiVersion: v1
kind: Secret
metadata:
  namespace: default
  name: authsecret
data:
  users: |
    YWRtaW46JGFwcjEkWXdmLkF6Um0kc3owTkpQMi55cy56V2svek43aENtLwoKdXNl
    cjokYXByMSRaU2VKQW1pOSRVV1AvcDdsQy9KSzdrbXBIMXdGL28uCgo=
traefik.yaml
# Traefik v2.2.1 Deployment: one replica, static config from the ConfigMap,
# certificate files from the `certificates` Secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik
  labels:
    app: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      # NOTE(review): the ServiceAccount and its RBAC are not shown in this
      # post; confirm it is limited to the resources Traefik has to watch.
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v2.2.1
          # NOTE(review): Traefik documents file, CLI and environment static
          # configuration as mutually exclusive. A traefik.toml is also mounted
          # below, so confirm which source is in effect; the flags here may be
          # ignored.
          args:
            - '--providers.kubernetescrd=true'
            - '--providers.kubernetesingress=true'
          ports:
            - containerPort: 80
              name: web
            # 8080 is where api.insecure = true (see the ConfigMap) serves the
            # API and dashboard without authentication.
            - containerPort: 8080
              name: admin
            - containerPort: 443
              name: websecure
          volumeMounts:
            - name: config
              mountPath: '/etc/traefik/traefik.toml'
              subPath: traefik.toml
            - name: certificates
              mountPath: /var/ssl/certificates
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: traefik-config-map
        - name: certificates
          secret:
            secretName: certificates
---
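# Service publishing Traefik's entry points through a LoadBalancer.
apiVersion: v1
kind: Service
metadata:
  name: traefik
spec:
  type: LoadBalancer
  selector:
    app: traefik
  ports:
    - name: web
      protocol: TCP
      port: 80
      targetPort: 80
    # Fixed: targetPort was 80, which sent HTTPS traffic to the plain-HTTP
    # `web` entry point. The `websecure` entry point listens on :443
    # (containerPort 443 in the Deployment, address ":443" in traefik.toml).
    - name: websecure
      protocol: TCP
      port: 443
      targetPort: 443
    # NOTE(review): this publishes the admin port externally. With
    # api.insecure = true the dashboard and API answer here without
    # authentication and without the basic-auth middleware. Drop this port
    # once the dashboard is served only through the traefik-dashboard
    # IngressRoute.
    - name: admin
      protocol: TCP
      port: 8080
      targetPort: 8080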
---
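# ConfigMap carrying traefik.toml, which the Traefik Deployment mounts at
# /etc/traefik/traefik.toml.
#
# Change: [api] insecure is now false so the dashboard is reachable only
# through the traefik-dashboard IngressRoute, where basic-auth applies.
#
# NOTE(review): [[tls.certificates]], [tls.options] and [tls.stores] are
# dynamic configuration in Traefik v2. They presumably take effect only because
# [providers.file] watches /etc/traefik, where this same file is mounted.
# Confirm, or move them to a separate file in that directory.
# NOTE(review): [retry] with attempts/maxMem does not look like a Traefik v2
# static option (retry is a middleware in v2); verify it is not silently
# ignored.
# NOTE(review): the CBC cipher suites are weaker than the GCM/CHACHA20 ones;
# drop them unless a legacy client needs them.
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-config-map
data:
  traefik.toml: |-
    [global]
      checkNewVersion = false
      sendAnonymousUsage = false
    [retry]
      attempts = 3
      maxMem = 3
    [entryPoints]
      [entryPoints.web]
        address = ":80"
        [entryPoints.web.http]
          [entryPoints.web.http.redirections]
            [entryPoints.web.http.redirections.entryPoint]
              to = "websecure"
              scheme = "https"
              permanent = true
      [entryPoints.websecure]
        address = ":443"
    [log]
      level = "DEBUG"
    [accessLog]
    [api]
      # Was insecure = true. Insecure mode serves the API and dashboard on
      # :8080 with no authentication, so the basic-auth middleware attached to
      # the dashboard router never applies to that listener.
      insecure = false
      dashboard = true
      # debug = true adds debugging/profiling endpoints to the API; turn it off
      # when not troubleshooting.
      debug = true
    [providers]
      [providers.file]
        directory = "/etc/traefik"
        watch = true
      [providers.kubernetesCRD]
    [[tls.certificates]]
      keyFile = "/var/ssl/certificates/tls.key"
      certFile = "/var/ssl/certificates/tls.crt"
    [tls.options]
      [tls.options.default]
        minVersion = "VersionTLS12"
        preferServerCipherSuites = true
        cipherSuites = [
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
          "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
          "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
          "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
          "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        ]
      [tls.options.mintls13]
        minVersion = "VersionTLS13"
    [tls.stores]
      [tls.stores.default]
        [tls.stores.default.defaultCertificate]
          keyFile = "/var/ssl/certificates/tls.key"
          certFile = "/var/ssl/certificates/tls.crt"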
---
# Routes Host(`traefik.minikube`) to Traefik's internal API/dashboard service,
# behind the basic-auth middleware.
# Only requests that pass through this router are authenticated. The :8080
# listener opened by api.insecure = true (see traefik.toml) bypasses it.
# `tls: {}` dedicates the router to HTTPS requests, so also listing `web` adds
# no plain-HTTP route; the web entry point only issues the redirect.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: default
  name: traefik-dashboard
spec:
  entryPoints:
    - web
    - websecure
  tls: {}
  routes:
    - kind: Rule
      match: 'Host(`traefik.minikube`)'
      middlewares:
        - name: basic-auth
      services:
        - kind: TraefikService
          name: api@internal
whoami-app.yaml
# Single-replica whoami test backend listening on port 80.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
  namespace: default
  labels:
    app: whoami
spec:
  replicas: 1
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          # NOTE(review): no tag or digest, so this resolves to `latest` and
          # can change between pulls; pin a version or digest for repeatable,
          # reviewable deployments.
          image: containous/whoami
          ports:
            - containerPort: 80
              name: web
---
# Cluster-internal Service in front of the whoami pods (port 80).
# No `type` is set, so it is not published outside the cluster; external
# access goes through Traefik.
apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  selector:
    app: whoami
  ports:
    - name: web
      port: 80
      protocol: TCP
---
# Routes /service/whoami to the whoami Service on port 80.
# `tls: {}` dedicates the router to HTTPS requests. The rule has no Host()
# matcher, so it matches this path prefix for any hostname reaching Traefik.
# NOTE(review): for HTTPS-only serving, `websecure` should be the only entry
# point needed. If removing `web` produces a 404, check that HTTPS traffic
# actually reaches the :443 entry point (the traefik Service maps port 443 to
# targetPort 80).
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: default
  name: whoami
spec:
  entryPoints:
    - web
    - websecure
  tls: {}
  routes:
    - kind: Rule
      match: 'PathPrefix(`/service/whoami`)'
      services:
        - name: whoami
          port: 80
Some screenshots: