TazLab K8s: Traefik Detail

Level 3 (Detail) — Edge routing configuration, LoadBalancer, dashboard.

Concept

Traefik is the sole ingress controller for the cluster. It terminates all TLS, routes traffic to services, and integrates with the OAuth2 ForwardAuth middleware for protected endpoints.

HelmRelease

File: infrastructure/operators/traefik/helmrelease.yaml

Field            Value
---------------  --------
Chart            traefik
Version          34.0.0
Repository       traefik
Namespace        traefik
Install retries  3

Values

deployment:
  kind: Deployment
  replicas: 1
additionalArguments:
  - "--api.insecure=true"
  - "--api.dashboard=true"
  - "--entrypoints.web.address=:8000"
  - "--entrypoints.websecure.address=:8443"
ports:
  web:
    port: 8000
    exposedPort: 80
  websecure:
    port: 8443
    exposedPort: 443
service:
  type: LoadBalancer
  annotations:
    metallb.universe.tf/loadBalancerIPs: "${traefik_lb_ip}"
    metallb.universe.tf/allow-shared-ip: "tazlab-internal-dashboard"
persistence:
  enabled: false

Key points:

  • Traefik listens on ports 8000 (HTTP) and 8443 (HTTPS) inside the container
  • These are exposed as ports 80 and 443 on the Service via exposedPort
  • The LoadBalancer IP is injected from the cluster-vars ConfigMap: ${traefik_lb_ip} = 192.168.1.240
  • The dashboard is enabled with --api.insecure=true, which serves the API and dashboard on port 8080 without authentication; it relies on network-level protection

LoadBalancer Service

File: infrastructure/instances/traefik/service.yaml

External service for the Traefik dashboard only:

Field      Value
---------  ---------------------------
Name       traefik-dashboard
Namespace  traefik
Type       LoadBalancer
IP         192.168.1.240 (shared pool)
Port       8003 → 8080

IngressClass

File: infrastructure/bridge/ingress-class.yaml

apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: traefik
  annotations:
    ingressclass.kubernetes.io/is-default-class: "true"
spec:
  controller: traefik.io/ingress-controller

Marked as default IngressClass. All Ingress resources in the cluster use ingressClassName: traefik.

Middlewares

Global OAuth2 ForwardAuth

File: infrastructure/auth/oauth2-proxy/middleware.yaml

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: oauth2-proxy
  namespace: auth
spec:
  forwardAuth:
    address: http://oauth2-proxy.auth.svc.cluster.local:4180
    trustForwardHeader: true
    authResponseHeaders:
      - X-Auth-Request-User
      - X-Auth-Request-Email
      - Authorization

Referenced as auth-oauth2-proxy@kubernetescrd in ingress annotations (Traefik names a CRD middleware <namespace>-<name>@kubernetescrd).

Blog Redirect

File: apps/base/hugo-blog/middlewares.yaml

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: hugo-blog-redirect-to-blog
  namespace: hugo-blog
spec:
  redirectRegex:
    regex: ^https?://(www\.)?tazlab\.net/(.*)
    replacement: https://blog.tazlab.net/${2}
    permanent: true

Redirects tazlab.net, www.tazlab.net, and lab.tazlab.net to blog.tazlab.net.
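Before trusting a redirectRegex rule, it is worth checking two things offline: that it matches every hostname it is meant to cover, and that the replacement can only ever send clients to blog.tazlab.net (the path captured in group 2 must not be able to change the target host). The script below is an added example, not part of the TazLab repository; it emulates Traefik's redirectRegex with Python's re module (translating the Go-style ${2} reference to Python's \g<2>) and runs the rule from middlewares.yaml over constructed request URLs. Note that, as written, the pattern ^https?://(www\.)?tazlab\.net/(.*) does not match lab.tazlab.net, so that hostname would need its own alternative in the regex to behave as the text above describes.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Values copied from apps/base/hugo-blog/middlewares.yaml
REDIRECT_REGEX = r"^https?://(www\.)?tazlab\.net/(.*)"
REDIRECT_REPLACEMENT = r"https://blog.tazlab.net/${2}"


def go_template_to_python(replacement: str) -> str:
    """Translate Go-style ${n} / $n group references (what Traefik's
    redirectRegex uses) into the \\g<n> form understood by Python's re."""
    return re.sub(r"\$\{?(\d+)\}?", r"\\g<\1>", replacement)


def apply_redirect(url: str, regex: str = REDIRECT_REGEX,
                   replacement: str = REDIRECT_REPLACEMENT) -> Optional[str]:
    """Return the Location Traefik would redirect `url` to, or None when the
    pattern does not match and the request passes through to the backend.
    `url` is the full request URL as Traefik reconstructs it (scheme://host/path)."""
    pattern = re.compile(regex)
    if not pattern.search(url):
        return None
    return pattern.sub(go_template_to_python(replacement), url)


def target_host(url: str) -> Optional[str]:
    """Hostname of the redirect target; used to confirm the rule can only
    send clients to blog.tazlab.net regardless of the request path."""
    target = apply_redirect(url)
    return None if target is None else urlsplit(target).hostname


# Constructed request URLs with the behaviour expected from the rule as written.
CONSTRUCTED_CASES = {
    "https://tazlab.net/posts/hello/":    "https://blog.tazlab.net/posts/hello/",
    "http://www.tazlab.net/":             "https://blog.tazlab.net/",
    "https://lab.tazlab.net/posts/":      None,  # no (lab\.)? alternative in the pattern
    "https://tazlab.net.example/":        None,  # host must be followed directly by "/"
    "https://example.test/tazlab.net/":   None,  # anchored with ^, a path cannot fake the host
    "https://tazlab.net//evil.example/":  "https://blog.tazlab.net//evil.example/",
}


def mismatches(cases=CONSTRUCTED_CASES):
    """Cases where the emulated middleware disagrees with the expectation."""
    return [(url, expected, apply_redirect(url))
            for url, expected in cases.items()
            if apply_redirect(url) != expected]


if __name__ == "__main__":
    for url in CONSTRUCTED_CASES:
        print(f"{url:40} -> {apply_redirect(url)}  (host: {target_host(url)})")
    print("mismatches:", mismatches())
```

The last constructed case shows why the anchored host matters: a double slash in the path only produces a longer path on blog.tazlab.net, never a different host, so the rule is not an open redirect. Traefik compiles the pattern with Go's RE2 engine; for a pattern this simple Python's re behaves identically, but rules using lookarounds or backreferences would not be accepted by Traefik at all.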

Service Exposure Map

Service      Hostname             Traefik Port  Auth    Middleware
-----------  -------------------  ------------  ------  -------------------------------
hugo-blog    blog.tazlab.net      80 (web)      None    None
hugo-wiki    wiki.tazlab.net      80 (web)      None    None
Grafana      grafana.tazlab.net   3000          OAuth2  auth-oauth2-proxy@kubernetescrd
PGAdmin      pgadmin.tazlab.net   80            OAuth2  auth-oauth2-proxy@kubernetescrd
Longhorn UI  longhorn.tazlab.net  8000          OAuth2  auth-oauth2-proxy@kubernetescrd
Dex          dex.tazlab.net       5556          None    None
OAuth2 CB    auth.tazlab.net      4180          None    None
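The map above is the intended policy; what actually enforces it is the router.middlewares annotation on each Ingress. The script below is an added audit example (not code from the TazLab repository) that checks a set of Ingress objects against that policy: every host in an OAuth2 row must carry the ForwardAuth middleware, referenced in the <namespace>-<name>@kubernetescrd form derived from middleware.yaml, and every Ingress must use ingressClassName traefik. The Ingress objects, including the namespaces monitoring, pgadmin and longhorn-system and the two deliberately broken entries, are constructed inline so the detection can be seen; in practice they would be loaded from kubectl get ingress -A -o json.

```python
# Middleware identity from infrastructure/auth/oauth2-proxy/middleware.yaml
MIDDLEWARE = {"namespace": "auth", "name": "oauth2-proxy"}
ANNOTATION = "traefik.ingress.kubernetes.io/router.middlewares"

# Hosts in the OAuth2 rows of the Service Exposure Map.
PROTECTED_HOSTS = {"grafana.tazlab.net", "pgadmin.tazlab.net", "longhorn.tazlab.net"}


def crd_reference(namespace: str, name: str, provider: str = "kubernetescrd") -> str:
    """Traefik exposes a Kubernetes CRD middleware as <namespace>-<name>@<provider>."""
    return f"{namespace}-{name}@{provider}"


def ingress(name, namespace, host, middlewares=None, ingress_class="traefik"):
    """Build a minimal Ingress object shaped like kubectl's JSON output (constructed)."""
    annotations = {}
    if middlewares:
        annotations[ANNOTATION] = ",".join(middlewares)
    return {
        "kind": "Ingress",
        "metadata": {"name": name, "namespace": namespace, "annotations": annotations},
        "spec": {"ingressClassName": ingress_class, "rules": [{"host": host}]},
    }


# Constructed inventory: grafana and the blog are correct, pgadmin lacks the
# annotation, longhorn references the middleware with the wrong namespace prefix,
# and dex is bound to a different IngressClass.
CONSTRUCTED_INGRESSES = [
    ingress("grafana", "monitoring", "grafana.tazlab.net",
            ["auth-oauth2-proxy@kubernetescrd"]),
    ingress("pgadmin", "pgadmin", "pgadmin.tazlab.net"),
    ingress("longhorn", "longhorn-system", "longhorn.tazlab.net",
            ["longhorn-oauth2-proxy@kubernetescrd"]),
    ingress("hugo-blog", "hugo-blog", "blog.tazlab.net"),
    ingress("dex", "auth", "dex.tazlab.net", ingress_class="nginx"),
]


def audit(ingresses, protected_hosts=PROTECTED_HOSTS, middleware=MIDDLEWARE):
    """Return (namespace/name, host, finding) for every policy violation."""
    expected = crd_reference(middleware["namespace"], middleware["name"])
    findings = []
    for ing in ingresses:
        meta = ing["metadata"]
        ident = f'{meta["namespace"]}/{meta["name"]}'
        raw = meta.get("annotations", {}).get(ANNOTATION, "")
        chain = [m.strip() for m in raw.split(",") if m.strip()]
        if ing["spec"].get("ingressClassName") != "traefik":
            findings.append((ident, None, "ingressClassName is not traefik"))
        for rule in ing["spec"].get("rules", []):
            host = rule.get("host")
            if host in protected_hosts and expected not in chain:
                findings.append((ident, host,
                                 f"missing {expected} (has: {chain or 'none'})"))
    return findings


if __name__ == "__main__":
    for ident, host, finding in audit(CONSTRUCTED_INGRESSES):
        print(f"{ident:28} {host or '-':22} {finding}")
```

The namespace-prefix check matters because a reference such as longhorn-oauth2-proxy@kubernetescrd points at a Middleware that does not exist in the longhorn-system namespace; Traefik then refuses to build the router, so the host returns 404 rather than being served unauthenticated, but the audit still flags it as a misconfiguration to fix.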

DAG Position

operators-core      → bridge         → configs → instances
(traefik installed)   (ingressClass)              (traefik-dashboard Service)

See Also