Exposing the Dashboard

    A sample ingress definition is:

    This exposes the dashboard at dashboard.example.com and protects it with basic auth using admin/admin. Take a look at the ingress-nginx documentation for details on how to change the username and password.

    A more secure alternative to basic auth is using an authentication proxy, such as .

    For reference on how to deploy and configure oauth2-proxy in Kubernetes, see this blog post by Don Bowman.

    tl;dr: If you deploy oauth2-proxy via the , the following values are required:

        config:
          existingSecret: oauth2-proxy
          configFile: |-
            email_domains = [ "example.com" ]
            upstreams = [ "file:///dev/null" ]
        # enabled, annotations and hosts all sit under one ingress key
        ingress:
          enabled: true
          annotations:
            kubernetes.io/ingress.class: nginx
          hosts:
            - linkerd.example.com

    Once set up, a sample ingress would be:

    A sample ingress definition is:

        apiVersion: v1
        kind: Secret
        type: Opaque
        metadata:
          name: web-ingress-auth
          # the Secret must live in the same namespace as the Ingress that uses it
          namespace: linkerd
        data:
          # base64-encoded htpasswd entry (admin/admin)
          auth: YWRtaW46JGFwcjEkbjdDdTZnSGwkRTQ3b2dmN0NPOE5SWWpFakJPa1dNLgoK
        ---
        apiVersion: extensions/v1beta1
        kind: Ingress
        metadata:
          name: web-ingress
          namespace: linkerd
          annotations:
            kubernetes.io/ingress.class: 'traefik'
            ingress.kubernetes.io/custom-request-headers: l5d-dst-override:linkerd-web.linkerd.svc.cluster.local:8084
            traefik.ingress.kubernetes.io/auth-type: basic
            # points basic auth at the Secret defined above
            traefik.ingress.kubernetes.io/auth-secret: web-ingress-auth
        spec:
          rules:
          - host: dashboard.example.com
            http:
              paths:
              - backend:
                  serviceName: linkerd-web
                  servicePort: 8084

    This exposes the dashboard at dashboard.example.com and protects it with basic auth using admin/admin. Take a look at the Traefik documentation for details on how to change the username and password.

    Ambassador works by defining a as an annotation on a service.

    The below annotation exposes the dashboard at dashboard.example.com.

    Note that this protection also covers the Grafana dashboard.

    The ingress-nginx config above uses the nginx.ingress.kubernetes.io/upstream-vhost annotation to properly set the upstream Host header. Traefik, on the other hand, doesn’t offer that option, so you’ll have to set the required Host manually, as explained below.

    If your HTTP client (Ingress or otherwise) doesn’t allow rewriting the Host header, you can change the validation regexp that the dashboard server uses, which is fed into the linkerd-web deployment via the enforced-host container argument.

    If you’re managing Linkerd with Helm, then you can set the host using the enforcedHostRegexp value.

    Another way of doing that is through Kustomize, as explained in , using an overlay like this one:

        apiVersion: apps/v1
        kind: Deployment
        metadata:
          name: linkerd-web
        spec:
          template:
            spec:
              containers:
                - name: web
                  args:
                    - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085
                    - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000
                    - -controller-namespace=linkerd
                    - -enforced-host=^dashboard\.example\.com$
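
    Before rolling out a changed -enforced-host value, it is worth checking that the pattern accepts only the Host you intend. The following is an added example, not Linkerd's own code: CheckEnforcedHost, Finding and the look-alike host names are constructed for illustration, and it assumes the dashboard applies the pattern as an unanchored Go regexp search.

```go
package main

import (
	"fmt"
	"regexp"
)

// Finding records one Host value that a candidate pattern handled wrongly.
type Finding struct {
	Host   string
	Wanted bool // should the dashboard accept this Host?
	Got    bool // did the pattern accept it?
}

// CheckEnforcedHost compiles a candidate -enforced-host pattern and runs it
// against hosts that must be accepted and look-alikes that must be rejected.
// Assumption: the server does an unanchored search, as regexp.MatchString does.
func CheckEnforcedHost(pattern string, accept, reject []string) ([]Finding, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, fmt.Errorf("pattern does not compile: %w", err)
	}
	var findings []Finding
	for _, h := range accept {
		if !re.MatchString(h) {
			findings = append(findings, Finding{Host: h, Wanted: true, Got: false})
		}
	}
	for _, h := range reject {
		if re.MatchString(h) {
			findings = append(findings, Finding{Host: h, Wanted: false, Got: true})
		}
	}
	return findings, nil
}

func main() {
	accept := []string{"dashboard.example.com"}
	// Constructed look-alikes: extra suffix, extra prefix, dot replaced by a letter.
	reject := []string{"dashboard.example.com.other.test", "x-dashboard.example.com",
		"dashboardXexample.com", "localhost"}
	patterns := []string{
		`^dashboard\.example\.com$`, // the value used in the overlay above
		`dashboard\.example\.com`,   // anchors dropped
		`^dashboard.example.com$`,   // dots left unescaped
	}
	for _, p := range patterns {
		f, err := CheckEnforcedHost(p, accept, reject)
		fmt.Printf("%-28s findings=%+v err=%v\n", p, f, err)
	}
}
```

    Only the anchored, dot-escaped pattern comes back with no findings; the other two accept hosts that are not the dashboard's own name.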