diff --git a/full-stack-asset-transfer-guide/applications/rest-api/deployment.yaml b/full-stack-asset-transfer-guide/applications/rest-api/deployment.yaml
index d18d9a0c..4f5ea769 100644
--- a/full-stack-asset-transfer-guide/applications/rest-api/deployment.yaml
+++ b/full-stack-asset-transfer-guide/applications/rest-api/deployment.yaml
@@ -54,8 +54,7 @@ kind: Ingress
 metadata:
 name: rest-api
 annotations:
- nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
- # nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+ # proxy settings handled by Traefik
 # labels:
 # app: rest-api
 # app.kubernetes.io/instance: fabricpeer
@@ -64,7 +63,7 @@ metadata:
 # creator: fabric
 # orgname: Org1MSP
 spec:
- ingressClassName: nginx
+ ingressClassName: traefik
 rules:
 - host: restapi.localho.st
 http:
diff --git a/full-stack-asset-transfer-guide/checks/check-kube.sh b/full-stack-asset-transfer-guide/checks/check-kube.sh
index 546ee822..0ab6409a 100755
--- a/full-stack-asset-transfer-guide/checks/check-kube.sh
+++ b/full-stack-asset-transfer-guide/checks/check-kube.sh
@@ -14,11 +14,10 @@ function cluster_info() {
 kubectl cluster-info &>/dev/null
 }
-function nginx() {
- kubectl -n ingress-nginx get all &>/dev/null
- kubectl -n ingress-nginx get deployment.apps/ingress-nginx-controller &>/dev/null
+function ingress() {
+ kubectl -n traefik get all &>/dev/null
+ kubectl -n traefik get deployment.apps/traefik &>/dev/null
 curl http://${WORKSHOP_INGRESS_DOMAIN} &>/dev/null
- curl --insecure https://${WORKSHOP_INGRESS_DOMAIN}:443 &>/dev/null
 }
 function container_registry() {
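Review bot: The rewritten `ingress` check in check-kube.sh passes as soon as anything answers on port 80, because the function's status is that of the final `curl` alone and the two `kubectl` results above it are discarded (unless errexit happens to be active where `check` calls it, which is not visible here). The HTTPS probe was removed as well, so nothing verifies the `websecure` listener on 443 that the Traefik manifest in this commit still exposes. Chaining the commands would make a missing controller fail the check, e.g. `kubectl -n traefik get deployment.apps/traefik &>/dev/null && curl --silent --max-time 5 "http://${WORKSHOP_INGRESS_DOMAIN}" &>/dev/null`. `container_registry` begins on the last line of the hunk and its body is outside it.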
@@ -30,7 +29,7 @@ must_declare WORKSHOP_INGRESS_DOMAIN
 must_declare WORKSHOP_NAMESPACE
 check cluster_info "k8s API controller is running"
-check nginx "Nginx ingress is running at https://${WORKSHOP_INGRESS_DOMAIN}"
+check ingress "Traefik ingress is running at http://${WORKSHOP_INGRESS_DOMAIN}"
 if [ x"${WORKSHOP_CLUSTER_RUNTIME}" == x"kind" ]; then
 check container_registry "Container registry is running at ${WORKSHOP_INGRESS_DOMAIN}:5000"
diff --git a/full-stack-asset-transfer-guide/contracts/asset-transfer-typescript/tsconfig.json b/full-stack-asset-transfer-guide/contracts/asset-transfer-typescript/tsconfig.json
index 3336d0aa..7e4acb39 100644
--- a/full-stack-asset-transfer-guide/contracts/asset-transfer-typescript/tsconfig.json
+++ b/full-stack-asset-transfer-guide/contracts/asset-transfer-typescript/tsconfig.json
@@ -15,3 +15,4 @@
 },
 "include": ["src/"]
 }
+
diff --git a/full-stack-asset-transfer-guide/docs/CloudReady/10-kube-zh.md b/full-stack-asset-transfer-guide/docs/CloudReady/10-kube-zh.md
index f9815463..99b959d4 100644
--- a/full-stack-asset-transfer-guide/docs/CloudReady/10-kube-zh.md
+++ b/full-stack-asset-transfer-guide/docs/CloudReady/10-kube-zh.md
@@ -7,7 +7,7 @@ Fabric云原生部署,所有的组件直接在工作站上运行,在这个步骤中,您将会配置:
 - 一个本地[kind](https://kind.sigs.k8s.io) 集群,来运行k8s.
-- 一个本地[Ingress controller](https://github.com/kubernetes/ingress-nginx), 将k8s集群的路由设置到 `*.localho.st` 这个虚拟域名上.
+- 一个本地[Ingress controller](https://traefik.io/), 将k8s集群的路由设置到 `*.localho.st` 这个虚拟域名上.
 - 一个本地[Container Registry](https://docs.docker.com/registry/insecure/), 允许您上传智能合约的docker镜像。
diff --git a/full-stack-asset-transfer-guide/docs/CloudReady/10-kube.md b/full-stack-asset-transfer-guide/docs/CloudReady/10-kube.md
index d29d4b86..4664e337 100644
--- a/full-stack-asset-transfer-guide/docs/CloudReady/10-kube.md
+++ b/full-stack-asset-transfer-guide/docs/CloudReady/10-kube.md
@@ -8,7 +8,7 @@ With cloud-native Fabric, all the components can run directly on your developmen
 - A local [kind](https://kind.sigs.k8s.io) cluster, running Kubernetes in Docker.
-- A local [Ingress controller](https://github.com/kubernetes/ingress-nginx), routing traffic into the cluster at the `*.localho.st` virtual DNS domain.
+- A local [Ingress controller](https://traefik.io/), routing traffic into the cluster at the `*.localho.st` virtual DNS domain.
 - A local [Container Registry](https://docs.docker.com/registry/insecure/), allowing you to upload chaincode Docker images to the cluster.
diff --git a/full-stack-asset-transfer-guide/docs/CloudReady/13-kube-public-cloud.md b/full-stack-asset-transfer-guide/docs/CloudReady/13-kube-public-cloud.md
index 666adb7c..669d2d9b 100644
--- a/full-stack-asset-transfer-guide/docs/CloudReady/13-kube-public-cloud.md
+++ b/full-stack-asset-transfer-guide/docs/CloudReady/13-kube-public-cloud.md
@@ -87,7 +87,7 @@ just nginx
 ### IKS
 ```shell
-export INGRESS_IPADDR=$(kubectl -n ingress-nginx get svc/ingress-nginx-controller -o json | jq -r '.status.loadBalancer.ingress[0].ip')
+export INGRESS_IPADDR=$(kubectl -n traefik get svc/traefik -o json | jq -r '.status.loadBalancer.ingress[0].ip')
 export WORKSHOP_INGRESS_DOMAIN=$(echo $INGRESS_IPADDR | tr -s '.' '-').nip.io
 ```
@@ -95,7 +95,7 @@ export WORKSHOP_INGRESS_DOMAIN=$(echo $INGRESS_IPADDR | tr -s '.' '-').nip.io
 ### EKS
 ```shell
-export INGRESS_HOSTNAME=$(kubectl -n ingress-nginx get svc/ingress-nginx-controller -o json | jq -r '.status.loadBalancer.ingress[0].hostname')
+export INGRESS_HOSTNAME=$(kubectl -n traefik get svc/traefik -o json | jq -r '.status.loadBalancer.ingress[0].hostname')
 export INGRESS_IPADDR=$(dig $INGRESS_HOSTNAME +short)
 export WORKSHOP_INGRESS_DOMAIN=$(echo $INGRESS_IPADDR | tr -s '.' '-').nip.io
@@ -103,7 +103,7 @@ export WORKSHOP_INGRESS_DOMAIN=$(echo $INGRESS_IPADDR | tr -s '.' '-').nip.io
 ### Digital ocean
 ```shell
-export INGRESS_HOSTNAME=$(kubectl -n ingress-nginx get svc/ingress-nginx-controller -o json | jq -r '.status.loadBalancer.ingress[0].ip')
+export INGRESS_HOSTNAME=$(kubectl -n traefik get svc/traefik -o json | jq -r '.status.loadBalancer.ingress[0].ip')
 export WORKSHOP_INGRESS_DOMAIN=$(echo $INGRESS_HOSTNAME | tr -s '.' '-').nip.io
 ```
diff --git a/full-stack-asset-transfer-guide/docs/CloudReady/22-fabric-ansible-collection.md b/full-stack-asset-transfer-guide/docs/CloudReady/22-fabric-ansible-collection.md
index 4dc4e6f2..bd2fe6c1 100644
--- a/full-stack-asset-transfer-guide/docs/CloudReady/22-fabric-ansible-collection.md
+++ b/full-stack-asset-transfer-guide/docs/CloudReady/22-fabric-ansible-collection.md
@@ -41,7 +41,7 @@ Check the Ingress controllers domain For IKS:
 ```shell
-export INGRESS_IPADDR=$(kubectl -n ingress-nginx get svc/ingress-nginx-controller -o json | jq -r '.status.loadBalancer.ingress[0].ip')
+export INGRESS_IPADDR=$(kubectl -n traefik get svc/traefik -o json | jq -r '.status.loadBalancer.ingress[0].ip')
 export WORKSHOP_INGRESS_DOMAIN=$(echo $INGRESS_IPADDR | tr -s '.' '-').nip.io
 ```
diff --git a/full-stack-asset-transfer-guide/infrastructure/kind_console_ingress/90-KIND-ingress.yml b/full-stack-asset-transfer-guide/infrastructure/kind_console_ingress/90-KIND-ingress.yml
index 257c742c..6d27482b 100644
--- a/full-stack-asset-transfer-guide/infrastructure/kind_console_ingress/90-KIND-ingress.yml
+++ b/full-stack-asset-transfer-guide/infrastructure/kind_console_ingress/90-KIND-ingress.yml
@@ -8,7 +8,7 @@
 register: resultingress
 - name: Wait for the ingress
- command: kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=2m
+ command: kubectl wait --namespace traefik --for=condition=ready pod --selector=app=traefik --timeout=2m
 changed_when: false
 # Override the cluster DNS with a local override to refer pods to the HOST interface
@@ -17,8 +17,8 @@
 k8s_info:
 api_version: v1
 kind: service
- namespace: ingress-nginx
- name: "ingress-nginx-controller"
+ namespace: traefik
+ name: "traefik"
 register: ingress_info
 - name: Applying CoreDNS overrides for ingress domain
@@ -33,5 +33,5 @@
 - name: Rollout the CoreDNS
 shell: |
 kubectl -n kube-system rollout restart deployment/coredns
- kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=2m
+ kubectl wait --namespace traefik --for=condition=ready pod --selector=app=traefik --timeout=2m
 changed_when: false
diff --git a/full-stack-asset-transfer-guide/infrastructure/kind_console_ingress/templates/ingress/ingress-nginx-controller.yaml b/full-stack-asset-transfer-guide/infrastructure/kind_console_ingress/templates/ingress/ingress-nginx-controller.yaml
deleted file mode 100644
index 72b7feed..00000000
--- a/full-stack-asset-transfer-guide/infrastructure/kind_console_ingress/templates/ingress/ingress-nginx-controller.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-#
-# Copyright contributors to the Hyperledger Fabric Operator project
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- namespace: ingress-nginx
- name: ingress-nginx-controller
-spec:
- template:
- spec:
- containers:
- - name: controller
- args:
- - /nginx-ingress-controller
- - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
- - --election-id=ingress-controller-leader
- - --controller-class=k8s.io/ingress-nginx
- - --ingress-class=nginx
- - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- - --validating-webhook=:8443
- - --validating-webhook-certificate=/usr/local/certificates/cert
- - --validating-webhook-key=/usr/local/certificates/key
- - --enable-ssl-passthrough
diff --git a/full-stack-asset-transfer-guide/infrastructure/kind_console_ingress/templates/ingress/kustomization.yaml b/full-stack-asset-transfer-guide/infrastructure/kind_console_ingress/templates/ingress/kustomization.yaml
index e1392885..8cb3eb99 100644
--- a/full-stack-asset-transfer-guide/infrastructure/kind_console_ingress/templates/ingress/kustomization.yaml
+++ b/full-stack-asset-transfer-guide/infrastructure/kind_console_ingress/templates/ingress/kustomization.yaml
@@ -19,18 +19,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/kubernetes/ingress-nginx.git/deploy/static/provider/cloud?ref=controller-v1.1.2
-
-
-# Remove the port `appProtocol` attribute as this is not accepted by all cloud providers
-patches:
-- patch: |-
- - op: remove
- path: "/spec/ports/0/appProtocol"
- - op: remove
- path: "/spec/ports/1/appProtocol"
- target:
- kind: Service
- name: ingress-nginx-controller
- version: v1
-- path: ingress-nginx-controller.yaml
+- traefik-controller.yaml
diff --git a/full-stack-asset-transfer-guide/infrastructure/kind_console_ingress/templates/ingress/traefik-controller.yaml b/full-stack-asset-transfer-guide/infrastructure/kind_console_ingress/templates/ingress/traefik-controller.yaml
new file mode 100644
index 00000000..0c4dc9e9
--- /dev/null
+++ b/full-stack-asset-transfer-guide/infrastructure/kind_console_ingress/templates/ingress/traefik-controller.yaml
@@ -0,0 +1,96 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: traefik
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: traefik
+ namespace: traefik
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: traefik
+rules:
+- apiGroups: [""]
+ resources: ["services", "endpoints", "pods", "secrets", "nodes"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses", "ingressclasses"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: traefik
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: traefik
+subjects:
+- kind: ServiceAccount
+ name: traefik
+ namespace: traefik
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ name: traefik
+spec:
+ controller: traefik.io/ingress-controller
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: traefik
+ namespace: traefik
+spec:
+ selector:
+ app: traefik
+ ports:
+ - name: web
+ protocol: TCP
+ port: 80
+ targetPort: 80
+ - name: websecure
+ protocol: TCP
+ port: 443
+ targetPort: 443
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: traefik
+ namespace: traefik
+spec:
+ selector:
+ matchLabels:
+ app: traefik
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: traefik
+ spec:
+ serviceAccountName: traefik
+ containers:
+ - name: traefik
+ image: traefik:v3.0.17
+ args:
+ - --entrypoints.web.address=:80
+ - --entrypoints.websecure.address=:443
+ - --providers.kubernetesingress
+ - --providers.kubernetesingress.ingressclass=traefik
+ - --providers.kubernetesingress.ingressendpoint.publishedservice=traefik/traefik
+ - --log.level=INFO
+ ports:
+ - name: web
+ containerPort: 80
+ hostPort: 80
+ protocol: TCP
+ - name: websecure
+ containerPort: 443
+ hostPort: 443
+ protocol: TCP
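Review bot: The `traefik` container in the Deployment binds host ports 80 and 443 but sets no `securityContext`, so it runs with whatever user, capabilities and writable root filesystem the image defaults to; dropping every capability except `NET_BIND_SERVICE` and disabling privilege escalation would contain a compromised ingress pod. The ClusterRole gives that pod's service account `get`/`list`/`watch` on every Secret in the cluster, which the Ingress provider uses for TLS certificates but which deserves a comment saying so, and it has no `update` rule for `ingresses/status`, which the `ingressendpoint.publishedservice` argument appears to need in order to write the published address. The nginx controller removed by this commit ran with `--enable-ssl-passthrough`, and none of the arguments here configure an equivalent, so it is worth confirming how TLS is meant to reach the Fabric endpoints. The image is referenced by tag only (`traefik:v3.0.17`); check that the tag resolves and consider pinning it by digest.

```yaml
# … unchanged: Namespace, ServiceAccount, existing ClusterRole rules …
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses/status"]
  verbs: ["update"]
# … unchanged: ClusterRoleBinding, IngressClass, Service, Deployment metadata and selector …
      containers:
      - name: traefik
        image: traefik:v3.0.17
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
            add: ["NET_BIND_SERVICE"]
        # … unchanged: args, ports …
```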
diff --git a/full-stack-asset-transfer-guide/infrastructure/kind_with_nginx.sh b/full-stack-asset-transfer-guide/infrastructure/kind_with_nginx.sh
index 2a0e513e..855b0d9c 100755
--- a/full-stack-asset-transfer-guide/infrastructure/kind_with_nginx.sh
+++ b/full-stack-asset-transfer-guide/infrastructure/kind_with_nginx.sh
@@ -96,13 +96,14 @@ EOF
 # ssl_passthrough mode is enabled for TLS termination at the Fabric node enpdoints.
 #
 function start_nginx() {
- kubectl apply -k https://github.com/hyperledger-labs/fabric-operator.git/config/ingress/kind
+ # apply local Traefik manifest
+ kubectl apply -f infrastructure/kind_console_ingress/templates/ingress/traefik-controller.yaml
 sleep 20
- kubectl wait --namespace ingress-nginx \
+ kubectl wait --namespace traefik \
 --for=condition=ready pod \
- --selector=app.kubernetes.io/component=controller \
+ --selector=app=traefik \
 --timeout=3m
 }
@@ -113,7 +114,7 @@ function start_nginx() {
 # than to the loopback interface at 127.0.0.1.
 #
 function apply_coredns_override() {
- CLUSTER_IP=$(kubectl -n ingress-nginx get svc ingress-nginx-controller -o json | jq -r .spec.clusterIP)
+ CLUSTER_IP=$(kubectl -n traefik get svc traefik -o json | jq -r .spec.clusterIP)
 cat << EOF | kubectl apply -f -
 ---
diff --git a/full-stack-asset-transfer-guide/infrastructure/kind_with_traefik.sh b/full-stack-asset-transfer-guide/infrastructure/kind_with_traefik.sh
new file mode 100644
index 00000000..b88e2f88
--- /dev/null
+++ b/full-stack-asset-transfer-guide/infrastructure/kind_with_traefik.sh
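Review bot: The comment block kept directly above `start_nginx` in kind_with_nginx.sh still says ssl_passthrough mode is enabled for TLS termination at the Fabric node endpoints, but the body now applies the Traefik manifest, whose arguments configure no passthrough; the comment (it begins outside the hunk) should state what terminates TLS now, for example `# Installs the Traefik ingress controller; TLS passthrough is not configured.` The manifest path is relative, so it only resolves when the script is run from the guide's root directory; deriving it from the script location avoids that, e.g. `kubectl apply -f "$(dirname "${BASH_SOURCE[0]}")/kind_console_ingress/templates/ingress/traefik-controller.yaml"`. The same relative path appears in `start_traefik` in the new kind_with_traefik.sh.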
@@ -0,0 +1,164 @@
+#!/usr/bin/env bash
+#
+# Copyright contributors to the Hyperledgendary Full Stack Asset Transfer project
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -eo pipefail
+set -x
+
+KIND_CLUSTER_NAME=kind
+KIND_CLUSTER_IMAGE=${KIND_CLUSTER_IMAGE:-kindest/node:v1.28.0}
+KIND_API_SERVER_ADDRESS=${KIND_API_SERVER_ADDRESS:-127.0.0.1}
+KIND_API_SERVER_PORT=${KIND_API_SERVER_PORT:-8888}
+CONTAINER_REGISTRY_NAME=${CONTAINER_REGISTRY_NAME:-kind-registry}
+CONTAINER_REGISTRY_ADDRESS=${CONTAINER_REGISTRY_ADDRESS:-127.0.0.1}
+CONTAINER_REGISTRY_PORT=${CONTAINER_REGISTRY_PORT:-5000}
+
+function kind_with_traefik() {
+
+ delete_cluster
+
+ create_cluster
+
+ start_traefik
+
+ apply_coredns_override
+
+ launch_docker_registry
+}
+
+function delete_cluster() {
+ kind delete cluster --name $KIND_CLUSTER_NAME
+}
+
+function create_cluster() {
+ cat << EOF | kind create cluster --name $KIND_CLUSTER_NAME --image $KIND_CLUSTER_IMAGE --config=-
+---
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+ - role: control-plane
+ kubeadmConfigPatches:
+ - |
+ kind: InitConfiguration
+ nodeRegistration:
+ kubeletExtraArgs:
+ node-labels: "ingress-ready=true"
+ extraPortMappings:
+ - containerPort: 80
+ hostPort: 80
+ protocol: TCP
+ - containerPort: 443
+ hostPort: 443
+ protocol: TCP
+networking:
+ apiServerAddress: ${KIND_API_SERVER_ADDRESS}
+ apiServerPort: ${KIND_API_SERVER_PORT}
+
+containerdConfigPatches:
+- |-
+ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:${CONTAINER_REGISTRY_PORT}"]
+ endpoint = ["http://${CONTAINER_REGISTRY_NAME}:${CONTAINER_REGISTRY_PORT}"]
+EOF
+
+ for node in $(kind get nodes);
+ do
+ docker exec "$node" sysctl net.ipv4.conf.all.route_localnet=1;
+ done
+}
+
+function start_traefik() {
+ kubectl apply -f infrastructure/kind_console_ingress/templates/ingress/traefik-controller.yaml
+
+ sleep 20
+
+ kubectl wait --namespace traefik \
+ --for=condition=ready pod \
+ --selector=app=traefik \
+ --timeout=3m
+}
+
+function apply_coredns_override() {
+ CLUSTER_IP=$(kubectl -n traefik get svc traefik -o json | jq -r .spec.clusterIP)
+
+ cat << EOF | kubectl apply -f -
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: coredns
+ namespace: kube-system
+data:
+ Corefile: |
+ .:53 {
+ errors
+ health {
+ lameduck 5s
+ }
+ ready
+ rewrite name regex (.*)\.localho\.st host.ingress.internal
+ hosts {
+ ${CLUSTER_IP} host.ingress.internal
+ fallthrough
+ }
+ kubernetes cluster.local in-addr.arpa ip6.arpa {
+ pods insecure
+ fallthrough in-addr.arpa ip6.arpa
+ ttl 30
+ }
+ prometheus :9153
+ forward . /etc/resolv.conf {
+ max_concurrent 1000
+ }
+ cache 30
+ loop
+ reload
+ loadbalance
+ }
+EOF
+
+ kubectl -n kube-system rollout restart deployment/coredns
+}
+
+function launch_docker_registry() {
+ running="$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)"
+ if [ "${running}" != 'true' ]; then
+ docker run \
+ --detach \
+ --restart always \
+ --name "${CONTAINER_REGISTRY_NAME}" \
+ --publish "${CONTAINER_REGISTRY_ADDRESS}:${CONTAINER_REGISTRY_PORT}:${CONTAINER_REGISTRY_PORT}" \
+ registry:2
+ fi
+
+ docker network connect "kind" "${CONTAINER_REGISTRY_NAME}" || true
+
+ cat <