Traefik dashboard

Traefik Dashboard

Expose traefik dashboard

You can use both Kubernetes standard Ingress or the Traefik CRD ingressroute for normal routes. To expose the dashboard you can use a traefik specific ingressroute CRD, or you can set up a service for it.

Create service

cat traefik-dashboard-service.yaml | envsubst | kubectl apply -f -

traefik-dashboard-service.yaml

apiVersion: v1
kind: Service
metadata:
  name: traefik-dashboard
  namespace: kube-system
  labels:
    app.kubernetes.io/instance: traefik
    app.kubernetes.io/name: traefik-dashboard
spec:
  type: ClusterIP
  ports:
  - name: traefik
    port: 9000
    targetPort: traefik
    protocol: TCP
  selector:
    app.kubernetes.io/instance: traefik-kube-system
    app.kubernetes.io/name: traefik

Create ingress

cat traefik-dashboard-ingress.yaml | envsubst | kubectl apply -f -

traefik-dashboard-ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: kube-system
  annotations:
    spec.ingressClassName: traefik
spec:
  rules:
    - host: traefik.${DOMAIN}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: traefik-dashboard
                port:
                  number: 9000

Now it should be available at http://traefik.example.com/dashboard/ (note the trailing slash!).

Create https certificate

Traefik does not support using cert-manager for tls. So when using ingressroute with https you need to first create a "fake" ingress to get a secret with the desired name. Then you use that secret like below.

Wildcard: Alternatively you could get a wildcard certificate, and just use that. The setup for that is slightly more complicated and might require using a third party nameserver like digitalocean or cloudflare to help with the challenges.

Create the temporary ingress so cert-manager gets the intial certificate

cat traefik-dashboard-tmp-ingress.yaml | envsubst | kubectl apply -f -

Wait until you are able to access https://traefik.example.com without errors or warnings about certificate.

Replace with ingressroute (OPTIONAL)

Even if traefik does not support using cert-bot to manage certificates, we can work around using a regular ingress that we delete. This is optional. See next page to add basic auth to the dashboard.

Delete the original imp ingress

cat traefik-dashboard-tmp-ingress.yaml | envsubst | kubectl delete -f -

Finally create the traefik native ingressroute

cat traefik-ingressroute-no-auth.yaml | envsubst | kubectl apply -f -

traefik-ingressroute-no-auth.yaml

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
spec:
  entryPoints:
    - web 
    - websecure
  routes:
    - match: Host(`traefik.${DOMAIN}`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    secretName: traefik-tls

Done

Now you should have the traefik dashboard available on https://traefik.yourdomain.com