- Traefik's Dashboard is exposed by IngressRoute to URI
/dashboard/, this can be disabled if needed. - Access to the dashboard can be restricted to defined users via basic authentication.
- Once everything is deployed, the Traefik Dashboard IngressRoute, Let's Encrypt certificates and IngressRoutes for all other dashboards accessed via Traefik can be inspected in the ArgoCD Dashboard in application
Traefik-config.
If you plan on using the Traefik dashboard and wish to require authentication. Then define the users who can access in file vars/secrets/main.yml:
# Define encoded Traefik users allowed to use the Traefik Dashboard (if enabled)
# Multiple users can be listed below, one per line (indented by 2 spaces)
# Created with "htpasswd" utility and then base64 encode that output such as:
# $ htpasswd -nb [user] [password] | base64
TRAEFIK_DASHBOARD_USERS: |
dHJhZWZpa2FkbTokMnkkMTAkbHl3NWdYcXpvbFJCOUY4M0RHa2dMZW52YWJTcmpxUk9XbXNGUmZKa2ZQSlhBbzNDSmJHY08KBe sure to encrypt all the secrets above when completed:
ansible-vault encrypt vars/secrets/main.ymlThe Traefik Settings are in variable namespace install.traefik.
-
Enable or disable installation of Traefik. Disabled will prevent the installation prevent usage of IngressRoutes to application dashboards
install: traefik: enabled: true
-
Pin which version of Traefik to install. This value should be defined in the inventory file or group_vars file or can be updated directly here.
###[ Traefik Installation Settings ]############################################################# install: traefik: # Select release to use: https://github.com/traefik/traefik-helm-chart/tags install_version: "{{traefik_install_version|default('v20.3.0')}}"
-
The namespace Helm will use to install Traefik:
namespace: "traefik" # Add resources to this namespace
-
Define ArgoCD Project to associate Traefik with:
argocd_project: "ingress" # ArgoCD Project to associate this with
-
Define if Traefik dashboard will be used and how it will be accessed.
# Traefik Dashboard dashboard: create_route: true # Create Ingress Router to make accessible enable_https: true # Require HTTPS to access dashboard enable_basic_auth: true # Require Authentication to access dashboard
- The
create_routewill create a Traefik Ingress route to expose the dashboard on the URI defined inpath(see below)- Set
create_routetofalseto prevent the route from being created.
- Set
- The
enable_httpswill require HTTPS protocol for accessing the dashboard. This will use a Let's Encrypt generated certificate that is managed by Cert-manager. - By default basic authentication for the dashboard is enabled.
- The
Traefik and other dashboards are accessed via this DNS name.
-
The DNS name is specified in
k3s_cluster_ingress_namevariable and the IP address of this DNS name is specified intraefik_lb_ipvariable as stated in Inventory Variables for IP & Load Balancers# Fully Qualified Domain for ingress routes - Traefik Load Balancer address name # This is the DNS name you plan to point to the Traefik ingress Load Balancer IP address. ingress_name: '{{k3s_cluster_ingress_name|default("k3s.{{ansible_domain}}")}}' # Default Dashboard URL: https://k3s.{{ansible_domain}}/dashboard/ path: "/dashboard" # PathPrefix for dashboard # Encoded users and passwords for basic authentication stored in k3s_traefik_api_secrets.yml allowed_users: "{{TRAEFIK_DASHBOARD_USERS}}"
-
The
ingress_nameshould reference the DNS name which points to the Traefik Load Balancer IP address used for all Traefik ingress routes. If a name is not provided it will default to hostnamek3sand use the domain of the Kubernetes Linux host. -
The
"{{TRAEFIK_DASHBOARD_USERS}}"specifies the individual users allowed to access the dashboard.- This variable is defined in
vars/secrets/main.yml.
- This variable is defined in
The Traefik Dashboard URL path will resemble: https://k3s.example.com/dashboard/
