Comments (8)

onedr0p commented on June 8, 2024 1

I find traefik more effort than it is worth to use it and do not like using it in Kubernetes.

Here are my thoughts on Traefik, and sorry to go off on a tangent:

  • They want people to pay for the HA TLS implementation which they considered to be not great (using Consul) instead of using cert-manager.
  • They do not want to support native cert-manager integration in their CRs but are willing to support external-dns in the future.
  • Their CRs like ingressroute are painful and not needed 99% of the time over plain ingress annotations.
  • You should be using cert-manager so the built-in ACME support in Traefik is useless and does not scale.
  • The grafana dashboard for ingress-nginx is prettier than anything I've found for Traefik.
  • I can't name a single popular helm chart that supports the use of Traefik CRs.
  • They continuously release breaking updates to their helm chart as patch or minor instead of a major release.
  • ingress-nginx is a kubernetes-sigs project, which means support is much better and there are no ill intentions that might be created by investors.

With that out of the way, you might want to use the immich-proxy container which is just nginx pre-configured to handle routing the requests. I used to use it before I was shown the way to do it without that pod.

See my deployments of immich at this commit

https://github.com/onedr0p/home-ops/blob/8df6908d8360bfe43e491f1d426592ebe275c864/kubernetes/apps/default/immich/app/proxy/helmrelease.yaml

from home-ops.

onedr0p commented on June 8, 2024 1

I know this doesn't answer your question but I find more and more people migrating to ingress-nginx so it's hard to keep up with examples I've come across in the past on how to do XYZ using Traefik. You might want to try asking in the k8s@home or immich discord if you want to continue to try with what you are doing.

from home-ops.

onedr0p commented on June 8, 2024 1

> I'm not using IngressRoute other than the dashboard

In that case migrating to ingress-nginx might be painless since all you need to do is swap annotations. I've done the migration in the past and it wasn't too hard, maybe took me 30 minutes overall. However it might be harder if you are using OIDC/oauth2-proxy etc.

from home-ops.

mariusrugan commented on June 8, 2024 1

Thanks for the tip wrt immich-proxy, works ootb, issue can be closed.

from home-ops.

reefland commented on June 8, 2024 1

I noticed you closed this out. You attempted Immich with Traefik just before I was able to try myself. I got it working without using the immich-proxy. I'll put some notes here for future reference. An IngressRoute is not needed, just a middleware is needed.

  1. An immich-server middleware is needed to strip the /api to just /:

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  namespace: immich
  name: immich-server-stripprefix
spec:
  stripPrefix:
    prefixes:
      - /api
    forceSlash: true

  2. Add a reference to this middleware file in the main kustomization file:

  - ./traefik-middleware.yaml

  3. Unlike what @onedr0p provides, I separated the two ingress to their respective values.yaml. The immich-web and immich-server now each have a single ingress.

Ingress for immich-server (api):

ingress:
  main:
    enabled: true
    annotations:
      traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
      traefik.ingress.kubernetes.io/router.middlewares: "immich-immich-server-stripprefix@kubernetescrd"
    hosts:
      - host: photos.<redacted-domain>
        paths:
          - path: /api
            pathType: Prefix
            service:
              name: immich-server
              port: 3001
  • The annotation for entrypoints resolves to my secure HTTPS port (443 to 8443).
  • The annotation for middlewares is the path to the stripprefix middleware created above. It uses <namespace>-<middleware_name>@kubernetescrd. If you want to include additional middlewares, just use a comma-separated list within that string.

And then the immich-web gets its respective ingress:

ingress:
  main:
    enabled: true
    annotations:
      traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
    hosts:
      - host: photos.<redacted-domain>
        paths:
          - path: /
            pathType: Prefix
            service:
              name: immich-web
              port: 3000

Now within Traefik, you will have the two ingress:

When viewing the details of the immich-server path, the middleware is reflected:

And Immich fires right up:

from home-ops.
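An added example, not part of reefland's post or the home-ops repository: a pre-deploy check that every `<namespace>-<middleware_name>@kubernetescrd` reference in the middlewares annotation resolves to exactly one Middleware object. Because namespaces and names can both contain hyphens, the reference is tried at every hyphen; the `KNOWN` set and the `immich-ratelimit` reference are constructed for illustration.

```python
# Added example (not from the thread): resolve Traefik middleware references
# of the form <namespace>-<middleware_name>@kubernetescrd against known objects.
ANNOTATION = "traefik.ingress.kubernetes.io/router.middlewares"
SUFFIX = "@kubernetescrd"


def resolve_reference(ref, known):
    """Return every (namespace, name) in `known` that `ref` could denote.

    Namespaces and names may both contain hyphens, so each hyphen in the
    reference is tried as the namespace/name boundary.
    """
    body = ref[: -len(SUFFIX)]
    splits = ((body[:i], body[i + 1:]) for i, ch in enumerate(body) if ch == "-")
    return [pair for pair in splits if pair in known]


def check_ingress(annotations, known):
    """Classify each comma-separated reference in the middlewares annotation."""
    report = {}
    for ref in annotations.get(ANNOTATION, "").split(","):
        ref = ref.strip()
        if not ref:
            continue
        if not ref.endswith(SUFFIX):
            report[ref] = "other-provider"  # e.g. a file-provider middleware
            continue
        matches = resolve_reference(ref, known)
        report[ref] = "ok" if len(matches) == 1 else "ambiguous" if matches else "missing"
    return report


# Middleware objects assumed to exist in the cluster (constructed sample).
KNOWN = {("immich", "immich-server-stripprefix")}

# Annotation from the immich-server ingress above, plus one constructed
# reference ("immich-ratelimit") that has no matching Middleware object.
SAMPLE = {
    "traefik.ingress.kubernetes.io/router.entrypoints": "websecure",
    ANNOTATION: "immich-immich-server-stripprefix@kubernetescrd,immich-ratelimit@kubernetescrd",
}

if __name__ == "__main__":
    for ref, status in check_ingress(SAMPLE, KNOWN).items():
        print(f"{status:9} {ref}")
```

A "missing" or "ambiguous" result is worth failing CI on, since a mistyped reference means the prefix-stripping middleware is not the one attached to the route.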

reefland commented on June 8, 2024 1

BTW - I use a default TLS provider issued by cert-manager, that is a wildcard certificate. So I don't have to bother using any TLS references within any ingress. It will just automatically use TLS.

from home-ops.

mariusrugan commented on June 8, 2024 1

Thanks @reefland for sharing the deep-dive learnings.

I've already engaged in the challenge outlined by @onedr0p as painless 😂😂😂. So far it's day 3 out of those 30 mins estimation 😂.

What I also used to do with Traefik is allow LE certs per subdomain, via cloudflare and haproxy load balancer on a pi (multiple domains routed that's why). Also strict TLS setup from CF. (So I can easily take CF out if down and still have a valid cert).

Also domains in CF were unable to be LE DNS01 challenged because they are not supported by CF api for that (.tk like domain)

So separating the ingresses would have meant for me what i was initially thinking, have an api-photos.example.com

from home-ops.

mariusrugan commented on June 8, 2024

You're right on all points wrt Traefik :)

Right now I cannot give you a reason for using it, other than - it's legacy and at the root of everything.
I have to do a major overhaul to take it out.
I'm not using IngressRoute other than the dashboard, and yes, right now coasting with Ingress generated with annotations. I was maybe impressed at some point with TCP capabilities but never used them.

from home-ops.
