I'm experiment with some Kubernetes stuff TrueNAS Scale, which comes with K3s (1.25.3) installed. I installed one of the TrueCharts Apps (https://truecharts.org/) but the settings for it appear buggy. I had configured it to use a clusterissuer, but the relevant settings didn't end up in the (traefik) Ingress.
Therefore I manually changed the Ingress with
k3s kubectl edit and managed to get my certificate issued with cert-manager.io. This is what the Ingress looks like after editing:
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: cert-manager.io/cluster-issuer: lets-encrypt-xxxxxx meta.helm.sh/release-name: dokuwiki meta.helm.sh/release-namespace: ix-dokuwiki traefik.ingress.kubernetes.io/router.entrypoints: websecure creationTimestamp: "2023-03-29T14:08:05Z" generation: 13 labels: app.kubernetes.io/instance: dokuwiki app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: dokuwiki app.kubernetes.io/version: "20220731.1" helm-revision: "6" helm.sh/chart: dokuwiki-5.0.25 name: dokuwiki namespace: ix-dokuwiki resourceVersion: "6123797" uid: fab6a1dd-6edd-4f8f-9e83-d4f1ed72dd1c spec: ingressClassName: traefik rules: - host: myhost.mydomain.com http: paths: - backend: service: name: dokuwiki port: name: main path: / pathType: Prefix tls: - hosts: - myhost.mydomain.com secretName: myhost-mydomain-com-tls status: loadBalancer: ingress: - ip: 192.168.0.11
It seemed to work well enough, but when I stop and restart the app in the TrueNAS UI, the secretName disappears for some reason, even though the added annotation is kept, for example. This leads to the certificate not being used, but worse, it is also deleted so a new certificate will have to be issued when I add the secretName back. That's pretty bad, and obviously I want to keep my settings between restarts.
What causes this behavior and how can I prevent it?