Goals + Recap

  • Last we heard, our intrepid explorer was at an impasse on how to do wildcard certificates for his apps. There is no golden path to follow à la Funky Penguin, because there is no direct cert-manager DNS-challenge solver for Porkbun. The alternatives then are to get a bit more complex and bring Vault into the mix or …
  • Simplify and do some shell script / cron job / kubeseal / kubectl hackery: get the certificates Lego already generates into my cluster and use them as the default Traefik certificate. Think this is what I’ll do.
  • What about internal TLS traffic between apps using cert-manager? I have none currently, so that can wait until I come to that bridge.

The Big Plan

  • The plan is to redo the cluster again and do my own instance of
    • K3s
    • Sealed Secrets
    • cert-manager
    • Let's Encrypt (using pre-existing certs)
    • Get Traefik Ingress to work
  • And once that is done, do kanboard again
  • Begin by moving (lifting and shifting in popular parlance) Kanboard to the cluster
    • Cert will probably be needed
    • Learn how to configure an app with code
    • Figure out secrets, if there are any (for now sealed secrets ok, figure out vault and vault injection later)
    • Learn how to tunnel through and reverse proxy
    • Learn how to store data and back it up
  • Move Miniflux next, followed by Hedgedoc

2025-12-01 09:55

  • Starting slow, today
  • 2025-12-01 10:30: Figuring out Traefik basics
  • 2025-12-01 10:35: Tea Break
  • 2025-12-01 10:55: Back
  • 2025-12-01 11:28: Ok manually got the certs over from the other machine, created a tls secret with kubectl, converted it into a sealed-secret with kubeseal and pushed it to the git repo. Et voilà! I have it as a secret in my cluster barely a minute later! Thank you flux!
  • Trying to figure out how to replicate my secrets clusterwide now
  • 2025-12-01 11:54: Decided not to do it. If I run into such a need, I shall later
  • 2025-12-01 12:15: Getting into the swing of creating a primitive, committing to git and then watching flux create it live and then fix my mistakes and then iterate. This is fun!
  • 2025-12-01 12:30: Also getting confident enough to write stuff and push knowing Flux will handle the rest.
  • Need to remember to later change these frequent intervals to something reasonable. If I need something right now, I can always manually trigger stuff
  • 2025-12-01 13:05: Off to lunch
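The 11:28 entry above compresses several steps into one sentence (copy the Lego cert over, make a TLS Secret, seal it, commit it for Flux), and the plan section wants that cert to become Traefik's default certificate. Below is an added example of that pipeline as one script; it is not the post's own script. Everything it relies on is an assumption, not something the post states: Lego's default output layout (`$LEGO_DIR/certificates/_.example.org.crt` for `*.example.org`, since Lego swaps `*` for `_` in file names), a Sealed Secrets controller named `sealed-secrets-controller` in `kube-system`, Traefik running in a `traefik` namespace, and the placeholder domain `example.org`.

```shell
#!/usr/bin/env bash
# Added example, not the post's own script. It wires together the steps from the
# 11:28 entry: take the cert/key Lego already issued, build a kubernetes.io/tls
# Secret client-side, seal it with kubeseal so it can be committed for Flux, and
# emit the Traefik TLSStore that makes it the default certificate.
# Assumptions (none are stated in the post): Lego's default output layout under
# $LEGO_DIR/certificates, a controller called "sealed-secrets-controller" in
# kube-system, Traefik in namespace "traefik", placeholder domain example.org.
set -eu

LEGO_DIR="${LEGO_DIR:-$HOME/.lego}"
WILDCARD="${WILDCARD:-*.example.org}"      # placeholder, assumed
NAMESPACE="${NAMESPACE:-traefik}"          # assumed Traefik namespace
SECRET_NAME="${SECRET_NAME:-wildcard-tls}" # assumed Secret name

# Lego cannot put "*" in a file name, so it stores *.example.org as
# _.example.org.crt / _.example.org.key (assumed; check your own directory).
lego_basename() {
  printf '%s\n' "$1" | sed 's/\*/_/g'
}

# Refuse to ship a certificate that has already expired or that does not carry
# the wildcard SAN; returns non-zero in either case. grep is run without -q so
# it drains openssl's output and openssl never sees a closed pipe.
cert_covers_wildcard() {
  crt="$1"; wildcard="$2"
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || return 1
  openssl x509 -in "$crt" -noout -text | grep -F -- "DNS:${wildcard}" >/dev/null
}

# Build the plain Secret without contacting the API server (--dry-run=client)
# and pipe it straight into kubeseal, so the private key only ever exists
# unencrypted on this machine and never in the git repo. kubeseal encrypts the
# data fields with the controller's public key; only that controller can
# decrypt them, which is what makes the output safe to commit.
seal_tls_secret() {
  base="$(lego_basename "$WILDCARD")"
  crt="$LEGO_DIR/certificates/$base.crt"
  key="$LEGO_DIR/certificates/$base.key"
  cert_covers_wildcard "$crt" "$WILDCARD"
  kubectl create secret tls "$SECRET_NAME" \
      --namespace "$NAMESPACE" \
      --cert="$crt" --key="$key" \
      --dry-run=client -o yaml |
  kubeseal --controller-namespace kube-system \
           --controller-name sealed-secrets-controller \
           --format yaml
}

# Traefik only honours a TLSStore named "default"; it serves this certificate
# on every HTTPS entrypoint that has no better SNI match, which is what the
# plan calls "the default Traefik certificate".
render_tlsstore() {
  ns="$1"; secret="$2"
  cat <<EOF
apiVersion: traefik.io/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: $ns
spec:
  defaultCertificate:
    secretName: $secret
EOF
}

# Only touch the cluster when explicitly asked, so the file can be sourced for
# its functions without side effects.
if [ "${1:-}" = "seal" ]; then
  seal_tls_secret > "sealed-${SECRET_NAME}.yaml"
  render_tlsstore "$NAMESPACE" "$SECRET_NAME" > tlsstore.yaml
  echo "wrote sealed-${SECRET_NAME}.yaml and tlsstore.yaml; commit both for Flux"
fi
```

Two caveats worth keeping in mind. First, kubeseal's default (strict) scope binds the encrypted blob to the Secret's exact name and namespace, so the SealedSecret only decrypts to `wildcard-tls` in `traefik`; reusing one sealed blob across namespaces (the "replicate clusterwide" idea from 11:54) would need `--scope namespace-wide` or `--scope cluster-wide`, at the cost of letting the controller decrypt it for any namespace. Second, the `traefik.io/v1alpha1` API group is Traefik v3; if your K3s still ships Traefik 2.x, the TLSStore is `traefik.containo.us/v1alpha1` instead, and a wrong group is a quiet way for the wildcard cert to be "not taken".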

2025-12-01 13:25

  • Back. Continuing with Traefik. There seems to be some hiccough with the default values I provided
  • 2025-12-01 14:00: Botched my podinfo deploy. Flux is not fixing it. Troubleshooting in progress
  • 2025-12-01 14:10: Got podinfo working; there is something wrong with my values. Commenting them all out did the trick. Trying it one more time.
  • 2025-12-01 14:15: Attempting a manual deletion of podinfo. Hoping to get it back via flux
  • 2025-12-01 14:22: Got it working. Figured out the offending bits in the values.yaml
  • 2025-12-01 14:24: Also getting fluent-er with the limited subset of flux / kubectl commands I am learning
  • 2025-12-01 14:38: Accessed podinfo from outside! Basically means the network works! Not available over SSL. Need to check why. That can wait until tomorrow. Done with K3s for the day

2025-12-01 15:15

  • Doing some NMC work
  • 2025-12-01 15:30: Done for the day. Will do tea, walk, some French and then bed
  • Tomorrow, redo Traefik and figure out why it is not taking my wildcard cert


Feedback on this post?
Mail me at feedback at this domain.