Need Help - Docker to IngressRoute - Basic starting issues

Hi, I am converting my application that was running successfully on docker to Kubernetes and face some basic issues which I am struggling to fix.

  1. Traffic is redirected to https in the config, so http://traefik.minikube/service/whoami gets redirected to https://traefik.minikube/service/whoami. But the dashboard is still served over http; over https it returns 404.

  2. Basic auth for the dashboard is not working, although the middleware is set up for username/password = admin/adminadmin.

  3. I want the whoami service to only be served at https. But if I remove entrypoint web from its config, then page returns 404 on https://traefik.minikube/service/whoami

Running on minikube, here is my config:

crd.yaml

# CustomResourceDefinitions for the Traefik v2 kinds (group traefik.containo.us,
# version v1alpha1). All seven are namespaced and differ only in their names.
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22;
# newer clusters need the apiextensions.k8s.io/v1 form, which requires a schema.
# NOTE(review): none of these CRDs declares a validation schema, so the API
# server stores any spec as-is; a typo in an IngressRoute or Middleware is not
# rejected at apply time and only shows up (or is ignored) inside Traefik.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced

---
# Middleware: referenced by IngressRoute routes (basic-auth is defined this way).
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced

---
# IngressRouteTCP: registered here; no object of this kind appears in the post.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced

---
# IngressRouteUDP: registered here; no object of this kind appears in the post.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressrouteudps.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteUDP
    plural: ingressrouteudps
    singular: ingressrouteudp
  scope: Namespaced

---
# TLSOption: registered here; the post sets TLS options in traefik.toml instead.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced

---
# TLSStore: registered here; the post sets the default store in traefik.toml.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsstores.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSStore
    plural: tlsstores
    singular: tlsstore
  scope: Namespaced

---
# TraefikService: the kind the dashboard route uses to reach api@internal.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced

secret.yaml

---
# TLS key pair that the traefik Deployment mounts (volume "certificates",
# mountPath /var/ssl/certificates). The base64 values are elided in the post.
# NOTE(review): tls.key is private key material. Keep the real manifest out of
# version control and public posts, and restrict read access to this Secret:
# base64 in `data` is an encoding, not encryption.
apiVersion: v1
data:
  tls.crt: LS0tLS....
  tls.key: LS0t....
kind: Secret
metadata:
  name: certificates
  namespace: default
# Opaque is enough for a file mount; the keys become file names in the volume.
type: Opaque
---
# HTTP basic authentication, with the user list read from the Secret
# "authsecret" in the same namespace.
# A Middleware protects only the routers that list it under `middlewares`.
# Requests that reach the API another way (for example the port-8080 listener
# that exists while api.insecure is enabled) never pass through it.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: basic-auth
  namespace: default
spec:
  basicAuth:
    # Name of the Secret whose `users` key holds htpasswd-format lines.
    secret: authsecret
  
---
# User list for the basic-auth Middleware: htpasswd-format lines, base64-encoded.
apiVersion: v1
kind: Secret
metadata:
  name: authsecret
  namespace: default
# Login stated in the post: admin/adminadmin.
# The value below decodes to two htpasswd entries, "admin" and "user", both
# using $apr1$ (MD5-based) hashes; the second account is not mentioned in the
# post, so check that it is intended.
# NOTE(review): the hashes and the admin password are public once posted.
# Treat these credentials as disposable and generate new ones for any real
# deployment, preferably as bcrypt hashes (htpasswd -B).
data:
  # |2 sets the block's indentation explicitly; the two lines form one value.
  users: |2
    YWRtaW46JGFwcjEkWXdmLkF6Um0kc3owTkpQMi55cy56V2svek43aENtLwoKdXNl
    cjokYXByMSRaU2VKQW1pOSRVV1AvcDdsQy9KSzdrbXBIMXdGL28uCgo=

traefik.yaml

# Single-replica Traefik v2 proxy. Static configuration comes from the
# traefik-config-map ConfigMap and the certificate files from the
# "certificates" Secret.
# No metadata.namespace is set, so this lands in whatever namespace kubectl
# targets; the Secrets and IngressRoutes in the post are pinned to "default".
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik
  labels:
    app: traefik

spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      # The ServiceAccount and its RBAC rules are not shown in the post.
      # NOTE(review): check that its role grants only the read/watch access
      # the Kubernetes providers need (including Secrets, for basicAuth).
      serviceAccountName: traefik-ingress-controller
      volumes:
        - name: config
          configMap:
            name: traefik-config-map
        - name: certificates
          secret:
            secretName: certificates
      containers:
        - name: traefik
          image: traefik:v2.2.1
          # NOTE(review): Traefik documents file, CLI and environment static
          # configuration as mutually exclusive. With traefik.toml mounted
          # below, confirm whether these flags are read at all, and keep the
          # provider settings in one place.
          args:
            - --providers.kubernetescrd=true
            - --providers.kubernetesingress=true
          ports:
            - name: web
              containerPort: 80
            # 8080 only serves something while api.insecure is enabled in
            # traefik.toml, and then it serves the API and dashboard without
            # authentication.
            - name: admin
              containerPort: 8080
            - name: websecure
              containerPort: 443
          volumeMounts:
            # subPath mounts the single file; ConfigMap updates are not
            # propagated into subPath mounts until the pod restarts.
            - mountPath: /etc/traefik/traefik.toml
              name: config
              subPath: traefik.toml
            - mountPath: "/var/ssl/certificates"
              name: certificates
              readOnly: true

---
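# Exposes the Traefik entry points outside the cluster. Each Service port must
# target the container port of the entry point that carries the same name.
apiVersion: v1
kind: Service
metadata:
  name: traefik
spec:
  type: LoadBalancer
  selector:
    app: traefik
  ports:
    - protocol: TCP
      port: 80
      name: web
      targetPort: 80
    # HTTPS has to land on the websecure entry point (container port 443).
    # Pointing 443 at targetPort 80 delivers TLS traffic to the web entry
    # point, where only routers that also list `web` can answer it; that is
    # the 404 seen when `web` is dropped from an IngressRoute.
    - protocol: TCP
      port: 443
      name: websecure
      targetPort: 443
    # NOTE(review): this publishes the admin port through the LoadBalancer.
    # While api.insecure is enabled in traefik.toml, port 8080 serves the API
    # and dashboard with no authentication. Drop this port once the dashboard
    # is reached through its IngressRoute.
    - protocol: TCP
      port: 8080
      name: admin
      targetPort: 8080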
---
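# Traefik configuration, mounted into the pod as /etc/traefik/traefik.toml.
# Lines starting with # inside the block below are TOML comments.
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-config-map
data:
  traefik.toml: |-
    [global]
      checkNewVersion = false
      sendAnonymousUsage = false
    # NOTE(review): a top-level [retry] table is Traefik v1 syntax; in v2 retry
    # is a middleware. Confirm this section has any effect.
    [retry]
      attempts = 3
      maxMem = 3
    [entryPoints]
      [entryPoints.web]
        address = ":80"
        # Every plain-HTTP request on :80 is redirected to https on websecure.
        [entryPoints.web.http]
          [entryPoints.web.http.redirections]
            [entryPoints.web.http.redirections.entryPoint]
              to = "websecure"
              scheme = "https"
              permanent = true
      [entryPoints.websecure]
        address = ":443"
    # NOTE(review): DEBUG logging is verbose and can record request details;
    # lower it once the routing problems are solved.
    [log]
      level = "DEBUG"
    [accessLog]
    [api]
      # insecure = true publishes the API and dashboard on :8080 with no
      # authentication and no middleware, which is why basic auth appeared
      # to do nothing. With it off, the dashboard is reachable only through
      # the router that targets api@internal and carries basic-auth.
      insecure = false
      dashboard = true
      # NOTE(review): debug = true adds debug endpoints to the API; turn it
      # off when it is no longer needed.
      debug = true
    [providers]
      # NOTE(review): this directory is also where this static file is
      # mounted. The [tls.*] sections below are dynamic configuration in
      # Traefik v2; confirm they are picked up, or move them into their own
      # file that only the file provider reads.
      [providers.file]
        directory = "/etc/traefik"
        watch = true
      [providers.kubernetesCRD]


    [[tls.certificates]]
       keyFile = "/var/ssl/certificates/tls.key"
       certFile = "/var/ssl/certificates/tls.crt"

    [tls.options]
        [tls.options.default]
          minVersion = "VersionTLS12"
          preferServerCipherSuites = true
          # cipherSuites only governs TLS 1.2 and below.
          # NOTE(review): the *_CBC_* entries are the weakest here, and Go's
          # crypto/tls lists the two *_CBC_SHA256 suites as insecure. Keep
          # the GCM and CHACHA20 suites only unless a client needs the rest.
          cipherSuites = [
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
          ]

        [tls.options.mintls13]
          minVersion = "VersionTLS13"

    [tls.stores]
      [tls.stores.default]
        [tls.stores.default.defaultCertificate]
          keyFile = "/var/ssl/certificates/tls.key"
          certFile = "/var/ssl/certificates/tls.crt"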
---
# Routes requests for host traefik.minikube to Traefik's internal API and
# dashboard service, behind the basic-auth Middleware.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: default
spec:
  # An empty tls section makes this a TLS router that uses the default
  # certificate and options; it does not answer plain-HTTP requests.
  tls: {}
  # `web` is needed here only if HTTPS traffic is actually delivered to the
  # web entry point (check the targetPort for 443 on the traefik Service).
  entryPoints:
    - web
    - websecure  
  routes:
  # NOTE(review): this matches every path on the host. Traefik's documented
  # dashboard rule also restricts the path to PathPrefix(`/api`) or
  # PathPrefix(`/dashboard`).
  - match: Host(`traefik.minikube`)
    kind: Rule
    services:
    - name: api@internal
      kind: TraefikService
    # basic-auth applies only to requests that go through this router. The
    # listener on :8080 that exists while api.insecure is enabled bypasses it.
    middlewares: 
      - name: basic-auth

whoami-app.yaml

# Single-replica test backend that echoes request details, listening on 80.
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: whoami
  labels:
    app: whoami

spec:
  replicas: 1
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          # NOTE(review): no tag, so this resolves to :latest and can change
          # between pulls. Pin a version tag or an image digest.
          image: containous/whoami
          ports:
            - name: web
              containerPort: 80

---
# ClusterIP Service (no type set) in front of the whoami pods. It is reachable
# from outside the cluster only through Traefik.
# No metadata.namespace is set, while the Deployment and IngressRoute are
# pinned to "default"; it must end up in the same namespace as the IngressRoute.
apiVersion: v1
kind: Service
metadata:
  name: whoami

spec:
  ports:
    # targetPort is omitted, so it defaults to the same value as port (80).
    - protocol: TCP
      name: web
      port: 80
  selector:
    app: whoami

---
# Routes /service/whoami to the whoami Service on port 80.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
  namespace: default
spec:
  # An empty tls section makes this a TLS router that uses the default
  # certificate and options, so it only ever answers HTTPS requests.
  tls: {}
  # `web` is needed here only if HTTPS traffic is being delivered to the web
  # entry point (check the targetPort for 443 on the traefik Service). With
  # 443 forwarded to container port 443, websecure alone is enough.
  entryPoints:
    - web
    - websecure
  routes:
  # No Host() matcher: this path matches on any host name that reaches Traefik.
  - match: PathPrefix(`/service/whoami`)
    kind: Rule
    services:
    - name: whoami
      port: 80

Some screenshots: