Traefik Kubernetes with persistent volume for ssl and initContainer

Hi,

I'm trying to implement SSL certs on a persistent volume in Traefik (it is installed in the traefik namespace).
After adding the persistence, I get the following error:
"unable to get ACME account: open /ssl-certs/acme-cloudflare.json: permission denied"

I tried to enable an initContainer for managing the certs permissions, but it keeps staying in the "Back-off restarting failed container" state.

Pertinent values.yaml parts:

deployment:
  additionalContainers: []
  additionalVolumes: []
  annotations: {}
  enabled: true
  imagePullSecrets: []
  initContainers:
    - name: volume-permissions
      image: busybox:1.31.1
      command: ["sh", "-c", "chmod -Rv 600 /ssl-certs/*"]
      volumeMounts:
        - name: ssl-certs
          mountPath: /ssl-certs
  kind: Deployment
  labels: {}
  minReadySeconds: 0
  podAnnotations: {}
  podLabels: {}
  replicas: 1
  shareProcessNamespace: true
  terminationGracePeriodSeconds: 60

persistence:
  accessMode: ReadWriteMany
  annotations: {}
  enabled: true
  name: ssl-certs
  path: /ssl-certs
  size: 128Mi
  existingClaim: traefik-ssl-claim

How can I properly set the initContainer to run?
Thanks,
Nicola

Have you tried a describe on the deployment, or events to see if it offers you more info on what the underlying error is?

Does your certs file already exist? One issue I had encountered previously was that the file does not initially exist within the volume and so the chmod command fails. See k3s-traefik-v2-kubernetes-crd/005-deployment.yaml at master · sleighzy/k3s-traefik-v2-kubernetes-crd · GitHub for a solution to this.

Hi,

Sorry for being late. I don't remember whether it was due to a permission problem on the shared Gluster cluster I was using for PVs or something else, but I was able to run it without the init pod without any flaws, so I kept it without the init pod.
I will try your solution, thank you very much!

I will leave it here in case someone has the same issue (like I had). According to this: acme resolver not working with persistence enabled · Issue #396 · traefik/traefik-helm-chart · GitHub, the solution is:

  command: 
    [
      "sh",
      "-c",
      "touch /data/acme.json; chown 65532 /data/acme.json; chmod -v 600 /data/acme.json",
    ]
  securityContext:
    runAsNonRoot: false
    runAsGroup: 0
    runAsUser: 0

Here you create the file as the root user, and change the ownership to 65532 after that.

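Putting the first post's values.yaml and the fix from Issue #396 together, here is a complete initContainer block for the chart's values.yaml; this is an added example, not taken from any post in this thread. It assumes the persistence path /ssl-certs and the file name acme-cloudflare.json from the first post, and that 65532 is the UID the Traefik container runs as under the chart's default securityContext.

```yaml
deployment:
  initContainers:
    # Runs before the Traefik container. The file is created first so that
    # chown/chmod never operate on a missing path (the glob in the first
    # post fails on an empty volume), then it is handed to the unprivileged
    # UID that Traefik runs as. Paths and UID are assumptions, see lead-in.
    - name: volume-permissions
      image: busybox:1.31.1
      command:
        - sh
        - -c
        - |
          set -e
          touch /ssl-certs/acme-cloudflare.json
          chown 65532 /ssl-certs/acme-cloudflare.json
          chmod -v 600 /ssl-certs/acme-cloudflare.json
      # Only this init container runs as root; the Traefik container itself
      # keeps the chart's default non-root securityContext.
      securityContext:
        runAsNonRoot: false
        runAsUser: 0
        runAsGroup: 0
      volumeMounts:
        - name: ssl-certs
          mountPath: /ssl-certs

persistence:
  enabled: true
  name: ssl-certs
  path: /ssl-certs
  size: 128Mi
  existingClaim: traefik-ssl-claim
```

Traefik refuses to use an ACME storage file whose mode is more permissive than 600, so the chmod is required in addition to the chown; `kubectl logs <pod> -c volume-permissions` shows the verbose chmod output if the init container still fails.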