I’m setting up Traefik using Flux to deploy its Helm configuration. Deploying the base chart without any modifications works as expected.
However, when I use Kustomize to patch the HelmRelease values, the deployment fails and an error is shown in the Flux console.
traefik-chart main@sha1:c8eccfad False False kustomize build failed: map[string]interface {}{"apiVersion":"helm.toolkit.fluxcd.io/v2", "kind":"HelmRelease", "metadata":map[string]interface {}{"name":"traefik", "namespace":"traefik"}, "spec":map[string]interface {}{"chart":map[string]interface {}{"spec":map[string]interface {}{"chart":"traefik", "sourceRef":map[string]interface {}{"kind":"HelmRepository", "name":"traefik", "namespace":"flux-system"}, "version":"38.0.2"}}, "install":map[string]interface {}{"remediation":map[string]interface {}{"retries":3}}, "interval":"5m", "maxHistory":3, "releaseName":"traefik", "values":map[string]interface {}{"additionalArguments":[]interface {}{}, "additionalVolumeMounts":[]interface {}{}, "affinity":map[string]interface {}{}, "api":map[string]interface {}{"basePath":"", "dashboard":true}, "autoscaling":map[string]interface {}{"behavior":map[string]interface {}{}, "enabled":false, "metrics":[]interface {}{}, "scaleTargetRef":map[string]interface {}{"apiVersion":"apps/v1", "kind":"Deployment", "name":"{{ template \"traefik.fullname\" . 
}}"}}, "certificatesResolvers":map[string]interface {}{}, "commonLabels":map[string]interface {}{}, "core":map[string]interface {}{"defaultRuleSyntax":""}, "deployment":map[string]interface {}{"additionalContainers":[]interface {}{}, "additionalVolumes":[]interface {}{}, "annotations":map[string]interface {}{}, "dnsConfig":map[string]interface {}{}, "dnsPolicy":"", "enabled":true, "goMemLimitPercentage":0.9, "healthchecksHost":"", "healthchecksPort":0, "hostAliases":[]interface {}{}, "imagePullSecrets":[]interface {}{}, "initContainers":[]interface {}{}, "kind":"Deployment", "labels":map[string]interface {}{}, "lifecycle":map[string]interface {}{}, "livenessPath":"", "minReadySeconds":0, "podAnnotations":map[string]interface {}{}, "podLabels":map[string]interface {}{}, "readinessPath":"", "replicas":2, "revisionHistoryLimit":5, "runtimeClassName":"", "shareProcessNamespace":false, "terminationGracePeriodSeconds":60}, "env":[]interface {}{}, "envFrom":[]interface {}{}, "experimental":map[string]interface {}{"abortOnPluginFailure":false, "fastProxy":map[string]interface {}{"debug":false, "enabled":false}, "knative":false, "kubernetesGateway":map[string]interface {}{"enabled":false}, "localPlugins":map[string]interface {}{}, "otlpLogs":false, "plugins":map[string]interface {}{}}, "extraObjects":[]interface {}{}, "gateway":map[string]interface {}{"annotations":map[string]interface {}{}, "enabled":true, "infrastructure":map[string]interface {}{}, "listeners":map[string]interface {}{"web":map[string]interface {}{"hostname":"", "port":8000, "protocol":"HTTP"}}, "name":"", "namespace":""}, "gatewayClass":map[string]interface {}{"enabled":true, "labels":map[string]interface {}{}, "name":""}, "global":map[string]interface {}{"azure":map[string]interface {}{"enabled":false, "images":map[string]interface {}{"hub":map[string]interface {}{"image":"traefik-hub", "registry":"ghcr.io/traefik", "tag":"latest"}, "proxy":map[string]interface {}{"image":"traefik", 
"registry":"docker.io/library", "tag":"latest"}}}, "checkNewVersion":true, "sendAnonymousUsage":false}, "hostNetwork":false, "hub":map[string]interface {}{"aigateway":map[string]interface {}{"enabled":false}, "apimanagement":map[string]interface {}{"admission":map[string]interface {}{"annotations":map[string]interface {}{}, "customWebhookCertificate":map[string]interface {}{}, "listenAddr":"", "restartOnCertificateChange":true, "secretName":"hub-agent-cert", "selfManagedCertificate":false}, "enabled":false, "openApi":map[string]interface {}{"validateRequestMethodAndPath":false}}, "mcpgateway":map[string]interface {}{"enabled":false}, "namespaces":[]interface {}{}, "pluginRegistry":map[string]interface {}{"sources":map[string]interface {}{}}, "providers":map[string]interface {}{"consulCatalogEnterprise":map[string]interface {}{"cache":false, "connectAware":false, "connectByDefault":false, "constraints":"", "defaultRule":"Host(`{{ normalize .Name }}`)", "enabled":false, "endpoint":map[string]interface {}{"address":"", "datacenter":"", "endpointWaitTime":0, "httpauth":map[string]interface {}{"password":"", "username":""}, "scheme":"", "tls":map[string]interface {}{"ca":"", "cert":"", "insecureSkipVerify":false, "key":""}, "token":""}, "exposedByDefault":true, "namespaces":"", "partition":"", "prefix":"traefik", "refreshInterval":15, "requireConsistent":false, "serviceName":"traefik", "stale":false, "strictChecks":"passing, warning", "watch":false}, "microcks":map[string]interface {}{"auth":map[string]interface {}{"clientId":"", "clientSecret":"", "endpoint":"", "token":""}, "enabled":false, "endpoint":"", "pollInterval":30, "pollTimeout":5, "tls":map[string]interface {}{"ca":"", "cert":"", "insecureSkipVerify":false, "key":""}}}, "redis":map[string]interface {}{"endpoints":"", "password":"", "sentinel":map[string]interface {}{"masterset":"", "password":"", "username":""}, "timeout":"", "tls":map[string]interface {}{"ca":"", "cert":"", "insecureSkipVerify":false, 
"key":""}, "username":""}, "token":"", "tracing":map[string]interface {}{"additionalTraceHeaders":map[string]interface {}{"enabled":false, "traceContext":map[string]interface {}{"parentId":"", "traceId":"", "traceParent":"", "traceState":""}}}}, "image":map[string]interface {}{"pullPolicy":"IfNotPresent", "registry":"docker.io", "repository":"traefik"}, "ingressClass":map[string]interface {}{"enabled":true, "isDefaultClass":true, "name":""}, "ingressRoute":map[string]interface {}{"dashboard":map[string]interface {}{"annotations":map[string]interface {}{}, "enabled":false, "entryPoints":[]interface {}{"traefik"}, "labels":map[string]interface {}{}, "matchRule":"PathPrefix(`/dashboard`) || PathPrefix(`/api`)", "middlewares":[]interface {}{}, "services":[]interface {}{map[string]interface {}{"kind":"TraefikService", "name":"api@internal"}}, "tls":map[string]interface {}{}}, "healthcheck":map[string]interface {}{"annotations":map[string]interface {}{}, "enabled":false, "entryPoints":[]interface {}{"traefik"}, "labels":map[string]interface {}{}, "matchRule":"PathPrefix(`/ping`)", "middlewares":[]interface {}{}, "services":[]interface {}{map[string]interface {}{"kind":"TraefikService", "name":"ping@internal"}}, "tls":map[string]interface {}{}}}, "instanceLabelOverride":"", "livenessProbe":map[string]interface {}{"failureThreshold":3, "initialDelaySeconds":2, "periodSeconds":10, "successThreshold":1, "timeoutSeconds":2}, "logs":map[string]interface {}{"access":map[string]interface {}{"addInternals":false, "enabled":false, "fields":map[string]interface {}{"general":map[string]interface {}{"defaultmode":"keep", "names":map[string]interface {}{}}, "headers":map[string]interface {}{"defaultmode":"drop", "names":map[string]interface {}{}}}, "filters":map[string]interface {}{"minduration":"", "retryattempts":false, "statuscodes":""}, "otlp":map[string]interface {}{"enabled":false, "grpc":map[string]interface {}{"enabled":false, "endpoint":"", "insecure":false, 
"tls":map[string]interface {}{"ca":"", "cert":"", "insecureSkipVerify":false, "key":""}}, "http":map[string]interface {}{"enabled":false, "endpoint":"", "headers":map[string]interface {}{}, "tls":map[string]interface {}{"ca":"", "cert":"", "key":""}}, "resourceAttributes":map[string]interface {}{}}, "timezone":""}, "general":map[string]interface {}{"filePath":"", "level":"INFO", "noColor":false, "otlp":map[string]interface {}{"enabled":false, "grpc":map[string]interface {}{"enabled":false, "endpoint":"", "insecure":false, "tls":map[string]interface {}{"ca":"", "cert":"", "insecureSkipVerify":false, "key":""}}, "http":map[string]interface {}{"enabled":false, "endpoint":"", "headers":map[string]interface {}{}, "tls":map[string]interface {}{"ca":"", "cert":"", "key":""}}, "resourceAttributes":map[string]interface {}{}}}}, "metrics":map[string]interface {}{"addInternals":false, "otlp":map[string]interface {}{"enabled":false, "explicitBoundaries":[]interface {}{}, "grpc":map[string]interface {}{"enabled":false, "endpoint":"", "insecure":false, "tls":map[string]interface {}{"ca":"", "cert":"", "insecureSkipVerify":false, "key":""}}, "http":map[string]interface {}{"enabled":false, "endpoint":"", "headers":map[string]interface {}{}, "tls":map[string]interface {}{"ca":"", "cert":"", "key":""}}, "pushInterval":"", "resourceAttributes":map[string]interface {}{}}, "prometheus":map[string]interface {}{"buckets":"", "entryPoint":"metrics", "headerLabels":map[string]interface {}{}, "manualRouting":false, "prometheusRule":map[string]interface {}{"additionalLabels":map[string]interface {}{}, "apiVersion":"monitoring.coreos.com/v1", "enabled":false, "namespace":""}, "service":map[string]interface {}{"annotations":map[string]interface {}{}, "enabled":false, "labels":map[string]interface {}{}}, "serviceMonitor":map[string]interface {}{"additionalLabels":map[string]interface {}{}, "apiVersion":"monitoring.coreos.com/v1", "enableHttp2":false, "enabled":false, "followRedirects":false, 
"honorLabels":false, "honorTimestamps":false, "interval":"", "jobLabel":"", "metricRelabelings":[]interface {}{}, "namespace":"", "namespaceSelector":map[string]interface {}{}, "relabelings":[]interface {}{}, "scrapeTimeout":""}}}, "namespaceOverride":"", "nodeSelector":map[string]interface {}{}, "oci_meta":map[string]interface {}{"enabled":false, "images":map[string]interface {}{"hub":map[string]interface {}{"image":"traefik-hub", "tag":"latest"}, "proxy":map[string]interface {}{"image":"traefik", "tag":"latest"}}, "repo":"traefik"}, "ocsp":map[string]interface {}{"enabled":false, "responderOverrides":map[string]interface {}{}}, "persistence":map[string]interface {}{"accessMode":"ReadWriteOnce", "annotations":map[string]interface {}{}, "enabled":false, "existingClaim":"", "name":"data", "path":"/data", "size":"128Mi", "subPath":"", "volumeName":""}, "podDisruptionBudget":map[string]interface {}{"enabled":false}, "podSecurityContext":map[string]interface {}{"runAsGroup":65532, "runAsNonRoot":true, "runAsUser":65532}, "podSecurityPolicy":map[string]interface {}{"enabled":false}, "ports":map[string]interface {}{"metrics":map[string]interface {}{"expose":map[string]interface {}{"default":false}, "exposedPort":9100, "observability":map[string]interface {}{}, "port":9100, "protocol":"TCP"}, "traefik":map[string]interface {}{"expose":map[string]interface {}{"default":false}, "exposedPort":8080, "observability":map[string]interface {}{}, "port":8080, "protocol":"TCP"}, "web":map[string]interface {}{"expose":map[string]interface {}{"default":true}, "exposedPort":80, "forwardedHeaders":map[string]interface {}{"insecure":false, "trustedIPs":[]interface {}{}}, "observability":map[string]interface {}{}, "port":8000, "protocol":"TCP", "proxyProtocol":map[string]interface {}{"insecure":false, "trustedIPs":[]interface {}{}}, "redirections":map[string]interface {}{"entryPoint":map[string]interface {}{}}, "transport":map[string]interface {}{"lifeCycle":map[string]interface {}{}, 
"respondingTimeouts":map[string]interface {}{}}}, "websecure":map[string]interface {}{"allowACMEByPass":false, "expose":map[string]interface {}{"default":true}, "exposedPort":443, "forwardedHeaders":map[string]interface {}{"insecure":false, "trustedIPs":[]interface {}{}}, "http":map[string]interface {}{"encodedCharacters":map[string]interface {}{"allowEncodedBackSlash":false, "allowEncodedHash":false, "allowEncodedNullCharacter":false, "allowEncodedPercent":false, "allowEncodedQuestionMark":false, "allowEncodedSemicolon":false, "allowEncodedSlash":false}}, "http3":map[string]interface {}{"enabled":false}, "middlewares":[]interface {}{}, "observability":map[string]interface {}{}, "port":8443, "protocol":"TCP", "proxyProtocol":map[string]interface {}{"insecure":false, "trustedIPs":[]interface {}{}}, "tls":map[string]interface {}{"certResolver":"", "domains":[]interface {}{}, "enabled":true, "options":""}, "transport":map[string]interface {}{"lifeCycle":map[string]interface {}{}, "respondingTimeouts":map[string]interface {}{}}}}, "priorityClassName":"", "providers":map[string]interface {}{"file":map[string]interface {}{"content":"", "enabled":false, "watch":true}, "knative":map[string]interface {}{"enabled":false, "labelSelector":"", "namespaces":[]interface {}{}}, "kubernetesCRD":map[string]interface {}{"allowCrossNamespace":false, "allowEmptyServices":true, "allowExternalNameServices":false, "enabled":true, "ingressClass":"", "labelSelector":"", "namespaces":[]interface {}{}, "nativeLBByDefault":false}, "kubernetesGateway":map[string]interface {}{"enabled":true, "experimentalChannel":false, "labelSelector":"", "namespaces":[]interface {}{}, "nativeLBByDefault":false, "statusAddress":map[string]interface {}{"hostname":"", "ip":"", "service":map[string]interface {}{"enabled":true, "name":"", "namespace":""}}}, "kubernetesIngress":map[string]interface {}{"allowEmptyServices":true, "allowExternalNameServices":false, "disableIngressClassLookup":false, "enabled":false, 
"namespaces":[]interface {}{}, "nativeLBByDefault":false, "publishedService":map[string]interface {}{"enabled":true, "pathOverride":""}, "strictPrefixMatching":false}, "kubernetesIngressNginx":map[string]interface {}{"certAuthFilePath":"", "controllerClass":"k8s.io/ingress-nginx", "defaultBackendService":"", "disableSvcExternalName":false, "enabled":false, "endpoint":"", "ingressClass":"nginx", "ingressClassByName":false, "publishService":map[string]interface {}{"enabled":false, "pathOverride":""}, "publishStatusAddress":"", "throttleDuration":"", "token":"", "watchIngressWithoutClass":false, "watchNamespace":"", "watchNamespaceSelector":""}}, "rbac":map[string]interface {}{"aggregateTo":[]interface {}{}, "enabled":true, "namespaced":false, "secretResourceNames":[]interface {}{}}, "readinessProbe":map[string]interface {}{"failureThreshold":1, "initialDelaySeconds":2, "periodSeconds":10, "successThreshold":1, "timeoutSeconds":2}, "resources":map[string]interface {}{}, "securityContext":map[string]interface {}{"allowPrivilegeEscalation":false, "capabilities":map[string]interface {}{"drop":[]interface {}{"ALL"}}, "readOnlyRootFilesystem":true}, "service":map[string]interface {}{"additionalServices":map[string]interface {}{}, "annotations":map[string]interface {}{}, "annotationsTCP":map[string]interface {}{}, "annotationsUDP":map[string]interface {}{}, "enabled":true, "externalIPs":[]interface {}{}, "labels":map[string]interface {}{}, "loadBalancerSourceRanges":[]interface {}{}, "single":true, "spec":map[string]interface {}{}, "type":"LoadBalancer"}, "serviceAccount":map[string]interface {}{"name":""}, "serviceAccountAnnotations":map[string]interface {}{}, "startupProbe":map[string]interface {}{}, "tlsOptions":map[string]interface {}{}, "tlsStore":map[string]interface {}{}, "tolerations":[]interface {}{}, "topologySpreadConstraints":[]interface {}{}, "tracing":map[string]interface {}{"addInternals":false, "capturedRequestHeaders":[]interface {}{}, 
"capturedResponseHeaders":[]interface {}{}, "otlp":map[string]interface {}{"enabled":false, "grpc":map[string]interface {}{"enabled":false, "endpoint":"", "insecure":false, "tls":map[string]interface {}{"ca":"", "cert":"", "insecureSkipVerify":false, "key":""}}, "http":map[string]interface {}{"enabled":false, "endpoint":"", "headers":map[string]interface {}{}, "tls":map[string]interface {}{"ca":"", "cert":"", "insecureSkipVerify":false, "key":""}}}, "resourceAttributes":map[string]interface {}{}, "safeQueryParams":[]interface {}{}}, "updateStrategy":map[string]interface {}{"rollingUpdate":map[string]interface {}{"maxSurge":1, "maxUnavailable":0}, "type":"RollingUpdate"}, "versionOverride":"", "volumes":[]interface {}{}}}}: yaml: line 756: could not find expected ':'
These are my values:
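---
# Flux HelmRelease that installs the Traefik chart as release "traefik"
# in the traefik namespace. Nesting restored to match the structure printed
# in the kustomize error dump (chart/install/interval/maxHistory/releaseName/
# values all sit under spec).
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: traefik
  namespace: traefik
spec:
  releaseName: traefik
  chart:
    spec:
      chart: traefik
      # Exact version pin: the chart only changes through an explicit edit here.
      version: 38.0.2
      sourceRef:
        # Cross-namespace reference to the HelmRepository in flux-system.
        kind: HelmRepository
        name: traefik
        namespace: flux-system
  maxHistory: 3
  interval: 5m
  install:
    remediation:
      retries: 3
  values:
    # Default traefik chart values go here
    # NOTE(review): the error dump suggests the chart's whole default
    # values.yaml was pasted under this key. Values set here override the
    # chart's defaults, so a copied default stays frozen even if a later chart
    # version changes it (securityContext, exposed ports, image tags, ...).
    # Listing only the keys you actually change keeps upstream defaults live
    # and keeps templated strings such as the `{{ template ... }}` value seen
    # in the dump out of the kustomize round-trip. Whether that string is what
    # fails at "line 756" is not confirmed by anything shown here.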
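---
# Flux Kustomization that applies one inline patch to the traefik HelmRelease.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: traefik-chart
  namespace: flux-system
spec:
  # NOTE(review): only `patches` is shown. A Flux Kustomization also needs
  # interval, prune and sourceRef; presumably they were trimmed from this
  # excerpt. Confirm against the real file.
  patches:
    - target:
        kind: HelmRelease
        name: traefik
        namespace: traefik
      # The block scalar is passed to kustomize as a patch document of its
      # own, so the text inside it must be correctly indented YAML. Keep the
      # patch to the keys being changed.
      patch: |-
        apiVersion: helm.toolkit.fluxcd.io/v2
        kind: HelmRelease
        metadata:
          name: traefik
          namespace: traefik
        spec:
          chart:
            spec:
              version: 38.0.2
          values:
            deployment:
              replicas: 2 # Trying to patch a simple value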
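---
# Helm repository source that the HelmRelease's chart.spec.sourceRef refers to.
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: traefik
  namespace: flux-system
spec:
  # How often Flux re-fetches the repository index.
  interval: 10m
  # The index and charts are fetched over HTTPS. As shown, chart integrity
  # rests on TLS to this host plus the exact version pin in the HelmRelease;
  # no signature verification is configured in this manifest.
  url: https://traefik.github.io/charts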