How to host and access dashboards from multiple traefiks in one namespace ?

[den-is]

Not sure if I have had to post that issue in original traefik repo or here in chart repo.

TLDR: How to serve dashboards from multiple ingress-controllers (traefiks) using single Ingress-controller dedicated for serving these dashboards?

With traefik 1.7 I have multiple ingress controllers deployed in the kube-system namespace. Each is for different purposes - mainly monitoring its own subset of namespaces.
There is one main Traefik in the kube-system namespace, which is serving only "internal" cluster, administrative ingress objects. dashboards, grafanas, etc.
Every other traefik-dashboard is exposed by own Ingress object which is then intercepted by that administrative-traefik. So each dashboard has own URL: traefik-x.example.com traefik-y.example.com.

How to achieve same with traefik v2?

What are the best or "all possible" ways to access dashboard in traefik v2?

1. Port forwarding suggested here How to start traefik dashboard? #85 (comment) doesn't work without IngressRoute. Is that intentional and how that works?
2. I was trying to expose using NodePort only and it didn't work without IngressRoute definition. kubectl-proxy didn't work too.
3. I was able to expose Dashboard using default web entrypoint and it did work.
   But "service" points to some api@internal TraefikService. here is my IngressRouter

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: admin-ing-dashboard
  labels:
    app: traefik
    release: admin-ing
spec:
  entryPoints:
  - web
  # - traefik
  routes:
  - match: Host(`admin-ing.test`)
    kind: Rule
    services:
    # - name: admin-ing-dashboard
    #   port: 9000
    - name: api@internal
      kind: TraefikService

But some other traefik will be pointing to the same api@internal. How to make traefik understand that I'm requesting dashboard of some other traefik deployment?
For example next I want to setup default-ing traefik which will be serving public apps in default namespace.
Again. I have tried to create individual service admin-ing-dashboard for exposing dashboard only. But it didn't work.

Is that possible at all? How to view the other traefik dashboard on the same cluster?

[mmatur]

Hi @den-is ,

Thanks for your question.

This is not a common use case.

Today with the helm chart you have multiple possibilities to expose a Traefik dashboard.

1. Port forwarding, the IngressRoute is required. https://docs.traefik.io/operations/dashboard/#dashboard-router-rule
2. Expose using a NodePort and --api.insecure=true flag (not recommended in production) https://docs.traefik.io/operations/dashboard/#dashboard-router-rule

To achieve your needs, that is not a common use case, one possibility is to:

• Deploy all your Traefik instances with the values.yaml:

additionalArguments: 
  - "--api.insecure=true"

• For each Traefik instances create manually a Kubernetes service like that:

---
apiVersion: v1
kind: Service
metadata:
  name: traefik-a-dashboard
  namespace: traefik-a
  labels:
    app.kubernetes.io/name: name
    app.kubernetes.io/instance: ReleaseName
spec:
  type: ClusterIP
  ports:
  - port: 9000
    name: traefik
  selector:
     app.kubernetes.io/name: name
     app.kubernetes.io/instance: ReleaseName

• And for each Traefik instances create the associated IngressRoute

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-a-dashboard
spec:
  entryPoints:
    - traefik
  routes:
    - match: Host(`traefik-a-dashboard.example.com`)
      kind: Rule
      services:
        - name: traefik-a-dashboard
           port: 9000

I will close this issue because I think that your question is answered.

Please join our Community Forum on the Traefik section if you are further questions.

[den-is]

Thanks @mmatur . I have actually duplicated that question in the Community forum.
So please duplicate your answer there https://community.containo.us/t/how-to-serve-multiple-dashboard-from-multiple-traefik-using-one-administrative-traefik/5352

I will ask couple additional questions there.

[den-is]

Initially, I've exposed the dashboard using NodePort + secure + IngressRoute.
Yesterday, I've enabled --api.insecure=true too (it can bee seen in a community thread edit history).

How is that not a common case? what if a namespace has multiple traefiks per namespace, per app, per TLS settings? How to check what specific traefik has caught or especially what it has not caught?

Is it common to have traefik in the namespace with application and not separately in a secure namespace (kube-system)?

I want to elaborate on PortForward + Secure.API + IngressRoute dashboard access.
So couple Traefiks monitor single namespace. Each is monitors and waits for its own subset of labels.

traefik1 in kube-system
monitors: 
namespace: default
label lb=traefik1

traefik2 in kube-system
monitors: 
namespace: default
label lb=traefik2

So PortForward means that Traefik should have own IngressRoute for own dashboard.
Dashboard IngressRoute should have monitored labels applied.
Labels on IngressRoutes should help Traefiks to have an individual IngressRoute for the dashboard.
Since user-apps and traefik are in different namespaces, IngressRoutes are in different namespaces.

That chart is not giving ability to set custom labels on dashboard IngressRoute.
There is no OR || operator in labels selector so adding labels from specific traefik release won't help - user will have to manually add labels for now.

And it didn't work while there was Traefik which was monitoring whole namespace. Worked after removing such lb or applying label filter. Intersting why is that? Traefik and IngressRoute have one-to-one relations?

[123BLiN]

I would say that it is pretty common usecase at least we have same requirements.

[k3daevin]

We also run into the same problem.
There are 2 ingress controllers, one for internet and one for intranet.
Exposing the ports on the intranet and using the immutable api@internal for the internet might seem probable, but we would like to specifty the name of the Traefik Service, say api@internal is the default but anybody can change it to their needs.
@mmatur this is a common use case. What should we do?

[christianvw]

Is there perhaps an update on this? Maybe something has been added by the updates since mid-2020, which makes it easier.

I would say that it is a pretty standard use case. Many have two Traefik instances, one for the internal domain (.localdomain) and one for the external domain (.example.com). Both Traefik dashboards - even if there is authentication in front of them - you would want to have internally only, of course.

But @mmatur, your 3rd solution works! Not as easy as first thought, but it works 💯

[ajschmidt8]

Chiming in to say that I faced this issue as well. Might be a common use case.

[Avolynsk]

We have this kind of issue as well: two traefik deployments running in the same namespace - internal and external one, and I'm looking for a way to reach the external traefik dashboard via internal one (instead of exposing ext traefik dashboard to the Internet)

[Elegant996]

We have this kind of issue as well: two traefik deployments running in the same namespace - internal and external one, and I'm looking for a way to reach the external traefik dashboard via internal one (instead of exposing ext traefik dashboard to the Internet)

Expose port 9000 of the external deployment with a label such as traffic: internal which your internal deployment picks up via labelSelector. You could then use traffic: external for anything to be accessed over the internet.

It should be good practice to use a labelSelector for both internal and external deployments. That way if an IngressRoute is deployed without a label, it is not advertised by either deployments by accident. This may require you to add labels to all of your existing IngressRoutes but this ensures proper segregation.