Clarification on storage (persistence/volumes) for Helm installs

jmcombs · September 9, 2023, 2:03am

I am using Helm to install Traefik in K8s (specifically RKE2) and have some clarification questions regarding to storage.

In the Helm Chart values.yaml, there are these two sections:

#
# -- Add volumes to the traefik pod. The volume name will be passed to tpl.
# This can be used to mount a cert pair or a configmap that holds a config.toml file.
# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
# `additionalArguments:
# - "--providers.file.filename=/config/dynamic.toml"
# - "--ping"
# - "--ping.entrypoint=web"`
volumes: []
# - name: public-cert
#   mountPath: "/certs"
#   type: secret
# - name: '{{ printf "%s-configs" .Release.Name }}'
#   mountPath: "/config"
#   type: configMap

persistence:
  # -- Enable persistence using Persistent Volume Claims
  # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
  # It can be used to store TLS certificates, see `storage` in certResolvers
  enabled: false
  name: data
#  existingClaim: ""
  accessMode: ReadWriteOnce
  size: 128Mi
  # storageClass: ""
  # volumeName: ""
  path: /data
  annotations: {}
  # -- Only mount a subpath of the Volume into the pod
  # subPath: ""

My questions are as follows:

I migrated over from Docker Swarm and in Docker Swarm I mounted an NFS volume for my traefik-dynamic-configuration.yaml and traefik-static-configuration.yaml files and assumed that I could do the same in Kubernetes. I set up the csi-driver-nfs Storage Class and then configured a PersistentVolumeClaim (which uses said Storage Class). When I try to specify that PVC in my Helm values.yaml file the container never mounts or uses it. In fact, when I run a kubectl describe pod it shows the config mount as an EmptyDir.

extraArgs:
  - --providers.file.filename=/config/traefik-dynamic-config.yaml
volumes:
  - name: nfs-traefik-config
    mountPath: /config
    type: persistentVolumeClaim

So, my question is, are the only supported types of volumes configMap and secret for volumes or am I doing something wrong? My hope was to be able to mount the NFS share and use the --providers.file.folder=/config and --providers.file.watch=true options.

With regards to persistence, is this only for certificate storage or is this what I would use to store static and dynamic configuration files and certificates?

persistence:
  enabled: true
  existingClaim: nfs-traefik-certs

Your help is greatly appreciated.

brudnevskij · February 26, 2025, 9:06pm

Hey there!

I encountered a similar issue when using Helm to mount a CSI volume for secrets in Traefik on Azure Kubernetes Service. After debugging, I realized that the volumes: section in values.yaml only supports configMap and secret types.

You can see this behavior directly in the Helm template:
traefik 34.3.0 · traefik/traefik
In the template, volumes: only allows configMap or secret types:

      volumes:
        - name: {{ .Values.persistence.name }}
          {{- if .Values.persistence.enabled }}
          persistentVolumeClaim:
            claimName: {{ default (include "traefik.fullname" .) .Values.persistence.existingClaim }}
          {{- else }}
          emptyDir: {}
          {{- end }}
        - name: tmp
          emptyDir: {}
        {{- $root := . }}
        {{- range .Values.volumes }}
        - name: {{ tpl (.name) $root | replace "." "-" }}
          {{- if eq .type "secret" }}
          secret:
            secretName: {{ tpl (.name) $root }}
          {{- else if eq .type "configMap" }}
          configMap:
            name: {{ tpl (.name) $root }}
          {{- end }}
        {{- end }}
        {{- if .Values.deployment.additionalVolumes }}
          {{- toYaml .Values.deployment.additionalVolumes | nindent 8 }}
        {{- end }}
        {{- if and (gt (len .Values.experimental.plugins) 0) (ne (include "traefik.hasPluginsVolume" .Values.deployment.additionalVolumes) "true") }}
        - name: plugins
          emptyDir: {}
        {{- end }}
        {{- if .Values.providers.file.enabled }}
        - name: traefik-extra-config
          configMap:
            name: {{ template "traefik.fullname" . }}-file-provider
        {{- end }}

I found a workaround: you can specify a "custom" volume using deployment.additionalVolumes instead:

I understand that the topic is quite old. However, somebody like me a few days ago might find it helpful. Hope it saves you some time!

Topic		Replies	Views
Traefik Ingress with persistent volume claim Traefik v2 kubernetes-ingress	0	1141	November 9, 2022
Traefik on Kubernetes - HELP Traefik v3 (latest) kubernetes-crd	1	344	August 23, 2024
Various - Persistant Volumes, Namespace issues Traefik v2 rancher	3	2217	May 29, 2022
Tlsstore not working with kubernetes-crd for self-signed certificate Traefik v2 kubernetes-crd	5	1821	August 31, 2021
Are the LE certs stored persistently with k8s? Traefik v2 letsencrypt-acme	9	442	January 21, 2020

Clarification on storage (persistence/volumes) for Helm installs

Related topics