Various - Persistant Volumes, Namespace issues

boomam · May 15, 2022, 8:04pm

Hi,
I'm trying to do a test deployment of Traefik on a K3s install (traefik was disabled on initial cluster init so i can build from scratch).

I'm having two main issues right now -

If i deploy to a custom namespace (in this case, called 'traefik'), i get the following error -

 INSTALLATION FAILED: rendered manifests contain a resource that already exists. 
Unable to continue with install: ClusterRole "traefik" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-namespace" must equal "traefik": current value is "default"

But if i deploy without "--namespace", it works fine.
Equally, if i change the namespace context to the correct namespace, and then deploy without --namespace again, it still generates the same error.

If i update the persistant storage section of the values.yaml to as below, in an effort for the persistant storage to use an NFS storage class, it just flat out ignores the config.

- --certificatesresolvers.cloudflare.acme.storage=/ssl-certs/acme-cloudflare.json
.....
# Persistent Storage
persistence:
  enabled: true
  name: ssl-certs
  accessMode: ReadWriteOnce
  size: 1Gi
  storageClass: nfs-client
  path: /ssl-certs

Is anyone able to advise on either of these?

Thanks in advance!

jakubhajek · May 18, 2022, 10:57am

boomam:

If i deploy to a custom namespace (in this case, called 'traefik'), i get the following error -

 INSTALLATION FAILED: rendered manifests contain a resource that already exists. 
Unable to continue with install: ClusterRole "traefik" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-namespace" must equal "traefik": current value is "default"

Before installing Traefik in a new namespace, can you please ensure if the cluster role "traefik" already exists? If so, you can try to delete it and try once again.

boomam:

- --certificatesresolvers.cloudflare.acme.storage=/ssl-certs/acme-cloudflare.json
.....
# Persistent Storage
persistence:
  enabled: true
  name: ssl-certs
  accessMode: ReadWriteOnce
  size: 1Gi
  storageClass: nfs-client
  path: /ssl-certs

can you please share the entire values configuration file as well as the Helm command you try to deploy Traefik?

Thank you,

boomam · May 18, 2022, 11:20am

Hi,
RE: Cluster role
No, none exists - between each attempt I'm removing everything Traefik from the cluster, including that role.

RE: Values of config file -

additionalArguments:
# DNS Challenge
# ---
Cloudflare Example:
  - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
  - --certificatesresolvers.cloudflare.acme.email=email@email.com
  - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1
  - --certificatesresolvers.cloudflare.acme.storage=/ssl-certs/acme-cloudflare.json
#
# Generic (replace with your DNS provider):
#  - --certificatesresolvers.generic.acme.dnschallenge.provider=generic
#  - --certificatesresolvers.generic.acme.email=your-email@example.com
#  - --certificatesresolvers.generic.acme.storage=/ssl-certs/acme-generic.json

logs:
# Configure log settings here...
  general:
    level: ERROR

ports:
# Configure your entrypoints here...
  web:
    # (optional) Permanent Redirect to HTTPS
    redirectTo: websecure
  websecure:
    tls:
      enabled: true
      # (optional) Set a Default CertResolver
      certResolver: cloudflare
  traefik:
    port: 9000

env:
# Set your environment variables here...
# 
# DNS Challenge Credentials
# ---
# Cloudflare Example:
   - name: CF_API_EMAIL
     valueFrom:
       secretKeyRef:
         key: email
         name: cloudflare-credentials
   - name: CF_API_KEY
     valueFrom:
       secretKeyRef:
         key: apiKey
         name: cloudflare-credentials

# Disable Dashboard
ingressRoute:
  dashboard:
    enabled: true

# Persistent Storage
persistence:
  enabled: true
  name: ssl-certs
  accessMode: ReadWriteOnce
  size: 1Gi
  storageClass: nfs-client
  path: /ssl-certs

deployment:
  initContainers:
    # The "volume-permissions" init container is required if you run into permission issues.
    # Related issue: https://github.com/containous/traefik/issues/6972
    - name: volume-permissions
      image: busybox:1.31.1
      command: ["sh", "-c", "chmod -Rv 600 /ssl-certs/*"]
      volumeMounts:
        - name: ssl-certs
          mountPath: /ssl-certs
  replicas: 3
  labels:
    service: traefik
    type: reverse-proxy


# Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
ingressClass:
  enabled: true
  isDefaultClass: true

# Set Security Contexts
securityContext:
  capabilities:
    drop: [ALL]
  readOnlyRootFilesystem: true
  runAsGroup: 65532
  runAsNonRoot: true
  runAsUser: 65532

podSecurityContext:
  fsGroup: 65532

RE: Helm command:
helm install traefik traefik/traefik --namespace=traefik --values=traefik-chart-values.yaml

RE: Persistant storage
I know my nfs-pvc works, as it does with other containers, however the values file doesn't appear to have options that Traefik recognizes to tell it which PVC to use. I'm wondering if its easier to drop using Helm and just do it all with Kubectl instead...

Thanks!

boomam · May 29, 2022, 6:14pm

Anyone got any advice or ideas on this one?

Topic		Replies	Views
Traefik Ingress with persistent volume claim Traefik v2 kubernetes-ingress	0	1047	November 9, 2022
Clarification on storage (persistence/volumes) for Helm installs Traefik v2 file	0	1322	September 9, 2023
Error logged for non-existent tls certResolver across namespaces Traefik v2 kubernetes-crd	3	760	February 8, 2021
Traefik Kubernetes with persistent volume for ssl and initContainer Traefik v2 kubernetes-ingress	3	2280	September 21, 2023
Install mesh to GKE cluster with lnkerd Traefik Mesh	0	520	December 20, 2022

Various - Persistant Volumes, Namespace issues

Related topics