Traefik dashboard refuses connection using minikube - traefik

I am trying to deploy Traefik (v1.7) to a local minikube cluster using helm:
helm install --values values.yml stable/traefik
values.yml:
dashboard:
  enabled: true
  domain: dashboard.localhost
kubernetes:
  namespaces:
    - default
    - kube-system
I added dashboard.localhost to the /etc/hosts file
But I cannot access the dashboard.
curl http://dashboard.localhost:31745/
404 page not found
curl http://dashboard.localhost/
no response...
In a browser:
minikube service list
|----------------------|-----------------------------------|--------------|-----------------------------|
| NAMESPACE            | NAME                              | TARGET PORT  | URL                         |
|----------------------|-----------------------------------|--------------|-----------------------------|
| default              | coiled-cardinal-traefik           |              | http://192.168.99.111:31731 |
|                      |                                   |              | http://192.168.99.111:31745 |
| default              | coiled-cardinal-traefik-dashboard | No node port |                             |
| default              | kubernetes                        | No node port |                             |
| default              | traefik-web-ui                    | No node port |                             |
| kube-system          | kube-dns                          | No node port |                             |
| kube-system          | tiller-deploy                     | No node port |                             |
| kube-system          | traefik-web-ui                    | No node port |                             |
| kubernetes-dashboard | dashboard-metrics-scraper         | No node port |                             |
| kubernetes-dashboard | kubernetes-dashboard              | No node port |                             |
|----------------------|-----------------------------------|--------------|-----------------------------|
kubectl get svc coiled-cardinal-traefik --namespace default -w
NAME                      TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
coiled-cardinal-traefik   LoadBalancer   10.111.40.100   <pending>     80:31731/TCP,443:31745/TCP   36m
Any ideas?
UPDATE:
I created and applied two services according to the Traefik docs.
My variant:
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: default
spec:
  selector:
    app: traefik
  ports:
    - name: web
      port: 80
      targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: default
spec:
  rules:
    - host: dashboard.localhost
      http:
        paths:
          - path: /
            backend:
              serviceName: traefik-web-ui
              servicePort: web
Traefik 1.7 docs variant:
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: traefik-ui.minikube
      http:
        paths:
          - backend:
              serviceName: traefik-web-ui
              servicePort: 80
My /etc/hosts:
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
127.0.0.1 test
192.168.99.111 dashboard.localhost
192.168.99.111 traefik-ui.minikube
open http://traefik-ui.minikube
The end result is ERR_CONNECTION_TIMED_OUT...

To access the dashboard you have to create two services, as explained in the Traefik docs:
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: traefik-ui.minikube
      http:
        paths:
          - backend:
              serviceName: traefik-web-ui
              servicePort: 80
and then add an entry in /etc/hosts:
echo "$(minikube ip) traefik-ui.minikube" | sudo tee -a /etc/hosts

Related

Unable to self sign certificate nginx ingress k3s

I'm new to K3s, and have struggled with this step for a few days.
Environment: Ubuntu 20.04 | K3s installation without Traefik.
K3s installation script:
curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --no-deploy=traefik" sh -s -
Nginx ingress installation script:
helm repo add nginx-stable https://helm.nginx.com/stable
helm repo update
helm install my-release nginx-stable/nginx-ingress
Cert-manager installation script:
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.3.1 \
  --set installCRDs=true
Verified with Cert-manager verifier
Create a testing namespace to play with: kubectl create ns practice-cls
Test service deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kuard
  namespace: practice-cls
spec:
  selector:
    matchLabels:
      app: kuard
  replicas: 1
  template:
    metadata:
      labels:
        app: kuard
    spec:
      containers:
        - image: gcr.io/kuar-demo/kuard-amd64:1
          imagePullPolicy: Always
          name: kuard
          ports:
            - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: kuard
  namespace: practice-cls
spec:
  ports:
    - port: 80
      targetPort: 8080
      protocol: TCP
  selector:
    app: kuard
Issuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
  namespace: cert-manager
spec:
  selfSigned: {}
Service ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kuard
  namespace: practice-cls
  annotations:
    cert-manager.io/cluster-issuer: "selfsigned-cluster-issuer"
spec:
  tls:
    - hosts:
        - example.example.com
      secretName: quickstart-example-tls
  rules:
    - host: example.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kuard
                port:
                  number: 80
  ingressClassName: nginx
# kubectl describe ing kuard -n practice-cls
Name: kuard
Labels: <none>
Namespace: practice-cls
Address: 10.227.224.141
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
quickstart-example-tls terminates example.example.com
Rules:
Host Path Backends
---- ---- --------
example.example.com
/ kuard:80 (10.42.0.76:8080)
Annotations: cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning AddedOrUpdatedWithWarning 6m9s nginx-ingress-controller Configuration for practice-cls/kuard was added or updated ; with warning(s): TLS secret quickstart-example-tls is invalid: secret doesn't exist or of an unsupported type
I don't know if there was anything wrong with this; the kuard image was just a tutorial service from cert-manager. And I got ERR_SSL_UNRECOGNIZED_NAME_ALERT from the manifests above.
Let me know if there's some more information to troubleshoot this.
Thank you guys
After a while of searching and experimenting, I managed to handle this by:
- Using the K8s nginx ingress instead of the official one provided by nginx themselves
- Enabling SSL passthrough, either by editing the deployment of the nginx controller or enabling it right when installing
The nginx ingress controller (produced by Nginx, the company), has picky code that will not support the default Opaque Secret type for the TLS secret. Check that your "quickstart-example-tls" Secret has its type set to: kubernetes.io/tls, or one of the supported types in their list.
// IsSupportedSecretType checks if the secret type is supported.
func IsSupportedSecretType(secretType api_v1.SecretType) bool {
	return secretType == api_v1.SecretTypeTLS ||
		secretType == SecretTypeCA ||
		secretType == SecretTypeJWK ||
		secretType == SecretTypeOIDC
}
The community supported Kubernetes Nginx Ingress Controller does not have this restriction, and supports Opaque secret types just fine.
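A way to check the Secret before pointing the Ingress at it, added here as an example (it is not code from the question or from either controller): it parses the JSON that `kubectl get secret quickstart-example-tls -n practice-cls -o json` prints and requires the kubernetes.io/tls type (the type cert-manager writes) plus PEM-encoded tls.crt and tls.key entries. SampleSecret builds constructed manifests with dummy PEM bodies so the check runs offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
)

// secret mirrors the Secret fields that matter here (`kubectl get secret -o json` shape).
type secret struct {
	Type string            `json:"type"`
	Data map[string]string `json:"data"` // values are base64-encoded
}

// CheckTLSSecret reports whether a Secret is of type kubernetes.io/tls and holds
// PEM tls.crt and tls.key entries, the form the NGINX Inc. controller accepts.
func CheckTLSSecret(raw []byte) error {
	var s secret
	if err := json.Unmarshal(raw, &s); err != nil {
		return fmt.Errorf("not a Secret manifest: %w", err)
	}
	if s.Type != "kubernetes.io/tls" {
		return fmt.Errorf("secret type %q is not kubernetes.io/tls", s.Type)
	}
	for key, want := range map[string]string{"tls.crt": "CERTIFICATE", "tls.key": "PRIVATE KEY"} {
		der, err := base64.StdEncoding.DecodeString(s.Data[key]) // missing key decodes to ""
		if err != nil {
			return fmt.Errorf("%s: bad base64: %w", key, err)
		}
		block, _ := pem.Decode(der)
		if block == nil || !strings.HasSuffix(block.Type, want) {
			return fmt.Errorf("%s is missing or is not a PEM %s block", key, want)
		}
	}
	return nil
}

// SampleSecret builds a constructed Secret manifest for testing; the PEM bodies
// are three zero bytes, not real certificate or key material.
func SampleSecret(typ string, withKey bool) []byte {
	enc := func(t string) string {
		return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: t, Bytes: []byte{0, 0, 0}}))
	}
	s := secret{Type: typ, Data: map[string]string{"tls.crt": enc("CERTIFICATE")}}
	if withKey {
		s.Data["tls.key"] = enc("EC PRIVATE KEY")
	}
	raw, _ := json.Marshal(s)
	return raw
}
```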

argocd & traefik: argocd unreachable

I'm struggling with exposing argocd using traefik.
Argocd is well deployed on my kubernetes. I'm able to reach it using port forwarding:
curl -I -k https://localhost:36651
HTTP/1.1 200 OK
I've deployed this IngressRoute:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: argocd-server
  namespace: argocd
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`argocd.localhost`)
      priority: 10
      services:
        - name: argocd-server
          port: 80
    - kind: Rule
      match: Host(`argocd.localhost`) && Headers(`Content-Type`, `application/grpc`)
      priority: 11
      services:
        - name: argocd-server
          port: 80
          scheme: h2c
  tls:
    certResolver: default
    options: {}
When I'm trying to reach it, I'm getting a 404.
curl argocd.localhost
404 page not found
I've also tried to reach https directly:
curl -I -k https://argocd.localhost:8443/
HTTP/2 307
location: https://argocd.localhost:8443/
It's giving me a redirect to https://argocd.localhost:8443/, which is the same URL that was requested in the curl command...
Any ideas?

Istio Egress Gateways with TLS Origination CERTIFICATE_VERIFY_FAILED

I'm trying to setup istio (v1.7.3) on AKS (v1.16.13) in a way that for some of the HTTP destinations a TLS Origination will be performed. So when one of my pods is invoking abc.mydomain.com with HTTP, the Egress request will be upgraded to HTTPS and the TLS verification done through the Egress gateway.
I have followed these 2 tutorials to achieve that:
https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway-tls-origination-sds/
https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/
I ended up with something like this (abc.mydomain.com is an external URL, so that's why I created a ServiceEntry for it):
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: abc.mydomain.com
spec:
  hosts:
    - abc.mydomain.com
  ports:
    - number: 80
      name: http
      protocol: HTTP
    - number: 443
      name: https
      protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
  namespace: istio-system
spec:
  selector:
    istio: egressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - abc.mydomain.com
      tls:
        mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-abc
  namespace: istio-system
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
    - name: abc
      trafficPolicy:
        loadBalancer:
          simple: ROUND_ROBIN
        portLevelSettings:
          - port:
              number: 443
            tls:
              mode: ISTIO_MUTUAL
              sni: abc.mydomain.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-abc-through-egress-gateway
  namespace: istio-system
spec:
  hosts:
    - abc.mydomain.com
  gateways:
    - istio-egressgateway
    - mesh
  http:
    - match:
        - gateways:
            - mesh
          port: 80
      route:
        - destination:
            host: istio-egressgateway.istio-system.svc.cluster.local
            subset: abc
            port:
              number: 443
          weight: 100
    - match:
        - gateways:
            - istio-egressgateway
          port: 443
      route:
        - destination:
            host: abc.mydomain.com
            port:
              number: 443
          weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-tls-for-abc
  namespace: istio-system
spec:
  host: abc.mydomain.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
      - port:
          number: 443
        tls:
          mode: SIMPLE
          credentialName: abc # this must match the secret created earlier without the "-cacert" suffix
          sni: abc.mydomain.com
I'm creating a secret for my CA root with: kubectl create secret generic abc-cacert --from-file=ca.crt=mydomainrootca.crt -n istio-system
I've used the same certificate for my java applications and I can successfully invoke HTTPS for the same url using JKS. It seems the certificate is loaded properly into egress (kubectl logs -f -l istio=egressgateway -n istio-system):
2020-10-06T20:00:36.611607Z info sds resource:abc-cacert new connection
2020-10-06T20:00:36.612907Z info sds Skipping waiting for gateway secret
2020-10-06T20:00:36.612994Z info cache GenerateSecret abc-cacert
2020-10-06T20:00:36.613063Z info sds resource:abc-cacert pushed root cert to proxy
When I invoke curl abc.mydomain.com from a pod running on my cluster I'm getting this error from egress gateway:
[2020-10-06T19:33:40.902Z] "GET / HTTP/1.1" 503 UF,URX "-" "TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 91 172 - "192.244.0.191" "curl/7.64.0" "b618b1e6-e543-4053-bf2f-8ae56664545f" "abc.mydomain.com" "192.223.24.254:443" outbound|443||abc.mydomain.com - 192.244.0.188:8443 192.244.0.191:41306 abc.mydomain.com -
Any idea what I might be doing wrong? I'm quite new to Istio and I don't understand all of the need for DestinationRule/VirtualService, so please bear with me.
UPDATE1
After putting the DestinationRules in the namespace where my pod is running, I'm getting the following:
curl abc.mydomain.com
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.17.10</center>
</body>
</html>
Here is the output of istioctl proxy-status:
NAME                                                CDS      LDS      EDS      RDS      ISTIOD                     VERSION
istio-egressgateway-695dc4fc7c-p5p42.istio-system   SYNCED   SYNCED   SYNCED   SYNCED   istiod-5c6b7b5b8f-csggg    1.7.3
istio-ingressgateway-5689f7c67-j54m7.istio-system   SYNCED   SYNCED   SYNCED   SYNCED   istiod-5c6b7b5b8f-csggg    1.7.3
test-5bbfdb8f4b-hg7vf.test                          SYNCED   SYNCED   SYNCED   SYNCED   istiod-5c6b7b5b8f-csggg    1.7.3
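The 503 with CERTIFICATE_VERIFY_FAILED above is Envoy reporting that the certificate served by abc.mydomain.com did not verify against the CA loaded from the abc-cacert secret. The Go below, added here as an example and not code from the question or from Istio, repeats that verification outside the mesh: VerifyOrigination takes the ca.crt PEM and the upstream's leaf PEM (for instance captured with openssl s_client) and the SNI host; TestMaterial builds constructed certificates to show the check passing with the matching root and failing with an unrelated root or a host outside the SAN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// VerifyOrigination repeats what the egress gateway checks with tls mode SIMPLE:
// the upstream leaf must chain to the CA in ca.crt and its SAN must cover host.
func VerifyOrigination(caPEM, leafPEM []byte, host string) error {
	pool := x509.NewCertPool()
	block, _ := pem.Decode(leafPEM)
	if !pool.AppendCertsFromPEM(caPEM) || block == nil {
		return errors.New("ca.crt or upstream certificate is not a PEM certificate")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// sign issues a constructed test certificate from tmpl with a fresh key; nil parentKey means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parentKey == nil { parentKey = key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key
}

// TestMaterial returns a root CA, a leaf for abc.mydomain.com issued by it, and an
// unrelated root (same name, different key) that must be rejected. All constructed.
func TestMaterial() (ca, leaf, otherCA []byte) {
	now := time.Now()
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "mydomain root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"abc.mydomain.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	ca, caKey := sign(root, root, nil)
	leaf, _ = sign(srv, root, caKey)
	otherCA, _ = sign(root, root, nil)
	return ca, leaf, otherCA
}
```

Pointing VerifyOrigination at the real mydomainrootca.crt and the leaf abc.mydomain.com serves tells you whether the failure is the CA bundle (missing intermediate, wrong root) or the SAN not matching the SNI.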

TLS setup on K8S Ingress with Traefik

I have a setup that is not much different from the user guide for use with k8s. For some reason I can only access http://app.minikube and not https://app.minikube.
Can someone look at my setup and see what I am obviously missing?
apiVersion: v1
kind: Service
metadata:
  name: myapp
  labels:
    app: myapp
spec:
  ports:
    - name: http
      port: 80
      targetPort: 7777
  selector:
    app: myapp
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myingress
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: app.minikube
      http:
        paths:
          - path: /
            backend:
              serviceName: myapp
              servicePort: http
  tls:
    - secretName: mytls
FYI, according to the Traefik user guide, the hosts definition in tls is unneeded, which is why I left it out.
The field hosts in the TLS configuration is ignored. Instead, the domains provided by the certificate are used for this purpose. It is recommended to not use wildcard certificates as they will match globally.
You're missing the hosts section:
tls:
  - hosts:
      - my-host.example.com
    secretName: my-secret

Running Nexus in Kubernetes using ingress with path other than /

I have trouble running Nexus 3 in Kubernetes via ingress when I specify a path other than "/". Nexus does not load fully when I visit the web portal as https://www.myportal.com/mypath. I have a true certificate. This is my ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    ingress.kubernetes.io/rewrite-target: /
    ingress.kubernetes.io/add-base-url: "true"
  name: myingress
spec:
  rules:
    - host: mynexus.com
      http:
        paths:
          - path: /mypath
            backend:
              serviceName: mynexus-sonatype-nexus
              servicePort: 9988
  tls:
    - hosts:
        - mynexus.com
      secretName: mynexus-cert-secret