search

ct-Open-Source / team-container

A collection of containers to prepare a server for collaboration.
117 stars 40 forks source link

https://www.... is not reachable after initial setup #42

Open Wallenstein61 opened 4 years ago

Wallenstein61 commented 4 years ago

I got stuck, immediately afterhelm install setup team-setup --values values-setup.yaml

The page https://www.... is not reachable (neither on server nor from extern)

I have proceeded according to "Getting started":

kubectl get pods shows

NAME                           READY   STATUS    RESTARTS   AGE
landingpage-7c55f75fcf-9qgtc   1/1     Running   0          48m
svclb-traefik-x4mnw            2/2     Running   0          48m
traefik-774d6bcd6b-79wkl       1/1     Running   0          48m

kubectl exec landingpage-7c55f75fcf-9qgtc -- curl http://localhost returns the nginx landing page

curl http://localhost or curl https://localhost returns curl: (7) Failed to connect to localhost port 80/443: Die Wartezeit für die Verbindung ist abgelaufen

curl --insecure https://www... on the host returns the error Gateway Timeout

Any Idea what went wrong?

Wallenstein

Wallenstein61 commented 4 years ago

I have got a step further. It seems a problem with the ufw firewall that comes with debian

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

Nevertheless it blocks the 443 port of traefic. If I disable ufw, access works.

I'm not a kubernetes expert, however what puzzles me is, that
ss -ln | grep 443 does not show any process listening to 443

Seems that I have to dig deeper, if I do not sacrifice my firewall :-(

Wallenstein

Wallenstein61 commented 4 years ago

Finally I managed it :-)

ufw has set routing to deny by default. Of course I could open all routing. However I only wanted routing on port 80 and 443. Therefore I had to add special routing rules:

(assuming eth0 is the external interface, and cni0 the internal interface to kubernetes cluster)

sudo ufw route allow in on eth0 out on cni0 to 10.42.0.0/12 port 80 #Allow in on port 80 sudo ufw route allow in on eth0 out on cni0 to 10.42.0.0/12 port 443 #Allow in on port 443 sudo ufw route allow in on cni0 out on eth0 # Allow all out from cni0 to eth0 sudo ufw route allow in on cni0 out on cni0 # Allow internal trafic from cni0 to cni0

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)

Anywhere on eth0           ALLOW FWD   Anywhere on cni0
10.32.0.0/12 443 on cni0   ALLOW FWD   Anywhere on eth0
Anywhere on cni0           ALLOW FWD   Anywhere on cni0
10.32.0.0/12 80 on cni0    ALLOW FWD   Anywhere on eth0
Anywhere (v6) on eth0      ALLOW FWD   Anywhere (v6) on cni0
Anywhere (v6) on cni0      ALLOW FWD   Anywhere (v6) on cni0