We are trying to enable and use a TLS configuration with a secret inside a Traefik IngressRoute CRD, but the secret is never found, even though it really exists.
The error remains the same: the secret is not found, but the secret is really present in the same namespace:
{"level":"error","providerName":"kubernetescrd","ingress":"health-ingress","namespace":"traefik","error":"secret traefik/tls-secret does not exist","time":"2025-05-06T15:11:11Z","message":"Error configuring TLS"}
So many posts opened on Stack Overflow, GitHub, ... and no solution really works.
Please note that if I disable TLS, the service returns a correct 200 OK answer.
Let's share our configuration:
image:
  repository: traefik
  tag: '3.3.2'
deployment:
  enabled: true
  kind: Deployment
  replicas: 2
ingressRoute:
  dashboard:
    enabled: true
    entryPoints: ["internal","external","traefik"]
providers:
  kubernetesCRD:
    enabled: true
  kubernetesIngress:
    enabled: true
  kubernetesGateway:
    enabled: false
ingressClass:
  enabled: true
  isDefaultClass: true
additionalArguments:
  - --entryPoints.internal.forwardedHeaders.trustedips=xx.xx.xx.xx/24
  - --entryPoints.internal.transport.respondingTimeouts.readTimeout=40
  - --entryPoints.internal.transport.respondingTimeouts.writeTimeout=40
  - --entryPoints.internal.transport.respondingTimeouts.idleTimeout=40
  - --entryPoints.external.forwardedHeaders.trustedips=xx.xx.xx.xx/24
  - --entryPoints.external.transport.respondingTimeouts.readTimeout=40
  - --api.insecure=false
ports:
  traefik:
    port: 9000
    expose:
      default: true
    exposedPort: 9000
    protocol: TCP
  external:
    port: 8000
    expose:
      default: true
    exposedPort: 80
    protocol: TCP
    nodePort: 32180
  internal:
    port: 8443
    expose:
      default: true
    exposedPort: 443
    protocol: TCP
    nodePort: 32080
  web: null
  websecure: null
  metrics:
    port: 9100
    expose:
      default: false
    exposedPort: 9100
    protocol: TCP
service:
  enabled: true
  type: NodePort
rbac:
  enabled: true
  namespaced: false
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: health-ingress
  namespace: traefik
spec:
  entryPoints:
    - internal
    - external
    - traefik
  routes:
    - kind: Rule
      match: Host(`test.mydomain.com`) && PathPrefix(`/mypath`)
      services:
        - kind: Service
          name: my-service
          port: 80
          namespace: traefik
  tls:
    secretName: tls-secret
Certificates are created like this:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=test.mydomain.com"
Certificate seems ok.
-----BEGIN PRIVATE KEY-----
MIIEvwIBADAN....
-----END PRIVATE KEY-----
kubectl create secret tls --namespace=traefik tls-secret --key=tls.key --cert=tls.crt
Result of `kubectl -n traefik get secret tls-secret -o yaml`:
apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTi...
  tls.key: LS0tLS1CRUdJTiBQUklWQVRF...
kind: Secret
metadata:
  creationTimestamp: "2025-05-06T15:11:20Z"
  name: tls-secret
  namespace: traefik
  resourceVersion: "246132191"
  uid: e57b99e2-2c1b-4e07-bf20-ed0b767ee2ef
type: kubernetes.io/tls
I can find my certificate correctly with a base64 decode.
I also tried to deploy the IngressRoute resource before the secret (as suggested here), and also to do a rollout restart of the deployment or directly a new Helm release.
Secrets can be retrieved by the server via the current service account as well:
kubectl auth can-i get secrets --namespace=traefik --as=system:serviceaccount:traefik:traefik
-> yes
I tried to add TLSOption for testing purpose but tls is not configured:
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
name: default
namespace: traefik
spec:
defaultCertificate:
secretName: tls-secret
If someone have an idea...
EDIT: I was wondering if issue was coming from my certificate. So i set up cert-manager to create selfsigned certficate. The certificate is correctly created but the issue is persisting from ingressroute traefik. The secret is not found.
# https://cert-manager.io/docs/configuration/selfsigned/
# kubectl -n cert-manager get clusterissuer
# kubectl -n cert-manager apply -f cert-manager-cluster-issuer.yaml
# kubectl -n cert-manager delete -f cert-manager-cluster-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
  namespace: cert-manager
spec:
  selfSigned: {}
---
# https://cert-manager.io/docs/configuration/selfsigned/
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-selfsigned-ca
  namespace: traefik
spec:
  isCA: true
  commonName: my-selfsigned-ca
  secretName: cert-manager-issuer-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io
  #dnsNames:
  #  - xxxxxxx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: my-ca-issuer
spec:
  ca:
    # `ClusterIssuer` resource is not namespaced, so `secretName` is assumed to reference secret in `cert-manager` namespace.
    secretName: cert-manager-issuer-secret
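Added diagnostic example (not code from the post above, nor from Traefik or cert-manager): the script below takes the JSON that `kubectl get ingressroute ... -o json` and `kubectl get secret ... -o json` print and checks the things the Traefik CRD provider needs before it can serve a certificate from a Secret: that `tls.secretName` sits at `spec` level of the IngressRoute (a one-level indentation slip puts it under a route or service entry, where it is not read), that the Secret lives in the IngressRoute's own namespace (that is where the lookup behind "secret ns/name does not exist" happens), that the Secret is of type `kubernetes.io/tls`, and that `tls.crt` and `tls.key` decode to PEM blocks of the right kind. The function names `check_ingressroute_tls` and `load_manifests`, and the sample manifests with placeholder PEM bodies, are constructed for this example.

```python
"""Consistency check for a Traefik IngressRoute and the TLS Secret it references.

Added example, not code from the original post or from Traefik. Works on the JSON
that `kubectl get ... -o json` prints (single objects or a `kind: List`).
The manifests at the bottom are constructed for the example; the PEM bodies are
placeholders, not real key material.
"""
import base64
import json
import re
import sys
from typing import Dict, List

PEM_HEADER = re.compile(r"-----BEGIN ([A-Z ]+)-----")


def _check_pem(secret: Dict, key: str, expected_label: str) -> List[str]:
    """Decode data[key] and verify it is a PEM block whose label ends with expected_label."""
    raw = secret.get("data", {}).get(key)
    if raw is None:
        return [f"data.{key} is missing from the Secret"]
    try:
        pem = base64.b64decode(raw, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        return [f"data.{key} is not base64-encoded text: {exc}"]
    match = PEM_HEADER.match(pem.lstrip())
    if not match:
        return [f"data.{key} does not decode to a PEM block"]
    label = match.group(1)  # e.g. CERTIFICATE, PRIVATE KEY, RSA PRIVATE KEY
    if not label.endswith(expected_label):
        return [f"data.{key} is a '{label}' PEM block, expected a {expected_label}"]
    if f"-----END {label}-----" not in pem:
        return [f"data.{key} PEM block is truncated (no END line)"]
    return []


def check_ingressroute_tls(ingressroute: Dict, secrets: List[Dict]) -> List[str]:
    """Return human-readable findings; an empty list means the pair looks usable by Traefik."""
    findings: List[str] = []
    ir_ns = ingressroute.get("metadata", {}).get("namespace", "default")
    spec = ingressroute.get("spec", {})
    secret_name = spec.get("tls", {}).get("secretName")
    if not secret_name:
        findings.append("spec.tls.secretName is not set on the IngressRoute")
        # Common YAML indentation slip: 'tls' landed under a route or a service entry.
        for route in spec.get("routes", []):
            if "tls" in route:
                findings.append("'tls' is nested under spec.routes[]; Traefik reads it at spec.tls")
            for svc in route.get("services", []):
                if "tls" in svc:
                    findings.append("'tls' is nested under a route's services[]; Traefik reads it at spec.tls")
        return findings

    by_name = [s for s in secrets if s.get("metadata", {}).get("name") == secret_name]
    if not by_name:
        findings.append(f"no Secret named {secret_name!r} in the supplied manifests")
        return findings
    # The CRD provider resolves the secret in the IngressRoute's own namespace.
    in_ns = [s for s in by_name if s["metadata"].get("namespace", "default") == ir_ns]
    if not in_ns:
        elsewhere = sorted({s["metadata"].get("namespace", "default") for s in by_name})
        findings.append(
            f"Secret {secret_name!r} exists in {elsewhere} but the IngressRoute is in "
            f"{ir_ns!r}; the secret must live in the IngressRoute's own namespace"
        )
        return findings
    secret = in_ns[0]
    if secret.get("type") != "kubernetes.io/tls":
        findings.append(f"Secret type is {secret.get('type')!r}, expected 'kubernetes.io/tls'")
    findings += _check_pem(secret, "tls.crt", "CERTIFICATE")
    findings += _check_pem(secret, "tls.key", "PRIVATE KEY")
    return findings


def load_manifests(paths: List[str]) -> List[Dict]:
    """Load kubectl JSON output; unwrap `kind: List` so callers get a flat list of objects."""
    objs: List[Dict] = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
        objs.extend(doc["items"] if doc.get("kind") == "List" else [doc])
    return objs


# --- constructed sample manifests (placeholder PEM bodies, not real key material) ---
def _b64(text: str) -> str:
    return base64.b64encode(text.encode("ascii")).decode("ascii")

FAKE_CRT = "-----BEGIN CERTIFICATE-----\nMIIC0placeholder\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEvplaceholder\n-----END PRIVATE KEY-----\n"

def tls_secret(namespace: str, secret_type: str = "kubernetes.io/tls") -> Dict:
    return {"apiVersion": "v1", "kind": "Secret", "type": secret_type,
            "metadata": {"name": "tls-secret", "namespace": namespace},
            "data": {"tls.crt": _b64(FAKE_CRT), "tls.key": _b64(FAKE_KEY)}}

ROUTE = {"kind": "Rule", "match": "Host(`test.mydomain.com`) && PathPrefix(`/mypath`)",
         "services": [{"kind": "Service", "name": "my-service", "port": 80, "namespace": "traefik"}]}
GOOD_INGRESSROUTE = {"apiVersion": "traefik.io/v1alpha1", "kind": "IngressRoute",
                     "metadata": {"name": "health-ingress", "namespace": "traefik"},
                     "spec": {"entryPoints": ["internal"], "routes": [ROUTE],
                              "tls": {"secretName": "tls-secret"}}}
# Same route, but 'tls' indented one level too deep (under the service entry).
MISPLACED_TLS_INGRESSROUTE = json.loads(json.dumps(GOOD_INGRESSROUTE))
del MISPLACED_TLS_INGRESSROUTE["spec"]["tls"]
MISPLACED_TLS_INGRESSROUTE["spec"]["routes"][0]["services"][0]["tls"] = {"secretName": "tls-secret"}

if __name__ == "__main__":
    if len(sys.argv) > 2:  # usage: script.py ingressroute.json secrets.json [...]
        ir = load_manifests([sys.argv[1]])[0]
        secrets = [o for o in load_manifests(sys.argv[2:]) if o.get("kind") == "Secret"]
    else:  # demo: a correct IngressRoute whose Secret was created in the wrong namespace
        ir, secrets = GOOD_INGRESSROUTE, [tls_secret("default")]
    for line in check_ingressroute_tls(ir, secrets) or ["OK: Secret and IngressRoute are consistent"]:
        print(line)
```

To run it against a live cluster, dump the objects first (`kubectl -n traefik get ingressroute health-ingress -o json > ir.json` and `kubectl get secret -A -o json > secrets.json`) and pass both files; the `-A` dump is deliberate, so that a Secret created in a neighbouring namespace is reported as such instead of as missing. The script only checks shape and placement; whether the certificate's subject matches the `Host()` rule is a separate `openssl x509 -noout -text` check.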