TazLab K8s Ingress and Auth
This page defines the traffic entry points and identity protection for the cluster.
External Traffic Flow
- MetalLB: Assigns IP 192.168.1.240 to the Traefik Service in infrastructure/instances/traefik/.
- Traefik: Intercepts all traffic on ports 80 and 443.
- cert-manager: Provides the wildcard-tls certificate (*.tazlab.net) from Let’s Encrypt.
Protected Dashboards (IAM)
Critical UIs are behind a ForwardAuth gate managed by Dex + OAuth2 Proxy.
| Service | Hostname | Authentication |
|---|---|---|
| Grafana | grafana.tazlab.net | Dex (Google OAuth) |
| PGAdmin | pgadmin.tazlab.net | Dex (Google OAuth) |
| Longhorn | longhorn.tazlab.net | Internal (VPN) / Auth (Planned) |
| Traefik UI | traefik.tazlab.net | Auth (Planned) |
Middlewares Inventory
Definitions live in apps/base/hugo-blog/middlewares.yaml and infrastructure/auth/oauth2-proxy/middleware.yaml.
- auth@kubernetescrd: The global ForwardAuth middleware for Dex integration.
- hugo-blog-redirect-to-blog: Normalizes traffic to blog.tazlab.net.
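The ForwardAuth gate behind the protected dashboards, written out as an added example; these are not the manifests from infrastructure/auth/oauth2-proxy/middleware.yaml. Assumed names: namespace auth for the middlewares and oauth2-proxy, Service oauth2-proxy on port 4180, Grafana in namespace monitoring on port 3000, and the traefik.io/v1alpha1 CRD API group (Traefik v3). The middleware name auth, the wildcard-tls secret and the grafana.tazlab.net host come from this page.

```yaml
# Added example, not the TazLab repo's own manifests.
# Assumed: namespace "auth", oauth2-proxy Service "oauth2-proxy" on port 4180,
# Traefik v3 CRDs (traefik.io/v1alpha1).
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: auth            # referenced by routes as auth@kubernetescrd
  namespace: auth       # assumed
spec:
  forwardAuth:
    # oauth2-proxy answers 202 when the request carries a valid session
    # cookie and 401 otherwise; only the 202 lets the request through.
    address: http://oauth2-proxy.auth.svc.cluster.local:4180/oauth2/auth
    # Pass X-Forwarded-* through so oauth2-proxy sees the original Host/URI.
    trustForwardHeader: true
    # Identity headers oauth2-proxy sets on a 202 (requires --set-xauthrequest);
    # Traefik copies them onto the request sent to the backend.
    authResponseHeaders:
      - X-Auth-Request-User
      - X-Auth-Request-Email
      - X-Auth-Request-Groups
---
# Turn oauth2-proxy's 401 into a browser redirect to its sign-in page,
# returning the user to the page they asked for afterwards.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: auth-errors
  namespace: auth       # assumed
spec:
  errors:
    status:
      - "401"
    service:
      name: oauth2-proxy
      port: 4180
    # {url} is the escaped request URL (Traefik v3 errors middleware).
    query: "/oauth2/sign_in?rd={url}"
---
# Grafana route: TLS from the wildcard cert, both middlewares applied.
# auth-errors must precede auth so it can catch the 401 the gate returns.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: grafana
  namespace: monitoring # assumed
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`grafana.tazlab.net`)
      kind: Rule
      middlewares:
        - name: auth-errors
          namespace: auth
        - name: auth
          namespace: auth
      services:
        - name: grafana   # assumed Service name and port
          port: 3000
  tls:
    secretName: wildcard-tls
```

Two things to check when applying this pattern to the dashboards still marked "Auth (Planned)": referencing a Middleware from another namespace only works when the Traefik kubernetesCRD provider runs with allowCrossNamespace enabled, and a route that omits the auth middleware is served unauthenticated with no error, so listing each IngressRoute's middlewares against the hostnames in the table above is the quickest way to confirm the gate is actually attached.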
See Also
- Inventory: Operators Inventory - Traefik controller details.
- Hub: TazLab K8s Hub