Applying Middleware to Traefik IngressRouteTCP on Controller Helm Chart

Hello!

I recently bit the bullet and started migrating my old quickstart setup to my existing k3s cluster. As of now, after some trial and error, all basic functionality seems to be working, which is great!

The question is related to setting up some basic access control on the management API. I have it enabled and it is accessible and works, using Traefik. I want to limit it to local connections only, so I want to apply a traefik ipallowlist middleware.

A quick inspection of the helm chart shows that, while I can’t directly set middleware or other config in it, it appears to have a field for labels (managementApi.traefikTcpRoute.labels) but it appears to be an object ({}) instead of the expected list of strings ([]). Based on the Traefik docs (Traefik HTTP Middlewares IPAllowList - Traefik), if I manage to get something like traefik.http.middlewares.ziti-ipallowlist.ipallowlist.sourcerange="127.0.0.1/32,192.168.42.0/24" into there, it may work.

It’s likely to just be my inexperience showing, but after messing around with it I’m still not sure how I should be putting this in. Everything I’m seeing implies that labels are generally just strings, so I’m probably missing something obvious.

Is there another way to do this? Any pointers or advice would be great!

EDIT: To elaborate, I also tried various key/value pairs in there, but the key is limited to 63 chars and the value seems to have some sort of validation regex that rejects the commas, quotes, and some other stuff, so that doesn’t work either.

EDIT2: Now that I think about it, I could probably just not use the ingressroutetcp provided by the Helm chart and make my own. Even if I do that, though, I’d like to figure out what’s meant to go in the labels object anyways, for future reference!
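Added example, not from the original post or from the ziti-controller chart, of what the question is after: a Traefik v3 MiddlewareTCP allowlist attached to an IngressRouteTCP for the management API. Two points it rests on. First, the `traefik.http.middlewares.*` label syntax in the linked docs belongs to Traefik's Docker provider, and the chart's `labels` value is a Kubernetes metadata map (which is where the 63-character key limit and the value validation come from), so labels are not the place for it on Kubernetes. Second, an HTTP middleware cannot be attached to a TCP router at all; the TCP counterpart is the `MiddlewareTCP` CRD with `ipAllowList` (`ipWhiteList` under the `traefik.containo.us/v1alpha1` API in Traefik v2). The namespace, SNI hostname, Service name, port and CIDRs below are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ziti-controller Helm chart:
# restrict the Traefik IngressRouteTCP that fronts the OpenZiti management API to a
# set of source CIDRs with a MiddlewareTCP (Traefik v3 CRDs). Namespace, SNI
# hostname, Service name, port and CIDRs are assumptions.
set -eu

NAMESPACE="${NAMESPACE:-ziti}"
MGMT_SNI="${MGMT_SNI:-ctrl-mgmt.example.internal}"        # assumed SNI the route matches
MGMT_SERVICE="${MGMT_SERVICE:-ziti-controller-mgmt}"      # assumed ClusterIP Service name
MGMT_PORT="${MGMT_PORT:-443}"                             # assumed Service port
ALLOWED_CIDRS="${ALLOWED_CIDRS:-192.168.42.0/24 10.42.0.0/16}"  # space separated, assumed

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix length.
cidr_ok() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Print the two manifests. Returns 1 without printing anything if any CIDR is
# malformed, so a typo never reaches the cluster as a broken or over-broad rule.
render_mgmt_route() {
  for cidr in $ALLOWED_CIDRS; do
    cidr_ok "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
  done
  cat <<EOF
apiVersion: traefik.io/v1alpha1
kind: MiddlewareTCP
metadata:
  name: ziti-mgmt-allowlist
  namespace: ${NAMESPACE}
spec:
  ipAllowList:
    sourceRange:
EOF
  for cidr in $ALLOWED_CIDRS; do
    printf '      - %s\n' "$cidr"
  done
  cat <<EOF
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ziti-mgmt
  namespace: ${NAMESPACE}
spec:
  entryPoints:
    - websecure
  routes:
    - match: HostSNI(\`${MGMT_SNI}\`)
      middlewares:
        - name: ziti-mgmt-allowlist
      services:
        - name: ${MGMT_SERVICE}
          port: ${MGMT_PORT}
  tls:
    passthrough: true   # the controller terminates TLS itself; Traefik only routes on SNI
EOF
}

# "sh this-script.sh" prints the manifests for review; "sh this-script.sh apply" applies them.
if [ "${1:-}" = "apply" ]; then
  render_mgmt_route | kubectl apply -f -
else
  render_mgmt_route
fi
```

One caveat a practitioner should check before trusting this: Traefik compares the allowlist against the source address of the TCP connection it accepts. Behind a LoadBalancer or NodePort Service with `externalTrafficPolicy: Cluster`, that address is SNATed to a node or cluster address, so an entry like `127.0.0.1/32` never matches an external client and an entry covering the node range admits everyone. Use `externalTrafficPolicy: Local` or enable PROXY protocol on the entrypoint so the real client address reaches Traefik, and verify with a connection from outside the allowed range that is actually refused.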

Hi @Himekaidou, nice to see you around the forums again! Nice job migrating the quickstart as well!

Personally, for the longest time I have been splitting the management APIs and the client APIs, binding the management APIs to internal IPs only (since I generally run a controller AND router on the same machine, I use 127.0.0.1). There are numerous posts on discourse about how to accomplish that and I would wager any LLM can help you with doing that nowadays. If you need help though let me know. I'll post my example at the end of this post and you'll probably be able to figure it out from there. Once the API is split, I use OpenZiti itself to segment these APIs away using that colocated router and a service. (I wouldn't use traefik for this, myself) Then I just make myself an identity to access my ZAC/management API via that service and voila - done! :slight_smile:

Starting in the 1.8.x stream of OpenZiti you will be able to bind these services using the controller itself if you want to. Read the relevant release notes here if you want.

Hope that helps. My example split apis config follows:

web:
  - name: client-management
    bindPoints:
      - interface: 0.0.0.0:8441
        address: ec2-3-18-113-172.us-east-2.compute.amazonaws.com:8441
    identity:
      ca:          "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-root-ca/certs/ip-172-31-47-200-edge-controller-root-ca.cert"
      key:         "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/keys/feb2026-02-22.key"
      server_cert: "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/certs/feb2026-02-22.chain.pem"
      cert:        "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/certs/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-client.chain.pem"
      alt_server_certs:
      - server_cert: "/etc/letsencrypt/live/cdaws.clint.demo.openziti.org/fullchain.pem"
        server_key:  "/etc/letsencrypt/live/cdaws.clint.demo.openziti.org/privkey.pem"
    options:
      idleTimeout: 5000ms  #http timeouts, new
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-management
        options: { }
      - binding: edge-client
        options: { }
      - binding: fabric
        options: { }
      - binding: edge-oidc
        options: { }
      - binding: zac
        options:
          location: "/home/ubuntu/.ziti/quickstart/zac/ziti-console-v4.1.1"

  - name: zitified
    bindPoints:
      # - interface: 127.0.0.1:18441
      #   address: 127.0.0.1:18441
      - identity:
          file: /home/ubuntu/.ziti/quickstart/ip-172-31-47-200/cdaws-controller.json
          service: "cdaws-controller"
      - identity:
          file: /home/ubuntu/.ziti/quickstart/ip-172-31-47-200/cdaws-controller.json
          service: "cdaws-controller"
          listenOptions:
            bindUsingEdgeIdentity: true
    identity:
      ca:          "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-root-ca/certs/ip-172-31-47-200-edge-controller-root-ca.cert"
      key:         "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/keys/feb2026-02-22.key"
      server_cert: "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/certs/feb2026-02-22.chain.pem"
      cert:        "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/certs/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-client.chain.pem"
      #key:         "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/keys/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-server.key"
      #server_cert: "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/certs/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-server.chain.pem"
      #cert:        "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/certs/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-client.chain.pem"
      alt_server_certs:
      - server_cert: "/etc/letsencrypt/live/cdaws.clint.demo.openziti.org/fullchain.pem"
        server_key:  "/etc/letsencrypt/live/cdaws.clint.demo.openziti.org/privkey.pem"
    options:
      idleTimeout: 5000ms  #http timeouts, new
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-management
        options: { }
      - binding: fabric
        options: { }
      - binding: metrics
        options: {
          includeTimestamps: true
        }
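Added example, not from the post above or from the OpenZiti project: the router-hosted variant the reply describes, where a management listener bound only to 127.0.0.1:18441 (the commented-out bindPoint in the config above) is published as a Ziti service hosted by the colocated, tunneler-enabled edge router, and only identities carrying an admin attribute may dial it. The service, config, policy and identity names, the router name, the intercept hostname and the role attribute are all assumptions; the `zitified` listener in the posted config goes one step further and has the controller bind the service itself.

```shell
#!/bin/sh
# Added example, not from the thread above: publish a management API that is bound
# only to 127.0.0.1:18441 as an OpenZiti service hosted by the colocated,
# tunneler-enabled edge router, so the only path to it is through the fabric.
# Service, config, policy and identity names, the router name and the intercept
# hostname are assumptions.
set -eu

ROUTER_NAME="${ROUTER_NAME:-ctrl-router}"          # assumed name of the colocated edge router
MGMT_BIND_ADDR="${MGMT_BIND_ADDR:-127.0.0.1}"       # loopback-only bindPoint of the mgmt listener
MGMT_BIND_PORT="${MGMT_BIND_PORT:-18441}"
MGMT_INTERCEPT="${MGMT_INTERCEPT:-ctrl-mgmt.ziti}"  # assumed hostname admins will dial
ADMIN_ROLE="${ADMIN_ROLE:-ctrl-admins}"             # assumed identity role attribute
DRY_RUN="${DRY_RUN:-1}"                             # print the plan unless run with "apply"

# Print or execute one command, depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# host.v1 config: the router dials this address on behalf of the service.
host_cfg() {
  printf '{"protocol":"tcp","address":"%s","port":%s}' "$1" "$2"
}

# intercept.v1 config: the admin's tunneler captures this name/port locally.
intercept_cfg() {
  printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":%s,"high":%s}]}' "$1" "$2" "$2"
}

expose_mgmt() {
  # The router must be allowed to host services; harmless if it already is.
  run ziti edge update edge-router "$ROUTER_NAME" --tunneler-enabled
  run ziti edge create config ctrl-mgmt-host host.v1 "$(host_cfg "$MGMT_BIND_ADDR" "$MGMT_BIND_PORT")"
  run ziti edge create config ctrl-mgmt-intercept intercept.v1 "$(intercept_cfg "$MGMT_INTERCEPT" "$MGMT_BIND_PORT")"
  run ziti edge create service ctrl-mgmt --configs ctrl-mgmt-host,ctrl-mgmt-intercept --role-attributes ctrl-mgmt
  # Least privilege: only the colocated router may Bind (host) the service ...
  run ziti edge create service-policy ctrl-mgmt-bind Bind --service-roles '#ctrl-mgmt' --identity-roles "@${ROUTER_NAME}"
  # ... and only identities tagged with the admin attribute may Dial it.
  run ziti edge create service-policy ctrl-mgmt-dial Dial --service-roles '#ctrl-mgmt' --identity-roles "#${ADMIN_ROLE}"
  run ziti edge create identity ctrl-admin --role-attributes "$ADMIN_ROLE" -o ctrl-admin.jwt
}

# "sh this-script.sh" prints the commands; "sh this-script.sh apply" runs them
# against the controller you are already logged into with "ziti edge login".
if [ "${1:-}" = "apply" ]; then DRY_RUN=0; fi
expose_mgmt
```

Two things to check before relying on it. The identity and the router also need an edge-router-policy and a service-edge-router-policy that let them reach each other; the quickstart creates permissive ones, but a hardened setup may not. And because the listener is bound to loopback, the only way to lose access if something breaks is on the host itself, where a shell on the controller box can still reach 127.0.0.1:18441 directly, which is exactly the fallback the follow-up post was worried about. After enrolling `ctrl-admin.jwt` in a tunneler, `ziti edge login ctrl-mgmt.ziti:18441` goes through the service.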

I didn’t even think of using ziti to present the management endpoint, I think maybe since I was too hung up on the idea that I’d need some alternate access in case I messed something up, haha. But after I tried it, it seems to work fine, so this is good!

Thank you for the pointer, it was super helpful!