https://www.... is not reachable after initial setup
Opened this issue · 2 comments
I got stuck immediately after helm install setup team-setup --values values-setup.yaml
The page https://www.... is not reachable (neither on the server nor from outside)
I have proceeded according to "Getting started":
- sudo install.sh Kubernetes and Helm installed
- adapted values-setup.yaml
  acme:
    mail: me@my.domain
    production: true
  app:
    name: www
    domain: <my domain>
- 'helm install setup team-setup --values values-setup.yaml' started up the traefik router
kubectl get pods
shows
NAME                           READY   STATUS    RESTARTS   AGE
landingpage-7c55f75fcf-9qgtc   1/1     Running   0          48m
svclb-traefik-x4mnw            2/2     Running   0          48m
traefik-774d6bcd6b-79wkl       1/1     Running   0          48m
kubectl exec landingpage-7c55f75fcf-9qgtc -- curl http://localhost
returns the nginx landing page
curl http://localhost
or curl https://localhost
returns
curl: (7) Failed to connect to localhost port 80/443: Die Wartezeit für die Verbindung ist abgelaufen
curl --insecure https://www...
on the host returns the error Gateway Timeout
Any idea what went wrong?
Wallenstein
I have got a step further. It seems to be a problem with the ufw firewall that comes with Debian.
$ sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
Nevertheless it blocks the 443 port of traefik. If I disable ufw, access works.
I'm not a Kubernetes expert; however, what puzzles me is that
ss -ln | grep 443
does not show any process listening to 443
Seems that I have to dig deeper, if I do not sacrifice my firewall :-(
Wallenstein
Finally I managed it :-)
ufw has set routing to deny by default. Of course I could open all routing. However I only wanted routing on port 80 and 443. Therefore I had to add special routing rules:
(assuming eth0 is the external interface, and cni0 the internal interface to kubernetes cluster)
sudo ufw route allow in on eth0 out on cni0 to 10.42.0.0/12 port 80
# Allow in on port 80
sudo ufw route allow in on eth0 out on cni0 to 10.42.0.0/12 port 443
# Allow in on port 443
sudo ufw route allow in on cni0 out on eth0
# Allow all out from cni0 to eth0
sudo ufw route allow in on cni0 out on cni0
# Allow internal traffic from cni0 to cni0
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
Anywhere on eth0           ALLOW FWD   Anywhere on cni0
10.32.0.0/12 443 on cni0   ALLOW FWD   Anywhere on eth0
Anywhere on cni0           ALLOW FWD   Anywhere on cni0
10.32.0.0/12 80 on cni0    ALLOW FWD   Anywhere on eth0
Anywhere (v6) on eth0      ALLOW FWD   Anywhere (v6) on cni0
Anywhere (v6) on cni0      ALLOW FWD   Anywhere (v6) on cni0
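
A read-only check of the rule set described above, as an added example that is not part of the original comments: it parses `ufw status verbose` output and lists which destination ports the FWD rules accept from the external interface. SAMPLE is constructed from the IPv4 rows of the status output in the thread, BROAD is a constructed rule of the "open all routing" kind, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example. SAMPLE is constructed from the `ufw status verbose` output
# in the thread (IPv4 rows only); eth0 = external, cni0 = cluster interface.
SAMPLE='Status: active
Default: deny (incoming), allow (outgoing), deny (routed)
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
Anywhere on eth0           ALLOW FWD   Anywhere on cni0
10.32.0.0/12 443 on cni0   ALLOW FWD   Anywhere on eth0
Anywhere on cni0           ALLOW FWD   Anywhere on cni0
10.32.0.0/12 80 on cni0    ALLOW FWD   Anywhere on eth0'

# Constructed counter-example: forwarding from eth0 with no port restriction.
BROAD='Default: deny (incoming), allow (outgoing), deny (routed)
Anywhere on cni0           ALLOW FWD   Anywhere on eth0'

# Print the default policy for routed (forwarded) traffic, e.g. "deny".
routed_default() {
    sed -n 's/^Default:.*, \([a-z]*\) (routed).*/\1/p'
}

# Print, one per line, the destination ports that FWD rules accept from the
# interface named in $1; "any" marks a rule without a port restriction.
forward_ports() {
    awk -v ext="$1" '
    / ALLOW FWD / {
        sub(/[ \t]+$/, "")                           # trim trailing blanks
        n = split($0, side, / +ALLOW FWD +/)         # side[1]=To, side[2]=From
        if (n != 2 || side[2] !~ (" on " ext "$")) next  # not inbound on ext
        sub(/ on [^ ]+$/, "", side[1])               # drop "on <out-if>"
        m = split(side[1], tok, / +/)
        port = "any"
        if (tok[m] ~ /^[0-9]+(\/(tcp|udp))?$/) port = tok[m]
        print port
    }' | sort -u
}

printf '%s\n' "$SAMPLE" | routed_default       # default for routed traffic
printf '%s\n' "$SAMPLE" | forward_ports eth0   # ports forwarded from eth0
printf '%s\n' "$BROAD"  | forward_ports eth0   # unrestricted forward
```

On a live host the same functions read `sudo ufw status verbose` from a pipe instead of the embedded samples.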