Access Traefik dashboard using an Nginx Ingress Class

Hello.

This is my situation:

  • external AWS application load balancer and a DNS record to it (subdomain.mydomain.com - can be accessed externally)
  • AWS load balancer controller installed in the EKS cluster
  • Traefik helm chart (20.2) with Traefik 2.9.4 installed in the EKS cluster - the traefik service is the ClusterIP type
  • a TargetGroupBinding resource that binds the traefik service to a Target Group
  • a lot of ingresses of traefik class type that go to some applications (exposed externally) - ex.: subdomain.mydomain.com/app1, subdomain.mydomain.com/app2, etc.
  • an IngressRoute which allows me to access the Traefik dashboard on the URL (exposed externally) https://subdomain.mydomain.com/dashboard/
  • ingress-nginx installed in the EKS cluster for internal URLs (the nginx service is the LoadBalancer type) - prometheus.myinternaldomain.net, grafana.myinternaldomain.net

My question is: can the Traefik dashboard be accessed using a NginxClass ingress on a URL like traefik-dashboard.myinternaldomain.net? I want the Traefik dashboard to be accessed only internally and not to be exposed externally through the ALB. Middleware auth is not an acceptable solution.

I tried to create an ingress, but with no success:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: ca-issuer
    external-dns.alpha.kubernetes.io/hostname: traefik-dashboard.myinternaldomain.net
    cert-manager.io/common-name: traefik-dashboard.myinternaldomain.net
  name: traefik-dashboard
spec:
  ingressClassName: nginx
  rules:
  - host: traefik-dashboard.myinternaldomain.net
    http:
      paths:
      - backend:
          service:
            name: traefik
            port:
              number: 9000
        path: /dashboard
        pathType: Prefix
  tls:
    - hosts:
        - traefik-dashboard.myinternaldomain.net
      secretName: traefik-dashboard-tls

My current ingressRoute for the dashboard:

spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
    services:
    - kind: TraefikService
      name: api@internal

Thanks.

I found a solution without Nginx - I installed the Traefik helm chart 2 times:

  • the first installation creates a ClusterIP service and a traefik ingress class; this service is bound through the targetGroupBinding resource to the ALB's target group
  • the second installation creates a LoadBalancer service (it creates a NLB) and a traefik-internal ingress class.

Everything works almost fine:

  • the internal ingresses belong to the traefik-internal ingress class and they have attached the NLB (prometheus.myinternaldomain.net, grafana.myinternaldomain.net)
  • the ingresses that belong to the traefik class (subdomain.mydomain.com/app1, subdomain.mydomain.com/app2) work well (the requests are through ALB, as I intended), BUT... the NLB is also attached to the ingress. Why does this happen if they are of the traefik ingress class, which corresponds to a ClusterIP type service?
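
A check for the symptom described in the last post, as an added example that is not part of the original thread: it reads Ingress objects in the shape returned by `kubectl get ingress -A -o json` and reports any whose published load balancer address is not one expected for its ingress class. The sample data, the `internal-nlb.example.invalid` hostname and the per-class policy in `ALLOWED` are constructed assumptions.

```python
import json

# Constructed sample shaped like `kubectl get ingress -A -o json` (not real cluster output).
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "apps", "name": "app1"},
  "spec": {"ingressClassName": "traefik"},
  "status": {"loadBalancer": {"ingress": [{"hostname": "internal-nlb.example.invalid"}]}}},
 {"metadata": {"namespace": "monitoring", "name": "grafana"},
  "spec": {"ingressClassName": "traefik-internal"},
  "status": {"loadBalancer": {"ingress": [{"hostname": "internal-nlb.example.invalid"}]}}},
 {"metadata": {"namespace": "apps", "name": "app2",
               "annotations": {"kubernetes.io/ingress.class": "traefik"}},
  "spec": {}, "status": {"loadBalancer": {}}}
]}
""")

# Assumed policy: addresses each class may publish in Ingress status. The
# ALB-fronted class is expected to publish none; adjust to your own cluster.
ALLOWED = {"traefik": set(), "traefik-internal": {"internal-nlb.example.invalid"}}

def ingress_class(item):
    """Return the class from spec.ingressClassName or the legacy annotation."""
    cls = item.get("spec", {}).get("ingressClassName")
    if cls:
        return cls
    annotations = item.get("metadata", {}).get("annotations") or {}
    return annotations.get("kubernetes.io/ingress.class")

def published_addresses(item):
    """Collect hostnames/IPs from status.loadBalancer.ingress (may be absent)."""
    entries = (item.get("status", {}).get("loadBalancer") or {}).get("ingress") or []
    return {e.get("hostname") or e.get("ip") for e in entries} - {None}

def audit(ingress_list, allowed):
    """Return (namespace/name, class, unexpected addresses) for each mismatch."""
    findings = []
    for item in ingress_list.get("items", []):
        cls = ingress_class(item)
        extra = published_addresses(item) - allowed.get(cls, set())
        if extra:
            meta = item["metadata"]
            findings.append((f"{meta['namespace']}/{meta['name']}", cls, sorted(extra)))
    return findings

if __name__ == "__main__":
    for name, cls, extra in audit(SAMPLE, ALLOWED):
        print(f"{name} (class {cls}) publishes unexpected address(es): {extra}")
```
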