Recently I deployed the Traefik Helm chart, and in websecure I set tls to false. My application was giving a 404, but adding these 2 annotations solved the issue.
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
Now I am confused about why exactly I needed to mention these; it should have been done automatically, no? I have also set the entry point in my Traefik to redirect web to websecure.
Traefik helm config
web:
  redirections:
    entryPoint:
      to: websecure
      scheme: https
websecure:
  tls:
    enabled: false
  expose:
    default: true
  exposedPort: 443
The tls.enabled: false in your Helm config controls specifically whether Traefik automatically provisions certificates via ACME/Let's Encrypt; it doesn't disable TLS on the entrypoint itself. The websecure entrypoint still operates as an HTTPS port regardless.
What the annotation router.tls: "true" does is add a TLS block to the router configuration for that ingress. Without it, Traefik creates a plain HTTP router on the websecure entrypoint, which won't match HTTPS requests properly and returns 404. With it, Traefik knows to build a TLS-aware router that handles the HTTPS connection.
The web→websecure redirect is a separate layer: it handles HTTP-to-HTTPS for clients connecting on port 80. Once redirected, the client is making an HTTPS request on port 443, and there needs to be a TLS-aware router there to receive it.
So both pieces are required:
- The entrypoint redirect (web → websecure) pushes HTTP clients to HTTPS
- The router.tls: "true" annotation makes the router on websecure actually terminate TLS
One thing to be aware of since you have tls.enabled set to false: you'll need to supply your own certificate. Options are a tls secret referenced in the Ingress spec, cert-manager with an Issuer annotation, or a default certificate configured on the websecure entrypoint. Without one of those, Traefik falls back to its built-in self-signed cert, which is why browsers will warn until you provide a real one.
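Added example, not part of the original thread: the Ingress without the annotations next to the annotated form that also references its own certificate through a TLS secret in the Ingress spec. The names demo-app, demo.example.com and demo-app-tls are placeholders, and Traefik is assumed to be the default ingress class.

```yaml
# Constructed example; demo-app, demo.example.com and demo-app-tls are placeholders.
# Before: no Traefik annotations. As described in the answer above, the router
# built on websecure is not TLS-aware, and HTTPS requests return 404.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-app-before
spec:
  rules:
    - host: demo.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: demo-app
                port:
                  number: 80
---
# After: the router is bound to websecure and marked as a TLS router, and
# spec.tls supplies the certificate instead of Traefik's self-signed default.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-app
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
    - hosts:
        - demo.example.com
      # Secret of type kubernetes.io/tls in the same namespace as the Ingress
      secretName: demo-app-tls
  rules:
    - host: demo.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: demo-app
                port:
                  number: 80
```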