Kubernetes Traefik v2.3.0 - Web UI 404 删除后未找到 --api.insecure

Kubernetes Traefik v2.3.0 - Web UI 404 Not Found after removing --api.insecure

我是 运行 AKS(Azure Kubernetes 服务)集群中的 Traefik v2.3.0,我目前正在尝试在我的 Traefik UI.[=16= 上设置基本身份验证]

仪表板 (Traefik UI) 在没有任何身份验证的情况下工作正常,但是当我尝试使用基本身份验证访问时,我得到了服务器未找到页面。

这是我的配置。

IngressRoute,BasicAuth、Secret 和 Service 的中间件:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-ui
  namespace: ingress-basic
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`traefik-ui.domain.com`) && PathPrefix(`/`) || PathPrefix(`/dashboard`)
    services:
    - name: traefik-ui
      port: 80
    middlewares:
    - name: traefik-ui-auth
      namespace: ingress-basic
  tls:
    secretName: traefik-ui-cert
---
apiVersion: v1
kind: Secret
metadata:
  name: traefik-secret
  namespace: ingress-basic
data:
  users: |2
    dWlhZG06JGFwcjEkanJMZGtEb1okaS9BckJmZzFMVkNIMW80bGtKWFN6LwoK
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-ui-auth
  namespace: ingress-basic
spec:
  basicAuth:
    secret: traefik-secret
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-ui
  namespace: ingress-basic
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: traefik-ingress-lb
  sessionAffinity: None
  type: ClusterIP

DaemonSet 和服务:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: traefik-ingress
  namespace: ingress-basic
spec:
  selector:
    matchLabels:
      app: traefik-ingress-lb
  template:
    metadata:
      labels:
        app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: size
                operator: In
                values:
                - small
      containers:
      - args:
        - --api.dashboard=true
        - --accesslog
        - --accesslog.fields.defaultmode=keep
        - --accesslog.fields.headers.defaultmode=keep
        - --entrypoints.web.address=:80
        - --entrypoints.websecure.address=:443
        - --entrypoints.metrics.address=:8082
        - --providers.kubernetesIngress.ingressClass=traefik-cert-manager
        - --certificatesresolvers.default.acme.email=info@domain.com
        - --certificatesresolvers.default.acme.storage=acme.json
        - --certificatesresolvers.default.acme.tlschallenge
        - --providers.kubernetescrd
        - --ping=true
        - --pilot.token=xxxxxx-xxxx-xxxx-xxxxx-xxxxx-xx
        - --metrics.statsd=true
        - --metrics.statsd.address=localhost:8125
        - --metrics.statsd.addEntryPointsLabels=true
        - --metrics.statsd.addServicesLabels=true
        image: traefik:v2.3.0
        imagePullPolicy: IfNotPresent
        name: traefik-ingress-lb
        ports:
        - containerPort: 80
          name: web
          protocol: TCP
        - containerPort: 8080
          name: admin
          protocol: TCP
        - containerPort: 443
          name: websecure
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /acme/acme.json
          name: acme
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: traefik-ingress
      serviceAccountName: traefik-ingress
      terminationGracePeriodSeconds: 60
      tolerations:
      - effect: NoSchedule
        key: size
        operator: Equal
        value: small
      volumes:
      - hostPath:
          path: /srv/configs/acme.json
          type: ""
        name: acme

使用此配置: kubectl exec -it -n ingress-basic traefik-ingress-2m88q -- curl http://localhost:8080/dashboard/

404 page not found

删除中间件并在 DaemonSet 配置中添加“--api.insecure”时: kubectl exec -it -n ingress-basic traefik-ingress-1hf4q -- curl http://localhost:8080/dashboard/

<!DOCTYPE html><html><head><title>Traefik</title><meta charset=utf-8><meta name=description content="Traefik UI"><meta name=format-detection content="telephone=no"><meta name=msapplication-tap-highlight content=no><meta name=viewport content="user-scalable=no,initial-scale=1,maximum-scale=1,minimum-scale=1,width=device-width"><link rel=icon type=image/png href=statics/app-logo-128x128.png><link rel=icon type=image/png sizes=16x16 href=statics/icons/favicon-16x16.png><link rel=icon[...]</body></html>

请告诉我我做错了什么?还有其他方法吗?

此致,

这是 IngressRoute 的另一种形式,适用于您的环境。

我认为 99% 的问题是实际的路由匹配,特别是如果你说 --api.insecure 有效。 另外根据经验,日志记录和访问日志对 DaemonSet 定义有很大帮助。

    - --log
    - --log.level=DEBUG
    - --accesslog
    ---
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: traefik-ui
      namespace: ingress-basic
    spec:
      entryPoints:
        - websecure
      routes:
      - match: Host(`traefik-ui.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
        kind: Rule
        services:
        - name: api@internal
          kind: TraefikService
        middlewares:
          - name: traefik-basic-auth
      tls:
        secretName: traefik-ui-cert