http3 + internal port cause error deploying

[jalberto]

Welcome!

• Yes, I've searched similar issues on GitHub and didn't find any.
• Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What version of the Traefik's Helm Chart are you using?

32.1.1

What version of Traefik are you using?

3.1.6

What did you do?

When I combine http3 + port + internal service to access dashboard, I get this error:

Error: INSTALLATION FAILED: failed to create resource: Service "traefik-internal-udp" is invalid: spec.ports: Required value

If I remove the http3 it installs as expected, but the dashboard is not accessible from inside the k8s network:

% curl traefik-internal.infra.svc.cluster.local:9000/dashboard/ -v
* Host traefik-internal.infra.svc.cluster.local:9000 was resolved.
* IPv6: (none)
* IPv4: 10.33.168.7
*   Trying 10.33.168.7:9000...
* Connected to traefik-internal.infra.svc.cluster.local (10.33.168.7) port 9000
> GET /dashboard/ HTTP/1.1
> Host: traefik-internal.infra.svc.cluster.local:9000
> User-Agent: curl/8.6.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Thu, 24 Oct 2024 10:23:04 GMT
< Content-Length: 19
<
404 page not found
* Connection #0 to host traefik-internal.infra.svc.cluster.local left intact

What did you see instead?

Error: INSTALLATION FAILED: failed to create resource: Service "traefik-internal-udp" is invalid: spec.ports: Required value

What is your environment & configuration?

service:
  additionalServices:
    internal:
      type: ClusterIP
      labels:
        traefik-service-label: internal


ports:
  web:
    redirectTo:
      port: websecure
    forwardedHeaders:
      trustedIPs: *TrustedIPs
    proxyProtocol:
      trustedIPs: *TrustedIPs
  websecure:
    forwardedHeaders:
      trustedIPs: *TrustedIPs
    proxyProtocol:
      trustedIPs: *TrustedIPs
    http3:
      enabled: true
    tls:
      # default SSL provider
      certResolver: "traefik-lestag"
  # required for the dashboard
  traefik:
    expose:
      # Sensitive data should not be exposed on the internet
      # => Keep this disabled !
      default: false
      internal: true

Additional Information

No response

[mloiseleur]

Am I wrong to think this is a duplicate of #982 ?
Or did I missed something ?

Nevermind, I'm able to reproduce this issue.

Thanks for this detailed report.

[mloiseleur]

It should work with this workaround:

--- failing.yaml
+++ working.yaml
@@ -1,6 +1,7 @@
 service:
   additionalServices:
     internal:
+      single: true
       type: ClusterIP
       labels:
         traefik-service-label: internal

[jalberto]

thanks @mloiseleur that did the trick, now it installs without error, still I cannot access the dashboard through the new created service

[mloiseleur]

For the dashboard, there are examples on how it can be done.

Feel free to contribute and improve them, if something is missing 🙏

[jalberto]

Thanks, this is the example I am following, and it doesn't work: https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#add-custom-internal-services

[mloiseleur]

Adding an (internal) Service does not mean that the dashboard is exposed.

[jalberto]

You are right, but then something is odd with the docs, as you can see here:

• it says that is true by default (you say it is not)
• using the IngressRoute method seems to enable it somehow, but I cannot see in the default values.yaml how it does it
• there is no option in the helm to enable the dashboard, so I need to use additionalArguments but even using it, I still get 404

[jalberto]

So I double-checked the Args in the pod and api.dashboard=true is there by default, so it should be enabled, and the service should work or there is something I am not catching.

[jalberto]

If I enabled the IngressRoute as in the example the service magically works, still I am a bit confused

[mloiseleur]

it says that is true by default (you say it is not)

The documentation is correct and what I'm saying also.

It's a tree, not a single standalone parameter. It says that api dot dashboard is enabled by default.
It does not says that api is enabled by default. API is disabled by default, it's explained here why.

It means that when it's running with --api=true, it will do the same as with --api.dashboard=true.

[jalberto]

Thanks for the clarifications, then it means both need to be enabled for the dashboard to be exposed?

[mloiseleur]

For convenience, when one set --x.y.z=true, it enables --x and --x.y.

[jalberto]

Thanks for your time :)