TazLab K8s Ingress and Auth

This page defines the traffic entry points and identity protection for the cluster.

External Traffic Flow

  1. MetalLB: Assigns the IP 192.168.1.240 to the Traefik Service defined in infrastructure/instances/traefik/.
  2. Traefik: Receives all traffic on ports 80 and 443 and routes it to the cluster services.
  3. Wildcard TLS (*.tazlab.net): Delivered via ExternalSecret from Vault (tazlab-secrets-vault) into multiple namespaces (hugo-blog, dex, auth, longhorn-system). The cert was originally obtained with lego using the Cloudflare DNS-01 challenge and is not managed by a cert-manager Certificate resource: the ClusterIssuer tazlab-issuer has only an HTTP01 solver, and HTTP01 cannot validate wildcard names.

The current wildcard TLS cert for *.tazlab.net expires on 2026-07-30. It is injected via ExternalSecret from Vault, but nothing renews it automatically: there is no cert-manager Certificate CR with a DNS01 solver, no CronJob-based lego renewal, and no other auto-renewal mechanism. When the previous cert expired on 2026-05-01, after a power outage, every TLS-secured service (oauth2-proxy, blog, wiki, dex, Grafana) went offline until it was manually renewed with lego and the Cloudflare DNS-01 challenge.

Required fix: implement automated wildcard cert renewal, either by adding a DNS01 solver to the ClusterIssuer plus a Certificate CR, or by deploying a scheduled CronJob that runs lego and writes the renewed cert back to the Vault KV path the ExternalSecrets read.
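What the cert-manager variant of that fix looks like, as an added example (not the repo's own manifests): the existing HTTP01 solver stays for ordinary hostnames, a Cloudflare DNS01 solver is added and selected for everything under tazlab.net, and a Certificate CR requests the wildcard. The ACME account email, the Secret names, the Traefik ingress class name and the namespace the Certificate lives in are assumptions.

```yaml
# Added example, not the project's manifests. Assumed: ACME email, Secret names,
# ingress class name, and that the Cloudflare API token Secret lives in the
# cert-manager namespace (a ClusterIssuer reads Secrets from cert-manager's
# cluster resource namespace, not from the Certificate's namespace).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: tazlab-issuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@tazlab.net              # assumed
    privateKeySecretRef:
      name: tazlab-issuer-account-key    # assumed
    solvers:
      # Existing behaviour: HTTP01 for plain hostnames.
      - http01:
          ingress:
            ingressClassName: traefik    # assumed
      # New: DNS01 via Cloudflare. A solver with a selector takes precedence
      # over one without, so every name under tazlab.net (wildcards included)
      # is validated through DNS. The token only needs Zone:DNS:Edit on tazlab.net.
      - selector:
          dnsZones:
            - tazlab.net
        dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token   # assumed; deliver it via ExternalSecret from Vault
              key: api-token
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-tazlab-net
  namespace: auth                        # assumed
spec:
  secretName: wildcard-tazlab-net-tls    # assumed; the Secret Traefik/IngressRoutes reference
  issuerRef:
    name: tazlab-issuer
    kind: ClusterIssuer
  dnsNames:
    - "*.tazlab.net"
    - tazlab.net                         # the wildcard does not cover the apex
  duration: 2160h                        # 90 days, the Let's Encrypt lifetime
  renewBefore: 720h                      # cert-manager re-orders 30 days before expiry
  privateKey:
    rotationPolicy: Always               # fresh key on every renewal
```

Two things to check after applying it: `kubectl get certificate -A` should show Ready=True, and `kubectl describe order -n auth` will say which solver cert-manager picked; if it chose http01 for the wildcard the selector is wrong. cert-manager writes the Secret only into the Certificate's own namespace, so the ExternalSecrets in hugo-blog, dex and longhorn-system either get replaced by one Certificate each (each is its own ACME order, which is fine for four names under the duplicate-certificate rate limit) or keep reading Vault, in which case something still has to copy the renewed Secret back into the Vault KV path.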

Middlewares Inventory

Definitions live in apps/base/hugo-blog/middlewares.yaml and infrastructure/auth/oauth2-proxy/middleware.yaml.

  • auth@kubernetescrd: The global ForwardAuth middleware for Dex integration.
  • hugo-blog-redirect-to-blog: Normalizes traffic to blog.tazlab.net.
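What the two middlewares look like when written for Traefik's Kubernetes CRD provider, as an added example and not a copy of middlewares.yaml or middleware.yaml. The oauth2-proxy Service name and port, the namespaces, and the hostnames being redirected are assumptions.

```yaml
# Added example, not the repo's files. Assumed: oauth2-proxy Service address,
# namespaces, and the source hostname the redirect normalizes.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: auth
  namespace: auth
spec:
  forwardAuth:
    # Traefik sends each request (method, path, headers) here first. A 2xx
    # lets the request through; any other status, such as oauth2-proxy's
    # 302 to Dex, is returned to the client instead of the backend.
    address: http://oauth2-proxy.auth.svc.cluster.local:4180/   # assumed
    # Pass X-Forwarded-* through so oauth2-proxy builds the post-login
    # redirect (rd=) for the public hostname, not the in-cluster address.
    trustForwardHeader: true
    # Identity headers oauth2-proxy sets on success; only these are copied
    # onto the upstream request, so backends never see other proxy headers.
    authResponseHeaders:
      - X-Auth-Request-User      # needs --set-xauthrequest=true on oauth2-proxy
      - X-Auth-Request-Email
      - Authorization            # needs --set-authorization-header=true
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: hugo-blog-redirect-to-blog
  namespace: hugo-blog
spec:
  redirectRegex:
    # Go RE2 syntax; ${1} is the captured path. Anchored so a crafted
    # Host cannot make the regex match somewhere in the middle.
    regex: "^https?://tazlab\\.net/(.*)"          # assumed source hostname
    replacement: "https://blog.tazlab.net/${1}"
    permanent: true
```

The ForwardAuth address is the one security-relevant choice here: pointing it at oauth2-proxy's root lets oauth2-proxy issue the sign-in redirect itself, whereas pointing it at /oauth2/auth yields a bare 401 and needs a separate errors middleware to send the browser to /oauth2/start. Either way, the backend behind the middleware must trust only the headers listed in authResponseHeaders, and must not be reachable on a route that skips the middleware.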

Auth Stack Stability (Fixed 2026-05-09)

To ensure reliable cluster bootstrap, the oauth2-proxy Deployment in the auth namespace includes an initContainer (wait-for-dex). This container polls the Dex OIDC discovery endpoint (https://dex.tazlab.net/.well-known/openid-configuration) with curl until it answers successfully, and only then does the main proxy container start. This resolves the startup race (TD-026) in which the proxy crash-looped at boot because Dex was not yet serving its discovery document.
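The initContainer pattern described above, as an added example rather than the repo's Deployment manifest. The curl image, the polling interval and the main container's details are assumptions; the existing oauth2-proxy args and env are not reproduced.

```yaml
# Added example, not the project's manifest. Assumed: curl image and tag,
# 5-second poll interval, main container image. Args/env of the existing
# oauth2-proxy container are unchanged and not shown here.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
  namespace: auth
spec:
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      initContainers:
        - name: wait-for-dex
          image: curlimages/curl:8.8.0          # assumed
          command:
            - sh
            - -c
            - |
              # -f: non-2xx counts as failure; -sS: quiet except for errors;
              # --max-time bounds each attempt so a hung TLS handshake
              # cannot stall the loop. curl verifies the chain, so an
              # expired wildcard cert also keeps this loop running.
              until curl -fsS --max-time 5 \
                  https://dex.tazlab.net/.well-known/openid-configuration >/dev/null; do
                echo "dex discovery not ready, retrying in 5s"
                sleep 5
              done
              echo "dex is up"
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0   # assumed
          # existing args/env (provider, issuer URL, client secret, cookie secret) go here
          ports:
            - containerPort: 4180
```

Two caveats worth knowing. First, the check only guards startup: if Dex disappears after the proxy is running, the initContainer does not re-run, so the proxy's own behaviour against a dead issuer still applies. Second, because curl validates TLS, the initContainer turns an expired wildcard cert (the 2026-05-01 outage) into a pod stuck in Init rather than a CrashLoopBackOff; `kubectl logs -n auth deploy/oauth2-proxy -c wait-for-dex` shows the curl error and is the first place to look when the pod never becomes Ready.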

See Also