Dashboard Helm Chart incompatible with Traefik ingress controller #9051

Closed
andeke07 opened this issue May 16, 2024 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.


andeke07 commented May 16, 2024

What happened?

I am using a k3s setup and was trying to use the Helm chart to get the Kubernetes Dashboard installed.

K3S uses Traefik as its ingress controller, which, by default, will give an internal server error if trying to pass traffic to a TLS endpoint where it cannot validate the SSL certificates (and kong is using a self-signed certificate).

To get around this, one option is to create a Traefik ServersTransport resource:

apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: skipverify
  namespace: kubedb
spec:
  insecureSkipVerify: true

However you must apply annotations on the service for this to work:

traefik.ingress.kubernetes.io/service.serversscheme: https
traefik.ingress.kubernetes.io/service.serverstransport: <namespace>-skipverify@kubernetescrd

In the Helm chart there does not seem to be a method to apply annotations to services, so this must be manually applied. Would it be possible to expose service annotations for kong to allow this to be done automatically?

What did you expect to happen?

Traffic to flow to kong-proxy via an ingress without manual intervention

How can we reproduce it (as minimally and precisely as possible)?

  • Set up a K3S cluster (by default it will install Traefik as your ingress controller)
  • Install kubernetes-dashboard Helm chart with these values:
app:
    ingress:
      enabled: true
      hosts:
        - your.domain.tld
      ingressClassName: traefik
      issuer:
        name: letsencrypt-prod
        scope: cluster

Anything else we need to know?

No response

What browsers are you seeing the problem on?

No response

Kubernetes Dashboard version

7.4.0

Kubernetes version

v1.28.8+k3s1

Dev environment

No response

floreks (Member) commented May 16, 2024

We do not have any control over kong chart. It is a dependency of our chart. Look into their chart and see what values can be overridden.

- name: kong
  version: 2.38.0
  repository: https://charts.konghq.com
  condition: kong.enabled

If it helps, you can enable the HTTP port to be exposed via the Kong service so you can try TLS termination.

kong:
  enabled: true
  ## Configuration reference: https://docs.konghq.com/gateway/3.6.x/reference/configuration
  env:
    dns_order: LAST,A,CNAME,AAAA,SRV
    plugins: 'off'
    nginx_worker_processes: 1
  ingressController:
    enabled: false
  dblessConfig:
    configMap: kong-dbless-config
  proxy:
    type: ClusterIP
    http:
      enabled: false

andeke07 (Author) commented

Thank you! That got me looking in the right direction. I found I could add:

kong:
    proxy:
      annotations:
        traefik.ingress.kubernetes.io/service.serversscheme: https
        traefik.ingress.kubernetes.io/service.serverstransport: kubedb-skipverify@kubernetescrd

to my values file which has added the correct annotations to the service.
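
Added example, not part of the original thread or of any project's code: a ServersTransport with `insecureSkipVerify: true` makes Traefik accept any certificate from the backend, so it helps to know which Services are routed through one. The sketch below resolves the `<namespace>-<name>@kubernetescrd` annotation from this thread against the transports in a cluster dump; the Service names, the `pinned-ca` transport and the sample JSON are constructed for illustration.

```python
import json

TRANSPORT = "traefik.ingress.kubernetes.io/service.serverstransport"

# Constructed sample, shaped like `kubectl get serverstransports,services -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ServersTransport",
  "metadata": {"name": "skipverify", "namespace": "kubedb"},
  "spec": {"insecureSkipVerify": true}},
 {"kind": "ServersTransport",
  "metadata": {"name": "pinned-ca", "namespace": "kubedb"},
  "spec": {"serverName": "kong-proxy.example", "rootCAsSecrets": ["kong-ca"]}},
 {"kind": "Service",
  "metadata": {"name": "dashboard-kong-proxy", "namespace": "kubedb",
   "annotations": {
    "traefik.ingress.kubernetes.io/service.serversscheme": "https",
    "traefik.ingress.kubernetes.io/service.serverstransport": "kubedb-skipverify@kubernetescrd"}}},
 {"kind": "Service",
  "metadata": {"name": "other-api", "namespace": "kubedb",
   "annotations": {
    "traefik.ingress.kubernetes.io/service.serverstransport": "kubedb-pinned-ca@kubernetescrd"}}},
 {"kind": "Service", "metadata": {"name": "plain", "namespace": "default"}}
]}
""")


def unverified_backends(objects):
    """Return sorted (namespace, service, transport_ref) tuples for Services whose
    Traefik annotation resolves to a ServersTransport that skips TLS verification."""
    # Build the reference string Traefik expects for each insecure transport.
    insecure = {
        f"{o['metadata']['namespace']}-{o['metadata']['name']}@kubernetescrd"
        for o in objects
        if o.get("kind") == "ServersTransport"
        and o.get("spec", {}).get("insecureSkipVerify") is True
    }
    findings = []
    for o in objects:
        if o.get("kind") != "Service":
            continue
        meta = o["metadata"]
        ref = (meta.get("annotations") or {}).get(TRANSPORT)
        if ref in insecure:
            findings.append((meta["namespace"], meta["name"], ref))
    return sorted(findings)


if __name__ == "__main__":
    for ns, svc, ref in unverified_backends(SAMPLE["items"]):
        print(f"{ns}/{svc}: backend TLS not verified via {ref}")
```
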
