How to add TLS configuration afterwards

Hello,
Traefik is the first Helm chart I installed on my cluster. In its values.yaml I only define some ports and a couple of additionalArguments.
Then I installed my application (still with Helm), and depending on some properties defined in its values.yaml, some TLS certs are created and placed in a dedicated secret.
My question is: what is the cleanest way to update Traefik and tell it to use that TLS configuration, given that it was not configured with any volume when it was launched?
From what I see, I need to:

  • create a ConfigMap with the TLS information when deploying the app (those TLS settings are tightly coupled to the app)
  • relaunch the Traefik chart with a different values.yaml that should now contain a "volumes" property, with one entry indicating where this ConfigMap (containing the dynamic conf) is and another defining where the secret (containing the certs) needs to be mounted.

The thing is, when my app starts it references a TLS option not yet present in Traefik, so I need to relaunch Traefik afterwards to add the TLS option.

Any thoughts?
Luc

Hello @luc.juggery,

What provider are you using? If you are using Ingress or IngressRoute, you can dynamically provide routing configuration to Traefik without having to restart it.

You can also reference secrets containing TLS certificates without having to mount them, and Traefik will dynamically load them so that it doesn't have to restart.

Hello @daniel.tomcej, thanks for your reply.
I'm using IngressRoute, so there is no problem creating routing configuration dynamically.
Basically, I have a Helm values file (thus for the static configuration) that contains (among other things):

additionalArguments:
  - "--providers.file.filename=/config/dynamic.yaml"
  - "--providers.file.watch=true"
  - "--ping"
  - "--ping.entrypoint=web"

...
volumes:
  - name: traefik-config   # used to provide dynamic configuration
    mountPath: /config
    type: configMap
  - name: traefik-certs    # used to provide certs later on
    mountPath: /etc/ssl/certs
    type: secret

Also, the dynamic configuration is the following:

tls:
  certificates:
    - certFile: /etc/ssl/certs/https_server.crt
      keyFile: /etc/ssl/certs/https_server.key
  options:
    default:
      minVersion: VersionTLS12
    tcp:
      minVersion: VersionTLS12
      cipherSuites:
       ...
      clientAuth:
        caFiles:
          - /etc/ssl/certs/ca.crt
        clientAuthType: RequireAndVerifyClientCert

When running Traefik for the first time, the ConfigMap and Secret are not there, so Traefik will fail and restart in a loop.
The ConfigMap and Secret are created when the main application is deployed with Helm.

I do not really get the best way to do that. Ideally, I'd like to start Traefik via Helm with a basic config and dynamically add the ConfigMap / Secret when the app starts, to have Traefik automatically reconfigured.

I did not see that before, but it seems I can manage the TLS configuration in the TLSOption CRD and the TLS certificates in the TLSStore CRD. Can you confirm this is the way to go, thus removing the need for a dynamic configuration file in that particular case?
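
The file-based `tls` block from the post above, expressed with the TLSOption and TLSStore CRDs and referenced from an IngressRoute. This is an added example, not part of the original thread. The namespace, resource names, Secret names, host, entry point and service port are hypothetical, and the `apiVersion` assumes a Traefik release that serves the `traefik.io` API group (older v2 releases use `traefik.containo.us/v1alpha1`).

```yaml
# Added example; all names below are hypothetical placeholders.
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
  name: tcp                  # counterpart of tls.options.tcp in dynamic.yaml
  namespace: my-app
spec:
  minVersion: VersionTLS12
  # cipherSuites were elided in the thread; list them here if restricting.
  clientAuth:
    secretNames:
      - my-app-client-ca     # Secret holding the CA under key ca.crt or tls.ca
    clientAuthType: RequireAndVerifyClientCert
---
apiVersion: traefik.io/v1alpha1
kind: TLSStore
metadata:
  name: default              # Traefik only uses the store named "default"
  namespace: my-app
spec:
  defaultCertificate:
    secretName: my-app-server-tls   # kubernetes.io/tls Secret (tls.crt, tls.key)
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: my-app
  namespace: my-app
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`app.example.com`)
      kind: Rule
      services:
        - name: my-app
          port: 8080
  tls:
    secretName: my-app-server-tls   # server certificate for this route
    options:
      name: tcp                     # the TLSOption defined above
      namespace: my-app
```

Traefik reads these Secrets through the Kubernetes API, so no volume has to be mounted into the Traefik pod, and the manifests can ship in the application's own Helm chart.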