Skip to content

Traefik dashboard

Traefik Dashboard

Expose traefik dashboard

You can use both Kubernetes standard Ingress or the Traefik CRD ingressroute for normal routes. To expose the dashboard you can use a traefik specific ingressroute CRD, or you can set up a service for it.

Create service

cat traefik-dashboard-service.yaml | envsubst | kubectl apply -f -
traefik-dashboard-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-dashboard
  namespace: kube-system
  labels:
    app.kubernetes.io/instance: traefik
    app.kubernetes.io/name: traefik-dashboard
spec:
  type: ClusterIP
  ports:
  - name: traefik
    port: 9000
    targetPort: traefik
    protocol: TCP
  selector:
    app.kubernetes.io/instance: traefik-kube-system
    app.kubernetes.io/name: traefik

Create ingress

cat traefik-dashboard-ingress.yaml | envsubst | kubectl apply -f -
traefik-dashboard-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: kube-system
  annotations:
    spec.ingressClassName: traefik
spec:
  rules:
    - host: traefik.${DOMAIN}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: traefik-dashboard
                port:
                  number: 9000

Now it should be available at http://traefik.example.com/dashboard/ (note the trailing slash!).

Create https certificate

Traefik does not support using cert-manager for tls. So when using ingressroute with https you need to first create a "fake" ingress to get a secret with the desired name. Then you use that secret like below.

Wildcard: Alternatively you could get a wildcard certificate, and just use that. The setup for that is slightly more complicated and might require using a third party nameserver like digitalocean or cloudflare to help with the challenges.

  • Create the temporary ingress so cert-manager gets the intial certificate
cat traefik-dashboard-tmp-ingress.yaml | envsubst | kubectl apply -f -

Replace with ingressroute (OPTIONAL)

Even if traefik does not support using cert-bot to manage certificates, we can work around using a regular ingress that we delete. This is optional. See next page to add basic auth to the dashboard.

  • Delete the original imp ingress
cat traefik-dashboard-tmp-ingress.yaml | envsubst | kubectl delete -f -
  • Finally create the traefik native ingressroute
cat traefik-ingressroute-no-auth.yaml | envsubst | kubectl apply -f -
traefik-ingressroute-no-auth.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
spec:
  entryPoints:
    - web 
    - websecure
  routes:
    - match: Host(`traefik.${DOMAIN}`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    secretName: traefik-tls

Done

Now you should have the traefik dashboard available on https://traefik.yourdomain.com