3

I'm moving my project to Kubernetes using Traefik for routing and MetalLB as my load balancer.

I've deployed several apps and I'd like to make use of official Kubernetes-Dashboard. So I deployed the Kubernetes-Dashboard using recommended config and created IngressRoute:

# dashboard.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`k8s.example.com`, `www.k8s.example.com`)
      kind: Rule
      middlewares:
        # - name: https-redirectscheme
        # - name: nginx-basic-auth
      services:
        - kind: Service
          name: kubernetes-dashboard
          # namespace: kubernetes-dashboard
          port: 443
  tls:
    secretName: k8s.example.com-tls

It shows up in the Traefik Dashboard, but when I try to access k8s.example.com I get Internal Server Error.

Thank you

Michal Půlpán
  • 123
  • 1
  • 7
  • Have you tried Nodeport instead? IngressRoute would be nicer, but I'll dive into that later. I'll describe it in the answer - although it is not really the answer; but at least you can start working with it – Danielson Jun 05 '22 at 07:20
  • 1
    You should definitely set some `spec.routes[].services[].scheme`, as dashboard would expect for https. We have no idea how you deployed traefik: are you sure there is some websecure entrypoint? any logs in traefik / did you try to raise log level? – SYN Jun 05 '22 at 07:50
  • Looks like there are a few issues regarding this problem on the traefik github page: https://github.com/traefik/traefik/issues/4197 and https://github.com/traefik/traefik/issues/3906 – ThirteenthWolf Jul 17 '22 at 09:59

2 Answers2

1

I had the same problem - which is why I ended on this question. When I find out how to use the IngressRoute I'll update this answer.

This answer describes how to use NodePort instead.

kubectl patch svc kubernetes-dashboard -p '{"spec": {"type": "NodePort"}}'
# Confirm
kubectl get svc -n kubernetes-dashboard kubernetes-dashboard -o yaml

# patch the dashboard
tee ~/nodeport_dashboard_patch.yaml<<EOF
spec:
  ports:
  - nodePort: 32000
    port: 443
    protocol: TCP
    targetPort: 8443
EOF

kubectl patch svc kubernetes-dashboard --patch "$(cat ~/nodeport_dashboard_patch.yaml)"

Now the dashboard can be reached on the external IP Traefik gave you - in collaboration with MetalLB - with port :32000.
If you have a website routed to your cluster, you can use:

https://yourwebsite.com:32000

As described in the link you shared, fetch the token by using:

export SA_NAME= # admin user from the ServiceAccount
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep ${SA_NAME} | awk '{print $1}')

(I could change this answer for a complete script to do this; If you'd like)

Danielson
  • 2,605
  • 2
  • 28
  • 51
1

Found the answer here: https://stackoverflow.com/a/69999245/3883694

You can disable SSL certificate verification.

https://doc.traefik.io/traefik/routing/overview/#transport-configuration

---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: traefik-dashboard-transport
  namespace: traefik
spec:
  serverName: traefik-dashboard
  insecureSkipVerify: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
spec:
  entryPoints:
    - web
  routes:
    - match: (PathPrefix(`/dashboard`) || Host(`traefik.example.com`))
      kind: Rule
      services:
      - name: api@internal
        kind: TraefikService
      serversTransport: traefik-dashboard-transport
user3883694
  • 11
  • 1