Skip to main content
Chart referenceDescription
coreweave/traefikCoreWeave’s Helm chart for deploying Traefik on CKS clusters

About Traefik

The CoreWeave Traefik Helm chart is based on the upstream Traefik chart. The CoreWeave chart includes additional templating for configurations commonly used in CKS clusters. The chart’s default values are set to work best on the CoreWeave platform. All code examples in this repository assume the default values. If you install the chart with different namespaces or resource names, update the values to match.

Configuration

The following sections describe the chart’s default Ingress behavior and how to enable TLS on Ingresses.

Ingress DNS

By default, the chart applies a wildcard hostname through a service.beta.kubernetes.io/external-hostname annotation: 
service.beta.kubernetes.io/external-hostname: '*'
This lets Traefik route to Ingress hosts within the CKS cluster. CKS automatically suffixes the wildcard hostname (*) with the appropriate domain name for your cluster. For Services that don’t route through Traefik, specific DNS hostnames still take precedence. To retrieve the applied value at any time, use kubectl: 
kubectl get svc traefik -n traefik -o=jsonpath='{.status.conditions[?(@.type=="ExternalRecords")].message}'
For more information on exposing Services, see How to: Expose a Service.

IngressRouteTCP and Kubernetes API proxy

The chart’s default values include a Traefik IngressRouteTCP TCP router for your cluster’s Kubernetes API server. This Service proxies HTTP traffic to your cluster over Direct Connect and provides TLS passthrough. To locate the hostname of this Service, run kubectl get svc. For example: 
kubectl get svc traefik-k8s -n traefik -o=jsonpath='{.status.conditions[?(@.type=="ExternalRecords")].message}'

Create Ingresses with TLS

An Ingress with TLS requires cert-manager to create and manage the certificates. If you don’t have an existing deployment, you can deploy CoreWeave’s cert-manager and its subchart, cert-issuer for this purpose.
After you deploy the chart, you can use Traefik as the IngressClass for a Kubernetes Ingress with TLS. To create the TLS certificate, cert-manager uses the ClusterIssuer specified by the cert-manager.io/cluster-issuer annotation on the Ingress object.

Example chart

In this example manifest, the Ingress uses the default Let’s Encrypt ClusterIssuer from CoreWeave’s cert-issuer chart. You can also configure your own TLS certificate solution.
ingress-example.yaml - An example using Traefik with TLS and DNS
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # This value must match either the ClusterIssuer created by Traefik,
    # or another pre-existing ClusterIssuer
        cert-manager.io/cluster-issuer: letsencrypt-prod
  name: ingress1
  namespace: namespace1
spec:
  ingressClassName: traefik
  rules:
  # The FQDN used to access this Ingress via the Traefik Service
  - host: &host ingress1.myorg-mycluster.coreweave.app
    http:
      paths:
      - backend:
          service:
            name: my-service
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - *host
    # This secret will be automatically created for you
    secretName: ingress1-tls
For more information on Traefik as a Kubernetes Ingress provider, see the official Traefik documentation.
Last modified on June 10, 2026