
https://www.... is not reachable after initial setup

Open Wallenstein61 opened this issue 5 years ago • 2 comments

I got stuck immediately after 'helm install setup team-setup --values values-setup.yaml'.

The page https://www.... is not reachable (neither on server nor from extern)

I have proceeded according to "Getting started":

  • sudo install.sh: Kubernetes and Helm installed

  • adapted values-setup.yaml:

        acme:
          mail: [email protected]
          production: true
        app:
          name: www
          domain: <my domain>

  • 'helm install setup team-setup --values values-setup.yaml': starts up the traefik router

kubectl get pods shows

NAME                           READY   STATUS    RESTARTS   AGE
landingpage-7c55f75fcf-9qgtc   1/1     Running   0          48m
svclb-traefik-x4mnw            2/2     Running   0          48m
traefik-774d6bcd6b-79wkl       1/1     Running   0          48m

kubectl exec landingpage-7c55f75fcf-9qgtc -- curl http://localhost returns the nginx landing page

curl http://localhost or curl https://localhost returns curl: (7) Failed to connect to localhost port 80/443: Die Wartezeit für die Verbindung ist abgelaufen

curl --insecure https://www... on the host returns the error Gateway Timeout

Any idea what went wrong?

Wallenstein

Wallenstein61, Jul 12 '20 17:07

I have got a step further. It seems to be a problem with the ufw firewall that comes with Debian.

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

Nevertheless it blocks port 443 of traefik. If I disable ufw, access works.

I'm not a Kubernetes expert; however, what puzzles me is that
'ss -ln | grep 443' does not show any process listening on 443.

Seems that I have to dig deeper unless I sacrifice my firewall :-(

Wallenstein

Wallenstein61, Jul 13 '20 14:07

Finally I managed it :-)

ufw sets routing to deny by default. Of course I could open all routing. However, I only wanted routing on ports 80 and 443. Therefore I had to add special routing rules:

(assuming eth0 is the external interface, and cni0 the internal interface to the Kubernetes cluster)

# ufw stores the network address of a prefix, so 10.42.0.0/12 is listed as 10.32.0.0/12 in the status output below
sudo ufw route allow in on eth0 out on cni0 to 10.42.0.0/12 port 80    # Allow in on port 80
sudo ufw route allow in on eth0 out on cni0 to 10.42.0.0/12 port 443   # Allow in on port 443
sudo ufw route allow in on cni0 out on eth0                            # Allow all out from cni0 to eth0
sudo ufw route allow in on cni0 out on cni0                            # Allow internal traffic from cni0 to cni0

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)

Anywhere on eth0           ALLOW FWD   Anywhere on cni0
10.32.0.0/12 443 on cni0   ALLOW FWD   Anywhere on eth0
Anywhere on cni0           ALLOW FWD   Anywhere on cni0
10.32.0.0/12 80 on cni0    ALLOW FWD   Anywhere on eth0
Anywhere (v6) on eth0      ALLOW FWD   Anywhere (v6) on cni0
Anywhere (v6) on cni0      ALLOW FWD   Anywhere (v6) on cni0

Wallenstein61, Jul 13 '20 16:07
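A check for the forwarding state this thread ends up at, written as an added example (not code from the issue or the project): it parses a 'ufw status verbose' dump, reports the routed default policy and which ports are forwarded from eth0 into cni0, and shows why the 10.42.0.0/12 given on the command line is listed as 10.32.0.0/12 in the status output. The sample status text is constructed from the output posted above; the interface names eth0 and cni0 are the thread's assumptions.

```python
import ipaddress
import re

# Constructed sample: the `ufw status verbose` output posted in the thread, trimmed
# to the lines that matter for forwarding (one ALLOW IN row kept to show it is ignored).
SAMPLE_STATUS = """\
Default: deny (incoming), allow (outgoing), deny (routed)
443/tcp                    ALLOW IN    Anywhere
Anywhere on eth0           ALLOW FWD   Anywhere on cni0
10.32.0.0/12 443 on cni0   ALLOW FWD   Anywhere on eth0
Anywhere on cni0           ALLOW FWD   Anywhere on cni0
10.32.0.0/12 80 on cni0    ALLOW FWD   Anywhere on eth0
"""

# One rule row: "<to>  <ACTION> <IN|OUT|FWD>  <from>", columns separated by 2+ spaces.
RULE_RE = re.compile(r"^(?P<to>\S.*?)\s{2,}(?P<action>ALLOW|DENY|REJECT|LIMIT) (?P<dir>IN|OUT|FWD)\s+(?P<frm>.+)$")

def routed_default(status):
    """Default policy for routed (forwarded) packets, e.g. 'deny'; this is what blocked traefik."""
    m = re.search(r"Default:.*?(\w+) \(routed\)", status)
    return m.group(1) if m else None

def parse_endpoint(text):
    """'10.32.0.0/12 443 on cni0' -> (IPv4Network('10.32.0.0/12'), 443, 'cni0')."""
    net = port = None
    head, _, iface = text.partition(" on ")
    for tok in head.split():
        if m := re.fullmatch(r"(\d+)(?:/\w+)?", tok):   # "443" or "443/tcp"
            port = int(m.group(1))
        elif "/" in tok:                                # a CIDR prefix
            net = ipaddress.ip_network(tok)
    return net, port, iface or None

def forward_rules(status):
    """All ALLOW FWD rows as (to_endpoint, from_endpoint) tuples."""
    return [(parse_endpoint(m["to"]), parse_endpoint(m["frm"]))
            for m in map(RULE_RE.match, status.splitlines())
            if m and m["action"] == "ALLOW" and m["dir"] == "FWD"]

def ports_forwarded_in(status, ext_if="eth0", int_if="cni0"):
    """Ports forwarded from the external interface into the CNI bridge; None = no port, i.e. everything."""
    return {to[1] for to, frm in forward_rules(status)
            if frm[2] == ext_if and to[2] == int_if}

def as_ufw_shows_it(cidr):
    """ufw displays the network address of a prefix: 10.42.0.0/12 is listed as 10.32.0.0/12."""
    return str(ipaddress.ip_network(cidr, strict=False))
```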