Skip to main content

Kommander Traefik returns 301 (moved permanently) after a major version upgrade

Andrey Dyatlov
  • Updated

Problem

After a major version upgrade, the Kommander Traefik ingress controller responds with HTTP code 301 -- "moved permanently". In the logs of the ingress controller, you may find the following lines:

192.168.83.99 - - [07/Mar/2023:13:51:46 +0000] "GET /path/to/my/service HTTP/1.1" 301 17 "-" "-" 494606 "web-to-443@internal" "-" 0ms

Reason

Starting from DKP v2, the Kommander Traefik ingress controller redirects all the HTTP requests sent to port 80 to the equivalent HTTPS request for port 443.

Solution 1

Reconfigure the external load balancer to send all the requests to Traefik 443 port.

Solution 2

Change the default Traefik behavior following the application customization guide.

Here is an example of the steps you need to perform; please be aware that the steps might be slightly different for your cluster.

1. Copy the additionalArguments section from the ConfigMap with the default Traefik config to the file values.yaml:

kubectl get configmap traefik-10.3.0-d2iq-defaults -n kommander -o jsonpath='{.data.values\.yaml}' | yq eval '. | with_entries(select(.key == "additionalArguments"))' > values.yaml

2. Remove the following settings from the config:

--entrypoints.web.http.redirections.entryPoint.to=:443
--entrypoints.web.http.redirections.entryPoint.scheme=https
grep -v -e "--entrypoints.web.http.redirections.entryPoint.to=:443" -e "--entrypoints.web.http.redirections.entryPoint.scheme=https" values.yaml > values_filtered.yaml
mv values_filtered.yaml values.yaml

The values.yaml should look like this:

---
# TODO: with Traefik 2 we should be able to validate against the proper CA
# https://jira.d2iq.com/browse/D2IQ-75866
additionalArguments:
- "--serversTransport.insecureSkipVerify=true"
- "--metrics.prometheus=true"
- "--providers.kubernetesingress.ingressendpoint.publishedservice=kommander/kommander-traefik"
- "--providers.kubernetesingress.ingressclass=kommander-traefik"
- "--api.insecure=true"
- "--experimental.localPlugins.plugin-rewritebody.moduleName=plugin-rewritebody"
# cross-namespace routing can be removed once we no longer support
# migrating from k1x to k20
- "--providers.kubernetescrd.allowcrossnamespace=true"

3. Create a ConfigMap called traefik-overrides using the values.yaml as its data:

kubectl create configmap traefik-overrides -n kommander --from-file=values.yaml

4. Amend the AppDeployment called traefik:

kubectl patch appdeployment traefik -n kommander --type='merge' -p '{
  "spec": {
    "configOverrides": {
      "name": "traefik-overrides"
    }
  }
}'

5. Wait for about one minute and check that the args in the traefik deployment don't have the following lines (both commands are expected to show nothing):

--entrypoints.web.http.redirections.entryPoint.to=:443
--entrypoints.web.http.redirections.entryPoint.scheme=https
kubectl get deployment kommander-traefik -n kommander -o yaml | grep -F -- "--entrypoints.web.http.redirections.entryPoint.to=:443"
kubectl get deployment kommander-traefik -n kommander -o yaml | grep -F -- "--entrypoints.web.http.redirections.entryPoint.scheme=https"