Problem
After a major version upgrade, the Kommander Traefik ingress controller responds with HTTP code 301 -- "moved permanently". In the logs of the ingress controller, you may find the following lines:
192.168.83.99 - - [07/Mar/2023:13:51:46 +0000] "GET /path/to/my/service HTTP/1.1" 301 17 "-" "-" 494606 "web-to-443@internal" "-" 0ms
Reason
Starting from DKP v2, the Kommander Traefik ingress controller redirects all the HTTP requests sent to port 80 to the equivalent HTTPS request for port 443.
Solution 1
Reconfigure the external load balancer to send all the requests to Traefik 443 port.
Solution 2
Change the default Traefik behavior following the application customization guide.
Here is an example of the steps you need to perform; please be aware that the steps might be slightly different for your cluster.
1. Copy the additionalArguments
section from the ConfigMap with the default Traefik config to the file values.yaml
:
kubectl get configmap traefik-10.3.0-d2iq-defaults -n kommander -o jsonpath='{.
data.values\.yaml}' | yq eval '. | with_entries(select(.key == "additionalArguments"))' > values.yaml
2. Remove the following settings from the config:
--entrypoints.web.http.redirections.entryPoint.to=:443
--entrypoints.web.http.redirections.entryPoint.scheme=https
grep -v -e "--entrypoints.web.http.redirections.entryPoint.to=:443" -e "--entrypoints.web.http.redirections.entryPoint.scheme=https" values.yaml > values_filtered.yaml
mv values_filtered.yaml values.yaml
The values.yaml
should look like this:
---
# TODO: with Traefik 2 we should be able to validate against the proper CA
# https://jira.d2iq.com/browse/D2IQ-75866
additionalArguments:
- "--serversTransport.insecureSkipVerify=true"
- "--metrics.prometheus=true"
- "--providers.kubernetesingress.ingressendpoint.publishedservice=kommander/kommander-traefik"
- "--providers.kubernetesingress.ingressclass=kommander-traefik"
- "--api.insecure=true"
- "--experimental.localPlugins.plugin-rewritebody.moduleName=plugin-rewritebody"
# cross-namespace routing can be removed once we no longer support
# migrating from k1x to k20
- "--providers.kubernetescrd.allowcrossnamespace=true"
3. Create a ConfigMap called traefik-overrides
using the values.yaml
as its data:
kubectl create configmap traefik-overrides -n kommander --from-file=values.yaml
4. Amend the AppDeployment called traefik
:
kubectl patch appdeployment traefik -n kommander --type='merge' -p '{
"spec": {
"configOverrides": {
"name": "traefik-overrides"
}
}
}'
5. Wait for about one minute and check that the args in the traefik deployment don't have the following lines (both commands are expected to show nothing):
--entrypoints.web.http.redirections.entryPoint.to=:443
--entrypoints.web.http.redirections.entryPoint.scheme=https
kubectl get deployment kommander-traefik -n kommander -o yaml | grep -F -- "--entrypoints.web.http.redirections.entryPoint.to=:443"
kubectl get deployment kommander-traefik -n kommander -o yaml | grep -F -- "--entrypoints.web.http.redirections.entryPoint.scheme=https"