Traefik dashboard
Expose traefik dashboard
You can use both Kubernetes standard Ingress or the Traefik CRD ingressroute for normal routes. To expose the dashboard you can use a traefik specific ingressroute CRD, or you can set up a service for it.
Create service
cat traefik-dashboard-service.yaml | envsubst | kubectl apply -f -
traefik-dashboard-service.yaml
apiVersion: v1
kind: Service
metadata:
name: traefik-dashboard
namespace: kube-system
labels:
app.kubernetes.io/instance: traefik
app.kubernetes.io/name: traefik-dashboard
spec:
type: ClusterIP
ports:
- name: traefik
port: 9000
targetPort: traefik
protocol: TCP
selector:
app.kubernetes.io/instance: traefik-kube-system
app.kubernetes.io/name: traefik
Create ingress
cat traefik-dashboard-ingress.yaml | envsubst | kubectl apply -f -
traefik-dashboard-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: traefik-ingress
namespace: kube-system
annotations:
spec.ingressClassName: traefik
spec:
rules:
- host: traefik.${DOMAIN}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: traefik-dashboard
port:
number: 9000
Now it should be available at http://traefik.example.com/dashboard/ (note the trailing slash!).
Create https certificate
Traefik does not support using cert-manager for tls. So when using ingressroute with https you need to first create a "fake" ingress to get a secret with the desired name. Then you use that secret like below.
Wildcard: Alternatively you could get a wildcard certificate, and just use that. The setup for that is slightly more complicated and might require using a third party nameserver like digitalocean or cloudflare to help with the challenges.
- Create the temporary ingress so cert-manager gets the intial certificate
cat traefik-dashboard-tmp-ingress.yaml | envsubst | kubectl apply -f -
- Wait until you are able to access https://traefik.example.com without errors or warnings about certificate.
Replace with ingressroute (OPTIONAL)
Even if traefik does not support using cert-bot to manage certificates, we can work around using a regular ingress that we delete. This is optional. See next page to add basic auth to the dashboard.
- Delete the original imp ingress
cat traefik-dashboard-tmp-ingress.yaml | envsubst | kubectl delete -f -
- Finally create the traefik native ingressroute
cat traefik-ingressroute-no-auth.yaml | envsubst | kubectl apply -f -
traefik-ingressroute-no-auth.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: dashboard
spec:
entryPoints:
- web
- websecure
routes:
- match: Host(`traefik.${DOMAIN}`)
kind: Rule
services:
- name: api@internal
kind: TraefikService
tls:
secretName: traefik-tls
Done
Now you should have the traefik dashboard available on https://traefik.yourdomain.com