
Working HTTPS example for GKE? #960

Closed
ghost opened this issue Dec 11, 2016 · 2 comments
Comments

ghost commented Dec 11, 2016

Hi,
I am on Google Container Engine and I am trying to get HTTPS working for two days already without any success. On port 80 all is great but HTTPS just won't work. The furthest I got was:

$ curl -v https://foo.bar
* Rebuilt URL to: https://foo.bar/
* timeout on name lookup is not supported
*   Trying 130.211.x.x...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connected to foo.bar (130.211.x.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:/Users/ijaro/AppData/Local/Programs/Git/mingw64/ssl/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Curl_http_done: called premature == 1
* stopped the pause stream!
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

From what I've gathered it might be the fact that Traefik is not terminating the SSL but forwards it onto the backend on port 80, which causes the unknown protocol error. But I am really, REALLY, just guessing here, I have no freaking idea.
</grreplace>
<gr_replace lines="59-61" cat="clarify" orig="Also I am not using">
Also I am not using Google's Load Balancer (1 IP = 1 certificate) but I am using the Kubernetes LB.

Another thing is that using file configuration is not working, Kubernetes takes over (ingress), but I get backend XYZ for frontend XYP does not exist, skipping. I think Traefik cannot parse the ingress configuration or something.

There are a few examples, even on the official page, on how to setup Traefik on Kubernetes, but there is literally no working HTTPS example that I could find.

Also I am not using Google's Load Balancer(1 IP = 1 certificate) but I am using Kubernetes LB.

Another thing is that using file configuration is not working, Kubernetes takes over(ingress), but I get backend XYZ for frontend XYP does not exist, skipping. I think Traefik cannot parse the ingress configuration or something.

@emilevauge (Member) commented

@ivanjaros could you give us your toml config ?

ghost (Author) commented Dec 12, 2016

OK, so after a really busy weekend I have been able to get this up and running in GKE. There are a few quirks that one needs to figure out, since the documentation is actually good, but for some reason I didn't see/understand/notice most of the things that I had to solve on my own before, and only after I solved them did I see mentions of various stuff in the docs. One has to read the docs word by word I guess.

Anyway, some of the issues that one has to watch out for are:

  • never use named port references, always numeric
  • ingress is basically a frontend rule (service is the equivalent of backend), it has to be formatted like any other (so Kubernetes will process it) but actually the data is processed by Traefik, so for example paths like /foo/bar/* will work in k8s but not in Traefik (it has to be /foo/bar/) and also Traefik allows the path rule type to be changed via annotation.
  • Traefik does not support wildcards for host definition in ingress, this is the biggest pain with Traefik right now for me, since there is no annotation to switch from Host rule type to HostRegex.
  • Traefik does not support the * wildcard in paths or host definitions
  • for SSL to work, there has to be at least one certificate provided (but this might only be a limitation when one is using the built-in LE support)
  • when using redirect from 80 to 443, Traefik uses 302 instead of 301
  • no support for custom certificate storage, I am experimenting with a cron worker that will be updating the config file since I handle LE certificates on my own
  • Traefik requires the "--kubernetes" flag for ingress to work
  • Traefik will be showing errors about non-existing endpoints and falling back to cluster IP constantly
  • Traefik will not log traffic into the log (which is weird, I think when I tried it for the first time I saw some entries)

and other things that I cannot remember right now. Not all are related to Kubernetes or GKE.
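The kind of traefik.toml the maintainer asked for, written here as an added example (it is not the poster's config and not taken from Traefik's own documentation) that ties together three points from the list above: one static certificate so the https entrypoint can actually terminate TLS, the 80 to 443 redirect, and the Kubernetes provider enabled in the file, which has the same effect as passing --kubernetes on the command line. The certificate paths are assumptions; mount your own key pair (for instance from a Kubernetes Secret) at whatever path you choose.

```toml
# traefik.toml for Traefik 1.x running in a Kubernetes cluster.
# Added example, not the project's reference config. The /certs paths are assumed.

# Frontends created from Ingress objects attach to both entrypoints by default.
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    # Port 80 only bounces clients to the https entrypoint.
    # As noted in the thread, Traefik 1.x answers this with a 302.
    [entryPoints.http.redirect]
    entryPoint = "https"

  [entryPoints.https]
  address = ":443"
    # TLS terminates here. If nothing speaks TLS on :443 (for example the
    # Service forwards 443 straight to a plain-HTTP pod port), curl sees
    # plaintext where it expects a ServerHello and reports "unknown protocol".
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/certs/tls.crt"   # assumed mount path
      keyFile  = "/certs/tls.key"   # assumed mount path

# Enable the Kubernetes Ingress provider; equivalent to the --kubernetes flag.
[kubernetes]
```

With the [kubernetes] table present Traefik watches Ingress objects and builds its frontends and backends from them; as the list above says, point the Ingress backend at the Service port by number rather than by name, and keep path rules in the form Traefik accepts (a prefix such as /foo/bar/, not /foo/bar/*).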

@traefik traefik locked and limited conversation to collaborators Sep 1, 2019