diff --git a/.github/workflows/k8s_traefik_init_setup.yml b/.github/workflows/k8s_traefik_init_setup.yml
index 6883b66..eb0fc0e 100644
--- a/.github/workflows/k8s_traefik_init_setup.yml
+++ b/.github/workflows/k8s_traefik_init_setup.yml
@@ -84,10 +84,8 @@ jobs:
       # Install Traefik CRDs (idempotent)
       - name: Install Traefik CRDs
         run: |
-          if ! kubectl get crd ingressroutes.traefik.io >/dev/null 2>&1; then
-            kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
-            kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
-          fi
+          kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+          kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
 
       # Deploy Traefik
       - name: Deploy Traefik
diff --git a/traefik/edge-router/traefik-deployment.yml b/traefik/edge-router/traefik-deployment.yml
index accd617..6b1f3db 100644
--- a/traefik/edge-router/traefik-deployment.yml
+++ b/traefik/edge-router/traefik-deployment.yml
@@ -1,19 +1,8 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  namespace: default
-  name: traefik-ingress-controller
-
----
 kind: Deployment
 apiVersion: apps/v1
+kind: Deployment
 metadata:
+  name: traefik
   namespace: default
-  name: traefik-deployment
-  labels:
-    app: traefik
-
 spec:
   replicas: 1
   selector:
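Review bot: The CRD and RBAC manifests are now applied unconditionally on every run from `raw.githubusercontent.com/traefik/traefik/v2.11/...`, and `v2.11` looks like a release branch rather than an immutable tag, so what gets applied — including the ClusterRole/ClusterRoleBinding carried in kubernetes-crd-rbac.yml — can change underneath this workflow without any commit to this repository. Vendor both files into the repo, or pin to a commit SHA and verify a checksum before `kubectl apply`, so the permissions granted to traefik-ingress-controller are reviewed in a diff rather than fetched at deploy time. Dropping the `kubectl get crd` guard is fine because apply is idempotent, but these CRDs are large enough that client-side apply can hit the last-applied-configuration annotation limit on upgrade; `kubectl apply --server-side -f ...` avoids that.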
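Review bot: Renaming the Deployment from `traefik-deployment` to `traefik` does not rename it on the cluster — `kubectl apply` will create a second Deployment and leave the old one running with its previous args (`--api.insecure`, `--serverstransport.insecureskipverify=true`) until something deletes it, and if the Service selects `app: traefik` (the pod label kept in the next hunk) it will balance across both pods, including the old pod's unauthenticated dashboard on 8080. Add `kubectl delete deployment traefik-deployment --ignore-not-found` to the deploy step, or keep the old name. The ServiceAccount `traefik-ingress-controller` is also removed here while `serviceAccountName: traefik-ingress-controller` is still referenced in the next hunk; if it is now expected to come from the upstream kubernetes-crd-rbac.yml applied by the workflow, pod creation becomes dependent on that step and the account's (cluster-scoped, as far as I recall) permissions are no longer visible in this repo — consider keeping the ServiceAccount plus a namespaced Role/RoleBinding in this file. The Deployment's spec continues in the following hunks.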
@@ -25,35 +14,51 @@ spec:
         app: traefik
     spec:
       serviceAccountName: traefik-ingress-controller
+      volumes:
+        - name: acme
+          persistentVolumeClaim:
+            claimName: traefik-acme
       containers:
         - name: traefik
           image: traefik:v2.11
+          ports:
+            - name: web
+              containerPort: 80
+            - name: websecure
+              containerPort: 443
+            - name: admin
+              containerPort: 8080
+          volumeMounts:
+            - name: acme
+              mountPath: /acme
           args:
-            - --api.insecure
-            - --accesslog=True
-            - --entrypoints.web.Address=:80
-            - --entrypoints.websecure.Address=:443
-            - --providers.kubernetescrd
-            - --api.dashboard
-            - --serverstransport.insecureskipverify=true
-            # TLS (HTTPS)
-            - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
-            - "--certificatesresolvers.myresolver.acme.httpChallenge=false"
-            - "--certificatesresolvers.myresolver.acme.tlsChallenge=false"
-            - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=route53"
-            - "--certificatesresolvers.myresolver.acme.email=junte.kim@mealcraft.com"
-            - "--certificatesresolvers.myresolver.acme.storage=/certs/acme.json"
-            - "--certificatesresolvers.myresolver.acme.httpChallenge.entryPoint=web"
+            - "--api.dashboard=true"
+            - "--api.insecure=false"
+            - "--entrypoints.web.address=:80"
+            - "--entrypoints.websecure.address=:443"
+
+            # Redirect HTTP → HTTPS
             - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
             - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
-            - "--providers.kubernetescrd.allowexternalnameservices=true"
-            - "--providers.kubernetescrd.allowcrossnamespace=false"
-            - "--providers.kubernetescrd.legacyCRDDisabled=true"
-            # 🔥 USE STAGING CERTIFICATES
+
+            # Providers
+            - "--providers.kubernetescrd=true"
+
+            # TLS + ACME
+            - "--certificatesresolvers.myresolver.acme.email=junte.kim@mealcraft.com"
+            - "--certificatesresolvers.myresolver.acme.storage=/acme/acme.json"
+            - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
+            - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=route53"
+
+            # STAGING (uncomment for first-time)
             - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
-          env:
+            - name: AWS_REGION
+              valueFrom:
+                secretKeyRef:
+                  name: aws-secrets
+                  key: AWS_REGION
             - name: AWS_ACCESS_KEY_ID
               valueFrom:
                 secretKeyRef:
@@ -64,24 +69,3 @@ spec:
                 secretKeyRef:
                   name: aws-secrets
                   key: AWS_SECRET_ACCESS_KEY
-            - name: AWS_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: aws-secrets
-                  key: AWS_REGION
-          ports:
-            - name: web
-              containerPort: 80
-            - name: admin
-              containerPort: 8080
-            - name: websecure
-              containerPort: 443
-          volumeMounts:
-            - name: cert-volume
-              mountPath: /certs
-          imagePullSecrets:
-            - name: registrypullsecret
-          volumes:
-            - name: cert-volume
-              persistentVolumeClaim:
-                claimName: certs-pvc
\ No newline at end of file
diff --git a/traefik/edge-router/traefik-services.yml b/traefik/edge-router/traefik-services.yml
index 6a0515f..e43150f 100644
--- a/traefik/edge-router/traefik-services.yml
+++ b/traefik/edge-router/traefik-services.yml
@@ -10,10 +10,10 @@ spec:
   ports:
     - name: web
       port: 80
-      targetPort: web
+      targetPort: 80
     - name: websecure
       port: 443
-      targetPort: websecure
+      targetPort: 443
     - name: admin
       port: 8080
-      targetPort: admin
+      targetPort: 8080
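Review bot: The staging `caserver` argument reads as an unchanged context line directly under the new `# STAGING (uncomment for first-time)` comment, so as this diff stands Traefik still requests certificates from acme-staging-v02 (untrusted by browsers) and the comment contradicts the code; after the first successful run it should become `# - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"`, and `/acme/acme.json` on the traefik-acme PVC should be cleared when switching CA so a staging account or certificate is not carried over. In the same hunk `env:` appears as a removed line with the AWS_* entries still indented beneath it — if that is not an artefact of the collapsed diff the manifest is invalid, so check it with `kubectl apply --dry-run=server`. The Route53 DNS challenge is driven by long-lived static keys from the aws-secrets Secret; on EKS prefer IRSA or Pod Identity, and either way scope the IAM policy to `route53:ChangeResourceRecordSets` on the one hosted zone plus `route53:GetChange`/`route53:ListHostedZones`. The container spec continues into the next hunk.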
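Review bot: With `--api.insecure=false` in the Deployment and no `--entrypoints.traefik.address` defined, nothing in the new configuration listens on 8080, so the `admin` entry (`port: 8080`, `targetPort: 8080`) on this Service now points at a closed port and only serves to re-expose the dashboard the moment someone flips api.insecure back on; drop it here together with the matching `containerPort: 8080`, and reach the dashboard through an IngressRoute to `api@internal` behind an auth middleware instead. Switching `targetPort` from the named ports to numbers also duplicates values already declared in the Deployment — the new containerPort list still defines `web` and `websecure`, so the named form was correct and survives renumbering. The Service spec starts outside the hunk.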