Traefik

How to deploy CoreWeave's Helm Chart for Traefik

About Traefik

Traefik is an open source application proxy for Kubernetes Services. Traefik is compatible with native Kubernetes Ingress and Gateway API objects, as well as Custom Resource API objects that are specific to Traefik.

Usage

The CoreWeave Traefik Helm Chart is based on the upstream Traefik chart. The CoreWeave Chart also includes additional templating for configurations that are commonly used in CKS Clusters.

Additionally, CoreWeave Chart default values are set to what works best for the CoreWeave platform. All code examples provided in the repository assume the Chart default values are used. If the Chart is installed with different namespaces or resource names, the values must be updated to match.

Configuration

Ingress DNS

By default, a wildcard hostname is applied via a service.beta.kubernetes.io/external-hostname annotation:

Example
service.beta.kubernetes.io/external-hostname: '*'

This is so Traefik can appropriately route to Ingress hosts within the CKS Cluster. The wildcard hostname (*) is then automatically suffixed with the appropriate domain name for your Cluster. For Services that do not route via Traefik, specific DNS hostnames will still take precedence.

The applied value can be retrieved at any time using kubectl:

Example
$ kubectl get svc traefik -n traefik -o jsonpath='{.metadata.annotations..service\.beta\.kubernetes\.io\/external-hostname}'

Learn more

For more information on exposing Services, see How to: Expose a Service.

IngressRouteTCP and Kubernetes API Proxy

This Chart's default values create a Traefik IngressRouteTCP (a TCP router) for your Cluster's Kubernetes API server. This Service provides the means to proxy HTTP traffic to your Cluster over Direct Connect while also providing TLS passthrough.

The hostname of this Service may be located with kubectl get svc. For example:

Example
$ kubectl get svc traefik-k8s -n traefik -o jsonpath='{.metadata.annotations..networking\.coreweave\.com\/hostname}'

Creating Ingresses with TLS

Warning

To use an Ingress with TLS, cert-manager is required to create and manage the certificates. If you do not have an existing deployment, CoreWeave's cert-manager and its subchart, cert-issuer, may be deployed for this purpose.

Once deployed, Traefik can be used as the IngressClass for a Kubernetes Ingress with TLS. To create the TLS certificate, cert-manager uses the specified ClusterIssuer set by the cert-manager.io/cluster-issuer annotation on the Ingress object.

Example Chart

In this example manifest, the Ingress uses the default Let's Encrypt ClusterIssuer from CoreWeave's cert-issuer Chart. It is also possible to configure your own TLS certificate solution.

ingress-example.yaml - An example using Traefik with TLS and DNS
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # This value must match either the ClusterIssuer created by Traefik,
    # or another pre-existing ClusterIssuer
    cert-manager.io/cluster-issuer: letsencrypt-prod
  name: ingress1
  namespace: namespace1
spec:
  ingressClassName: traefik
  rules:
    # The FQDN used to access this Ingress via the Traefik Service
    - host: &host ingress1.myorg-mycluster.coreweave.app
      http:
        paths:
          - backend:
              service:
                name: my-service
                port:
                  number: 80
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - *host
      # This secret will be automatically created for you
      secretName: ingress1-tls
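
A lint for the TLS requirements described above, as an added example (not CoreWeave's or Traefik's own code): it reads Ingress objects in the JSON shape returned by `kubectl get ingress -A -o json` and flags Traefik Ingresses whose rule hosts are missing from spec.tls, TLS entries without a secretName, and TLS without the cluster-issuer annotation. The function names and the misconfigured ingress2 object are constructed for illustration.

```python
import json

ISSUER = "cert-manager.io/cluster-issuer"  # annotation named on this page

def covered(host, tls_hosts):
    """True if host is in tls_hosts exactly or via a single-label wildcard."""
    parent = host.split(".", 1)[1] if "." in host else None
    return host in tls_hosts or (parent is not None and "*." + parent in tls_hosts)

def lint_ingress(ing, ingress_class="traefik"):
    """Return findings for one Ingress dict (as in `kubectl get ingress -o json`)."""
    meta, spec = ing.get("metadata", {}), ing.get("spec", {})
    if spec.get("ingressClassName") != ingress_class:
        return []  # not served by Traefik, out of scope here
    findings = []
    tls = spec.get("tls") or []
    tls_hosts = {h for entry in tls for h in entry.get("hosts") or []}
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if host and not covered(host, tls_hosts):
            findings.append(f"host {host} is not listed under spec.tls")
    for entry in tls:
        if not entry.get("secretName"):
            findings.append(f"tls entry for {entry.get('hosts')} has no secretName")
    if tls and ISSUER not in (meta.get("annotations") or {}):
        findings.append(f"no {ISSUER} annotation; certificate must come from elsewhere")
    return findings

def lint_all(doc):
    """Map 'namespace/name' -> findings for every Ingress that has any."""
    named = {f"{i['metadata'].get('namespace')}/{i['metadata']['name']}": lint_ingress(i)
             for i in doc.get("items", [])}
    return {name: found for name, found in named.items() if found}

# Constructed sample: the page's ingress1 plus a hypothetical misconfigured ingress2.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "ingress1", "namespace": "namespace1",
   "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
  "spec": {"ingressClassName": "traefik",
   "rules": [{"host": "ingress1.myorg-mycluster.coreweave.app"}],
   "tls": [{"hosts": ["ingress1.myorg-mycluster.coreweave.app"], "secretName": "ingress1-tls"}]}},
 {"metadata": {"name": "ingress2", "namespace": "namespace1"},
  "spec": {"ingressClassName": "traefik",
   "rules": [{"host": "ingress2.myorg-mycluster.coreweave.app"}],
   "tls": [{"hosts": ["ingress1.myorg-mycluster.coreweave.app"]}]}}]}""")

if __name__ == "__main__":
    print(json.dumps(lint_all(SAMPLE), indent=2))
```

To check a live Cluster, replace SAMPLE with the parsed output of `kubectl get ingress -A -o json`.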

Learn more

For more information on Traefik as a Kubernetes Ingress provider, see: