The Traefik Hub API Gateway doesn’t just route traffic; it actively shapes and secures your API landscape by acting as the single point of entry, allowing you to define how external requests interact with your internal services.
Let’s see Traefik Hub in action. Imagine you have a simple whoami service running on port 8080 within your Kubernetes cluster.
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami-deployment
spec:
replicas: 1
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- name: whoami
image: traefik/whoami
ports:
- containerPort: 8080
And a corresponding Service to expose it internally:
apiVersion: v1
kind: Service
metadata:
name: whoami-service
spec:
selector:
app: whoami
ports:
- protocol: TCP
port: 80
targetPort: 8080
Now, we’ll configure Traefik Hub to expose this whoami service. First, ensure Traefik Hub is deployed. You’ll typically have a TraefikEnterpriseConfiguration and an IngressRoute (or HTTPRoute if using Gateway API).
Here’s how an IngressRoute might look to expose whoami on /whoami with basic authentication:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami-ingress
namespace: default # Or wherever your services are
spec:
entryPoints:
- websecure # Assuming you have a websecure entrypoint configured for HTTPS
routes:
- match: Host(`your-traefik-domain.com`) && PathPrefix(`/whoami`)
kind: Rule
services:
- name: whoami-service
port: 80
middlewares:
- name: basic-auth-middleware
namespace: default
And the Middleware for basic authentication:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: basic-auth-middleware
namespace: default
spec:
basicAuth:
users:
- "test:$apr1$H6uskkkW$4S/Z.kY.pG3Bw2Qn.jU.n0" # Example user 'test' with hashed password
With this setup, any request to https://your-traefik-domain.com/whoami will first hit Traefik Hub. Traefik will check the Host and PathPrefix rules. If they match, it will then apply the basic-auth-middleware. If authentication succeeds, Traefik will forward the request to your whoami-service on port 80. The whoami service will respond, and Traefik will send that response back to the client.
This pattern allows you to centralize cross-cutting concerns like authentication, rate limiting, request transformation, and more, without modifying your backend services. Each IngressRoute acts as a policy document for a specific API or set of APIs.
The core problem Traefik Hub solves is the complexity of managing direct access to numerous microservices. Instead of each service needing its own TLS termination, authentication layer, and ingress logic, Traefik Hub becomes the singular, intelligent gateway. It decouples the concerns of network ingress and API management from the business logic of your services. You define your API’s public face – its routes, security policies, and transformations – in Traefik’s configuration, and Traefik ensures that traffic adheres to these definitions before reaching the intended service. This dramatically simplifies service development and deployment, as developers can focus solely on their application’s functionality.
Traefik Hub’s power lies in its declarative configuration and middleware chaining. You define a series of Middleware resources, and then attach them to your IngressRoute or HTTPRoute. Traefik executes these middlewares in the order they are defined in the route’s middlewares list. This sequential execution is key; for example, you might first apply a rate-limiting middleware, then an authentication middleware, and finally a request-transformation middleware. Each middleware has the opportunity to inspect, modify, or even terminate the request before it proceeds to the next step or the backend service. This allows for sophisticated traffic management and security policies to be built up piece by piece.
What many overlook is how Traefik Hub’s dynamic configuration reloads without downtime. When you update an IngressRoute or a Middleware resource, Traefik Hub watches for these changes. Instead of restarting or reloading its configuration files, it updates its internal routing tables and middleware pipelines on the fly. This means you can add new routes, modify security policies, or change load balancing strategies for existing APIs without interrupting any ongoing traffic. The transition is seamless, ensuring high availability for your API gateway.
The next step is exploring how Traefik Hub integrates with external API discovery and management platforms.