How To Install Traefik Ingress Controller In Kubernetes

Photo by Growtika Developer Marketing Agency / Unsplash

How To Install Traefik Ingress Controller In Kubernetes

Use Traefik Ingress Controller as Proxy in Kubernetes (k8s) to provide load balancing, name-based virtual hosting, and SSL termination

Paul Knulst  in  Kubernetes Dec 16, 2022 5 min read


This tutorial will show how to use Traefik as an Ingress Controller in Kubernetes (or k8s) to provide load balancing, name-based virtual hosting, and SSL termination.

To follow this tutorial you need:

  • A running Kubernetes cluster or a Managed Kubernetes
  • A Load Balancer that dynamically distributes your traffic to any Kubernetes resource that is marked as LoadBalancer
Note: The domain that I use in this post is PRIMARY_DOMAIN, please change accordingly. If your desired domain is, replace PRIMARY_DOMAIN with

What is an Ingress Controller?

An Ingress Controller is an API object that will manage external access to any deployed service in a Kubernetes cluster. Typically HTTP or HTTPS is used. Furthermore, it provides load balancing, name-based virtual hosting, and SSL termination.

Why do you need an Ingress Controller?

This list will show the most important benefits of using an Ingress Controller in a Kubernetes cluster:

  • Load balance any traffic between every service that is deployed outside of the Kubernetes cluster
  • Allow HTTP traffic between services within the cluster but enforce HTTPS traffic from outside the Kubernetes cluster while terminating encryption.
  • Simplify interaction between internal services and re-route when required by changing the Ingress Routing Rule.

Prepare Kubernetes Environment

Installing Helm, Kubernetes Package Manager

To install Helm on your Kubernetes cluster you can use the official Helm installer script that will automatically install the latest version.

Before installing Helm, you can get a deeper understanding of Helm if you read about it in the official Helm documentation. Afterward, download the script and execute it locally.

curl -fsSL -o
chmod 700

Configure kubectl To Access The Kubernetes Cluster

If kubectl is used you can use three different techniques to work with the cluster:

1. Use --kubeconfig flag for every command:

kubectl get pods --kubeconfig=config1
kubectl get pods --kubeconfig=config2

2. Use KUBECONFIG environment variable:

export KUBECONFIG=config1 
kubectl get pods
kubectl get all

export KUBECONFIG=config2
kubectl get pods
kubectl get all

3. Copy the config file to $HOME/.kube/config

Prepare Helm Chart

To install Traefik you have to add the official Traefik Helm repository to your Helm client. This could be done by executing:

helm repo add traefik
helm repo update

Afterward, you have to configure the Helm chart by creating a values.yaml. All possible values can be found in the GitHub of the Traefik Helm chart and will be used to set the static configuration of the Traefik proxy.

Now, you should create a values.yaml and paste the following into it:

  - --entrypoints.websecure.http.tls.certresolver=ionos
  - --certificatesresolvers.ionos.acme.dnschallenge.provider=ionos
  - --certificatesresolvers.ionos.acme.dnschallenge.resolvers=

    - name: volume-permissions
      image: busybox:1.31.1
      command: ["sh", "-c", "chmod -Rv 600 /data/*"]
        - name: data
          mountPath: /data

  - name: IONOS_API_KEY
        key: IONOS_API_KEY
        name: ionos-api-credentials

    enabled: false

  enabled: true
  path: /data
  size: 128Mi

This values.yaml is used to configure the Traefik proxy and will:

  • use IONOS as the certificate resolver. To find your provider consult the traefik documention
  • set the certificates main domain to PRIMARY_DOMAIN
  • set the certificates sans to *.PRIMARY_DOMAIN
  • store every generated certificate in /data/acme.json
  • run a busybox init container to fix a common permission problem that is explained here:
  • load the IONOS_API_KEY from a secret. If using some other provider add every needed environment variable
  • deactivate the Traefik dashboard
  • enable persistence for the Traefik proxy

Install Traefik Proxy As Ingress Controller

To install Traefik Proxy in your Kubernetes cluster follow the next 4 simple steps

1. Begin with creating a Kubernetes namespace:

kubectl create namespace traefik

2. Create a treafik-secret.yaml that will contain the secret used within the Helm chart for SSL certificate creation:

apiVersion: v1
kind: Secret
  name: ionos-api-credentials
  namespace: traefik

type: Opaque
  IONOS_API_KEY: asdkjalshdasdlasdasd.asdahsdhasdkjahsdkasgdkasdg;aksda;d

3. Apply the secret in your Kubernetes cluster:

kubectl apply -f traefik-secret.yaml

4. Install Traefik using Helm and apply values.yaml

helm install traefik traefik/traefik --namespace=traefik --values=values.yaml

If you change anything within the values.yaml and want to update the Traefik proxy this can be done by executing:

helm upgrade traefik traefik/traefik --namespace=traefik --values=values.yaml

Some minutes later your Traefik is deployed correctly and you can map your PRIMARY_DOMAIN A record to the IP of the Traefik Load Balancer. You can find the external IP by executing:

kubectl get all -n traefik

Β It should output the following:

Output of kubectl get all within traefik namespace
Output of kubectl get all within traefik namespace

If the external IP is not set wait some time and retry it. If you did not receive an external IP you probably did not have an external load balancer installed/bought.

Enable Traefik Dashboard

To enable the Traefik Dashboard within the Kubernetes cluster you will have to create an Ingress route and a middleware to enable Basic authentication.

Create a new folder called traefik-dashboard which will contain every file to set up the Traefik dashboard.

Now, create a base64 encoded user and password that will be used within the Kubernetes secret:

htpasswd -nb superTraefikUser unbelievableSafePassword | openssl base64

Afterward, copy the htpasswd string and create the Kubernetes secret 001-auth-secret

apiVersion: v1
kind: Secret
  name: traefik-dashboard-auth
  namespace: traefik


Then create a Kubernetes middleware 002-middleware that will use the basic auth secret:

kind: Middleware
  name: traefik-dashboard-basicauth
  namespace: traefik

    secret: traefik-dashboard-auth

Now you can create the Ingress route 003-ingressroute for the Traefik dashboard:

kind: IngressRoute
  name: traefik-dashboard
  namespace: traefik

    - websecure

    - match: Host(`traefik.PRIMARY_DOMAIN`)
      kind: Rule
        - name: traefik-dashboard-basicauth
          namespace: traefik
        - name: api@internal
          kind: TraefikService

If you named the files as described you should have the following file structure:


Switch to the upper folder and use the following command to apply all files in the correct order:

kubectl apply -f traefik-dashboard

Closing Notes

I hope this article gave you a quick and neat overview of how to set up Traefik Proxy as an Ingress Controller within your Kubernetes cluster.

Using Helm to set up a Traefik Ingress controller makes it really easy to install, reconfigure, and update the Traefik Proxy.

I would love to hear your feedback about this tutorial. Furthermore, if you already run a Traefik installation and use a different approach please comment here and explain what you have done differently. Also, if you have any questions, please ask them in the comments. I try to answer them if possible.

Feel free to connect with me on Medium, LinkedIn, Twitter, and GitHub.


πŸ™Œ Support this content

If you like this content, please consider supporting me. You can share it on social media, buy me a coffee, or become a paid member. Any support helps.

See the contribute page for all (free or paid) ways to say thank you!

Thanks! πŸ₯°

By Paul Knulst

I'm a husband, dad, lifelong learner, tech lover, and Senior Engineer working as a Tech Lead. I write about projects and challenges in IT.