TazLab K8s: Traefik Detail
Level 3 (Detail) — Edge routing configuration, LoadBalancer, dashboard.
Concept
Traefik is the sole ingress controller for the cluster. It terminates all TLS, routes traffic to services, and integrates with the OAuth2 ForwardAuth middleware for protected endpoints.
HelmRelease
File: infrastructure/operators/traefik/helmrelease.yaml
| Field | Value |
|---|---|
| Chart | traefik |
| Version | 34.0.0 |
| Repository | traefik |
| Namespace | traefik |
| Install retries | 3 |
Values
```yaml
deployment:
  kind: Deployment
  replicas: 1
additionalArguments:
  - "--api.insecure=true"
  - "--api.dashboard=true"
  - "--entrypoints.web.address=:8000"
  - "--entrypoints.websecure.address=:8443"
ports:
  web:
    port: 8000
    exposedPort: 80
  websecure:
    port: 8443
    exposedPort: 443
service:
  type: LoadBalancer
  annotations:
    metallb.universe.tf/loadBalancerIPs: "${traefik_lb_ip}"
    metallb.universe.tf/allow-shared-ip: "tazlab-internal-dashboard"
persistence:
  enabled: false
```
Key points:
- Traefik listens on ports 8000 (HTTP) and 8443 (HTTPS) inside the container
- These map to ports 80 and 443 on the LoadBalancer via `exposedPort`
- The LoadBalancer IP is injected from the cluster-vars ConfigMap (`${traefik_lb_ip}` = 192.168.1.240)
- The dashboard is enabled with `--api.insecure=true`, which serves the API and dashboard without authentication on Traefik's built-in `traefik` entrypoint (port 8080). The cluster relies on network-level protection for it: the API is read-only, but it discloses every router, service, middleware and hostname to anyone who can reach the port. The usual hardening is to drop `--api.insecure=true` (keeping `--api.dashboard=true`) and publish `api@internal` through an IngressRoute on the `websecure` entrypoint with the oauth2-proxy middleware attached, so the dashboard gets the same TLS and ForwardAuth treatment as Grafana or Longhorn.
LoadBalancer Service
File: infrastructure/instances/traefik/service.yaml
External service for the Traefik dashboard only. Because this is a plain Kubernetes Service pointing at the pod's API port, traffic to it never passes through a Traefik router: no TLS and no ForwardAuth middleware apply, and the only control is who can reach 192.168.1.240 on the LAN.
| Field | Value |
|---|---|
| Name | traefik-dashboard |
| Namespace | traefik |
| Type | LoadBalancer |
| IP | 192.168.1.240 (shared with the main Traefik Service via `metallb.universe.tf/allow-shared-ip`) |
| Port | 8003 (external) → 8080 (Traefik API port) |
IngressClass
File: infrastructure/bridge/ingress-class.yaml
```yaml
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: traefik
  annotations:
    ingressclass.kubernetes.io/is-default-class: "true"
spec:
  controller: traefik.io/ingress-controller
```
Marked as default IngressClass. All Ingress resources in the cluster use ingressClassName: traefik.
Middlewares
Global OAuth2 ForwardAuth
File: infrastructure/auth/oauth2-proxy/middleware.yaml
```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: oauth2-proxy
  namespace: auth
spec:
  forwardAuth:
    address: http://oauth2-proxy.auth.svc.cluster.local:4180
    trustForwardHeader: true
    authResponseHeaders:
      - X-Auth-Request-User
      - X-Auth-Request-Email
      - Authorization
```
Referenced from other namespaces as `auth-oauth2-proxy@kubernetescrd` (the form is `<namespace>-<name>@kubernetescrd`) in the `traefik.ingress.kubernetes.io/router.middlewares` Ingress annotation. Two caveats: the check applies only to routers that carry the annotation, so anything reached through a Service of its own (the dashboard LoadBalancer above) is not covered; and `trustForwardHeader: true` makes Traefik pass the X-Forwarded-* headers it already holds to oauth2-proxy unchanged rather than rebuilding them from the request, so the entrypoint's `forwardedHeaders` setting (client-supplied X-Forwarded-* are dropped unless the source IP is trusted, which is the default) is what keeps those values honest.
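To make the ForwardAuth semantics concrete, the following Go program is an added example, not Traefik's or TazLab's code: a minimal in-process re-implementation of the middleware above, with the HTTP round trip to oauth2-proxy:4180 replaced by an `httptest` call to a constructed stand-in that accepts the cookie value `_oauth2_proxy=valid-session`, and a backend that records the identity header it receives. It shows why `authResponseHeaders` matters: those headers are stripped from the client request before the auth reply's values are copied in, so a client that sends its own `X-Auth-Request-User` cannot impersonate anyone, and a request without a valid session never reaches the backend.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// authResponseHeaders mirrors the page's oauth2-proxy Middleware: only these
// headers are copied from the auth server's 2xx reply onto the upstream request.
var authResponseHeaders = []string{"X-Auth-Request-User", "X-Auth-Request-Email", "Authorization"}

// forwardAuth wraps next with a ForwardAuth-style check. It is a simplified,
// in-process re-implementation of the documented semantics (assumption: this is
// illustrative code, not Traefik's):
//   - the client's headers plus X-Forwarded-Method/Host/Uri go to the auth handler
//   - a 2xx reply lets the request through; each listed header is deleted from
//     the client request and then copied from the auth reply, so a client cannot
//     smuggle its own X-Auth-Request-User past the check
//   - any other status (401, 302 to a login page, ...) is relayed to the client
func forwardAuth(auth, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		authReq := httptest.NewRequest(http.MethodGet, "/", nil)
		authReq.Header = r.Header.Clone()
		authReq.Header.Set("X-Forwarded-Method", r.Method)
		authReq.Header.Set("X-Forwarded-Host", r.Host)
		authReq.Header.Set("X-Forwarded-Uri", r.URL.RequestURI())

		rec := httptest.NewRecorder() // stands in for the HTTP round trip to oauth2-proxy:4180
		auth.ServeHTTP(rec, authReq)
		resp := rec.Result()
		defer resp.Body.Close()

		if resp.StatusCode < 200 || resp.StatusCode >= 300 {
			for k, vs := range resp.Header {
				w.Header()[k] = vs
			}
			w.WriteHeader(resp.StatusCode)
			io.Copy(w, resp.Body)
			return
		}
		for _, name := range authResponseHeaders {
			key := http.CanonicalHeaderKey(name)
			r.Header.Del(key) // never trust a client-supplied identity header
			if vs := resp.Header[key]; len(vs) > 0 {
				r.Header[key] = append([]string(nil), vs...)
			}
		}
		next.ServeHTTP(w, r)
	})
}

// fakeOAuth2Proxy is a constructed stand-in for oauth2-proxy: it accepts one
// hard-coded session cookie value and answers 401 to everything else.
var fakeOAuth2Proxy = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie("_oauth2_proxy"); err == nil && c.Value == "valid-session" {
		w.Header().Set("X-Auth-Request-User", "alice")
		w.Header().Set("X-Auth-Request-Email", "alice@tazlab.net")
		w.WriteHeader(http.StatusAccepted)
		return
	}
	w.WriteHeader(http.StatusUnauthorized)
})

// Scenario pushes one request through auth + backend and returns the status the
// client got and the X-Auth-Request-User the backend saw ("" if never reached).
func Scenario(cookie, spoofedUser string) (status int, userSeen string) {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		userSeen = r.Header.Get("X-Auth-Request-User")
		w.WriteHeader(http.StatusOK)
	})
	protected := forwardAuth(fakeOAuth2Proxy, backend)

	req := httptest.NewRequest(http.MethodGet, "https://grafana.tazlab.net/dashboards", nil)
	if cookie != "" {
		req.Header.Set("Cookie", cookie)
	}
	if spoofedUser != "" {
		req.Header.Set("X-Auth-Request-User", spoofedUser)
	}
	rec := httptest.NewRecorder()
	protected.ServeHTTP(rec, req)
	return rec.Code, userSeen
}

func main() {
	for _, tc := range []struct{ cookie, spoof string }{
		{"", ""},
		{"", "mallory"},
		{"_oauth2_proxy=valid-session", "mallory"},
	} {
		status, user := Scenario(tc.cookie, tc.spoof)
		fmt.Printf("cookie=%q spoof=%q -> client status %d, backend saw user %q\n",
			tc.cookie, tc.spoof, status, user)
	}
}
```

The delete-then-copy loop is the detail worth remembering when writing your own auth layer in front of a backend that trusts `X-Auth-Request-*`: if the proxy merely added the headers, a request carrying a forged `X-Auth-Request-User` would arrive at the backend with two values, and whichever one the backend reads first wins.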
Blog Redirect
File: apps/base/hugo-blog/middlewares.yaml
```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: hugo-blog-redirect-to-blog
  namespace: hugo-blog
spec:
  redirectRegex:
    regex: ^https?://(www\.)?tazlab\.net/(.*)
    replacement: https://blog.tazlab.net/${2}
    permanent: true
```
Redirects tazlab.net and www.tazlab.net to blog.tazlab.net with a permanent (301) redirect, preserving the path and query string captured in `${2}` (`${1}` is the optional `www.` prefix and is discarded). Note that the pattern as written does not match lab.tazlab.net: `(www\.)?` admits only the bare host and the `www.` host, so a lab.tazlab.net redirect needs the group widened (for example `(www\.|lab\.)?`) or a separate rule.
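The behaviour of this pattern, as an added example rather than anything from the TazLab repository: a small Go program that applies the middleware's regex and replacement the way Traefik does (Go's `regexp` package with `${n}` group references), first with the page's pattern and then with an assumed widened pattern that also admits `lab.`. It shows which hostnames redirect, that the path and query survive in `${2}`, and that blog.tazlab.net itself and look-alike hosts are left alone.

```go
package main

import (
	"fmt"
	"regexp"
)

// redirectRegex models Traefik's RedirectRegex middleware on a single URL using
// Go's regexp package, the same engine Traefik uses: when the pattern matches,
// the replacement (with ${n} group references) becomes the redirect target;
// otherwise the request passes through unchanged. This is an illustration of
// the documented semantics, not Traefik's own code.
type redirectRegex struct {
	re          *regexp.Regexp
	replacement string
}

func newRedirectRegex(pattern, replacement string) (*redirectRegex, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err
	}
	return &redirectRegex{re: re, replacement: replacement}, nil
}

// Apply returns the redirect target and true when rawURL matches, or the
// original URL and false when the request should pass through.
func (m *redirectRegex) Apply(rawURL string) (string, bool) {
	if !m.re.MatchString(rawURL) {
		return rawURL, false
	}
	return m.re.ReplaceAllString(rawURL, m.replacement), true
}

const (
	// pageRegex and pageReplacement are the hugo-blog-redirect-to-blog values.
	pageRegex       = `^https?://(www\.)?tazlab\.net/(.*)`
	pageReplacement = `https://blog.tazlab.net/${2}`
	// widenedRegex is an assumed variant that also covers lab.tazlab.net.
	widenedRegex = `^https?://(www\.|lab\.)?tazlab\.net/(.*)`
)

func main() {
	for _, pattern := range []string{pageRegex, widenedRegex} {
		m, err := newRedirectRegex(pattern, pageReplacement)
		if err != nil {
			panic(err)
		}
		fmt.Println("pattern:", pattern)
		for _, u := range []string{ // constructed sample requests
			"https://tazlab.net/",
			"http://www.tazlab.net/posts/1?draft=true",
			"https://lab.tazlab.net/",
			"https://blog.tazlab.net/",         // the target itself must not loop
			"https://tazlab.net.evil.example/", // look-alike host, different domain
		} {
			target, redirected := m.Apply(u)
			fmt.Printf("  %-42s redirect=%-5v -> %s\n", u, redirected, target)
		}
	}
}
```

Because the `(.*)` group is what carries the path and query into the target, an unanchored or looser host group would be the thing to watch for: the `^` anchor and the literal `/` after `tazlab\.net` are what stop `tazlab.net.evil.example` from matching.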
Service Exposure Map
| Service | Hostname | Backend port | Auth | Middleware |
|---|---|---|---|---|
| hugo-blog | blog.tazlab.net | 80 (web) | None | None |
| hugo-wiki | wiki.tazlab.net | 80 (web) | None | None |
| Grafana | grafana.tazlab.net | 3000 | OAuth2 | auth-oauth2-proxy@kubernetescrd |
| PGAdmin | pgadmin.tazlab.net | 80 | OAuth2 | auth-oauth2-proxy@kubernetescrd |
| Longhorn UI | longhorn.tazlab.net | 8000 | OAuth2 | auth-oauth2-proxy@kubernetescrd |
| Dex | dex.tazlab.net | 5556 | None | None |
| oauth2-proxy (OAuth2 callback) | auth.tazlab.net | 4180 | None | None |

Dex and oauth2-proxy are unauthenticated by design (they are the login flow), and the blog and wiki are public. The Traefik dashboard does not appear here because it is published by the traefik-dashboard Service rather than by an Ingress, and so carries no middleware.
DAG Position
operators-core (Traefik HelmRelease) → bridge (IngressClass) → configs → instances (traefik-dashboard Service)
See Also
- Parent topic: Ingress & Auth
- Sibling details: cert-manager Detail, Dex/OAuth2 Detail
- Reference: Kustomize Layering