TL;DR

Traefik is an ingress controller/reverse proxy. You will usually troubleshoot its Deployment/DaemonSet, LoadBalancer Service, Ingress or IngressRoute objects, middleware, TLS secrets, and backend Service endpoints.

Request Path

Client → Traefik LB (entryPoints) → IngressRoute (Host + path) → Service → Pod

Traefik matches IngressRoute rules on entryPoints; middleware runs before backend forwarding.

Traefik request path from external client to backend Pod.

| Layer | Object | What to verify |
| --- | --- | --- |
| Entry | LoadBalancer or NodePort Service | External IP, firewall, security group. |
| Controller | Traefik Pod | Ready replicas and logs. |
| Route | Ingress, IngressRoute, or HTTPRoute | Host, path, entrypoint, TLS. |
| Backend | Service and EndpointSlice | Healthy endpoints and target ports. |

IngressRoute Example

ingressroute.yaml (YAML)
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: web-api
  namespace: app
spec:
  entryPoints:
    - websecure # Must match Traefik static config entrypoint.
  routes:
    - match: Host(`api.example.com`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: web-api # Kubernetes Service name in this namespace.
          port: 80 # Service port, not necessarily container port.
  tls:
    secretName: web-api-tls # TLS Secret in same namespace.

Middleware Example

middleware.yaml (YAML)
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: security-headers
  namespace: app
spec:
  headers:
    frameDeny: true
    contentTypeNosniff: true
    browserXssFilter: true
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: web-api-with-middleware
  namespace: app
spec:
  entryPoints: [websecure]
  routes:
    - match: Host(`api.example.com`)
      kind: Rule
      middlewares:
        - name: security-headers # Middleware must exist in this namespace unless cross-namespace is enabled.
      services:
        - name: web-api
          port: 80

Debugging

traefik-debug.sh (Bash)
kubectl get pods,svc -n traefik -o wide # Namespace may be kube-system, ingress, or traefik.
kubectl logs -n traefik deploy/traefik --tail=200
kubectl get ingress,ingressroute,middleware -A
kubectl describe ingressroute web-api -n app

# Backend checks.
kubectl get svc web-api -n app -o wide
kubectl get endpointslice -n app -l kubernetes.io/service-name=web-api -o wide

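# Test routing while bypassing public DNS.
# --resolve pins the hostname to the load balancer IP, so SNI, the Host header,
# and certificate verification all still use api.example.com.
LB_IP='<load-balancer-ip>' # Replace with the Service external IP.
curl -sv --resolve "api.example.com:443:${LB_IP}" https://api.example.com/health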

Helm Values Shape

traefik-values.yaml (YAML)
service:
  type: LoadBalancer # Cloud provider creates external LB.
ports:
  web:
    port: 80
  websecure:
    port: 443
    tls:
      enabled: true
providers:
  kubernetesCRD:
    enabled: true # Enables the provider for IngressRoute/Middleware custom resources.
  kubernetesIngress:
    enabled: true # Enables standard Kubernetes Ingress support.

Gotchas

  • Wrong entrypoint names cause routes to exist but never receive traffic.
  • IngressRoute CRDs must be installed before applying IngressRoute resources.
  • A backend 404 can be a routing rule mismatch; a backend 502/504 often means Service endpoint or app port issues.
  • The TLS Secret must be in the route's namespace, and the certificate SAN must match the route hostname.
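
A static check for the first gotcha and for the middleware namespace rule noted in the Middleware Example, as an added example that is not part of the original page or of Traefik's own tooling. It reads objects shaped like the output of `kubectl get ingressroute,middleware -A -o json`; the `lint_routes` function, its parameters, and the sample objects are constructed for illustration, and the entryPoint set is assumed to come from the `ports` keys in your Helm values.

```python
import json

# Constructed sample shaped like `kubectl get ingressroute,middleware -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Middleware", "metadata": {"name": "security-headers", "namespace": "app"}},
 {"kind": "IngressRoute", "metadata": {"name": "web-api", "namespace": "app"},
  "spec": {"entryPoints": ["websecure"], "routes": [
    {"match": "Host(`api.example.com`)", "middlewares": [{"name": "security-headers"}]}]}},
 {"kind": "IngressRoute", "metadata": {"name": "typo-route", "namespace": "app"},
  "spec": {"entryPoints": ["web-secure"], "routes": [
    {"match": "Host(`api.example.com`)", "middlewares": [{"name": "rate-limit"}]}]}},
 {"kind": "IngressRoute", "metadata": {"name": "shop", "namespace": "shop"},
  "spec": {"entryPoints": ["websecure"], "routes": [
    {"match": "Host(`shop.example.com`)",
     "middlewares": [{"name": "security-headers", "namespace": "app"}]}]}}
]}
""")


def lint_routes(items, entrypoints, allow_cross_namespace=False):
    """Return (namespace/name, problem) pairs for IngressRoutes that will not route as written."""
    middlewares = {(o["metadata"]["namespace"], o["metadata"]["name"])
                   for o in items if o["kind"] == "Middleware"}
    findings = []
    for o in items:
        if o["kind"] != "IngressRoute":
            continue
        ns = o["metadata"]["namespace"]
        route_id = f"{ns}/{o['metadata']['name']}"
        spec = o.get("spec", {})
        # Gotcha: an entryPoint name Traefik does not define never receives traffic.
        for ep in spec.get("entryPoints", []):
            if ep not in entrypoints:
                findings.append((route_id, f"unknown entryPoint {ep!r}"))
        for rule in spec.get("routes", []):
            for ref in rule.get("middlewares", []):
                mw_ns = ref.get("namespace", ns)  # Defaults to the route's namespace.
                if mw_ns != ns and not allow_cross_namespace:
                    findings.append((route_id, f"cross-namespace middleware {mw_ns}/{ref['name']}"))
                elif (mw_ns, ref["name"]) not in middlewares:
                    findings.append((route_id, f"missing middleware {mw_ns}/{ref['name']}"))
    return findings


if __name__ == "__main__":
    for route_id, problem in lint_routes(SAMPLE["items"], {"web", "websecure"}):
        print(f"{route_id}: {problem}")
```

Run it against a saved export before applying changes; a route that references a missing security-headers middleware is worth catching before it reaches the cluster.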