Skip to main content

Workflow: Traffic Management

Step-by-step guide for managing traffic through Traefik — from initial route creation through progressive canary shifts, TLS setup, and post-deployment cleanup.

When to Use​

Use this workflow to:

  • Deploy new versions using canary or weighted traffic splitting.
  • Add middleware protections (rate limiting, circuit breakers) and rewrite paths.
  • Setup TLS, Backend ServersTransports, and service affinity (sticky sessions).
  • Monitor traffic distribution in real-time during a rollout.

Traefik Resource Architecture​

Prerequisites & Environment Setup​

ComponentStatus
Kubernetes clusterAccessible via kubectl
TraefikInstalled and deployed as Ingress Controller
Application ServicesBackends running (e.g. api-service-stable, api-service-canary)

Verify your backends before routing traffic:

kubectl get svc -n production | grep api-service

Lifecycle Scenarios (Tools & Resources)​

Scenario A: Weighted Canary Deployment​

Tests the traefik_manage_weighted_routing tool alongside traffic distribution and health resources.

StepActionTool / Resource
1Create initial route (100% stable)Tool: traefik_manage_weighted_routing (action=create, route_name, hostname, stable_service (exact K8s Service name), stable_weight=100, canary_weight=0). Omit canary_service for single-backend.
2Verify CreationResource: traefik://traffic/routes/list
Lists TraefikServices to verify it exists.
3Shift to 95/5Tool: traefik_manage_weighted_routing (action=update, stable_weight=95, canary_weight=5)
4Monitor DistributionResource: traefik://traffic/production/api-service-route/distribution
Checks live distribution percentage.
5Complete (0/100)Tool: traefik_manage_weighted_routing (action=update, stable_weight=0, canary_weight=100)
6CleanupTool: traefik_manage_weighted_routing (action=delete)

Scenario B: Adding Middleware Protections​

Tests the traefik_manage_middleware tool and cluster health resources.

StepActionTool / Resource
1Rate LimitingTool: traefik_manage_middleware (action=create, middleware_type=rate_limit, average=100, burst=200, period="1s")
2Circuit BreakerTool: traefik_manage_middleware (action=create, middleware_type=circuit_breaker, trigger_type=error-rate, threshold=0.3, response_code=429)
(Note: circuit breaker open returns 429 so proxy rejections can be distinguished from backend 503 errors.)
3Monitor HealthResource: traefik://traffic/production/api-service-route/distribution
Check route health. Alternatively: traefik://metrics/production/api-service-stable/summary for service metrics.

Scenario C: Strip Prefix Middleware​

Tests path rewriting, often used during NGINX migrations.

StepActionTool / Resource
1Strip PrefixTool: traefik_manage_middleware (action=create, middleware_type=strip_prefix, middleware_name=api-strip, namespace=production, prefixes=["/api"])
2Attach to RouteTool: traefik_manage_route_middlewares (action=attach, route_name=api-service-route, middleware_names=["api-strip"], namespace=production)

Scenario D: Simple IngressRoute (Non-Weighted)​

Use traefik_manage_simple_route when you want an IngressRoute that points directly to K8s Services (no TraefikService/WRR). Supports multiple rules and in-place patches.

StepActionTool / Resource
1Create routeTool: traefik_manage_simple_route (action=create, route_name=hello-preview, namespace=default, entry_points=["web"], routes=[{ "match": "Host(preview.example.com)", "service_name": "preview-v1", "service_port": 80 }])
2Multiple rulesTool: traefik_manage_simple_route (action=create) with routes=[rule1, rule2].
3UpdateTool: traefik_manage_simple_route (action=create) using same route_name to patch seamlessly without traffic gaps.
4DeleteTool: traefik_manage_simple_route (action=delete, route_name=hello-preview)

Scenario E: Path-Based Routing and TLS​

Combines traefik_manage_weighted_routing with path_prefix, tls_enabled, and middlewares.

StepActionTool / Resource
1Path-based routeTool: traefik_manage_weighted_routing (action=create, path_prefix="/api", path_match_type="PathPrefix", ...)
2TLS RouteTool: traefik_manage_weighted_routing (action=create, tls_enabled=True, tls_secret_name=checkout-tls, ...)
3With MiddlewaresTool: traefik_manage_weighted_routing (action=create, middlewares=["rate-limit", "auth"], ...)

Scenario F: Backend ServersTransport and Sticky Sessions​

StepActionTool / Resource
1Create transportTool: traefik_manage_servers_transport (action=create, name=my-app-transport, dial_timeout=5s, response_header_timeout=60s). Attach via traefik.ingress.kubernetes.io/service.serverstransport on backend K8s Service.
2HTTPS backendTool: traefik_manage_servers_transport (action=create, name=https-backend, insecure_skip_verify=true)
3Delete transportTool: traefik_manage_servers_transport (action=delete, name=my-app-transport)
4Enable sticky sessionTool: traefik_configure_service_affinity (action=enable, service_name=hello-world, cookie_name=SESSIONID, cookie_max_age=3600)
5Disable sticky sessionTool: traefik_configure_service_affinity (action=disable, service_name=hello-world)

TLS Testing: Prerequisites and Conventions​

Naming Conventions: MCP vs K8s​

  • Route / TraefikService (MCP convention): The server always names the weighted backend resource {route_name}-wrr (e.g. hello-world-wrr). You can assume this when managing routes.
  • K8s Service Names: The tools use exactly what you pass for stable_service and canary_service. They do not automatically append -stable or -canary.

Entry Points​

  • Traefik uses web (HTTP) and websecure (HTTPS). There is no entry point named https.
  • The tool auto-normalizes references to https into websecure.

TLS Prerequisites​

RequirementDescription
websecure entrypointTraefik must expose HTTPS. When tls_enabled=True, the route uses websecure.
Kubernetes TLS SecretA Secret of type kubernetes.io/tls in the same namespace as the IngressRoute.
Backend servicesStable/canary services in that same namespace.

Testing TLS Locally​

For local testing, create a self-signed certificate:

# Create self-signed cert
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout tls.key -out tls.crt \
  -subj "/CN=hello-world.example.com"

# Create standard K8s TLS secret
kubectl create secret tls hello-world-tls --cert=tls.crt --key=tls.key -n default

Traefik will terminate TLS on the ingress and forward plain HTTP to the pod.

Natural Language Prompts​

You can use these exact natural language prompts with the MCP Server to drive traffic workflows seamlessly:

Weighted Routing & Monitoring:

"Create a weighted route for 'hello-world-route' in 'default' at 'hello-world.example.com' with 100% stable and 0% canary, using services hello-world-stable and hello-world-canary."

"Update the weights for 'hello-world-route' in 'default' to 95% stable and 5% canary."

"What is the current traffic split and distribution for 'hello-world-route' in 'default'?"

"List all Traefik services across all namespaces."

"Delete the 'hello-world-route' in 'default'."

Middlewares & Path Updates:

"Create a rate_limit middleware named 'api-rate-limit' in 'production' with an average of 50, burst of 100, per 1s."

"Create a circuit_breaker middleware named 'api-cb' in 'production' with an error-rate trigger and a 0.3 threshold. Set response_code=429."

"Add a strip prefix middleware 'api-strip' in 'production' that strips '/api' from incoming request paths."

"Attach middleware 'api-strip' to IngressRoute 'api-service-route' in 'production'."

TLS & Path Prefix:

"Create route 'api-path-route' in 'production' at 'api.example.com' with path prefix '/api' — route only /api/* traffic, 100% stable."

"Create a TLS-enabled route 'checkout-route' at 'checkout.example.com' with secret 'checkout-tls' and attach 'rate-limit' middleware."

Next Steps​