Kubernetes Ingress not working with Traefik and TLS

I am trying to get some stuff working on K8s (1.21.0 on Ubuntu 20.04 on bare metal) and am likely missing something simple. I have installed Traefik (2.4.8) using their helm chart (9.19.1) and the following values file:

deployment:
  kind: DaemonSet

dashboard:
  enabled: true

hostNetwork: true
ports:
  web:
    port: 80
  websecure:
    port: 443

securityContext:
  capabilities:
    drop: [ALL]
    add: [NET_BIND_SERVICE]
  readOnlyRootFilesystem: true
  runAsGroup: 0
  runAsNonRoot: false
  runAsUser: 0

additionalArguments:
  - "--log.level=DEBUG"

I can ssh tunnel in and see the Traefik dashboard. I installed httpbin to have something to test against:

apiVersion: v1
kind: Service
metadata:
  name: httpbin
  namespace: default
spec:
  selector:
    app: httpbin
  ports:
    - port: 8080
      protocol: TCP
      targetPort: 80
---
apiVersion: v1
kind: Pod
metadata:
  name: httpbin
  namespace: default
  labels:
    app: httpbin
spec:
  containers:
    - image: kennethreitz/httpbin:latest
      name: httpbin
      ports:
        - containerPort: 80
          protocol: TCP

I created a secret with my certificate (a real *.brandseye.com cert) and an Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
  namespace: default
spec:
  tls:
    - hosts:
        - aragorn.brandseye.com
      secretName: brandseye-com-cert
  rules:
    - host: aragorn.brandseye.com
      http:
        paths:
          - path: /get
            pathType: Exact
            backend:
              service:
                name: httpbin
                port:
                  number: 8080

Now I can go to: http://aragorn.brandseye.com/get and it works. However https://aragorn.brandseye.com/get gives a 404. The correct certificate is used.

The Traefik logs seem OK:

time="2021-05-18T13:35:38Z" level=debug msg="Configuration received from provider kubernetes: {\"http\":{\"routers\":{\"test-ingress-default-aragorn-brandseye-com-get\":{\"service\":\"default-httpbin-8080\",\"rule\":\"Host(`aragorn.brandseye.com`) \\u0026\\u0026 Path(`/get`)\"}},\"services\":{\"default-httpbin-8080\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.20.1.9:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"tls\":{}}" providerName=kubernetes
time="2021-05-18T13:35:38Z" level=debug msg="No entryPoint defined for this router, using the default one(s) instead: [web websecure]" routerName=test-ingress-default-aragorn-brandseye-com-get
time="2021-05-18T13:35:38Z" level=debug msg="No store is defined to add the certificate MIIGkDCCBXigAwIBAgIQCYfAPbF1vuf5b72JgcBPEDANBgkqhk, it will be added to the default store."
time="2021-05-18T13:35:38Z" level=debug msg="Adding certificate for domain(s) *.brandseye.com,brandseye.com"
time="2021-05-18T13:35:38Z" level=debug msg="No default certificate, generating one"
time="2021-05-18T13:35:38Z" level=debug msg="Added outgoing tracing middleware ping@internal" middlewareType=TracingForwarder entryPointName=traefik routerName=ping@internal middlewareName=tracing
time="2021-05-18T13:35:38Z" level=debug msg="Added outgoing tracing middleware api@internal" routerName=kube-system-traefik-dashboard-d012b7f875133eeab4e5@kubernetescrd entryPointName=traefik middlewareName=tracing middlewareType=TracingForwarder
time="2021-05-18T13:35:38Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareType=TracingForwarder entryPointName=traefik routerName=traefik-traefik-dashboard-d012b7f875133eeab4e5@kubernetescrd middlewareName=tracing
time="2021-05-18T13:35:38Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-05-18T13:35:38Z" level=debug msg="Creating middleware" serviceName=default-httpbin-8080 middlewareName=pipelining middlewareType=Pipelining entryPointName=web routerName=test-ingress-default-aragorn-brandseye-com-get@kubernetes
time="2021-05-18T13:35:38Z" level=debug msg="Creating load-balancer" routerName=test-ingress-default-aragorn-brandseye-com-get@kubernetes serviceName=default-httpbin-8080 entryPointName=web
time="2021-05-18T13:35:38Z" level=debug msg="Creating server 0 http://172.20.1.9:80" serviceName=default-httpbin-8080 serverName=0 entryPointName=web routerName=test-ingress-default-aragorn-brandseye-com-get@kubernetes
time="2021-05-18T13:35:38Z" level=debug msg="Added outgoing tracing middleware default-httpbin-8080" middlewareType=TracingForwarder entryPointName=web routerName=test-ingress-default-aragorn-brandseye-com-get@kubernetes middlewareName=tracing
time="2021-05-18T13:35:38Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-05-18T13:35:38Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-05-18T13:35:38Z" level=debug msg="No default certificate, generating one"

Any ideas? Tx.

If I look at the router details on the Traefik Dashboard it has nothing in the TLS block which doesn't seem right:

[Screenshot: nothing in the Traefik dashboard TLS block]



Solution 1:[1]

I don't know if this will help you or not, but my configuration works well like this.

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: laznp-www-ingress-route
  namespace: wordpress
spec:
  entryPoints:
    - websecure
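  # routes and tls belong under spec
  routes:
    - match: Host(`laznp.id`)
      kind: Rule
      services:
        - name: laznp-www-svc
          port: 80
  # an empty tls block marks this router as HTTPS-only on websecure
  tls: {}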

I use the IngressRoute kind from the Traefik CRD; hope it helps.
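
Added example (not part of the question or the answer above): a small check that reads Traefik debug logs and lists every HTTP router the provider generated without a `tls` section, which is the state the question's log and dashboard show. The sample input is the provider line copied from the question's log, and the default entry points `web` and `websecure` come from the "using the default one(s)" log line. In Traefik 2.x a router without a `tls` section only matches non-TLS requests, so HTTPS requests on `websecure` find no route.

```python
import json
import re

# Sample input: the provider line from the question's debug log, plus one
# unrelated line to show that non-matching lines are skipped.
SAMPLE_LOG = r'''time="2021-05-18T13:35:38Z" level=debug msg="Configuration received from provider kubernetes: {\"http\":{\"routers\":{\"test-ingress-default-aragorn-brandseye-com-get\":{\"service\":\"default-httpbin-8080\",\"rule\":\"Host(`aragorn.brandseye.com`) \\u0026\\u0026 Path(`/get`)\"}},\"services\":{\"default-httpbin-8080\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.20.1.9:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"tls\":{}}" providerName=kubernetes
time="2021-05-18T13:35:38Z" level=debug msg="No default certificate, generating one"
'''

MSG_RE = re.compile(r'msg="((?:[^"\\]|\\.)*)"')
CFG_RE = re.compile(r'^Configuration received from provider (\S+): (.*)$', re.S)

def provider_configs(log_text):
    """Yield (provider, config dict) for each 'Configuration received' line."""
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        # The msg value is a quoted string; the escapes used in these lines
        # (\" and \\) are also valid JSON string escapes, so json can unquote it.
        msg = json.loads('"' + m.group(1) + '"')
        cfg = CFG_RE.match(msg)
        if cfg:
            yield cfg.group(1), json.loads(cfg.group(2))

def routers_without_tls(log_text, default_entrypoints=("web", "websecure")):
    """Return the HTTP routers that carry no tls section."""
    findings = []
    for provider, cfg in provider_configs(log_text):
        routers = (cfg.get("http") or {}).get("routers") or {}
        for name, router in routers.items():
            if "tls" in router:
                continue
            findings.append({
                "router": f"{name}@{provider}",
                "rule": router.get("rule", ""),
                # No entryPoints key means Traefik attaches the defaults.
                "entryPoints": router.get("entryPoints") or list(default_entrypoints),
            })
    return findings

if __name__ == "__main__":
    for f in routers_without_tls(SAMPLE_LOG):
        print(f"{f['router']}: no tls section, entry points {f['entryPoints']}, rule {f['rule']}")
```

For a plain Ingress, Traefik 2.x sets TLS on the generated router through the annotation `traefik.ingress.kubernetes.io/router.tls: "true"`; the `tls: {}` in the IngressRoute above does the same for the CRD. Until the router carries TLS, the path is served only in cleartext on `web`, which matches the question's working http:// request.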

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Lazuardi N Putra