I'm experimenting with some Kubernetes stuff on TrueNAS Scale, which comes with K3s (1.25.3) installed. I installed one of the TrueCharts Apps (https://truecharts.org/) but the settings for it appear buggy. I had configured it to use a clusterissuer, but the relevant settings didn't end up in the (traefik) Ingress.
Therefore I manually changed the Ingress with k3s kubectl edit and managed to get my certificate issued with cert-manager.io. This is what the Ingress looks like after editing:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: lets-encrypt-xxxxxx
    meta.helm.sh/release-name: dokuwiki
    meta.helm.sh/release-namespace: ix-dokuwiki
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  creationTimestamp: "2023-03-29T14:08:05Z"
  generation: 13
  labels:
    app.kubernetes.io/instance: dokuwiki
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: dokuwiki
    app.kubernetes.io/version: "20220731.1"
    helm-revision: "6"
    helm.sh/chart: dokuwiki-5.0.25
  name: dokuwiki
  namespace: ix-dokuwiki
  resourceVersion: "6123797"
  uid: fab6a1dd-6edd-4f8f-9e83-d4f1ed72dd1c
spec:
  ingressClassName: traefik
  rules:
  - host: myhost.mydomain.com
    http:
      paths:
      - backend:
          service:
            name: dokuwiki
            port:
              name: main
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - myhost.mydomain.com
    secretName: myhost-mydomain-com-tls
status:
  loadBalancer:
    ingress:
    - ip: 192.168.0.11
It seemed to work well enough, but when I stop and restart the app in the TrueNAS UI, the secretName disappears for some reason, even though the added annotation is kept, for example. This leads to the certificate not being used, but worse, it is also deleted so a new certificate will have to be issued when I add the secretName back. That's pretty bad, and obviously I want to keep my settings between restarts.
What causes this behavior and how can I prevent it?