K3S (v1.0) + Traefik (Letsencrypt) SSL 443 - working example

I have been trying to find a contemporary WORKING example of ACME / Letsencrypt SSL 443 (containous/whoami) for over a week.

All the examples I have found to date in documentation or web posts seem to be:

  1. Out-of-date
  2. Incomplete
  3. Failing to work

Is there any possibility of providing this most basic building block of knowledge to the K3S user community?

1 Like

Hi @jsmith-dev,

As k3s deploys Traefik using the official Helm Chart (ref. https://github.com/helm/charts/tree/master/stable/traefik), either:

  • Update the configmap containing the traefik.toml static configuration, created by the helm install, and add the ACME section to configure Let's Encrypt. You might need to specify an acme.json file storage path to a persistent volume. Then kill Traefik's pod to apply the configuration.

  • Or (recommended) update the helm chart values of traefik, using https://github.com/helm/charts/tree/master/stable/traefik#configuration, to pass the right settings for ACME.

The 2nd one seems a better fit, as k3s proposes the following option: https://rancher.com/docs/k3s/latest/en/configuration/#auto-deploying-manifests. So I would disable the default traefik installation (--no-deploy=traefik option for the k3s server), and provide a simple manifest that would install the Traefik chart with your own settings.

@dduportal

Damian,

Thank you so much for this advice. I bet your analysis is correct.

However, following your advice relies upon being more intimately familiar with Kubernetes and Helm operation than a new user (like me) has, even coming from a developer / programmer background.

I would be very grateful and I think it would be a great service if you might be able to provide a concrete example.

Perhaps of the "simple manifest" you specified would be required in option two.

Thank you.

Edit: @geraldcroes - Any chance you could write about this?

Thanks for the feedback @jsmith-dev, sounds good to me!

Let's start by making it work for you here, and then we'll discuss the writing of the user guide/contributing to the Traefik doc, and/or k3s doc (I'm mentioning that because you are in the best situation to help write a good user guide, as you are living through a newcomer's expectations, while maintainers might be biased as we know both tools pretty well :) ).

I'll try coming back with something here in the next hours.

@jsmith-dev have you seen our demo section on Github? It's the one we use during conferences.

I just tried this demo and it works perfectly on my side.

This will show what you're asking :)

1 Like

Thank you. I will explore today and report back on this thread.

2 Likes

Hello y'all!

Just a side status: I think we might hit a bug in k3s (thanks @daniel.tomcej!)

The "custom manifest" system in k3s (ref. https://rancher.com/docs/k3s/latest/en/configuration/#auto-deploying-manifests), used for installing Traefik, is not able to translate boolean values in the yaml. So when Helm charts (not only Traefik) are doing a logical {{ if .Values.somevalue }}, but the value is a string (somevalue="false"), then the directive is evaluated as true. If you specify a real boolean, then k3s fails to parse the value. I should look in the k3s issue tracker for such behavior, and open a new issue if it does not already exist.

In the Helm Chart for Traefik v1 (which is community maintained: it's not completely managed by the Traefik project), there could be an improvement so that this boolean is also checked against the string value "false", and eventually the feature could be improved by passing a custom ACME URL so that systems other than Let's Encrypt can be used.

I'll keep you posted as soon as I have confirmed this.

2 Likes
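To see the truthiness problem described above in isolation, here is an added example (not code from this thread, the Traefik chart, Helm or k3s) that renders two constructed templates with Go's text/template, the engine Helm charts are written against: a naive {{ if .Values.acme.staging }} check, and a guarded variant that also compares the value's string form against "false", as the post suggests. It assumes the chart value is reached as .Values.acme.staging and uses the built-in printf "%v" in place of a chart helper for stringifying the value.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Constructed templates, not the chart's own. The naive check treats any
// non-empty string (including "false") as true; the guarded check also
// compares the value's string form against "false".
const naiveTpl = `{{ if .Values.acme.staging }}staging{{ else }}production{{ end }}`
const guardedTpl = `{{ if and .Values.acme.staging (ne (printf "%v" .Values.acme.staging) "false") }}staging{{ else }}production{{ end }}`

// render executes tpl with a Values tree mirroring "acme.staging: <v>",
// where v may be a real bool or the string a k3s HelmChart "set:" passes.
func render(tpl string, staging interface{}) (string, error) {
	t, err := template.New("chart").Parse(tpl)
	if err != nil {
		return "", err
	}
	values := map[string]interface{}{
		"Values": map[string]interface{}{
			"acme": map[string]interface{}{"staging": staging},
		},
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, values); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// StagingEndpoint reports which ACME endpoint the template would select.
func StagingEndpoint(tpl string, staging interface{}) string {
	out, err := render(tpl, staging)
	if err != nil {
		return "error: " + err.Error()
	}
	return out
}

func main() {
	// The string "false" is the interesting row: naive picks staging.
	for _, v := range []interface{}{false, "false", true, "true"} {
		fmt.Printf("%-8v naive=%-10s guarded=%s\n", v,
			StagingEndpoint(naiveTpl, v), StagingEndpoint(guardedTpl, v))
	}
}
```

The row for the string "false" is the one that matters: with the naive check a manifest that sets acme.staging: "false" would still be rendered as if staging were enabled.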

OK @jsmith-dev, bug and fixes confirmed, and also I can provide you with a "hotfix" for now:

You can try this change already today with the following elements:

  • Set the file /var/lib/rancher/k3s/server/manifests/traefik.yaml to the following content (and adapt some of the values in the set: section):

apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik
  namespace: kube-system
spec:
  chart: traefik
  repo: https://helm-tests.s3.eu-west-2.amazonaws.com/traefik-v1/charts/
  version: 1.83.0
  targetNamespace: kube-system
  set:
    rbac.enabled: "true"
    ssl.enabled: "true"
    ssl.enforced: "true"
    kubernetes.ingressEndpoint.useDefaultPublishedService: "true"
    dashboard.enabled: "true"
    dashboard.domain: "<redacted>"
    imageTag: "1.7.20"
    acme.enabled: "true"
    acme.email: "<redacted>"
    acme.logging: "true"
    acme.persistence.enabled: "true"
    acme.staging: "false"

This should properly enable ACME with production Let's Encrypt.

=> As soon as the PR is merged, you can benefit from the latest chart by setting the file /var/lib/rancher/k3s/server/manifests/traefik.yaml to the following content:

apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik
  namespace: kube-system
spec:
  chart: stable/traefik
  set:
    rbac.enabled: "true"
    ssl.enabled: "true"
    ssl.enforced: "true"
    kubernetes.ingressEndpoint.useDefaultPublishedService: "true"
    dashboard.enabled: "true"
    dashboard.domain: "<redacted>"
    imageTag: "1.7.20"
    acme.enabled: "true"
    acme.email: "<redacted>"
    acme.logging: "true"
    acme.persistence.enabled: "true"
    acme.staging: "false"

@jsmith-dev let us know the result.

1 Like

Result: Works!

So SSL on the Traefik dashboard is a success.

What would be the best config for an example containous/whoami SSL secured service?

Note: I will publish a blog post about both the success and the journey. I am very appreciative of the assistance; both the platforms and the culture are to be celebrated.

1 Like