When web application security is a top concern, SSL passthrough should be chosen at the load balancer, so that an incoming Secure Sockets Layer (SSL) request is not decrypted at the load balancer but is passed along as-is to the server for decryption.

The CRD implementation of the Traefik TCP router, IngressRouteTCP, allows SSL passthrough to be set. The YAML with all the objects required for Traefik to allow SSL passthrough is given here:

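apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-ingresscontroller-configmap
  namespace: test
data:
  # Traefik static configuration; the Deployment mounts this ConfigMap at
  # /etc/traefik, so the file lands at /etc/traefik/traefik.toml.
  # A literal block (|-) keeps every TOML line break as written. The folded
  # style (>-) used before only preserved them because each section header
  # happens to be followed by a more-indented or blank line.
  #
  # NOTE(review): `defaultEntryPoints` is a Traefik v1 option; the v2 static
  # configuration does not appear to accept it — confirm against the v2
  # migration guide, since v2 rejects unknown fields at start-up.
  # NOTE(review): [providers.file] points at this same static-config file;
  # Traefik v2 expects dynamic configuration in a separate file — confirm
  # this does not produce a parse error in the logs.
  # [api] is enabled but nothing in this file routes to it; keep it that way.
  # `level = "DEBUG"` logs request detail; use "INFO" outside troubleshooting.
  # `namespaces = ["test"]` restricts the CRD provider to that namespace, so
  # the cluster-wide RBAC below could be narrowed to a Role in "test".
  traefik.toml: |-
    defaultEntryPoints = ["https"]

    [entryPoints]
      [entryPoints.http]
        address = ":80"
      [entryPoints.https]
        address = ":443"

    [api]

    [providers]
      [providers.kubernetesCRD]
        namespaces = ["test"]
      [providers.file]
        filename= "/etc/traefik/traefik.toml"
        watch = true

    [global]
      sendAnonymousUsage = false

    [log]
      level = "DEBUG"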
  
---

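apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-ingresscontroller
  namespace: test
  labels:
    k8s-app: traefik-ingresslb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingresslb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingresslb
        name: traefik-ingresslb
    spec:
      # Identity used to watch Services/Endpoints/Secrets and the Traefik
      # CRDs; bound to the ClusterRole in this file by the ClusterRoleBinding.
      serviceAccountName: traefik-ingresscontroller
      terminationGracePeriodSeconds: 60
      containers:
        - name: traefik-ingresslb
          image: traefik:v2.0.2
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          # Hardening for an internet-facing proxy: the process binds :80 and
          # :443, so it keeps only NET_BIND_SERVICE; the root filesystem is
          # read-only, with the emptyDir on /tmp as writable scratch space.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          volumeMounts:
            - name: traefik-conf-vol
              mountPath: /etc/traefik
            - name: traefik-cert-vol
              mountPath: /etc/traefik/certs
            - name: tmp-vol
              mountPath: /tmp
      volumes:
        - name: traefik-conf-vol
          configMap:
            name: traefik-ingresscontroller-configmap
        # The `traefik-cert` Secret is not defined in this file and the
        # volume is not optional, so the Pod cannot start until the Secret
        # exists in namespace "test". With tls.passthrough on the route
        # below, Traefik does not terminate TLS with this certificate.
        - name: traefik-cert-vol
          secret:
            secretName: traefik-cert
        - name: tmp-vol
          emptyDir:
            medium: Memory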

---

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  namespace: test
  name: test-tlsoption
spec:
  # Floors the protocol at TLS 1.2 for routers that reference this option.
  # Nothing in this file references it, and a passthrough router does not
  # terminate TLS, so it has no effect on the passthrough route below.
  minVersion: VersionTLS12
  
---

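apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  namespace: test
  name: replacetest
spec:
  # Rewrites a path of the form /test-<id>/<rest> to /<rest>.
  # Middlewares apply to HTTP routers only; the IngressRouteTCP in this
  # file does not reference it, so it is currently unused.
  replacePathRegex:
    # Single-quoted so the backslashes and `|` reach Traefik unchanged.
    regex: '\/test-([a-zA-Z]+-[a-zA-Z0-9]+|[a-zA-Z0-9]+)\/(.*)'
    replacement: '/$2'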

---

apiVersion: v1
kind: Service
metadata:
  namespace: test
  name: traefik-svc
spec:
  # NodePort publishes both entry points on every node at the nodePorts
  # below; limit reachability at the network edge if nodes are exposed.
  type: NodePort
  selector:
    k8s-app: traefik-ingresslb
  ports:
    - name: http
      protocol: TCP
      port: 80
      nodePort: 30220
    - name: https
      protocol: TCP
      port: 443
      nodePort: 30222

---

apiVersion: v1
kind: ServiceAccount
metadata:
  # Referenced by the Deployment's serviceAccountName and by the
  # ClusterRoleBinding subject; it holds only the read rules below.
  name: traefik-ingresscontroller
  namespace: test

---

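# NOTE: apiextensions.k8s.io/v1beta1 is removed in Kubernetes 1.22; clusters
# at or above that level need the v1 form, which also requires a schema.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  scope: Namespaced
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  # `versions` replaces the deprecated single `version` field and is the
  # shape the v1 API requires, so migration only adds the schema.
  versions:
    - name: v1alpha1
      served: true
      storage: true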

---
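# NOTE: apiextensions.k8s.io/v1beta1 is removed in Kubernetes 1.22; clusters
# at or above that level need the v1 form, which also requires a schema.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  scope: Namespaced
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  # `versions` replaces the deprecated single `version` field and is the
  # shape the v1 API requires, so migration only adds the schema.
  versions:
    - name: v1alpha1
      served: true
      storage: true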

---
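# NOTE: apiextensions.k8s.io/v1beta1 is removed in Kubernetes 1.22; clusters
# at or above that level need the v1 form, which also requires a schema.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  scope: Namespaced
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  # `versions` replaces the deprecated single `version` field and is the
  # shape the v1 API requires, so migration only adds the schema.
  versions:
    - name: v1alpha1
      served: true
      storage: true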

---
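# NOTE: apiextensions.k8s.io/v1beta1 is removed in Kubernetes 1.22; clusters
# at or above that level need the v1 form, which also requires a schema.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  scope: Namespaced
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  # `versions` replaces the deprecated single `version` field and is the
  # shape the v1 API requires, so migration only adds the schema.
  versions:
    - name: v1alpha1
      served: true
      storage: true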

---
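# rbac.authorization.k8s.io/v1 has the same schema as v1beta1 (GA since
# Kubernetes 1.8); v1beta1 is removed in 1.22.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingresscontroller
rules:
  # Read-only, but cluster-wide. The static config limits the CRD provider
  # to namespaces = ["test"], so a Role/RoleBinding in "test" would meet
  # least privilege; note that `secrets` read here spans every namespace.
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  # The two `extensions` rules serve the kubernetesIngress provider, which
  # the static config in this file does not enable; they can be dropped if
  # that provider is never turned on.
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  # The Traefik CRDs defined in this file.
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - tlsoptions
      - ingressroutes
      - ingressroutetcps
    verbs:
      - get
      - list
      - watch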


---

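# rbac.authorization.k8s.io/v1 has the same schema as v1beta1 (GA since
# Kubernetes 1.8); v1beta1 is removed in 1.22.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingresscontroller
# Grants the ClusterRole cluster-wide to the single ServiceAccount the
# Traefik Deployment runs as.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingresscontroller
subjects:
  - kind: ServiceAccount
    name: traefik-ingresscontroller
    namespace: test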

---

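apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  namespace: test
  name: test-app-ir
spec:
  # Only the TLS entry point: a router matching on HostSNI needs a TLS
  # ClientHello, which plain HTTP on :80 never carries, so listing `http`
  # here routed nothing. Redirecting :80 to :443 is a separate HTTP router.
  entryPoints:
    - https
  routes:
    # Quoted defensively so the backticks are never read as YAML syntax.
    - match: "HostSNI(`myapp.mydomain.com`)"
      kind: Rule
      priority: 1
      services:
        - name: myapp-service
          port: 8080
          weight: 1
  tls:
    # Passthrough forwards the raw TLS stream without decrypting it: the
    # backend on 8080 must present its own certificate, TLSOption settings
    # such as minVersion are not enforced on this path because Traefik does
    # not handshake, and no HTTP middleware or header inspection is possible.
    passthrough: true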

---

 

References:

https://doc.traefik.io/traefik/v2.1/routing/providers/kubernetes-crd/#kind-ingressroutetcp

https://doc.traefik.io/traefik/v1.7/user-guide/kubernetes/

https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/