Access Traefik dashboard using an Nginx Ingress Class


This is my situation:

  • external AWS application load balancer and a DNS record to it (subdomain - can be accessed externally)
  • AWS load balancer controller installed in the EKS cluster
  • Traefik helm chart (20.2) with Traefik 2.9.4 installed in the EKS cluster - the traefik service is the ClusterIP type
  • a TargetGroupBinding resource that binds the traefik service to a Target Group
  • a lot of ingresses of traefik class type that go to some applications (exposed externally) - ex.: subdomain, subdomain, etc.
  • an IngressRoute which allows me to access the Traefik dashboard on the URL (exposed externally) https://subdomain
  • ingress-nginx installed in the EKS cluster for internal URLs (the nginx service is the LoadBalancer type) - prometheus, grafana

My question is: can the Traefik dashboard be accessed using an NginxClass ingress on a URL like traefik-dashboard? I want the Traefik dashboard to be accessed only internally and not to be exposed externally through the ALB. Middleware auth is not an acceptable solution.

I tried to create an ingress, but with no success:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations: ca-issuer traefik-dashboard traefik-dashboard
  name: traefik-dashboard
spec:
  ingressClassName: nginx
  rules:
  - host: traefik-dashboard
    http:
      paths:
      - backend:
          service:
            name: traefik
            port:
              number: 9000
        path: /dashboard
        pathType: Prefix
  tls:
    - hosts:
        - traefik-dashboard
      secretName: traefik-dashboard-tls

My current ingressRoute for the dashboard:

spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
    services:
    - kind: TraefikService
      name: api@internal


I found a solution without Nginx - I installed the Traefik helm chart 2 times:

  • the first installation creates a ClusterIP service and a traefik ingress class; this service is bound through the targetGroupBinding resource to the ALB's target group
  • the second installation creates a LoadBalancer service (it creates a NLB) and a traefik-internal ingress class.

Everything works almost fine:

  • the internal ingresses belong to the traefik-internal ingress class and they have the NLB attached (prometheus.myinternaldomain.net, grafana.myinternaldomain.net)
  • the ingresses that belong to the traefik class (subdomain.mydomain.com/app1, subdomain.mydomain.com/app2) work well (the requests go through the ALB, as I intended), BUT... the NLB is also attached to these ingresses. Why does this happen if they are of the traefik ingress class, which corresponds to a ClusterIP type service?