Kubernetes Traefik v2.3.0-WebUI 404删除后找不到

Question

我正在AKS (Azure Kubernetes Service)集群中运行Traefik v2.3.0，目前我正在尝试在Traefik UI上设置一个基本身份验证。

仪表板(Traefik )在没有任何身份验证的情况下工作正常，但是当我尝试使用基本身份验证访问时，我会让服务器找不到页面。

这是我的配置。

IngressRoute，用于BasicAuth、秘密和服务的中间件：

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-ui
  namespace: ingress-basic
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`traefik-ui.domain.com`) && PathPrefix(`/`) || PathPrefix(`/dashboard`)
    services:
    - name: traefik-ui
      port: 80
    middlewares:
    - name: traefik-ui-auth
      namespace: ingress-basic
  tls:
    secretName: traefik-ui-cert
---
apiVersion: v1
kind: Secret
metadata:
  name: traefik-secret
  namespace: ingress-basic
data:
  users: |2
    dWlhZG06JGFwcjEkanJMZGtEb1okaS9BckJmZzFMVkNIMW80bGtKWFN6LwoK
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-ui-auth
  namespace: ingress-basic
spec:
  basicAuth:
    secret: traefik-secret
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-ui
  namespace: ingress-basic
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: traefik-ingress-lb
  sessionAffinity: None
  type: ClusterIP

DaemonSet和服务：

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: traefik-ingress
  namespace: ingress-basic
spec:
  selector:
    matchLabels:
      app: traefik-ingress-lb
  template:
    metadata:
      labels:
        app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: size
                operator: In
                values:
                - small
      containers:
      - args:
        - --api.dashboard=true
        - --accesslog
        - --accesslog.fields.defaultmode=keep
        - --accesslog.fields.headers.defaultmode=keep
        - --entrypoints.web.address=:80
        - --entrypoints.websecure.address=:443
        - --entrypoints.metrics.address=:8082
        - --providers.kubernetesIngress.ingressClass=traefik-cert-manager
        - --certificatesresolvers.default.acme.email=info@domain.com
        - --certificatesresolvers.default.acme.storage=acme.json
        - --certificatesresolvers.default.acme.tlschallenge
        - --providers.kubernetescrd
        - --ping=true
        - --pilot.token=xxxxxx-xxxx-xxxx-xxxxx-xxxxx-xx
        - --metrics.statsd=true
        - --metrics.statsd.address=localhost:8125
        - --metrics.statsd.addEntryPointsLabels=true
        - --metrics.statsd.addServicesLabels=true
        image: traefik:v2.3.0
        imagePullPolicy: IfNotPresent
        name: traefik-ingress-lb
        ports:
        - containerPort: 80
          name: web
          protocol: TCP
        - containerPort: 8080
          name: admin
          protocol: TCP
        - containerPort: 443
          name: websecure
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /acme/acme.json
          name: acme
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: traefik-ingress
      serviceAccountName: traefik-ingress
      terminationGracePeriodSeconds: 60
      tolerations:
      - effect: NoSchedule
        key: size
        operator: Equal
        value: small
      volumes:
      - hostPath:
          path: /srv/configs/acme.json
          type: ""
        name: acme

使用此配置: kubectl exec -it -n ingress basic ingress 2m88q- curl http://localhost:8080/dashboard/

404 page not found

当删除中间件并在DaemonSet配置中添加“-api.security”时: kubectl exec -it -n ingress基本traefik-ingress 1 hf4q- curl http://localhost:8080/dashboard/

<!DOCTYPE html><html><head><title>Traefik</title><meta charset=utf-8><meta name=description content="Traefik UI"><meta name=format-detection content="telephone=no"><meta name=msapplication-tap-highlight content=no><meta name=viewport content="user-scalable=no,initial-scale=1,maximum-scale=1,minimum-scale=1,width=device-width"><link rel=icon type=image/png href=statics/app-logo-128x128.png><link rel=icon type=image/png sizes=16x16 href=statics/icons/favicon-16x16.png><link rel=icon[...]</body></html>

请让我知道我在这里做错了什么？还有别的办法吗？

致以敬意，

Answer 1

下面是关于IngressRoute的另一篇文章，它适合您的环境。

我认为99%的问题是实际的路由匹配，特别是如果你说--api.insecure有效的话。此外，作为经验的一条规则，日志记录和访问日志在DaemonSet定义中将有很大帮助。

    - --log
    - --log.level=DEBUG
    - --accesslog

    ---
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: traefik-ui
      namespace: ingress-basic
    spec:
      entryPoints:
        - websecure
      routes:
      - match: Host(`traefik-ui.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
        kind: Rule
        services:
        - name: api@internal
          kind: TraefikService
        middlewares:
          - name: traefik-basic-auth
      tls:
        secretName: traefik-ui-cert