The forwardedHeaders didn't work in TLS route

I deploy Traefik in AWS EKS with Helm via Terraform, like this:

resource "helm_release" "traefik" {
  ## Only install Traefik in non-prod environment
  count = var.product_environment == "prod" ? 0 : 1
  depends_on = [
    helm_release.alb-controller,
    kubectl_manifest.kubernetes_gateway_api_crd
  ]

  name             = "traefik"
  repository       = "https://traefik.github.io/charts"
  chart            = "traefik"
  version          = "33.2.1"
  namespace        = "traefik"
  create_namespace = true

  values = [
    yamlencode({
      logs = {
        general = {
          level = "INFO"
        }
        access = {
          enabled = true
        }
        # addInternals = true
      }
      service = {
        annotations = {
          "service.beta.kubernetes.io/aws-load-balancer-scheme"                            = "internet-facing"
          "service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled" = "true"
        }
        spec = {
          externalTrafficPolicy = "Local"
        }
      }
      providers = {
        kubernetesIngress = {
          enabled = false
        }
        kubernetesGateway = {
          enabled             = true
          experimentalChannel = true
        }
      }
      ports = {
        traefik = {
          ## Default port is 8080, conflict with web port
          port = 8000
          expose = {
            default = false
          }
        }
        web = {
          port = 8080
          expose = {
            default = true
          }
          exposedPort = 80
          forwardedHeaders = {
            insecure = true
          }
        }
        websecure = {
          port = 8443
          expose = {
            default = true
          }
          exposedPort = 443
          tls = {
            enabled = true
          }
          forwardedHeaders = {
            insecure = true
          }
        }
      }
      additionalArguments = [
        ## https://github.com/traefik/traefik-helm-chart/blob/914037321318d2dd50114df35455c9bc4de7a416/traefik/values.yaml#L157
        "--providers.kubernetesGateway.experimentalChannel=true"
      ]
      gateway = {
        enabled = false
      }
    })
  ]
}

And I create the Gateway and TLSRoute like this:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
  name: teleport-gateway
spec:
  gatewayClassName: traefik
  listeners:
    - allowedRoutes:
        namespaces:
          from: Same
      name: https
      port: 8443
      protocol: TLS
      tls:
        mode: Passthrough
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: teleport
spec:
  hostnames:
    -  "teleport.dev.en.ompassets.myhost.com"
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: teleport-gateway
      sectionName: https
  rules:
    - backendRefs:
        - kind: Service
          name: teleport-nginx
          port: 443

The TLS route forwards my request from my local machine to the nginx pod through the AWS LB and Traefik, and when I checked the nginx log, I found that "$http_x_forwarded_for" is "-".

So it looks like forwardedHeaders.insecure = true didn't work? Or what did I do wrong?

What did you see instead?

And I checked the log in the Traefik pod; I didn't find anything about the TLS route.

What version of Traefik are you using?

Helm version is 33.2.1
Traefik image is docker.io/traefik:v3.2.2

What is your environment & configuration?

K8s Server Version: v1.29.11-eks-56e63d8