Complex Simple Solutions Continued (Day 7)

2025-01-16

This is a continuation of the previous post here.

I left off with the Traefik setup in k3s not picking up the certificate. If you read that post, one thing that immediately comes to mind is “did you check the right TLS secret was being used?”

Since I’m working with Helm charts with nested dependencies, I decide to use helmfile template to see what’s actually being deployed:

helmfile template --file apps.yaml > rendered.yaml

Looking at the output, I spot the issue:

# Source: traefik-config/templates/ingress-route.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: kube-system
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`ark.prism.home.mrdvince.me`)
      middlewares:
        - name: traefik-dashboard-basicauth
          namespace: kube-system
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    secretName:    # Aha! there you go, empty secret name

Well, that explains why Traefik is falling back to its self-signed certificate. The certificate is there and valid, but this naming mismatch in the chart config means Traefik doesn’t know about it.

After some chart refactoring and a crash course in Go templating, I’ve got everything working.
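A check like the following can catch this class of mistake before anything is deployed, by scanning the rendered output for `secretName` keys that came out empty. It is an added example, not part of the original post or the chart: the function names, the `whoami` route and the `wildcard-home-tls` secret are assumptions, and the sample manifest is constructed.

```shell
# Added example: list rendered documents whose secretName is empty.
# Prints "<kind> <namespace>/<name>" per offending document; returns 1 if any.
find_empty_tls_secrets() {
  awk -v sq="''" '
    function report() {
      if (bad) { printf "%s %s/%s\n", kind, ns, name; found = 1 }
      kind = ns = name = ""; bad = 0; in_meta = 0
    }
    /^---[ \t]*$/ { report(); next }                 # YAML document separator
    /^kind:/      { kind = $2 }
    /^[^ #]/      { in_meta = ($0 ~ /^metadata:/) }  # entering a top-level key
    in_meta && /^  name:/      { name = $2 }
    in_meta && /^  namespace:/ { ns = $2 }
    /^[ \t]+secretName:/ {
      v = $0
      sub(/^[ \t]+secretName:[ \t]*/, "", v)         # keep only the value
      sub(/[ \t]*#.*$/, "", v)                       # drop a trailing comment
      if (v == "" || v == "\"\"" || v == sq || v == "null" || v == "~") bad = 1
    }
    END { report(); exit (found ? 1 : 0) }
  ' "$1"
}

# Constructed sample of rendered output (not the real chart render).
sample_rendered() {
  cat <<'EOF'
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: kube-system
spec:
  tls:
    secretName:
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
  namespace: default
spec:
  tls:
    secretName: wildcard-home-tls
EOF
}

# Usage: sh check.sh rendered.yaml
if [ $# -gt 0 ]; then find_empty_tls_secrets "$1"; fi
```

The non-zero return on a finding lets the check run as a gate right after `helmfile template`, before the manifests are applied.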

Sidenote: it really does help to debug with a fresh mind; sometimes the obvious answers become apparent after stepping away for a bit.


