> ## Documentation Index
> Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Traefik

> Deploy CoreWeave's Traefik Helm chart on CKS for ingress routing and Kubernetes API proxying

| Chart reference     | Description                                                  |
| ------------------- | ------------------------------------------------------------ |
| `coreweave/traefik` | CoreWeave's Helm chart for deploying Traefik on CKS clusters |

## About Traefik

The CoreWeave Traefik Helm Chart is based on [the upstream Traefik chart](https://github.com/traefik/traefik-helm-chart), however the CoreWeave Chart includes additional templating for configurations that are commonly used in CKS Clusters.

Additionally, CoreWeave Chart default values are set to what works best for the CoreWeave platform. All code examples provided in the repository assume the Chart default values are used. If the Chart is installed with different namespaces or resource names, the values must be updated to match.

## Configuration

### Ingress DNS

By default, a wildcard hostname is applied via a `service.beta.kubernetes.io/external-hostname` annotation:

```text theme={"system"}
service.beta.kubernetes.io/external-hostname: '*'
```

This is so Traefik can appropriately route to Ingress hosts within the CKS Cluster. The wildcard hostname (`*`) is then automatically suffixed with the appropriate domain name for your Cluster. For Services that do not route via Traefik, specific DNS hostnames will still take precedence.

The applied value can be retrieved at any time using `kubectl`:

```bash theme={"system"}
kubectl get svc traefik -n traefik -o=jsonpath='{.status.conditions[?(@.type=="ExternalRecords")].message}'
```

<Info>
  For more information on exposing Services, see [How to: Expose a Service](/products/networking/ingress-service/expose-service-dns).
</Info>

### IngressRouteTCP and Kubernetes API Proxy

This Chart's default values include the creation of a [Traefik IngressRouteTCP](https://doc.traefik.io/traefik/routing/providers/kubernetes-crd/#kind-ingressroutetcp) TCP router for your cluster's Kubernetes API server. This Service provides the means to proxy HTTP traffic to your Cluster over [Direct Connect](/products/networking/direct-connect/about-direct-connect) while also providing TLS passthrough.

The hostname of this Service may be located with `kubectl get svc`. For example:

```bash theme={"system"}
kubectl get svc traefik-k8s -n traefik -o=jsonpath='{.status.conditions[?(@.type=="ExternalRecords")].message}'
```

### Creating Ingresses with TLS

<Warning>
  In order to use an Ingress with TLS, `cert-manager` is required to create and manage the certificates. If you do not have an existing deployment, CoreWeave's [cert-manager and its subchart, cert-issuer](/products/cks/clusters/coreweave-charts/cert-manager) may be deployed for this purpose.
</Warning>

Once deployed, Traefik can be used as the `IngressClass` for a Kubernetes Ingress with TLS. To create the TLS certificate, `cert-manager` uses the specified `ClusterIssuer` set by the `cert-manager.io/cluster-issuer` annotation on the `Ingress` object.

## Example chart

In this example manifest, the Ingress uses the default Let's Encrypt `ClusterIssuer` from CoreWeave's [cert-issuer](/products/cks/clusters/coreweave-charts/cert-manager) Chart. It is also possible to configure your own TLS certificate solution.

```yaml title="ingress-example.yaml - An example using Traefik with TLS and DNS" highlight={5-7,13-14,27-28} theme={"system"}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # This value must match either the ClusterIssuer created by Traefik,
    # or another pre-existing ClusterIssuer
        cert-manager.io/cluster-issuer: letsencrypt-prod
  name: ingress1
  namespace: namespace1
spec:
  ingressClassName: traefik
  rules:
  # The FQDN used to access this Ingress via the Traefik Service
  - host: &host ingress1.myorg-mycluster.coreweave.app
    http:
      paths:
      - backend:
          service:
            name: my-service
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - *host
    # This secret will be automatically created for you
    secretName: ingress1-tls
```

<Info>
  For more information on Traefik as a Kubernetes Ingress provider, see [the official Traefik documentation](https://doc.traefik.io/traefik/providers/kubernetes-ingress/).
</Info>