TazLab K8s Ingress and Auth
This page defines the traffic entry points and identity protection for the cluster.
External Traffic Flow
- MetalLB: Assigns IP 192.168.1.240 to the Traefik Service in infrastructure/instances/traefik/.
- Traefik: Intercepts all traffic on ports 80 and 443.
- Wildcard TLS (*.tazlab.net): Delivered via ExternalSecret from Vault (tazlab-secrets-vault) into multiple namespaces (hugo-blog, dex, auth, longhorn-system). The cert was originally obtained via lego with the Cloudflare DNS-01 challenge and is not managed by a cert-manager Certificate resource — the ClusterIssuer tazlab-issuer supports only HTTP01 and cannot issue wildcards.
The wildcard TLS cert for *.tazlab.net expires on 2026-07-30. It is injected via ExternalSecret from Vault but has no automated renewal — there is no cert-manager Certificate CR with DNS01, no CronJob-based lego renewal, and no other auto-renewal mechanism. When the cert expired on 2026-05-01 after a power outage, all TLS-secured services (oauth2-proxy, blog, wiki, dex, Grafana) went offline until manual renewal with lego + Cloudflare DNS-01 was completed.
Required fix: implement automated wildcard cert renewal (add DNS01 solver to ClusterIssuer + Certificate CR, or deploy a scheduled CronJob-based lego renewal + Vault KV update).
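The first option of the required fix above, as an added example and not a manifest from this repository: the existing ClusterIssuer tazlab-issuer extended with a Cloudflare DNS01 solver, plus a Certificate CR for the wildcard. The ACME server, contact email, Secret names (cloudflare-api-token, wildcard-tazlab-net-tls), the auth namespace placement and the ingressClassName value are assumptions, not values taken from the cluster.

```yaml
# Added example: tazlab-issuer keeps its HTTP01 solver for ordinary names and
# gains a DNS01 solver that cert-manager selects for anything under tazlab.net
# (solvers with a matching selector win over the unselected default).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: tazlab-issuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory  # assumed
    email: ops@example.invalid                             # placeholder
    privateKeySecretRef:
      name: tazlab-issuer-account-key                      # assumed name
    solvers:
      - http01:
          ingress:
            ingressClassName: traefik                      # assumed value
      - selector:
          dnsZones:
            - tazlab.net
        dns01:
          cloudflare:
            # Secret must live in cert-manager's cluster-resource namespace.
            # Use a Cloudflare API token scoped to Zone:DNS:Edit for this zone
            # only, not the account-wide Global API Key.
            apiTokenSecretRef:
              name: cloudflare-api-token                   # assumed name
              key: api-token
---
# Certificate CR: cert-manager now owns issuance and renewal of the wildcard,
# renewing 30 days before the 90-day Let's Encrypt expiry.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-tazlab-net
  namespace: auth                                          # assumed namespace
spec:
  secretName: wildcard-tazlab-net-tls                      # assumed name
  commonName: "*.tazlab.net"
  dnsNames:
    - "*.tazlab.net"
    - tazlab.net
  duration: 2160h     # 90 days
  renewBefore: 720h   # 30 days
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: tazlab-issuer
    kind: ClusterIssuer
```

This issues the cert into a single namespace; the existing Vault/ExternalSecret fan-out to hugo-blog, dex and longhorn-system described above still needs to be repointed or replaced, which this example does not cover.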
Middlewares Inventory
Definitions live in apps/base/hugo-blog/middlewares.yaml and infrastructure/auth/oauth2-proxy/middleware.yaml.
- auth@kubernetescrd: The global ForwardAuth middleware for Dex integration.
- hugo-blog-redirect-to-blog: Normalizes traffic to blog.tazlab.net.
Auth Stack Stability (Fixed 2026-05-09)
To ensure reliable cluster bootstrap, the oauth2-proxy deployment in the auth namespace includes an initContainer (wait-for-dex). This container polls the Dex OIDC discovery endpoint (https://dex.tazlab.net/.well-known/openid-configuration) using curl before the main proxy starts. This resolves the startup race (TD-026) where the proxy would crash repeatedly if Dex wasn’t ready.
See Also
- Inventory: Operators Inventory - Traefik controller details.
- Hub: TazLab K8s Hub