Master Traefik 2.5: From Basics to Advanced Routing, TLS, and Kubernetes Integration

What is Traefik

Traefik is an open‑source edge router that makes publishing your services a fun and easy experience. It natively supports multiple clusters such as Kubernetes, Docker, Docker Swarm, AWS, Mesos, Marathon, and can handle many clusters simultaneously.

Core Concepts and Capabilities

Traefik intercepts external requests, matches them against defined rules, processes them through middlewares, and forwards them to the appropriate services. It provides automatic service discovery and dynamic routing updates.

Providers

Entrypoints

Routers

Services

Middlewares

Providers

Providers are the foundational components that allow Traefik to discover configuration from coordinators, container engines, cloud providers, or key‑value stores via their APIs.

Entrypoints

Entrypoints define the network entry points for Traefik, specifying which interfaces receive requests and whether they listen on TCP or UDP.

Routers

Routers analyze incoming requests, match them to rules, and can apply middlewares before forwarding to services.

Services

Services configure how requests reach the actual backend that processes them.

Middlewares

Middlewares modify requests or responses (e.g., authentication, rate limiting, header manipulation) and are attached to routers before the request reaches the service.

Deploying Traefik

Traefik can be deployed using Helm. First, add the Traefik Helm repository and update it:

$ helm repo add traefik https://helm.traefik.io/traefik
$ helm repo update

Search for the chart and pull it:

$ helm search repo traefik
NAME               CHART VERSION   APP VERSION   DESCRIPTION
traefik/traefik   10.6.0          2.5.3         A Traefik based Kubernetes ingress controller
$ helm pull traefik/traefik

Create a custom my-value.yaml configuration file (example excerpt):

service:
  type: NodePort
ingressRoute:
  dashboard:
    enabled: false
ports:
  traefik:
    port: 9000
    expose: true
  web:
    port: 8000
    hostPort: 80
    expose: true
  websecure:
    port: 8443
    hostPort: 443
    expose: true
persistence:
  enabled: true
  name: data
  accessMode: ReadWriteOnce
  size: 5G
  storageClass: "openebs-hostpath"
additionalArguments:
  - "--serversTransport.insecureSkipVerify=true"
  - "--api.insecure=true"
  - "--api.dashboard=true"
  - "[email protected]"
  - "--certificatesresolvers.coolops.acme.storage=/data/acme.json"
  - "--certificatesresolvers.coolops.acme.tlschallenge=true"

Install Traefik with the custom values:

$ helm install traefik -n traefik-ingress -f my-value.yaml .

After deployment, you can access the Traefik dashboard via the exposed NodePort.

Using Traefik

Creating the First Routing Rule

Two common methods are native Ingress and CRD IngressRoute.

Native Ingress

# cat traefik-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-dashboard-ingress
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
  - host: traefik-web.coolops.cn
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: traefik
            port:
              number: 9000

# kubectl apply -f traefik-ingress.yaml -n traefik-ingress

Access the dashboard at http://traefik-web.coolops.cn:31728/dashboard/.

CRD IngressRoute

# cat traefik-ingressRoute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`traefik-web2.coolops.cn`)
    kind: Rule
    services:
    - name: traefik
      port: 9000

# kubectl apply -f traefik-ingressRoute.yaml -n traefik-ingress

Dashboard is reachable at http://traefik-web2.coolops.cn:31728/dashboard/.

Exposing HTTP Services

Deploy a simple whoami application:

# cat whoami-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: whoami
  labels:
    app: whoami
spec:
  containers:
  - name: whoami
    image: traefik/whoami:latest
    ports:
    - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: whoami
  type: ClusterIP

Create a routing rule to expose it:

# cat whoami-ingressRoute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-route
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`whoami.coolops.cn`)
    kind: Rule
    services:
    - name: whoami
      port: 80

Visit http://whoami.coolops.cn:31728/ to see the service.

Exposing HTTPS Services

Two options: use your own certificate or Let’s Encrypt.

Self‑Signed Certificate

Create a TLS secret:

# kubectl create secret tls whoami-tls --cert=whoami.crt --key=whoami.key

Define an IngressRoute with TLS:

# cat whoami-ingressRoute-tls.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-route-tls
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`whoami.coolops.cn`)
    kind: Rule
    services:
    - name: whoami
      port: 80
  tls:
    secretName: whoami-tls

Access via https://whoami.coolops.cn:30358/.

Let’s Encrypt

Configure an ACME resolver in my-value.yaml:

additionalArguments:
  - "[email protected]"
  - "--certificatesresolvers.coolops.acme.storage=/data/acme.json"
  - "--certificatesresolvers.coolops.acme.tlschallenge=true"

Then create an IngressRoute that references the resolver:

# cat whoami-ingressRoute-auto-tls.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-route-auto-tls
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`whoami3.coolops.cn`)
    kind: Rule
    services:
    - name: whoami
      port: 80
  tls:
    certResolver: coolops

Traefik will obtain a certificate automatically.

ACME Challenge Types

tlsChallenge – requires port 443 reachable.

httpChallenge – requires port 80 reachable.

dnsChallenge – requires provider configuration (e.g., Alibaba Cloud DNS).

DNS Challenge Example (Alibaba Cloud)

# Create secret with Alibaba credentials
kubectl create secret generic traefik-alidns \
  --from-literal=ALICLOUD_ACCESS_KEY=<access_key> \
  --from-literal=ALICLOUD_SECRET_KEY=<secret_key> \
  --from-literal=ALICLOUD_REGION_ID=cn-beijing -n traefik-ingress

# Update my-value.yaml
additionalArguments:
  - "--certificatesresolvers.coolops.acme.dnschallenge=true"
  - "--certificatesresolvers.coolops.acme.dnschallenge.provider=alidns"
envFrom:
  - secretRef:
      name: traefik-alidns

After applying, Traefik can issue wildcard certificates.

Middleware Usage

Force HTTPS Redirect

# RedirectScheme middleware
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https-middleware
spec:
  redirectScheme:
    scheme: https

# HTTP IngressRoute using the middleware
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-http
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`whoami3.coolops.cn`)
    kind: Rule
    services:
    - name: whoami
      port: 80
    middlewares:
    - name: redirect-https-middleware

Strip Path Prefix

# Middleware to strip "/coolops" prefix
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prefix-coolops-url-middleware
spec:
  stripPrefix:
    prefixes:
    - /coolops

# IngressRoute applying the middleware
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-prefix
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`whoami7.coolops.cn`) && PathPrefix('/coolops')
    kind: Rule
    services:
    - name: whoami
      port: 80
    middlewares:
    - name: prefix-coolops-url-middleware

IP Whitelist

# IP whitelist middleware
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: ip-white-list-middleware
spec:
  ipWhiteList:
    sourceRange:
    - 127.0.0.1/32
    - 192.168.100.180

Attach this middleware to any route to restrict access.

Exposing TCP Services

Deploy a Redis instance and expose it via a custom entrypoint:

# Redis deployment and service (omitted for brevity)

# Extend my-value.yaml with a Redis entrypoint
ports:
  redis:
    port: 6379
    hostPort: 6379
additionalArguments:
  - "--entryPoints.redis.address=:6379"

# IngressRouteTCP to expose Redis
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: redis-traefik-tcp
spec:
  entryPoints:
  - redis
  routes:
  - match: HostSNI(`*`)
    services:
    - name: redis
      port: 6379

Connect with redis-cli -h redis.coolops.cn.

Canary (Weighted) Deployment

Deploy two versions of an app (appv1 and appv2) and define a TraefikService with weighted routing:

# TraefikService with weighted backends
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: app-wrr
spec:
  weighted:
    services:
    - name: appv1
      weight: 3
      port: 80
      kind: Service
    - name: appv2
      weight: 1
      port: 80
      kind: Service

# IngressRoute using the weighted service
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-ingressroute-canary
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`app.coolops.cn`)
    kind: Rule
    services:
    - name: app-wrr
      kind: TraefikService

Traffic will be split 75% to v1 and 25% to v2.

Traffic Mirroring

Define a TraefikService that mirrors 50% of traffic to a second service:

# Mirroring service definition
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: app-mirror
spec:
  mirroring:
    name: appv1
    port: 80
    mirrors:
    - name: appv2
      percent: 50
      port: 80

# IngressRoute using the mirroring service
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-ingressroute-mirror
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`mirror.coolops.cn`)
    kind: Rule
    services:
    - name: app-mirror
      kind: TraefikService

Requests reach appv1 while a copy is sent to appv2 (responses from the mirror are ignored).

Kubernetes Gateway API

Install the Gateway API CRDs (v0.3.0) and grant Traefik the necessary RBAC permissions.

# Install CRDs
kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.3.0" | kubectl apply -f -

# RBAC for Traefik (ClusterRole and ClusterRoleBinding omitted for brevity)

Enable Gateway support in Traefik via Helm values:

# Add to my-value.yaml
additionalArguments:
  - "--experimental.kubernetesgateway"
  - "--providers.kubernetesgateway"

Create a GatewayClass, a Gateway, and an HTTPRoute to expose services:

# GatewayClass
apiVersion: networking.x-k8s.io/v1alpha1
kind: GatewayClass
metadata:
  name: traefik
spec:
  controller: traefik.io/gateway-controller

# Gateway listening on port 8000
apiVersion: networking.x-k8s.io/v1alpha1
kind: Gateway
metadata:
  name: http-gateway
  namespace: traefik-ingress
spec:
  gatewayClassName: traefik
  listeners:
  - protocol: HTTP
    port: 8000
    routes:
      kind: HTTPRoute
      namespaces:
        from: All
      selector:
        matchLabels:
          app: traefik

# HTTPRoute for a whoami service
apiVersion: networking.x-k8s.io/v1alpha1
kind: HTTPRoute
metadata:
  name: whoami-gateway-api-route
  namespace: traefik-ingress
  labels:
    app: traefik
spec:
  hostnames:
  - "whoami8.coolops.cn"
  rules:
  - matches:
    - path:
        type: Prefix
        value: "/"
    forwardTo:
    - serviceName: whoami
      port: 80
      weight: 1

Now the service is reachable at http://whoami8.coolops.cn:8000/ via the Gateway API.

Conclusion

Traefik is a powerful edge router that covers HTTP, TCP, TLS, middleware, canary releases, traffic mirroring, and the modern Kubernetes Gateway API, making it suitable for a wide range of cloud‑native scenarios.