Master Traefik 2.5: From Basics to Advanced Routing, TLS, and Kubernetes Integration
This comprehensive guide introduces Traefik as an open‑source edge router, explains its core concepts such as providers, entrypoints, routers, services and middlewares, and walks through deploying Traefik with Helm on Kubernetes, configuring HTTP and HTTPS routes, using middlewares, handling TLS certificates, and leveraging advanced features like canary releases, traffic mirroring, TCP services, and the Kubernetes Gateway API.
What is Traefik
Traefik is an open‑source edge router that makes publishing services easy and feature‑rich. It natively supports many clusters such as Kubernetes, Docker, Docker Swarm, AWS, Mesos, Marathon, and can handle multiple clusters simultaneously.
Traefik Core Concepts and Capabilities
Traefik intercepts external requests and, based on logical rules, decides how to process them. It provides automatic service discovery and updates routing rules in real time.
Key components include:
Providers
Entrypoints
Routers
Services
Middlewares
Providers
Providers are the foundation that enable Traefik to discover configuration from coordinators, container engines, cloud providers, or key‑value stores. Traefik queries the provider’s API to retrieve routing information and updates routes dynamically when changes are detected.
Entrypoints
Entrypoints define the network interfaces on which Traefik listens, specifying whether they handle TCP or UDP traffic.
Routers
Routers analyze incoming requests, match them against defined rules, and can apply middlewares before forwarding the request to the appropriate service.
Services
Services configure how requests reach the actual backend that processes them.
Middlewares
Middlewares modify requests or responses (e.g., authentication, rate limiting, header manipulation) and are attached to routers to customize request handling before reaching the service.
Deploying Traefik
Traefik can be deployed in many ways; this guide uses Helm.
Helm Deployment
$ helm repo add traefik https://helm.traefik.io/traefik
$ helm repo update$ helm search repo traefik
NAME CHART VERSION APP VERSION DESCRIPTION
traefik/traefik 10.6.0 2.5.3 A Traefik based Kubernetes ingress controller
$ helm pull traefik/traefik3. Deploy Traefik
The default values.yaml contains many options; a custom configuration file my-value.yaml is used in this guide.
service:
type: NodePort
ingressRoute:
dashboard:
enabled: false
ports:
traefik:
port: 9000
expose: true
web:
port: 8000
hostPort: 80
expose: true
websecure:
port: 8443
hostPort: 443
expose: true
persistence:
enabled: true
name: data
accessMode: ReadWriteOnce
size: 5G
storageClass: "openebs-hostpath"
path: /data
additionalArguments:
- "--serversTransport.insecureSkipVerify=true"
- "--api.insecure=true"
- "--api.dashboard=true"
- "[email protected]"
- "--certificatesresolvers.coolops.acme.storage=/data/acme.json"
- "--certificatesresolvers.coolops.acme.tlschallenge=true"Apply the configuration:
helm upgrade traefik -n traefik-ingress -f my-value.yaml .Using Traefik
Create the First Routing Rule
Example using a native Ingress rule:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: traefik-dashboard-ingress
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: traefik-web.coolops.cn
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: traefik
port:
number: 9000Apply with:
# kubectl apply -f traefik-ingress.yaml -n traefik-ingressCRD IngressRoute
Using Traefik’s custom resource:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard-route
spec:
entryPoints:
- web
routes:
- match: Host(`traefik-web2.coolops.cn`)
kind: Rule
services:
- name: traefik
port: 9000HTTPS and TLS
Traefik supports both self‑signed certificates and automatic Let’s Encrypt certificates.
Self‑Signed Certificate
Create a TLS secret:
# kubectl create secret tls whoami-tls --cert=1_whoami.coolops.cn_bundle.crt --key=2_whoami.coolops.cn.keyDefine an IngressRoute that uses the secret:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami-route-tls
spec:
entryPoints:
- websecure
routes:
- match: Host(`whoami.coolops.cn`)
kind: Rule
services:
- name: whoami
port: 80
tls:
secretName: whoami-tlsLet’s Encrypt (ACME)
Configure a certificate resolver in my-value.yaml:
additionalArguments:
- "[email protected]"
- "--certificatesresolvers.coolops.acme.storage=/data/acme.json"
- "--certificatesresolvers.coolops.acme.tlschallenge=true"Use the resolver in an IngressRoute:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami-route-auto-tls
spec:
entryPoints:
- websecure
routes:
- match: Host(`whoami3.coolops.cn`)
kind: Rule
services:
- name: whoami
port: 80
tls:
certResolver: coolopsACME Challenges
Traefik supports tlsChallenge, httpChallenge, and dnsChallenge. The guide shows how to enable each by adding the corresponding flag to my-value.yaml and updating the deployment.
Middleware Usage
Middlewares are a Traefik 2.0 feature that allow request manipulation before reaching services.
Force HTTPS Redirect
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: redirect-https-middleware
spec:
redirectScheme:
scheme: httpsAttach the middleware to an HTTP IngressRoute:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami3-route
spec:
entryPoints:
- web
routes:
- match: Host(`whoami3.coolops.cn`)
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: redirect-https-middlewareStrip Path Prefix
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: prefix-coolops-url-middleware
spec:
stripPrefix:
prefixes:
- /coolopsApply to an IngressRoute that matches the prefix:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami7-route
spec:
entryPoints:
- web
routes:
- match: Host(`whoami7.coolops.cn`) && PathPrefix('/coolops')
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: prefix-coolops-url-middlewareIP Whitelist
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: ip-white-list-middleware
spec:
ipWhiteList:
sourceRange:
- 127.0.0.1/32
- 192.168.100.180TCP Services (e.g., Redis)
Add a TCP entrypoint in my-value.yaml:
additionalArguments:
- "--entryPoints.redis.address=:6379"Create an IngressRouteTCP to expose Redis:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: redis-traefik-tcp
spec:
entryPoints:
- redis
routes:
- match: HostSNI(`*`)
services:
- name: redis
port: 6379Canary (Weighted) Deployments
Deploy two versions of an app (v1 and v2) and create a TraefikService with weighted routing:
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
name: app-wrr
spec:
weighted:
services:
- name: appv1
weight: 3
port: 80
kind: Service
- name: appv2
weight: 1
port: 80
kind: ServiceReference the TraefikService in an IngressRoute:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: app-ingressroute-canary
spec:
entryPoints:
- web
routes:
- match: Host(`app.coolops.cn`)
kind: Rule
services:
- name: app-wrr
kind: TraefikServiceTraffic Mirroring
Define a TraefikService that mirrors 50% of traffic to a second service:
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
name: app-mirror
spec:
mirroring:
name: appv1
port: 80
mirrors:
- name: appv2
percent: 50
port: 80Use it in an IngressRoute:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: app-ingressroute-mirror
spec:
entryPoints:
- web
routes:
- match: Host(`mirror.coolops.cn`)
kind: Rule
services:
- name: app-mirror
kind: TraefikServiceKubernetes Gateway API
Install the Gateway API CRDs (v0.3.0):
kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.3.0" | kubectl apply -f -Create a GatewayClass for Traefik:
apiVersion: networking.x-k8s.io/v1alpha1
kind: GatewayClass
metadata:
name: traefik
spec:
controller: traefik.io/gateway-controllerDefine a Gateway that listens on port 8000:
apiVersion: networking.x-k8s.io/v1alpha1
kind: Gateway
metadata:
name: http-gateway
namespace: traefik-ingress
spec:
gatewayClassName: traefik
listeners:
- protocol: HTTP
port: 8000
routes:
kind: HTTPRoute
namespaces:
from: All
selector:
matchLabels:
app: traefikCreate an HTTPRoute that forwards traffic to the Traefik dashboard service:
apiVersion: networking.x-k8s.io/v1alpha1
kind: HTTPRoute
metadata:
name: whoami-gateway-api-route
namespace: traefik-ingress
labels:
app: traefik
spec:
hostnames:
- "traefik1.coolops.cn"
rules:
- matches:
- path:
type: Prefix
value: "/"
forwardTo:
- serviceName: traefik
port: 9000
weight: 1After enabling the experimental gateway support in my-value.yaml with the flags --experimental.kubernetesgateway and --providers.kubernetesgateway, the dashboard becomes reachable via the defined host name.
Conclusion
Traefik is a powerful edge router that satisfies most routing scenarios, supports advanced features such as mesh integration, and works well in cloud‑native environments. For further learning, refer to the official documentation.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.