Question 1

How do I install Traefik as a Kubernetes Ingress Controller with Helm?

Accepted Answer

I add the Traefik Helm repo, run a repo update, then pull the chart so I can work off the defaults. After that I create a traefik namespace and run helm install into it. Once the pod is up, Traefik is basically ready—most of the work after that is just IngressRoutes.

Question 2

How do I set a specific MetalLB external IP for the Traefik service?

Accepted Answer

Because I’m using MetalLB, I set the loadBalancerIP inside Traefik’s values.yaml. That IP has to be one that exists in your MetalLB pool. If Traefik comes up with a different external IP than what you expected, you’re going to have problems with routing and DNS.

Question 3

How do I create a Traefik IngressRoute for a service like Uptime Kuma?

Accepted Answer

I create an IngressRoute that matches the hostname (like uptime.dragon.local) and forwards to the service name and port. In my example it routes to the uptime-kuma service on port 31. I use the websecure entrypoint so it’s HTTPS from the start.

Question 4

How do I enable TLS in Traefik using a self-signed certificate?

Accepted Answer

I generate a wildcard cert on my step-ca server (like *.dragon.local) and then create a Kubernetes TLS secret from the cert and key. In the IngressRoute, I reference that secret under tls.secretName. After that, Traefik terminates TLS and serves the app securely.

Question 5

Where should the TLS secret be created for Traefik IngressRoutes?

Accepted Answer

This one got me at first: the TLS secret must be created in the same namespace as the service you’re exposing. Even if it’s the same wildcard cert, you still need to create a secret copy per namespace. Otherwise Traefik won’t be able to find it when the IngressRoute references it.

Question 6

Why am I still seeing a browser warning with my self-signed TLS cert?

Accepted Answer

In my setup I trust the step-ca root certificate on my machine, so I don’t get the warning. If you don’t trust your CA root, your browser will still complain even though TLS is technically working. The fix is to install/trust that root CA on the client devices.

Question 7

Do I need DNS for Traefik host-based routing in a homelab?

Accepted Answer

Yeah—if you want host matching like uptime.dragon.local, DNS needs to resolve that name to the Traefik external IP from MetalLB. In my lab, everything points to that single IP and Traefik routes based on the hostname rule. Without DNS, you’re going to have a bad time.

Kubernetes Ingress with Traefik & TLS – Secure Your Cluster!

🛍️ Products Mentioned (1)

Install Instructions

About This Video

Frequently Asked Questions

🎬 More from sass drew