s3gw-tech / s3gw

Container able to run on a Kubernetes cluster, providing S3-compatible endpoints to applications.
https://s3gw.tech
Apache License 2.0

Traefik IngressRoute supported? #601

Open JSN-1 opened 1 year ago

JSN-1 commented 1 year ago

Is there any way to use Traefik IngressRoutes instead of standard Ingress?

I have tried to get it to work, but I keep getting this error when I try to log in.

1 req 0 0.002000000s op->ERRORHANDLER: err_no=-2027 new_err_no=-2027 "GET / HTTP/1.1" 403 104

giubacc commented 1 year ago

Hi @JSN-1, thanks for using s3gw. In order to properly understand the context, could you please describe the problem in detail, and what you are doing in terms of Helm installation configuration?

JSN-1 commented 1 year ago

Hi

Thanks for a great product. It's more like a question; I would like to use IngressRoute instead of Ingress.

I install it like this, with ingress set to false (keys removed):

helm upgrade --install s3gw s3gw/s3gw --namespace s3gw-system --create-namespace --set ingress.enabled=false,publicDomain=k8s.tux,ui.publicDomain=k8s.tux,serviceName=s3gw,ui.serviceName=s3gw-ui,accessKey=<access_key>,secretKey=<secret_key>,storageClass.name=longhorn

(URLs have been changed to example.com in the manifests below.)

Apply middleware:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  labels:
    app.kubernetes.io/instance: s3gw
    app.kubernetes.io/name: s3gw
    app.kubernetes.io/version: latest
  name: cors-header
  namespace: s3gw-system
spec:
  headers:
    accessControlAllowHeaders:
    - '*'
    accessControlAllowMethods:
    - DELETE
    - GET
    - HEAD
    - POST
    - PUT
    - OPTIONS
    accessControlAllowOriginList:
    - '*'
    accessControlExposeHeaders:
    - '*'
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: x-forwarded-header-https
  namespace: s3gw-system
spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: "https"

Apply certificates:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: s3gw-ingress-tls
  namespace: s3gw-system
spec:
  isCA: false
  duration: 2160h
  renewBefore: 360h
  dnsNames: 
    - "s3gw.example.com"
    - "*.s3gw.example.com"
    - "s3gw-ui.example.com"
  secretName: s3gw-ingress-cert
  privateKey:
    algorithm: RSA
    encoding: PKCS8
    size: 4096
  usages:
    - server auth
    - client auth
  issuerRef:
    name: s3gw-s3gw-system-issuer
    kind: ClusterIssuer
    group: cert-manager.io

Apply IngressRoutes:

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  annotations:
    cert-manager.io/cluster-issuer: s3gw-issuer
  name: s3gw-no-tls
  namespace: s3gw-system
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - kind: Rule
      match: Host(`s3gw.example.com`)
      middlewares:
      - name: cors-header
      services:
        - kind: Service
          name: s3gw
          passHostHeader: true
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  annotations:
    cert-manager.io/cluster-issuer: s3gw-issuer
  name: s3gw-tls
  namespace: s3gw-system
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`s3gw.example.com`) && PathPrefix(`/`)
      middlewares:
      - name: cors-header
      - name: x-forwarded-header-https
      services:
        - kind: Service
          name: s3gw
          passHostHeader: true
          port: 80
  tls:
   secretName: s3gw-ingress-cert
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  annotations:
    cert-manager.io/cluster-issuer: s3gw-issuer
  name: s3gw-any-no-tls
  namespace: s3gw-system
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - kind: Rule
      match: HostRegexp(`{subdomain:[a-zA-Z0-9-]+}.s3gw.example.com`)
      middlewares:
      - name: cors-header
      services:
        - kind: Service
          name: s3gw
          passHostHeader: true
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  annotations:
    cert-manager.io/cluster-issuer: s3gw-issuer
  name: s3gw-any-tls
  namespace: s3gw-system
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: HostRegexp(`{subdomain:[a-zA-Z0-9-]+}.s3gw.example.com`)
      middlewares:
      - name: cors-header
      - name: x-forwarded-header-https
      services:
        - kind: Service
          name: s3gw
          passHostHeader: true
          port: 443
  tls:
   secretName: s3gw-ingress-cert
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  annotations:
    cert-manager.io/cluster-issuer: s3gw-issuer
  name: s3gw-ui-tls
  namespace: s3gw-system
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`s3gw-ui.example.com`)
      middlewares:
      - name: x-forwarded-header-https
      - name: cors-header
      services:
        - kind: Service
          name: s3gw-ui
          passHostHeader: true
          port: 80
  tls:
    secretName: s3gw-ingress-cert
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  annotations:
    cert-manager.io/cluster-issuer: s3gw-issuer
  name: s3gw-ui-no-tls
  namespace: s3gw-system
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - kind: Rule
      match: Host(`s3gw-ui.example.com`) 
      middlewares:
      - name: cors-header
      services:
        - kind: Service
          name: s3gw-ui
          passHostHeader: true
          port: 80

I am unsure why this does not work, but when I visit s3gw.example.com I get NoSuchBucket.

<Error>
<Code>NoSuchBucket</Code>
<BucketName>s3gw.example.com</BucketName>
<HostId/>
</Error>

It works fine if I use Ingress, but I want to use IngressRoute so I can add my own certificate.
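
The NoSuchBucket response above reports the request's Host as the bucket name. As an added example (not s3gw code and not part of the original post), this simplified model of S3 host-based addressing shows how a gateway can reach that result when the Host header a route forwards is not one of the names the gateway is configured with. `resolve_bucket` is hypothetical, and the endpoint name `s3gw.k8s.tux` is assembled from the `serviceName` and `publicDomain` values in the helm command, which is an assumption about how the chart names the endpoint.

```python
import ipaddress
import re

# Simplified S3 bucket-name rule: 3-63 chars of lowercase letters, digits, dots, hyphens.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

# Constructed sample: the name the gateway is assumed to be configured with.
SAMPLE_ENDPOINTS = ["s3gw.k8s.tux"]


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def resolve_bucket(host_header, path, endpoint_names):
    """Return (bucket, style) for a request, given the gateway's own DNS names.

    Simplified model: IPv6 literals in the Host header are not handled.
    """
    host = host_header.split(":")[0].lower().rstrip(".")
    first_segment = path.lstrip("/").split("/", 1)[0] or None

    for name in endpoint_names:
        if host == name:
            # Addressed to the endpoint itself: bucket comes from the path.
            return first_segment, "path-style"
        if host.endswith("." + name):
            # <bucket>.<endpoint>: bucket comes from the subdomain.
            return host[: -len(name) - 1], "virtual-hosted"

    # Host matches no configured name. When names are configured and the host
    # is a syntactically valid bucket name, the whole host becomes the bucket.
    if endpoint_names and not is_ip(host) and BUCKET_RE.match(host):
        return host, "host-as-bucket"
    return first_segment, "path-style"


if __name__ == "__main__":
    for host, path in [("s3gw.k8s.tux", "/"), ("photos.s3gw.k8s.tux", "/cat.jpg"),
                       ("s3gw.example.com", "/"), ("10.0.0.5:80", "/photos/cat.jpg")]:
        print(host, path, resolve_bucket(host, path, SAMPLE_ENDPOINTS))
```

With `passHostHeader: true` the route hands the client's Host to the service unchanged, so the name matched in the IngressRoute is the name the gateway has to recognise.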

jhmarina commented 10 months ago

@JSN-1 Hi, at this stage, using custom ingresses isn't possible. The team is evaluating this, and it may be possible in the future. We'll let you know when this happens.