Deploying Traefik to AKS with Let’s Encrypt and Cloudflare Support

What’s an ingress controller and why use Traefik?

Traefik features as listed on

Setting up Traefik in AKS

  • Azure Subscription
  • Cloudflare account with your domain name configured

1. Spinning up an AKS instance

<### -------------------------------------------------------- ###
Create AKS Cluster
### --------------------------------------------------------- ###>

# Define variables
$location = "westeurope"
$aksClusterName = "akswalkthrough"
$aksResourceGroup = "aksgroup"
$nodeCount = 1 #development setup
$nodeSize = "Standard_D1_V2"

# Login to Azure
az login

# Create Azure resource group
az group create --name $aksResourceGroup --location $location

# Create AKS Cluster
az aks create --resource-group $aksResourceGroup --name $aksClusterName --node-count $nodeCount --node-vm-size $nodeSize --enable-addons monitoring --generate-ssh-keys

2. Setting up Traefik and Let’s Encrypt

Traefik Custom Resource Definition for Kubernetes
  • The container name image: traefik:v2.1 this defines the Traefik container we’ll be using. You’ll want to update this to the latest version as new releases are pushed to the their docker hub account .
  • The certificatesResolvers.le.* define the Let’s Encrypt configuration. You’ll want to update the email to get notifications and when you’re ready for production comment out the caserver argument.
  • The environment variable CF_API_EMAIL which you need to set to your CloudFlare login email. If you’d like to keep this out of source control you can set it as a docker secret as we did with the Global API Key.

3. Testing Traefik and Let’s Encrypt

Traefik external IP address
Traefik default dashboard

4. CloudFlare Setup

A Record setup in CloudFlare
SSL Mode configuration on CloudFlare
  • We use a special type of resource called IngressRoute which is only available thanks to the Traefik CRD we applied earlier.
  • The routes attribute defines when traffic should be routed to our container, you can learn more about routing here. We define a simple route that will respond to a path of /whoami
  • The tls attribute defines which certificate resolver we would like to use and the domains for which this request will be valid for. You will need to update this domain value to the one you own.
Sample response from whoami container




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store