Secure Traefik Hub Gateway Dashboard and API
The dashboard is the central place that shows you the current active routes handled by Traefik Hub.
Create a Basic Authentication Middleware
It's recommended to secure the dashboard with an Authentication middleware like the OIDC middleware. For the sake of simplicity, this example uses the Basic Authentication middleware. But the steps are the same with every other middleware.
To allow Traefik Hub API Gateway to secure dashboard access using the Basic Authentication Middleware, apply the following configuration:
- Middleware Basic Authentication
- Kubernetes Secrets
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: dashboard-auth
namespace: traefik
spec:
basicAuth:
secret: authsecret
# Secret that uses the basic-auth secret type.
# Note: the password is not hashed, and is merely base64 encoded.
apiVersion: v1
kind: Secret
metadata:
name: authsecret
namespace: traefik
type: kubernetes.io/basic-auth
data:
username: dXNlcg== # username: user
password: cGFzc3dvcmQ= # password: password
Install Traefik Hub API Gateway enabling the dashboard
If Hub API Gateway is already installed, save the default configuration. The following command will save it to a file with the name values.yaml in your working directory.
helm show values traefik/traefik-hub > values.yaml
Then, adjust the file, adding the following configuration.
ingressRoute:
dashboard:
# Enable the dashboard
enabled: true
# Expose the dashboard on the outside
entryPoints: ["websecure"]
# Attach the Basic Authentication middleware
middlewares: ["dashboard-auth"]
Once you have the configuration adjusted to your needs, use Helm to deploy the Traefik Hub API Gateway with the new values:
# Add the Helm repository
helm repo add --force-update traefik https://traefik.github.io/charts
# Install the Helm chart
helm upgrade --install traefik-hub -n traefik --wait \
--values values.yaml \
traefik/traefik
You can now access the dashboard of the Traefik Hub API Gateway instance,
at the following URLs: https://<Traefik Hub Cluster IP>/dashboard/ (the trailing slash is mandatory).
In the example above, there is no TLS certificate provided, by default Traefik Hub API Gateway serves a self-signed certificate.
You can provide TLS certificates to Hub API Gateway using Kubernetes Secrets. You can generate TLS certificates with Let's Encrypt.
Advanced options are described in the Helm reference page and the Static Configuration options page.
Related Content
- See the full options for the Helm Chart in the Helm reference page.
- See the full options the Static Configuration in the dedicated reference page.
- See more information about the dashboard in the dedicated section.
- See how to install Traefik Hub API Gateway.
- See how to secure your API access using Basic Authentication.
- See how to secure your API access using OIDC.