Workflow: Traffic Management

Step-by-step guide for managing traffic through Traefik — from initial route creation through progressive canary shifts, TLS setup, and post-deployment cleanup.

---

When to Use

Use this workflow to:

• Deploy new versions using canary or weighted traffic splitting.
• Add middleware protections (rate limiting, circuit breakers) and rewrite paths.
• Setup TLS, Backend ServersTransports, and service affinity (sticky sessions).
• Monitor traffic distribution in real-time during a rollout.

---

Traefik Resource Architecture

---

Prerequisites & Environment Setup

Component	Status
Kubernetes cluster	Accessible via kubectl
Traefik	Installed and deployed as Ingress Controller
Application Services	Backends running (e.g. api-service-stable, api-service-canary)

Verify your backends before routing traffic:

kubectl get svc -n production | grep api-service

---

Lifecycle Scenarios (Tools & Resources)

Scenario A: Weighted Canary Deployment

Tests the traefik_manage_weighted_routing tool alongside traffic distribution and health resources.

Step	Action	Tool / Resource
1	Create initial route (100% stable)	Tool: traefik_manage_weighted_routing (action=create, route_name, hostname, stable_service (exact K8s Service name), stable_weight=100, canary_weight=0). Omit canary_service for single-backend.
2	Verify Creation	Resource: traefik://traffic/routes/list Lists TraefikServices to verify it exists.
3	Shift to 95/5	Tool: traefik_manage_weighted_routing (action=update, stable_weight=95, canary_weight=5)
4	Monitor Distribution	Resource: traefik://traffic/production/api-service-route/distribution Checks live distribution percentage.
5	Complete (0/100)	Tool: traefik_manage_weighted_routing (action=update, stable_weight=0, canary_weight=100)
6	Cleanup	Tool: traefik_manage_weighted_routing (action=delete)

Scenario B: Adding Middleware Protections

Tests the traefik_manage_middleware tool and cluster health resources.

Step	Action	Tool / Resource
1	Rate Limiting	Tool: traefik_manage_middleware (action=create, middleware_type=rate_limit, average=100, burst=200, period="1s")
2	Circuit Breaker	Tool: traefik_manage_middleware (action=create, middleware_type=circuit_breaker, trigger_type=error-rate, threshold=0.3, response_code=429) (Note: circuit breaker open returns 429 so proxy rejections can be distinguished from backend 503 errors.)
3	Monitor Health	Resource: traefik://traffic/production/api-service-route/distribution Check route health. Alternatively: traefik://metrics/production/api-service-stable/summary for service metrics.

Scenario C: Strip Prefix Middleware

Tests path rewriting, often used during NGINX migrations.

Step	Action	Tool / Resource
1	Strip Prefix	Tool: traefik_manage_middleware (action=create, middleware_type=strip_prefix, middleware_name=api-strip, namespace=production, prefixes=["/api"])
2	Attach to Route	Tool: traefik_manage_route_middlewares (action=attach, route_name=api-service-route, middleware_names=["api-strip"], namespace=production)

Scenario D: Simple IngressRoute (Non-Weighted)

Use traefik_manage_simple_route when you want an IngressRoute that points directly to K8s Services (no TraefikService/WRR). Supports multiple rules and in-place patches.

Step	Action	Tool / Resource
1	Create route	Tool: traefik_manage_simple_route (action=create, route_name=hello-preview, namespace=default, entry_points=["web"], routes=[{ "match": "Host(preview.example.com)", "service_name": "preview-v1", "service_port": 80 }])
2	Multiple rules	Tool: traefik_manage_simple_route (action=create) with routes=[rule1, rule2].
3	Update	Tool: traefik_manage_simple_route (action=create) using same route_name to patch seamlessly without traffic gaps.
4	Delete	Tool: traefik_manage_simple_route (action=delete, route_name=hello-preview)

Scenario E: Path-Based Routing and TLS

Combines traefik_manage_weighted_routing with path_prefix, tls_enabled, and middlewares.

Step	Action	Tool / Resource
1	Path-based route	Tool: traefik_manage_weighted_routing (action=create, path_prefix="/api", path_match_type="PathPrefix", ...)
2	TLS Route	Tool: traefik_manage_weighted_routing (action=create, tls_enabled=True, tls_secret_name=checkout-tls, ...)
3	With Middlewares	Tool: traefik_manage_weighted_routing (action=create, middlewares=["rate-limit", "auth"], ...)

Scenario F: Backend ServersTransport and Sticky Sessions

Step	Action	Tool / Resource
1	Create transport	Tool: traefik_manage_servers_transport (action=create, name=my-app-transport, dial_timeout=5s, response_header_timeout=60s). Attach via traefik.ingress.kubernetes.io/service.serverstransport on backend K8s Service.
2	HTTPS backend	Tool: traefik_manage_servers_transport (action=create, name=https-backend, insecure_skip_verify=true)
3	Delete transport	Tool: traefik_manage_servers_transport (action=delete, name=my-app-transport)
4	Enable sticky session	Tool: traefik_configure_service_affinity (action=enable, service_name=hello-world, cookie_name=SESSIONID, cookie_max_age=3600)
5	Disable sticky session	Tool: traefik_configure_service_affinity (action=disable, service_name=hello-world)

---

TLS Testing: Prerequisites and Conventions

Naming Conventions: MCP vs K8s

• Route / TraefikService (MCP convention): The server always names the weighted backend resource {route_name}-wrr (e.g. hello-world-wrr). You can assume this when managing routes.
• K8s Service Names: The tools use exactly what you pass for stable_service and canary_service. They do not automatically append -stable or -canary.

Entry Points

• Traefik uses web (HTTP) and websecure (HTTPS). There is no entry point named https.
• The tool auto-normalizes references to https into websecure.

TLS Prerequisites

Requirement	Description
websecure entrypoint	Traefik must expose HTTPS. When tls_enabled=True, the route uses websecure.
Kubernetes TLS Secret	A Secret of type kubernetes.io/tls in the same namespace as the IngressRoute.
Backend services	Stable/canary services in that same namespace.

Testing TLS Locally

For local testing, create a self-signed certificate:

# Create self-signed cert
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout tls.key -out tls.crt \
  -subj "/CN=hello-world.example.com"

# Create standard K8s TLS secret
kubectl create secret tls hello-world-tls --cert=tls.crt --key=tls.key -n default

Traefik will terminate TLS on the ingress and forward plain HTTP to the pod.

---

Natural Language Prompts

You can use these exact natural language prompts with the MCP Server to drive traffic workflows seamlessly:

Weighted Routing & Monitoring:

"Create a weighted route for 'hello-world-route' in 'default' at 'hello-world.example.com' with 100% stable and 0% canary, using services hello-world-stable and hello-world-canary."

"Update the weights for 'hello-world-route' in 'default' to 95% stable and 5% canary."

"What is the current traffic split and distribution for 'hello-world-route' in 'default'?"

"List all Traefik services across all namespaces."

"Delete the 'hello-world-route' in 'default'."

Middlewares & Path Updates:

"Create a rate_limit middleware named 'api-rate-limit' in 'production' with an average of 50, burst of 100, per 1s."

"Create a circuit_breaker middleware named 'api-cb' in 'production' with an error-rate trigger and a 0.3 threshold. Set response_code=429."

"Add a strip prefix middleware 'api-strip' in 'production' that strips '/api' from incoming request paths."

"Attach middleware 'api-strip' to IngressRoute 'api-service-route' in 'production'."

TLS & Path Prefix:

"Create route 'api-path-route' in 'production' at 'api.example.com' with path prefix '/api' — route only /api/* traffic, 100% stable."

"Create a TLS-enabled route 'checkout-route' at 'checkout.example.com' with secret 'checkout-tls' and attach 'rate-limit' middleware."

---

Next Steps

• Header-Based Canary — Route specific users via headers or cookies
• Shadow Launch — Test new versions with zero user impact
• NGINX Migration — Migrate from NGINX to Traefik