Master Traefik 2.5: From Basics to Advanced Routing, TLS, and Kubernetes Integration
This comprehensive guide introduces Traefik as an open‑source edge router, explains its core concepts and components, walks through Helm deployment, demonstrates HTTP and HTTPS routing with native Ingress, CRD IngressRoute, TLS (self‑signed and Let’s Encrypt), middleware usage, IP whitelisting, TCP services, canary releases, traffic mirroring, and the new Kubernetes Gateway API, providing step‑by‑step YAML examples and screenshots for each feature.
What is Traefik
Traefik is an open‑source edge router that makes publishing your services a fun and easy experience. It natively supports multiple clusters such as Kubernetes, Docker, Docker Swarm, AWS, Mesos, Marathon, and can handle many clusters simultaneously.
Core Concepts and Capabilities
Traefik intercepts external requests, matches them against defined rules, processes them through middlewares, and forwards them to the appropriate services. It provides automatic service discovery and dynamic routing updates.
Providers
Entrypoints
Routers
Services
Middlewares
Providers
Providers are the foundational components that allow Traefik to discover configuration from coordinators, container engines, cloud providers, or key‑value stores via their APIs.
Entrypoints
Entrypoints define the network entry points for Traefik, specifying which interfaces receive requests and whether they listen on TCP or UDP.
Routers
Routers analyze incoming requests, match them to rules, and can apply middlewares before forwarding to services.
Services
Services configure how requests reach the actual backend that processes them.
Middlewares
Middlewares modify requests or responses (e.g., authentication, rate limiting, header manipulation) and are attached to routers before the request reaches the service.
Deploying Traefik
Traefik can be deployed using Helm. First, add the Traefik Helm repository and update it:
<code>$ helm repo add traefik https://helm.traefik.io/traefik
$ helm repo update</code>Search for the chart and pull it:
<code>$ helm search repo traefik
NAME CHART VERSION APP VERSION DESCRIPTION
traefik/traefik 10.6.0 2.5.3 A Traefik based Kubernetes ingress controller
$ helm pull traefik/traefik</code>Create a custom
my-value.yamlconfiguration file (example excerpt):
<code>service:
type: NodePort
ingressRoute:
dashboard:
enabled: false
ports:
traefik:
port: 9000
expose: true
web:
port: 8000
hostPort: 80
expose: true
websecure:
port: 8443
hostPort: 443
expose: true
persistence:
enabled: true
name: data
accessMode: ReadWriteOnce
size: 5G
storageClass: "openebs-hostpath"
additionalArguments:
- "--serversTransport.insecureSkipVerify=true"
- "--api.insecure=true"
- "--api.dashboard=true"
- "[email protected]"
- "--certificatesresolvers.coolops.acme.storage=/data/acme.json"
- "--certificatesresolvers.coolops.acme.tlschallenge=true"
</code>Install Traefik with the custom values:
<code>$ helm install traefik -n traefik-ingress -f my-value.yaml .</code>After deployment, you can access the Traefik dashboard via the exposed NodePort.
Using Traefik
Creating the First Routing Rule
Two common methods are native Ingress and CRD IngressRoute.
Native Ingress
<code># cat traefik-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: traefik-dashboard-ingress
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: traefik-web.coolops.cn
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: traefik
port:
number: 9000
</code><code># kubectl apply -f traefik-ingress.yaml -n traefik-ingress</code>Access the dashboard at
http://traefik-web.coolops.cn:31728/dashboard/.
CRD IngressRoute
<code># cat traefik-ingressRoute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard-route
spec:
entryPoints:
- web
routes:
- match: Host(`traefik-web2.coolops.cn`)
kind: Rule
services:
- name: traefik
port: 9000
</code><code># kubectl apply -f traefik-ingressRoute.yaml -n traefik-ingress</code>Dashboard is reachable at
http://traefik-web2.coolops.cn:31728/dashboard/.
Exposing HTTP Services
Deploy a simple
whoamiapplication:
<code># cat whoami-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: whoami
labels:
app: whoami
spec:
containers:
- name: whoami
image: traefik/whoami:latest
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: whoami
spec:
ports:
- port: 80
protocol: TCP
targetPort: 80
selector:
app: whoami
type: ClusterIP
</code>Create a routing rule to expose it:
<code># cat whoami-ingressRoute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami-route
spec:
entryPoints:
- web
routes:
- match: Host(`whoami.coolops.cn`)
kind: Rule
services:
- name: whoami
port: 80
</code>Visit
http://whoami.coolops.cn:31728/to see the service.
Exposing HTTPS Services
Two options: use your own certificate or Let’s Encrypt.
Self‑Signed Certificate
Create a TLS secret:
<code># kubectl create secret tls whoami-tls --cert=whoami.crt --key=whoami.key</code>Define an
IngressRoutewith TLS:
<code># cat whoami-ingressRoute-tls.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami-route-tls
spec:
entryPoints:
- websecure
routes:
- match: Host(`whoami.coolops.cn`)
kind: Rule
services:
- name: whoami
port: 80
tls:
secretName: whoami-tls
</code>Access via
https://whoami.coolops.cn:30358/.
Let’s Encrypt
Configure an ACME resolver in
my-value.yaml:
<code>additionalArguments:
- "[email protected]"
- "--certificatesresolvers.coolops.acme.storage=/data/acme.json"
- "--certificatesresolvers.coolops.acme.tlschallenge=true"
</code>Then create an
IngressRoutethat references the resolver:
<code># cat whoami-ingressRoute-auto-tls.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami-route-auto-tls
spec:
entryPoints:
- websecure
routes:
- match: Host(`whoami3.coolops.cn`)
kind: Rule
services:
- name: whoami
port: 80
tls:
certResolver: coolops
</code>Traefik will obtain a certificate automatically.
ACME Challenge Types
tlsChallenge – requires port 443 reachable.
httpChallenge – requires port 80 reachable.
dnsChallenge – requires provider configuration (e.g., Alibaba Cloud DNS).
DNS Challenge Example (Alibaba Cloud)
<code># Create secret with Alibaba credentials
kubectl create secret generic traefik-alidns \
--from-literal=ALICLOUD_ACCESS_KEY=<access_key> \
--from-literal=ALICLOUD_SECRET_KEY=<secret_key> \
--from-literal=ALICLOUD_REGION_ID=cn-beijing -n traefik-ingress
</code><code># Update my-value.yaml
additionalArguments:
- "--certificatesresolvers.coolops.acme.dnschallenge=true"
- "--certificatesresolvers.coolops.acme.dnschallenge.provider=alidns"
envFrom:
- secretRef:
name: traefik-alidns
</code>After applying, Traefik can issue wildcard certificates.
Middleware Usage
Force HTTPS Redirect
<code># RedirectScheme middleware
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: redirect-https-middleware
spec:
redirectScheme:
scheme: https
</code><code># HTTP IngressRoute using the middleware
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami-http
spec:
entryPoints:
- web
routes:
- match: Host(`whoami3.coolops.cn`)
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: redirect-https-middleware
</code>Strip Path Prefix
<code># Middleware to strip "/coolops" prefix
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: prefix-coolops-url-middleware
spec:
stripPrefix:
prefixes:
- /coolops
</code><code># IngressRoute applying the middleware
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami-prefix
spec:
entryPoints:
- web
routes:
- match: Host(`whoami7.coolops.cn`) && PathPrefix('/coolops')
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: prefix-coolops-url-middleware
</code>IP Whitelist
<code># IP whitelist middleware
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: ip-white-list-middleware
spec:
ipWhiteList:
sourceRange:
- 127.0.0.1/32
- 192.168.100.180
</code>Attach this middleware to any route to restrict access.
Exposing TCP Services
Deploy a Redis instance and expose it via a custom entrypoint:
<code># Redis deployment and service (omitted for brevity)</code><code># Extend my-value.yaml with a Redis entrypoint
ports:
redis:
port: 6379
hostPort: 6379
additionalArguments:
- "--entryPoints.redis.address=:6379"
</code><code># IngressRouteTCP to expose Redis
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: redis-traefik-tcp
spec:
entryPoints:
- redis
routes:
- match: HostSNI(`*`)
services:
- name: redis
port: 6379
</code>Connect with
redis-cli -h redis.coolops.cn.
Canary (Weighted) Deployment
Deploy two versions of an app (appv1 and appv2) and define a
TraefikServicewith weighted routing:
<code># TraefikService with weighted backends
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
name: app-wrr
spec:
weighted:
services:
- name: appv1
weight: 3
port: 80
kind: Service
- name: appv2
weight: 1
port: 80
kind: Service
</code><code># IngressRoute using the weighted service
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: app-ingressroute-canary
spec:
entryPoints:
- web
routes:
- match: Host(`app.coolops.cn`)
kind: Rule
services:
- name: app-wrr
kind: TraefikService
</code>Traffic will be split 75% to v1 and 25% to v2.
Traffic Mirroring
Define a
TraefikServicethat mirrors 50% of traffic to a second service:
<code># Mirroring service definition
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
name: app-mirror
spec:
mirroring:
name: appv1
port: 80
mirrors:
- name: appv2
percent: 50
port: 80
</code><code># IngressRoute using the mirroring service
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: app-ingressroute-mirror
spec:
entryPoints:
- web
routes:
- match: Host(`mirror.coolops.cn`)
kind: Rule
services:
- name: app-mirror
kind: TraefikService
</code>Requests reach
appv1while a copy is sent to
appv2(responses from the mirror are ignored).
Kubernetes Gateway API
Install the Gateway API CRDs (v0.3.0) and grant Traefik the necessary RBAC permissions.
<code># Install CRDs
kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.3.0" | kubectl apply -f -
</code><code># RBAC for Traefik (ClusterRole and ClusterRoleBinding omitted for brevity)
</code>Enable Gateway support in Traefik via Helm values:
<code># Add to my-value.yaml
additionalArguments:
- "--experimental.kubernetesgateway"
- "--providers.kubernetesgateway"
</code>Create a
GatewayClass, a
Gateway, and an
HTTPRouteto expose services:
<code># GatewayClass
apiVersion: networking.x-k8s.io/v1alpha1
kind: GatewayClass
metadata:
name: traefik
spec:
controller: traefik.io/gateway-controller
</code><code># Gateway listening on port 8000
apiVersion: networking.x-k8s.io/v1alpha1
kind: Gateway
metadata:
name: http-gateway
namespace: traefik-ingress
spec:
gatewayClassName: traefik
listeners:
- protocol: HTTP
port: 8000
routes:
kind: HTTPRoute
namespaces:
from: All
selector:
matchLabels:
app: traefik
</code><code># HTTPRoute for a whoami service
apiVersion: networking.x-k8s.io/v1alpha1
kind: HTTPRoute
metadata:
name: whoami-gateway-api-route
namespace: traefik-ingress
labels:
app: traefik
spec:
hostnames:
- "whoami8.coolops.cn"
rules:
- matches:
- path:
type: Prefix
value: "/"
forwardTo:
- serviceName: whoami
port: 80
weight: 1
</code>Now the service is reachable at
http://whoami8.coolops.cn:8000/via the Gateway API.
Conclusion
Traefik is a powerful edge router that covers HTTP, TCP, TLS, middleware, canary releases, traffic mirroring, and the modern Kubernetes Gateway API, making it suitable for a wide range of cloud‑native scenarios.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.