Goals + Recap

  • I crashed Traefik at the end of the day yesterday. At least that shows me what’ll happen when stuff crashes in my cluster and how good a job I’ve done with setting things up. This is the first order of the day today.
  • Stand Traefik back up and figure out how to get it to accept my wildcard cert
  • Yesterday I learned that an “ingress” and an “ingressRule” were two different beasts. Ingress is a Kubernetes native thing and IngressRule is a Traefik definition. I could use either, but better to do IngressRules for now. Go all in on Traefik.
  • Pat on the back for setting up my Haproxy well enough that network routing from the outside to the cluster worked without a hitch! (2025-12-02 11:09: Spoke too soon. Local sites on the network are borked 😂)

The Big Plan

  • The plan is to redo the cluster again and do my own instance of
    • K3s
    • Sealed Secrets
    • Certmanager
    • Letsencrypt (using pre existing certs)
    • Get Traefik Ingress to work
    • Figure out a way to get certs automatically into the cluster
  • And once that is done, figure out an app to move (Miniflux or Hedgedoc?)
  • Begin by moving (lifting and shifting in popular parlance) Kanboard to the cluster
    • Cert will probably be needed (Wildcard cert works now, just like it does without the cluster)
    • Learn how to configure an app with code
    • Learn how to store data and back it up
    • Figure out secrets, if there are any (for now sealed secrets ok, figure out vault and vault injection later)
    • Learn how to tunnel through and reverse proxy (Traefik does this natively)
    • Figure out other apps later

2025-12-02 08:30

  • Fixed the bloody traefik cert issue. Classic case of fat fingers and I didn’t know any better. At least this will teach me to always check my yaml indentation.
    I did:
1 tlsStore:
2   default:
3     defaultCertificate:
4     secretName:  letsencrypt-cert

instead of the actual (Line 4’s indentation is fixed):

1 tlsStore:
2   default:
3     defaultCertificate:
4       secretName: letsencrypt-cert
  • 2025-12-02 09:44: Figured out a way to get my remote certs into my machine.
    Dumped the commands into a bash script. Here’s the command for the cert. I have to do the same with the key.
ssh user@certificate-host 'sudo cat /path/to/certificates/wildcard.crt' > \
/local/directory/certificates/wildcard.crt

Since the key and the cert are protected files and I don’t want to mess with remote file permissions, I just cat each file with sudo access and then dump the contents into a local file.

  • 2025-12-02 09:49: Tea break

2025-12-02 10:20

  • Back, now to scribble another script to update the wildcard sealed secret
  • 2025-12-02 11:15: I wrote about borking my Haproxy. No it wasn’t. It was just a caching issue. All is fine! Claps all around 👏
  • 2025-12-02 11:17: Think I got the cert thing working. Now to put them into cron
  • 2025-12-02 11:18: Trying to force flux to update the secret to see if it works
  • 2025-12-02 12:06: Does not seem to make a difference. Will see when the cert changes itself.
  • 2025-12-02 12:07: Client Meeting
  • 2025-12-02 13:57: Lunch

2025-12-02 14:25

  • 2025-12-02 14:46: Ok scripts in place. One script gets certs into the local node. The other creates a sealed secret and commits it to git
  • 2025-12-02 16:20: Client meeting
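One way to wire the `ssh ... sudo cat` fetch from above and the "create a sealed secret and commit it to git" step into a single script. This is an added example, not the author's own scripts; the host, directories, secret name, namespace and repo path are placeholders, and it adds a cert/key match check before anything is sealed:

```shell
#!/usr/bin/env sh
# Added example, not the author's scripts. Assumed placeholders: CERT_HOST,
# REMOTE_CERT_DIR, LOCAL_CERT_DIR, SECRET_NAME, SECRET_NS, GIT_REPO.
set -eu
CERT_HOST="${CERT_HOST:-user@certificate-host}"
REMOTE_CERT_DIR="${REMOTE_CERT_DIR:-/path/to/certificates}"
LOCAL_CERT_DIR="${LOCAL_CERT_DIR:-/local/directory/certificates}"
SECRET_NAME="${SECRET_NAME:-letsencrypt-cert}"
SECRET_NS="${SECRET_NS:-default}"
GIT_REPO="${GIT_REPO:-.}"

# Read one protected file with sudo on the remote side and write it locally
# under umask 077 so the private key is never group/world readable.
fetch_remote_file() {                 # fetch_remote_file <file-name>
  ( umask 077
    ssh "$CERT_HOST" "sudo cat '$REMOTE_CERT_DIR/$1'" > "$LOCAL_CERT_DIR/$1" )
}

# Fail unless the cert's public key equals the key's public key (SPKI PEM),
# which catches a half-rotated pair before it is sealed and committed.
cert_matches_key() {                  # cert_matches_key <crt> <key>
  c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Emit a kubernetes.io/tls Secret manifest (base64 without line wraps).
build_tls_secret() {                  # build_tls_secret <name> <ns> <crt> <key>
  crt_b64=$(base64 < "$3" | tr -d '\n')
  key_b64=$(base64 < "$4" | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$1" "$2"
  printf 'type: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' "$crt_b64" "$key_b64"
}

# Seal with the controller's public key; only the sealed manifest touches git.
seal_and_commit() {                   # seal_and_commit <path-relative-to-repo>
  build_tls_secret "$SECRET_NAME" "$SECRET_NS" \
      "$LOCAL_CERT_DIR/wildcard.crt" "$LOCAL_CERT_DIR/wildcard.key" \
    | kubeseal --format yaml > "$GIT_REPO/$1"
  git -C "$GIT_REPO" add "$1"
  git -C "$GIT_REPO" commit -qm "Update sealed secret $SECRET_NAME" || true
}

# Only run the pipeline when asked, so the file can also be sourced.
if [ "${RUN_CERT_SYNC:-0}" = 1 ]; then
  fetch_remote_file wildcard.crt
  fetch_remote_file wildcard.key
  cert_matches_key "$LOCAL_CERT_DIR/wildcard.crt" "$LOCAL_CERT_DIR/wildcard.key"
  seal_and_commit "sealed-$SECRET_NAME.yaml"
fi
```

Run it from cron as `RUN_CERT_SYNC=1 sh cert-sync.sh`; without that variable the file only defines the functions, so a mismatch or a failed fetch stops before anything is committed.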

2025-12-02 18:48

  • Trying to get some work done now!
  • 2025-12-02 19:25: Kanboard does not seem to be Kubernetes ready. Will need one of my apps that is compatible with what I have done so far, so I can see if it all works. Maybe Miniflux or Hedgedoc if they have ready made helm charts. Converting one of the other apps to a kubernetes deployment is something to tackle later
  • 2025-12-02 20:10: Ok nothing is available. I’ll just have to go do it myself. Will write straight deployments and use flux to reconcile them. That seems to be the most straightforward approach. I need automatic upgrades and that Flux can do with its annotations and ImageRepository/ImageUpdateAutomation stuff. Time for bed.

Feedback on this post?
Mail me at feedback at this domain.