Traefik Ingress Operator for Kubernetes

  • By Canonical Observability
Channel Revision Published Runs on
latest/stable 191 05 Jun 2024
Ubuntu 20.04
latest/candidate 191 04 Jun 2024
Ubuntu 20.04
latest/beta 194 04 Jun 2024
Ubuntu 20.04
latest/edge 196 06 Jun 2024
Ubuntu 20.04
1.0/stable 164 16 Feb 2024
Ubuntu 20.04
1.0/candidate 164 22 Nov 2023
Ubuntu 20.04
1.0/beta 164 22 Nov 2023
Ubuntu 20.04
1.0/edge 164 22 Nov 2023
Ubuntu 20.04
juju deploy traefik-k8s
Show information


Key Value
Summary TLS termination using a local root-ca.
Categories deploy-applications
Difficulty 2
Author Leon Mintz


By the end of this tutorial you will have several apps deployed, that you could curl via an ingress https url. For simplicity, in this tutorial we will rely on a self-signed certificate issued by a stand-in local CA.

(Edit a copy of this diagram)

This tutorial assumes you have a Juju controller bootstrapped on a MicroK8s cloud that is ready to use. A typical setup using snaps can be found in the Juju docs. Follow the instructions there to install Juju and MicroK8s.

Configure MicroK8s

Follow the instructions under the “Configure MicroK8s” section to setup MicroK8s with metallb.

Deploy the apps

Now, we will deploy traefik, self-signed-certificates (to function as a root CA), and alertmanager, prometheus, and grafana (apps that take an ingress relation).

First, create a new model:

juju add-model tls-demo

Next, save the following bundle as tls-demo.yaml:

bundle: kubernetes
name: traefik-tls-demo

    charm: 'traefik-k8s'
    scale: 1
    trust: true
    channel: 'edge'
      external_hostname: 'demo.local'
    charm: 'alertmanager-k8s'
    scale: 1
    trust: true
    channel: 'edge'
    charm: 'prometheus-k8s'
    scale: 1
    trust: true
    channel: 'edge'
    charm: 'grafana-k8s'
    scale: 1
    trust: true
    channel: 'edge'
    charm: 'self-signed-certificates'
    scale: 1
    channel: 'edge'

- [traefik:ingress-per-unit, prometheus:ingress]
- [traefik:traefik-route, grafana:ingress]
- [traefik:ingress, alertmanager:ingress]
- [traefik:certificates, ca:certificates]

Finally, deploy the local bundle:

juju deploy --trust ./tls-demo.yaml

Reach an application’s endpoint via ingress

By default, the traefik charm sets up traefik in a way that allows both HTTP and HTTPS access. To force HTTPS redirect, see “Force HTTPS redirect”.


First, obtain the ingress url by using a traefik action:

$ juju run traefik/0 show-proxied-endpoints
Running operation 5 with 1 task
  - task 6 on unit-traefik-0

Waiting for task 6...
proxied-endpoints: '{
  "prometheus/0": {"url": "http://demo.local:80/tls-demo-prometheus-0"},
  "alertmanager": {"url": "http://demo.local:80/tls-demo-alertmanager"}

and Traefik’s IP:

  juju status --format json traefik \
  | jq -r ".applications.traefik.address"\

Now, use the ingress URL with the application’s API HTTP endpoint:

$ curl --resolve "demo.local:80:$TRAEFIK_IP" \
$ curl --resolve "demo.local:80:$TRAEFIK_IP" \
Prometheus Server is Ready.


Save the certificate locally:

# TODO avoid literal indexing
juju show-unit --format json traefik/0 \
  | jq -r '."traefik/0"."relation-info"[3]."application-data".certificates' \
  | jq -r '.[1].certificate' \
  > /tmp/local.cert

and save Traefik’s IP if you haven’t done so already:

  juju status --format json traefik \
  | jq -r ".applications.traefik.address"\

Curl the endpoint:

curl --resolve demo.local:443:$TRAEFIK_IP \
     --fail-with-body \
     --capath /tmp \
     --cacert /tmp/local.cert \

This should return


Help improve this document in the forum (guidelines). Last updated 1 year, 14 days ago.