Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt

Use this file to discover all available pages before exploring further.

Chart referenceDescription
coreweave/traefikCoreWeave’s Helm chart for deploying Traefik on CKS clusters

About Traefik

The CoreWeave Traefik Helm Chart is based on the upstream Traefik chart, however the CoreWeave Chart includes additional templating for configurations that are commonly used in CKS Clusters. Additionally, CoreWeave Chart default values are set to what works best for the CoreWeave platform. All code examples provided in the repository assume the Chart default values are used. If the Chart is installed with different namespaces or resource names, the values must be updated to match.

Configuration

Ingress DNS

By default, a wildcard hostname is applied via a service.beta.kubernetes.io/external-hostname annotation: 
service.beta.kubernetes.io/external-hostname: '*'
This is so Traefik can appropriately route to Ingress hosts within the CKS Cluster. The wildcard hostname (*) is then automatically suffixed with the appropriate domain name for your Cluster. For Services that do not route via Traefik, specific DNS hostnames will still take precedence. The applied value can be retrieved at any time using kubectl: 
kubectl get svc traefik -n traefik -o=jsonpath='{.status.conditions[?(@.type=="ExternalRecords")].message}'
For more information on exposing Services, see How to: Expose a Service.

IngressRouteTCP and Kubernetes API Proxy

This Chart’s default values include the creation of a Traefik IngressRouteTCP TCP router for your cluster’s Kubernetes API server. This Service provides the means to proxy HTTP traffic to your Cluster over Direct Connect while also providing TLS passthrough. The hostname of this Service may be located with kubectl get svc. For example: 
kubectl get svc traefik-k8s -n traefik -o=jsonpath='{.status.conditions[?(@.type=="ExternalRecords")].message}'

Creating Ingresses with TLS

In order to use an Ingress with TLS, cert-manager is required to create and manage the certificates. If you do not have an existing deployment, CoreWeave’s cert-manager and its subchart, cert-issuer may be deployed for this purpose.
Once deployed, Traefik can be used as the IngressClass for a Kubernetes Ingress with TLS. To create the TLS certificate, cert-manager uses the specified ClusterIssuer set by the cert-manager.io/cluster-issuer annotation on the Ingress object.

Example chart

In this example manifest, the Ingress uses the default Let’s Encrypt ClusterIssuer from CoreWeave’s cert-issuer Chart. It is also possible to configure your own TLS certificate solution.
ingress-example.yaml - An example using Traefik with TLS and DNS
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # This value must match either the ClusterIssuer created by Traefik,
    # or another pre-existing ClusterIssuer
        cert-manager.io/cluster-issuer: letsencrypt-prod
  name: ingress1
  namespace: namespace1
spec:
  ingressClassName: traefik
  rules:
  # The FQDN used to access this Ingress via the Traefik Service
  - host: &host ingress1.myorg-mycluster.coreweave.app
    http:
      paths:
      - backend:
          service:
            name: my-service
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - *host
    # This secret will be automatically created for you
    secretName: ingress1-tls
For more information on Traefik as a Kubernetes Ingress provider, see the official Traefik documentation.
Last modified on April 20, 2026