traefik-helm-chart icon indicating copy to clipboard operation
traefik-helm-chart copied to clipboard

Published 20 hours ago verified publisher icon traefik

dashboard-hook-ingressroute.yaml has hardcoded values

Open gioppoluca opened this issue 2 years ago • 2 comments

Welcome!

  • [X] Yes, I've searched similar issues on GitHub and didn't find any.
  • [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What version of the Traefik's Helm Chart are you using?

10.15.0

What version of Traefik are you using?

2.6.1

What did you do?

trying to use the helm chart to publish the dashboard, but I defined other endpointnames and the dashboard-hook-ingressroute.yaml has the endpoint hardcoded Also is not possible to define a host for the dashboard

What did you see instead?

no access to dashboard

What is your environment & configuration?

Rancher 2.6.3, kubernetes 1.21.7

Additional Information

No response

gioppoluca avatar May 12 '22 09:05 gioppoluca

same here, not sure how to access (or simply configurre the host) for the dashboard using this chart

bitsofinfo avatar Jun 13 '22 14:06 bitsofinfo

I deploy my chart the following way.

helm install traefik traefik/traefik -n traefik-system --create-namespace \
    --set providers.kubernetesCRD.allowExternalNameServices=true \
    --set providers.kubernetesIngress.publishedService.enabled=true \
    --set providers.kubernetesIngress.publishedService.pathOverride="traefik-system/traefik" \
    --set providers.kubernetesIngress.allowExternalNameServices=true \
    --set ports.websecure.tls.enabled=true \
    --set ports.traefik.expose=true \
    --set ports.metrics.expose=true \
    --set ingressRoute.dashboard.enabled=false

That exposes port 9000 (--set ports.traefik.expose=true) and I can access the dashboard via the external load balancer ip for example.

In situations where I do not want to expose port 9000, I do not set the parameter and I either patch the ingressRoute with kubectl patch ingressroute -n kube-system traefik-dashboard --type=merge -p '{"spec":{"entryPoints":["websecure"]}}' to make it reachable over 443 or I disable the dashboard during install with --set ingressRoute.dashboard.enabled=false and deploy my own ingressRoute.

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  annotations:
  labels:
    app.kubernetes.io/instance: traefik
    app.kubernetes.io/name: traefik
  name: traefik-dashboard
  namespace: traefik-system
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
    services:
    - kind: TraefikService
      name: api@internal

But I fully agree, if the entryPoint would be configurable via the values that would be much better, to avoid additional steps in the deployment workflow.

mschirrmeister avatar Jun 29 '22 18:06 mschirrmeister

Hello @gioppoluca

Thanks for your interest in Traefik !

As you have guessed, the IngressRoute provided by default is an easy-to-go access to dashboard, without security issues. This Helm Chart is designed to help when installing traefik, not managing IngressRoute. The dashboard is not an exception to this design.

mloiseleur avatar Sep 29 '22 08:09 mloiseleur