Traefik with ArgoCD configuration problem, ArgoCD not reachable

Posted on 2025-01-24 14:35:34

Traefik & ArgoCD

Setup

Hello everybody!
I've set up a barebones Kubernetes on my Ubuntu server and installed Traefik. So far so good. TLS works and I can connect to my dashboard and a demo application over my domain.
My Traefik dashboard is secured with a simple basic-auth middleware that is created and added to the IngressRoute. As I expected, only my dashboard under traefik.example.com is now secured, but my demo application under example.com is not affected.

Problem

Now to the weird part:
I installed ArgoCD with helm and a values chart that adds the --insecure flag to the server. Afterwards I created an IngressRoute for argocd.example.com without any middleware (!) and tried it.
To my surprise I saw not the ArgoCD login screen, but my middleware popup. After I entered my middleware credentials, I got forwarded to the ArgoCD UI, but nothing works.

My first try was to create an ArgoCD user with the same auth as my middleware, in the hope that this could be a workaround.
After that I temporarily deleted my middleware, and ArgoCD works like a charm!
I really can't explain to myself why this happens. The middleware should not be there in the first place, but even when it's there, why does the service work without it but not after successful authentication?

You'll find my resources below. I would be happy about any suggestion or workaround! I simply want to secure my Traefik dashboard with a middleware but use the standard login page from ArgoCD.

My Resources:

IngressRoute

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  annotations:
  name: argocd-server
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`argocd.example.de`)
    priority: 10
    services:
    - name: argo-cd-argocd-server
      port: 80
  - kind: Rule
    match: Host(`argocd.example.de`) && Headers(`Content-Type`, `application/grpc`)
    priority: 11
    services:
    - name: argo-cd-argocd-server
      port: 80
      scheme: h2c
  tls:
    secretName: argo-cert

Middleware

API Version:  traefik.containo.us/v1alpha1
Kind:         Middleware
Metadata:
  Creation Timestamp:  2022-04-26T12:47:50Z
  Generation:          1
  Managed Fields:
    API Version:  traefik.containo.us/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:basicAuth:
          .:
          f:secret:
    Manager:         kubectl-client-side-apply
    Operation:       Update
    Time:            2022-04-26T12:47:50Z
  Resource Version:  24871428
  UID:               8ba3ef4d-0514-44b5-a98d-a1a0790b989a
Spec:
  Basic Auth:
    Secret:  traefik-basic-auth
Events:      <none>

ArgoCD Server Pod snippet

Command:
      argocd-server
      --staticassets
      /shared/app
      --repo-server
      argo-cd-argocd-repo-server:8081
      --logformat
      text
      --loglevel
      info
      --redis
      argo-cd-argocd-redis:6379
      --insecure
    State:  Running

Comments (1)

零時差 2025-01-31 14:35:34

The problem was in the standard config yaml of traefik.

kind: IngressRoute
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
  creationTimestamp: "2022-03-21T12:36:11Z"
  generation: 3
  labels:
    app.kubernetes.io/instance: traefik
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: traefik
    helm.sh/chart: traefik-10.15.0
  name: traefik-dashboard
  namespace: default
  resourceVersion: "15061579"
  uid: 53077805-d6cd-4d84-a159-388ca16f5cec
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    middlewares:
    - name: test-auth
    match: Host(`traefik.example.de`) && PathPrefix(`/dashboard`) || PathPrefix(`/api`)
    services:
    - kind: TraefikService
      name: api@internal
  tls:
    secretName: traefik-cert
    namespace: default

If you take a look at the matching route, you'll see that the route will match anything that ends with "/api/". This is very unfortunate, as argocd depends on the call "argocd.example.com/api/v1/".

So the first call to the GUI works, but as soon as argocd tries to load any settings or data, the "api" route from traefik gets hit.

It was simply fixed by adding the full hostname/subdomain name to the traefik "or" rule.

Host(`traefik.example.de`) && PathPrefix(`/dashboard`) || Host(`traefik.example.de`) && PathPrefix(`/api`)
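The rule behaviour described in this answer, as an added example that is not part of the original post or of Traefik's code. It models only the `Host()`/`PathPrefix()` subset of the v2 rule syntax, with `&&` binding tighter than `||` and Traefik's default route priority (rule length); the function names and route dictionaries are constructed for illustration.

```python
import re

# Subset of the Traefik v2 rule syntax used on this page (assumption): Host() and
# PathPrefix() joined by && and ||, with && binding tighter; no parentheses.
TERM = re.compile(r"\s*(Host|PathPrefix)\(`([^`]*)`\)\s*")

def parse(rule):
    """Split a rule into OR branches; each branch is a list of (matcher, value)."""
    branches = []
    for branch in rule.split("||"):
        terms = [TERM.fullmatch(t) for t in branch.split("&&")]
        if None in terms:
            raise ValueError(f"unsupported rule: {rule!r}")
        branches.append([(m.group(1), m.group(2)) for m in terms])
    return branches

def rule_matches(rule, host, path):
    def ok(kind, value):
        return host.lower() == value.lower() if kind == "Host" else path.startswith(value)
    return any(all(ok(k, v) for k, v in branch) for branch in parse(rule))

def hostless_branches(rule):
    """OR branches without a Host() term apply to every hostname on the entry point."""
    return [b for b in parse(rule) if all(k != "Host" for k, _ in b)]

def winning_route(routes, host, path):
    """Pick the matching route with the highest priority (default: rule length)."""
    hits = [r for r in routes if rule_matches(r["match"], host, path)]
    best = max(hits, key=lambda r: r.get("priority") or len(r["match"]), default=None)
    return best["name"] if best else None

# Rules copied from the page; the route dictionaries themselves are constructed.
ARGOCD = {"name": "argocd-server", "match": "Host(`argocd.example.de`)", "priority": 10}
DASH_ORIGINAL = {"name": "traefik-dashboard", "match":
    "Host(`traefik.example.de`) && PathPrefix(`/dashboard`) || PathPrefix(`/api`)"}
DASH_FIXED = {"name": "traefik-dashboard", "match":
    "Host(`traefik.example.de`) && PathPrefix(`/dashboard`) || "
    "Host(`traefik.example.de`) && PathPrefix(`/api`)"}

if __name__ == "__main__":
    for label, dash in (("original", DASH_ORIGINAL), ("fixed", DASH_FIXED)):
        print(label, "hostless branches:", hostless_branches(dash["match"]))
        for path in ("/", "/api/v1/settings"):
            print("  argocd.example.de" + path, "->",
                  winning_route([ARGOCD, dash], "argocd.example.de", path))
```

Running `hostless_branches` over every IngressRoute `match` string in a cluster is a quick audit for routes, and the middlewares attached to them, that apply to hostnames they were never meant to cover.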