Complex Simple Solutions Continued (Day 7)


This is a continuation of the previous post here.

I left off with the Traefik setup in k3s not picking up the certificate, and if you read that post, one thing that immediately comes to mind is “Did you check the right TLS secret was being used?”

Since I’m working with Helm charts with nested dependencies, I decided to use helmfile template to see what’s being deployed:

helmfile template --file apps.yaml > rendered.yaml

Looking at the output, I spot the issue:

# Source: traefik-config/templates/ingress-route.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: kube-system
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`ark.prism.home.mrdvince.me`)
      middlewares:
        - name: traefik-dashboard-basicauth
          namespace: kube-system
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    secretName:    # Aha! there you go, empty secret name

Well, that explains why Traefik is falling back to its self-signed certificate. The certificate is there and valid, but this naming mismatch in the chart config means Traefik doesn’t know about it.
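A check like the one below, run over the rendered output, catches this kind of empty `secretName` before it is deployed. It is an added example, not from the original post; the function names, the second `whoami` route and the assumption of 2-space indentation are mine.

```shell
#!/bin/sh
# Added example (not from the original post): list IngressRoute objects in
# rendered Helm output whose tls.secretName key is present but empty.
# Assumes 2-space indentation and no "#" inside quoted values.

find_empty_tls_secrets() {
  awk '
    function flush() {
      if (kind == "IngressRoute" && empty_secret) print ns "/" name
      kind = name = ns = top = ""; in_tls = empty_secret = 0
    }
    { sub(/^#.*/, ""); sub(/[ \t]+#.*/, "") }      # strip YAML comments
    /^---/      { flush(); next }                  # document boundary
    /^[^ \t]/   { top = $1; in_tls = 0 }           # new top-level key
    /^kind:/    { kind = $2 }
    top == "metadata:" && /^  name:/      { name = $2 }
    top == "metadata:" && /^  namespace:/ { ns = $2 }
    top == "spec:" && /^  [^ ]/           { in_tls = ($1 == "tls:") }
    in_tls && /^    secretName:/ &&
      ($2 == "" || $2 == "\"\"" || $2 == "\047\047") { empty_secret = 1 }
    END { flush() }
  ' "$@"
}

sample_manifest() {   # constructed input modelled on the rendered output above
  cat <<'EOF'
---
# Source: traefik-config/templates/ingress-route.yaml
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: kube-system
spec:
  entryPoints:
    - websecure
  tls:
    secretName:    # rendered empty
---
kind: IngressRoute
metadata:
  name: whoami
  namespace: apps
spec:
  tls:
    secretName: whoami-tls
EOF
}

sample_manifest | find_empty_tls_secrets   # real use: find_empty_tls_secrets rendered.yaml
```

On the constructed sample it reports only `kube-system/traefik-dashboard`; the route with a populated `secretName` is not listed.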

After some chart refactoring and a crash course in Go templating, I’ve got everything working.

Sidenote: it really does help to debug with a fresh mind; sometimes the obvious answers become apparent after stepping away for a bit.