bluejay-infra/apps/traefik-dashboard/traefik-dashboard.yaml

# Traefik Dashboard - BasicAuth protected
# ArgoCD managed - BlueJay Lab
---
# BasicAuth credentials secret (admin:zenith-turret-falcon-umber)
apiVersion: v1
kind: Secret
metadata:
  name: traefik-dashboard-auth
  namespace: traefik-system
type: Opaque
stringData:
  users: "admin:$apr1$0URvzxzA$V6rOAD80XRUFeN7NR88VR."
---
# BasicAuth middleware
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: traefik-dashboard-auth
  namespace: traefik-system
spec:
  basicAuth:
    secret: traefik-dashboard-auth
---
# Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
# Dashboard IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik-system
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`traefik.iamworkin.lan`)
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: traefik-dashboard-auth
  tls:
    secretName: traefik-tls
---
# TLS certificate for traefik.iamworkin.lan
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: traefik-tls
  namespace: traefik-system
spec:
  secretName: traefik-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - traefik.iamworkin.lan
  duration: 720h
  renewBefore: 168h