Hello,
it seems Traefik v3.0.0 does not honor any custom root CA.
I'm using the Traefik Helm chart version 28.0.0 with appVersion: v3.0.0 and Kubernetes 1.30.0.
Here is the relevant part related to the setup of the root CA:
```yaml
apiVersion: v1
kind: Pod
metadata:
spec:
  volumes:
    - name: traefik-root-ca
      secret:
        secretName: traefik-root-ca
        defaultMode: 420
    - name: kube-api-access-ctwtl
      projected:
        sources:
          - configMap:
              name: kube-root-ca.crt
              items:
                - key: ca.crt
                  path: ca.crt
  containers:
    - name: traefik
      image: docker.io/traefik:v3.0.0
      args:
        - '--serverstransport.insecureskipverify=true'
        - '--serverstransport.rootcas=/certs/traefik-root-ca/ca.crt'
      volumeMounts:
        - name: traefik-root-ca
          readOnly: true
          mountPath: /certs/traefik-root-ca
---
apiVersion: v1
kind: Secret
metadata:
  name: traefik-root-ca
  namespace: traefik
data:
  ca.crt: >-
    LS0tLS1CRU+REDACTED+
type: Opaque
```
It seems the rootCA file is mounted in the correct location (/certs/traefik-root-ca/ca.crt), but it is not read.
The app refuses to connect to any backend for which a correct certificate has been generated.
The only way to make it work is to add the --serverstransport.insecureskipverify=true argument when launching the application.
Thanks,
Fabio
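
An added diagnostic example, not part of the original post and not Traefik's own code: Traefik is a Go program, so Go's `crypto/x509` can be used to check whether a CA bundle parses as PEM and whether it validates a backend certificate for the name or IP being dialed. `CheckBackend` and `NewCert` are hypothetical helpers, and the certificates and host names are constructed in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckBackend verifies leaf against ONLY the CAs in caPEM, for the host name
// or IP the proxy dials. Hypothetical helper, not a Traefik API.
func CheckBackend(caPEM []byte, leaf *x509.Certificate, serverName string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("CA file contains no parsable PEM certificate")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: serverName})
	return err
}

// NewCert builds a constructed sample cert (errors ignored); nil parent self-signs a CA.
func NewCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA:         parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}

func main() {
	caPEM, ca, caKey := NewCert("constructed-ca", nil, nil)
	_, leaf, _ := NewCert("backend.example.internal", ca, caKey)
	fmt.Println(CheckBackend(caPEM, leaf, "backend.example.internal")) // chain and name match
	fmt.Println(CheckBackend(caPEM, leaf, "10.0.0.5"))                 // dialed by IP, no IP SAN
}
```

Against a real deployment, `caPEM` would be the contents of the mounted `ca.crt` and `leaf` the first peer certificate presented by the backend.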