Master Traefik 2.5: From Basics to Advanced Routing, TLS, and Kubernetes Integration
This comprehensive guide introduces Traefik as an open‑source edge router, explains its core concepts such as providers, entrypoints, routers, services and middlewares, and walks through deploying Traefik with Helm on Kubernetes, configuring HTTP and HTTPS routes, using middlewares, handling TLS certificates, and leveraging advanced features like canary releases, traffic mirroring, TCP services, and the Kubernetes Gateway API.
What is Traefik
Traefik is an open‑source edge router that makes publishing services easy and feature‑rich. It natively supports many clusters such as Kubernetes, Docker, Docker Swarm, AWS, Mesos, Marathon, and can handle multiple clusters simultaneously.
Traefik Core Concepts and Capabilities
Traefik intercepts external requests and, based on logical rules, decides how to process them. It provides automatic service discovery and updates routing rules in real time.
Key components include:
Providers
Entrypoints
Routers
Services
Middlewares
Providers
Providers are the foundation that enable Traefik to discover configuration from coordinators, container engines, cloud providers, or key‑value stores. Traefik queries the provider’s API to retrieve routing information and updates routes dynamically when changes are detected.
Entrypoints
Entrypoints define the network interfaces on which Traefik listens, specifying whether they handle TCP or UDP traffic.
Routers
Routers analyze incoming requests, match them against defined rules, and can apply middlewares before forwarding the request to the appropriate service.
Services
Services configure how requests reach the actual backend that processes them.
Middlewares
Middlewares modify requests or responses (e.g., authentication, rate limiting, header manipulation) and are attached to routers to customize request handling before reaching the service.
Deploying Traefik
Traefik can be deployed in many ways; this guide uses Helm.
Helm Deployment
<code>$ helm repo add traefik https://helm.traefik.io/traefik
$ helm repo update</code><code>$ helm search repo traefik
NAME CHART VERSION APP VERSION DESCRIPTION
traefik/traefik 10.6.0 2.5.3 A Traefik based Kubernetes ingress controller
$ helm pull traefik/traefik</code>3. Deploy Traefik
The default
values.yamlcontains many options; a custom configuration file
my-value.yamlis used in this guide.
<code>service:
type: NodePort
ingressRoute:
dashboard:
enabled: false
ports:
traefik:
port: 9000
expose: true
web:
port: 8000
hostPort: 80
expose: true
websecure:
port: 8443
hostPort: 443
expose: true
persistence:
enabled: true
name: data
accessMode: ReadWriteOnce
size: 5G
storageClass: "openebs-hostpath"
path: /data
additionalArguments:
- "--serversTransport.insecureSkipVerify=true"
- "--api.insecure=true"
- "--api.dashboard=true"
- "[email protected]"
- "--certificatesresolvers.coolops.acme.storage=/data/acme.json"
- "--certificatesresolvers.coolops.acme.tlschallenge=true"
</code>Apply the configuration:
<code>helm upgrade traefik -n traefik-ingress -f my-value.yaml .</code>Using Traefik
Create the First Routing Rule
Example using a native Ingress rule:
<code>apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: traefik-dashboard-ingress
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: traefik-web.coolops.cn
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: traefik
port:
number: 9000
</code>Apply with:
<code># kubectl apply -f traefik-ingress.yaml -n traefik-ingress</code>CRD IngressRoute
Using Traefik’s custom resource:
<code>apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard-route
spec:
entryPoints:
- web
routes:
- match: Host(`traefik-web2.coolops.cn`)
kind: Rule
services:
- name: traefik
port: 9000
</code>HTTPS and TLS
Traefik supports both self‑signed certificates and automatic Let’s Encrypt certificates.
Self‑Signed Certificate
Create a TLS secret:
<code># kubectl create secret tls whoami-tls --cert=1_whoami.coolops.cn_bundle.crt --key=2_whoami.coolops.cn.key</code>Define an
IngressRoutethat uses the secret:
<code>apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami-route-tls
spec:
entryPoints:
- websecure
routes:
- match: Host(`whoami.coolops.cn`)
kind: Rule
services:
- name: whoami
port: 80
tls:
secretName: whoami-tls
</code>Let’s Encrypt (ACME)
Configure a certificate resolver in
my-value.yaml:
<code>additionalArguments:
- "[email protected]"
- "--certificatesresolvers.coolops.acme.storage=/data/acme.json"
- "--certificatesresolvers.coolops.acme.tlschallenge=true"
</code>Use the resolver in an
IngressRoute:
<code>apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami-route-auto-tls
spec:
entryPoints:
- websecure
routes:
- match: Host(`whoami3.coolops.cn`)
kind: Rule
services:
- name: whoami
port: 80
tls:
certResolver: coolops
</code>ACME Challenges
Traefik supports
tlsChallenge,
httpChallenge, and
dnsChallenge. The guide shows how to enable each by adding the corresponding flag to
my-value.yamland updating the deployment.
Middleware Usage
Middlewares are a Traefik 2.0 feature that allow request manipulation before reaching services.
Force HTTPS Redirect
<code>apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: redirect-https-middleware
spec:
redirectScheme:
scheme: https
</code>Attach the middleware to an HTTP
IngressRoute:
<code>apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami3-route
spec:
entryPoints:
- web
routes:
- match: Host(`whoami3.coolops.cn`)
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: redirect-https-middleware
</code>Strip Path Prefix
<code>apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: prefix-coolops-url-middleware
spec:
stripPrefix:
prefixes:
- /coolops
</code>Apply to an
IngressRoutethat matches the prefix:
<code>apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami7-route
spec:
entryPoints:
- web
routes:
- match: Host(`whoami7.coolops.cn`) && PathPrefix('/coolops')
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: prefix-coolops-url-middleware
</code>IP Whitelist
<code>apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: ip-white-list-middleware
spec:
ipWhiteList:
sourceRange:
- 127.0.0.1/32
- 192.168.100.180
</code>TCP Services (e.g., Redis)
Add a TCP entrypoint in
my-value.yaml:
<code>additionalArguments:
- "--entryPoints.redis.address=:6379"
</code>Create an
IngressRouteTCPto expose Redis:
<code>apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: redis-traefik-tcp
spec:
entryPoints:
- redis
routes:
- match: HostSNI(`*`)
services:
- name: redis
port: 6379
</code>Canary (Weighted) Deployments
Deploy two versions of an app (v1 and v2) and create a
TraefikServicewith weighted routing:
<code>apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
name: app-wrr
spec:
weighted:
services:
- name: appv1
weight: 3
port: 80
kind: Service
- name: appv2
weight: 1
port: 80
kind: Service
</code>Reference the
TraefikServicein an
IngressRoute:
<code>apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: app-ingressroute-canary
spec:
entryPoints:
- web
routes:
- match: Host(`app.coolops.cn`)
kind: Rule
services:
- name: app-wrr
kind: TraefikService
</code>Traffic Mirroring
Define a
TraefikServicethat mirrors 50% of traffic to a second service:
<code>apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
name: app-mirror
spec:
mirroring:
name: appv1
port: 80
mirrors:
- name: appv2
percent: 50
port: 80
</code>Use it in an
IngressRoute:
<code>apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: app-ingressroute-mirror
spec:
entryPoints:
- web
routes:
- match: Host(`mirror.coolops.cn`)
kind: Rule
services:
- name: app-mirror
kind: TraefikService
</code>Kubernetes Gateway API
Install the Gateway API CRDs (v0.3.0):
<code>kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.3.0" | kubectl apply -f -</code>Create a
GatewayClassfor Traefik:
<code>apiVersion: networking.x-k8s.io/v1alpha1
kind: GatewayClass
metadata:
name: traefik
spec:
controller: traefik.io/gateway-controller
</code>Define a
Gatewaythat listens on port 8000:
<code>apiVersion: networking.x-k8s.io/v1alpha1
kind: Gateway
metadata:
name: http-gateway
namespace: traefik-ingress
spec:
gatewayClassName: traefik
listeners:
- protocol: HTTP
port: 8000
routes:
kind: HTTPRoute
namespaces:
from: All
selector:
matchLabels:
app: traefik
</code>Create an
HTTPRoutethat forwards traffic to the Traefik dashboard service:
<code>apiVersion: networking.x-k8s.io/v1alpha1
kind: HTTPRoute
metadata:
name: whoami-gateway-api-route
namespace: traefik-ingress
labels:
app: traefik
spec:
hostnames:
- "traefik1.coolops.cn"
rules:
- matches:
- path:
type: Prefix
value: "/"
forwardTo:
- serviceName: traefik
port: 9000
weight: 1
</code>After enabling the experimental gateway support in
my-value.yamlwith the flags
--experimental.kubernetesgatewayand
--providers.kubernetesgateway, the dashboard becomes reachable via the defined host name.
Conclusion
Traefik is a powerful edge router that satisfies most routing scenarios, supports advanced features such as mesh integration, and works well in cloud‑native environments. For further learning, refer to the official documentation.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.