Traefik 1.4: Canary Releases and gRPC Support for Kubernetes Ingress

K8s Guru

Introduction

September 25, 2017 brought the release of Traefik 1.4, delivering advanced traffic-control features that Kubernetes teams craved—weighted canaries, gRPC passthrough and better wildcard certificate automation. The release reinforced Traefik’s position as a flexible ingress controller for cloud-native workloads.


New in 1.4

  • Weighted Canary Deployments: the traefik.ingress.kubernetes.io/service-weights annotation enables gradual rollouts between services.
  • gRPC Support: Traefik can now proxy HTTP/2 gRPC traffic end-to-end, including health checks and reflection.
  • Let’s Encrypt Wildcard: DNS-01 challenge integration allows wildcard certificates via providers like Route53 and Cloudflare.
  • Access Control Lists: Middleware supports IP whitelists and rate limiting per ingress, useful for admin dashboards.
  • Improved Metrics: Native Prometheus metrics with per-router and per-service labels for traffic observability.

Example Canary Ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: checkout
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/service-weights: |
      checkout-v1: 80%
      checkout-v2: 20%
spec:
  rules:
  - host: shop.example.com
    http:
      paths:
      - backend:
          serviceName: checkout-v1
          servicePort: http
      - backend:
          serviceName: checkout-v2
          servicePort: http

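With these weights Traefik sends about 80% of requests to checkout-v1 and 20% to checkout-v2; raising the checkout-v2 share in the annotation shifts traffic gradually toward it, without requiring additional services or CRDs.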


Practical Notes on Canaries

  • The manifest above reflects the Kubernetes API conventions of 2017; keep an eye on Ingress API version changes when applying this pattern on newer clusters.
  • Make canaries observable: pair weight shifts with Prometheus graphs (error rate/latency) so “20%” doesn’t turn into “20% of users are broken” unnoticed.
  • If you run multiple ingress controllers, double-check the ingress.class and any default class behavior so traffic doesn’t split across the wrong controller.
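
A pre-apply check for the canary manifest and the ingress.class note above, added here as an example and not Traefik's or the author's code: it reads the Ingress as JSON (the shape `kubectl get ingress -o json` prints for extensions/v1beta1) and reports a class mismatch, malformed weight lines, names that are weighted but not a backend (or the reverse), and weights that do not total 100%. The function names and the "every backend explicitly weighted, total 100%" policy are this example's assumptions.

```python
import json

WEIGHTS_KEY = "traefik.ingress.kubernetes.io/service-weights"
CLASS_KEY = "kubernetes.io/ingress.class"

# Constructed sample: the checkout Ingress from this page, serialized as JSON.
SAMPLE = json.dumps({
    "apiVersion": "extensions/v1beta1", "kind": "Ingress",
    "metadata": {"name": "checkout", "annotations": {
        CLASS_KEY: "traefik",
        WEIGHTS_KEY: "checkout-v1: 80%\ncheckout-v2: 20%\n",
    }},
    "spec": {"rules": [{"host": "shop.example.com", "http": {"paths": [
        {"backend": {"serviceName": "checkout-v1", "servicePort": "http"}},
        {"backend": {"serviceName": "checkout-v2", "servicePort": "http"}},
    ]}}]},
})

def parse_weights(text):
    """Parse 'name: NN%' lines into {name: float}; raise ValueError on bad lines."""
    weights = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, value = (s.strip() for s in line.partition(":"))
        if not sep or not value.endswith("%"):
            raise ValueError(f"malformed weight line: {line!r}")
        weights[name] = float(value[:-1])  # float() also rejects a bare '%'
    return weights

def lint_ingress(manifest_json, expected_class="traefik"):
    """Return a list of findings; an empty list means the split passed every check."""
    ing = json.loads(manifest_json)
    ann = ing.get("metadata", {}).get("annotations", {})
    findings = []
    if ann.get(CLASS_KEY) != expected_class:
        findings.append(f"ingress.class is {ann.get(CLASS_KEY)!r}, expected {expected_class!r}")
    try:
        weights = parse_weights(ann.get(WEIGHTS_KEY, ""))
    except ValueError as exc:
        return findings + [str(exc)]
    backends = {p["backend"]["serviceName"]
                for r in ing["spec"].get("rules", [])
                for p in r.get("http", {}).get("paths", [])}
    # Policy assumed by this example: weighted names and backends must match exactly.
    for name in sorted(set(weights) ^ backends):
        findings.append(f"{name!r} is not both weighted and a backend of this Ingress")
    if weights and abs(sum(weights.values()) - 100) > 1e-9:
        findings.append(f"weights sum to {sum(weights.values()):g}%, not 100%")
    return findings
```

Running it in CI before `kubectl apply` catches a mistyped service name or a wrong controller class before any traffic is split.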

Let’s Encrypt DNS-01 Setup

[acme]
email = "[email protected]"
storage = "/acme.json"
acmeLogging = true
caServer = "https://acme-v02.api.letsencrypt.org/directory"
[acme.dnsChallenge]
provider = "cloudflare"
delayBeforeCheck = 0

With DNS provider credentials stored as Kubernetes Secrets, Traefik 1.4 can issue wildcard certs for *.example.com, simplifying multi-domain ingress setups.


Operational Tips

  • Run Traefik with the new --api.insecure=false default; expose the dashboard through authenticated ingress instead.
  • Combine Prometheus metrics with Grafana dashboards to monitor request rates and canary weights.
  • Use Traefik’s retry middleware to absorb transient backend failures during rollouts.
  • For gRPC services, ensure HTTP/2 is enabled (traefik.http.services.<name>.loadbalancer.server.scheme=https if TLS upstream).

Summary

| Aspect | Details |
|---|---|
| Release Date | September 25, 2017 |
| Key Innovations | Weighted canaries, gRPC routing, Let’s Encrypt DNS-01, Prometheus metrics |
| Significance | Empowered Kubernetes teams to execute modern deployment strategies with an easy-to-operate ingress controller |