**Traefik** is a modern, cloud-native reverse proxy and [[Kubernetes]] ingress controller that auto-discovers services and configures their routes dynamically — no manual config file updates are needed when a new service is deployed. It is designed for Kubernetes-first environments where services appear and disappear constantly.
---
### First Principle: Routing config that requires manual updates is config that will be wrong.
Traditional ingress controllers require you to update configuration every time a new service is deployed. Traefik watches the Kubernetes API, reads IngressRoutes and Kubernetes Ingress resources, and automatically configures routes for new services — routing just works.
---
### Key Considerations
- **Auto-Discovery**: Traefik watches Kubernetes Ingress, IngressRoute (CRD), Service, and Middleware resources. When a new Ingress is created, Traefik configures the route immediately — no restart or reload needed.
- **IngressRoute CRD**: Traefik's own CRD for routing, more expressive than the standard Kubernetes Ingress spec. Supports L7 routing by header, path, method, and source IP; plus middlewares (rate limiting, auth, redirect, compression).
- **Middlewares**: Traefik middlewares are composable request/response transformers — strip path prefix, add headers, enforce rate limits, redirect HTTP to HTTPS, authenticate via [[Keycloak]] (OAuth2 Forward Auth).
- **[[cert-manager]] Integration**: In Kubernetes environments, [[cert-manager]] is typically preferred for TLS — Traefik reads `cert-manager`-managed Secrets for TLS.
- **Dashboard**: Traefik includes a real-time dashboard showing all current routes, middlewares, and service health.
- **vs [[HAProxy]]**: HAProxy is more performant and stable for high-traffic L4/L7 load balancing. Traefik is more developer-friendly and dynamic for Kubernetes ingress. Many deployments use both — HAProxy at the edge, Traefik as the cluster ingress.
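
The pieces listed above (IngressRoute matching, composable middlewares, a [[cert-manager]]-issued TLS Secret) combined into one manifest, as an added example that is not part of the original note. It assumes the `traefik.io/v1alpha1` CRD API group and an entry point named `websecure`; the namespace, host, service, Secret and forward-auth address are hypothetical placeholders.

```yaml
# Added example; all names, hosts and addresses are hypothetical placeholders.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: api-ratelimit
  namespace: demo
spec:
  rateLimit:
    average: 50   # sustained requests per second per source
    burst: 100    # short spikes allowed above the average
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: api-forward-auth
  namespace: demo
spec:
  forwardAuth:
    # Assumed auth endpoint (e.g. an OAuth2 proxy backed by Keycloak).
    address: http://forward-auth.auth.svc.cluster.local:4180/
    # Do not trust client-supplied X-Forwarded-* headers.
    trustForwardHeader: false
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: api
  namespace: demo
spec:
  entryPoints:
    - websecure            # assumed name of the HTTPS entry point
  routes:
    - kind: Rule
      match: Host(`api.example.com`) && PathPrefix(`/v1`)
      middlewares:         # applied in the order listed
        - name: api-ratelimit      # throttle before calling the auth service
        - name: api-forward-auth   # then require authentication
      services:
        - name: api
          port: 8080
  tls:
    # Secret written by a cert-manager Certificate, in this same namespace.
    secretName: api-example-com-tls
```

Because Traefik applies any IngressRoute it discovers, a route like this is only as trustworthy as the RBAC that controls who may create IngressRoute and Middleware resources in the namespace.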
---
### How It Fits
```
External traffic → [[HAProxy]] / [[MetalLB]] (edge LB)
→ Traefik (K8s ingress, routes to services)
→ [[cert-manager]] (TLS certificates)
→ Backend pods via Kubernetes Services
```
[[HAProxy]] | [[MetalLB]] | [[cert-manager]] | [[Kubernetes]] | [[Keycloak]] | [[Open Source Hyperscaler MoC]]