techno-tim / launchpad

A collection of quick starters for ansible, kubernetes, docker, linux, windows, and more. Great for HomeLabs!

Home Page: https://technotim.live

Languages: Dockerfile 50.49%, HTML 49.51%
Topics: ansible, homelab, playbooks, home-lab, playbook-ansible, youtube, technotim, docker, k3s, k8s

launchpad's People

Contributors

bakito, bladewdr, chaseddevelopment, christhepcgeek, codename-osni, ddivad195, dependabot[bot], emcniece, granddave, honeybeartech, lordcheeto, lrennard, solairen, supersweatyyeti, theeaglebyte, timothystewart6, tstechnologies, twistedgrim, vrapcan

launchpad's Issues

Behaviour of wildcard certificates (I guess)

Hey Tim.

I'm trying to create my own setup with your "Wildcard Certificates with Traefik + cert-manager" video and I think I found an interesting behavior.

As you describe, both Cloudflare and the configs have a wildcard DNS entry,
for example: *.example.com

Everything works fine with 1st degree subdomains like "a.example.com",
but it breaks when using multi-level subdomains like "a.b.example.com".

I spent hours trying to realize this. I would like to leave this painful experience as a note here; maybe you can consider adding it to your documentation.

(Don't worry, I know this is not related to you 😅)
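The behaviour reported above is the difference between DNS wildcards and certificate wildcards: a DNS wildcard record can answer for a.b.example.com, but TLS clients match certificate names per RFC 6125, where `*` stands for exactly one label, so a `*.example.com` certificate never covers a.b.example.com. The following Python is an added example (not code from the launchpad repo) that implements that matching rule and reports which hostnames a given list of SAN entries leaves uncovered, together with the wildcard SAN that would cover each; all hostnames in it are constructed.

```python
# Added example (not from the launchpad repo): why a *.example.com certificate
# covers a.example.com but not a.b.example.com. TLS clients match a
# certificate's DNS names per RFC 6125, where the wildcard stands for exactly
# one DNS label. DNS wildcards (RFC 4592) can still resolve a.b.example.com, so
# the name resolves while the certificate is rejected for it.


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match of one certificate DNS name (SAN entry) against a host.

    Case-insensitive, trailing dots ignored. A wildcard is honoured only as the
    whole left-most label and matches exactly one label: never zero, never several.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, sep, tail = pattern.partition(".")
    if head != "*" or not sep or "*" in tail:
        return False  # partial wildcards (f*.example.com) and a bare "*" are refused
    host_head, host_sep, host_tail = hostname.partition(".")
    return bool(host_sep) and host_head != "" and host_tail == tail


def certificate_covers(dns_names, hostname):
    """True if any SAN entry of the certificate matches the hostname."""
    return any(dns_name_matches(name, hostname) for name in dns_names)


def wildcard_for(hostname):
    """The single wildcard SAN that would cover this hostname, e.g. *.b.example.com."""
    parts = hostname.lower().rstrip(".").split(".", 1)
    return "*." + parts[1] if len(parts) == 2 else None


def uncovered_hosts(dns_names, hostnames):
    """Map each hostname the certificate does not cover to the SAN entry that would."""
    return {h: wildcard_for(h) for h in hostnames if not certificate_covers(dns_names, h)}


if __name__ == "__main__":
    # Constructed input: the SANs a Certificate for *.example.com typically carries
    sans = ["example.com", "*.example.com"]
    hosts = ["example.com", "a.example.com", "a.b.example.com", "A.Example.COM."]
    for h in hosts:
        print(f"{h:20} covered={certificate_covers(sans, h)}")
    print("needs:", uncovered_hosts(sans, hosts))
```

Run against the names from the post, `a.example.com` is covered and `a.b.example.com` is reported as needing a `*.b.example.com` entry, which is what the cert-manager Certificate's `dnsNames` list would have to gain.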

Prometheus yaml parsing error: "parsing YAML file /etc/prometheus/config_out/prometheus.env.yaml: empty duration string"

I ran into this issue while attempting to deploy kube-prometheus-stack as described here: https://www.youtube.com/watch?v=fzny5uUaAeY&t=1210s.

The specific error I got was: msg="Error loading config (--config.file=/etc/prometheus/config_out/prometheus.env.yaml)" file=/etc/prometheus/config_out/prometheus.env.yaml err="parsing YAML file /etc/prometheus/config_out/prometheus.env.yaml: empty duration string"

Per prometheus-operator/prometheus-operator#5197, the issue comes from needing to update the Prometheus operator CRDs.

Basically, the scrape and evaluation intervals are no longer defined as default values, so you need to add them. I resolved it by adding the following to the Prometheus section of the values.yaml file:
scrapeInterval: 30s
evaluationInterval: 30s

I.e. the easy solution seems to be to update the values.yaml; the other is to pull the latest CRDs.
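The quoted error comes from Prometheus refusing an empty string where it expects a duration. As an added example (not code from the launchpad repo or from kube-prometheus-stack), the Python below mirrors the duration grammar Prometheus accepts (`1h30m`, `30s`, `5ms`, `0`) and walks a values structure to report every duration field that would fail the same way, so the mistake is caught before the Helm release rolls out. The `prometheus.prometheusSpec` location of the sample values is an assumption; the values themselves are constructed.

```python
import re

# Added example (not code from the launchpad repo or kube-prometheus-stack):
# a validator for Prometheus duration strings, mirroring the grammar that
# Prometheus' model.ParseDuration accepts, used to find the empty
# scrapeInterval/evaluationInterval that produces "empty duration string".

_DURATION_RE = re.compile(
    r"^(?:(\d+)y)?(?:(\d+)w)?(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?(?:(\d+)ms)?$"
)
# milliseconds per unit, in the same order as the capture groups above
_UNIT_MS = (365 * 86_400_000, 7 * 86_400_000, 86_400_000, 3_600_000, 60_000, 1_000, 1)


def parse_duration(text):
    """Return the duration in milliseconds, or raise ValueError as Prometheus would."""
    if text == "":
        raise ValueError("empty duration string")
    if text == "0":
        return 0
    match = _DURATION_RE.match(text)
    if match is None or not any(match.groups()):
        raise ValueError(f"not a valid duration string: {text!r}")
    return sum(int(v) * ms for v, ms in zip(match.groups(), _UNIT_MS) if v)


# Fields of a Prometheus spec / Helm values that must parse as durations
DURATION_FIELDS = {"scrapeInterval", "scrapeTimeout", "evaluationInterval", "retention"}


def find_bad_durations(values, path=""):
    """Walk a nested values structure; return (path, error) for each bad duration field."""
    problems = []
    if isinstance(values, dict):
        for key, val in values.items():
            here = f"{path}.{key}" if path else key
            if key in DURATION_FIELDS:
                try:
                    parse_duration("" if val is None else str(val))
                except ValueError as err:
                    problems.append((here, str(err)))
            else:
                problems.extend(find_bad_durations(val, here))
    elif isinstance(values, list):
        for i, item in enumerate(values):
            problems.extend(find_bad_durations(item, f"{path}[{i}]"))
    return problems


if __name__ == "__main__":
    # Constructed values; the prometheus.prometheusSpec location is an assumption
    values = {"prometheus": {"prometheusSpec": {
        "scrapeInterval": "", "evaluationInterval": "30s", "retention": "10d"}}}
    for field, err in find_bad_durations(values):
        print(f"{field}: {err}")
```

Note that a bare number such as `30` is rejected too: Prometheus durations always carry a unit, and the only unitless value it accepts is `0`.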

Domain Port Forward

I have my domain example.com pointed to my router. I pointed my ports 80 and 443 to the LoadBalancer IP:

service:
  enabled: true
  type: LoadBalancer
  annotations: {}
  labels: {}
  spec:
    loadBalancerIP: 192.168.178.89 # this should be an IP in the MetalLB range
  loadBalancerSourceRanges: []
  externalIPs: []

And when I run a curl:

$ curl 192.168.178.89                     
Moved Permanently%   

This is the result.

Because when I try to access traefik.example.com I get no result?

flux alerts config is missing required kustomization.yaml updates

Went through a bunch of pain trying to set up notifications based off of https://docs.technotim.live/posts/flux-devops-gitops/, and it turns out the discord-provider/alert files need to be added to the kustomization.yaml resources list for the alert to actually be picked up and created by Flux. I don't know if this is supposed to be obvious, but the docs / example should still probably have it.

Were you able to get alerts working without doing this?

refs:

Traefik ipwhitelist middleware not working

Hello,
I was following your "2 Factor Auth and Single Sign on with Authelia" video and I have an issue with the whitelist middleware on Traefik. For some reason it is not quite working.

Here is the section of the config.yml file. I'm not sure if you need some indentation on the IP field here.

default-whitelist:
      ipWhiteList:
        sourceRange:
        - "98.143.96.201/32" # you have it like this
          - "98.143.96.201/32" # I think it should be like this

It doesn't matter from what IP I try to connect, I always reach both traefik and portainer portals.

I even added these two lines to both docker-compose files (traefik and portainer) and recreated the containers, but nothing changed.

labels:
...
- "traefik.http.routers.traefik.middlewares=default-whitelist"
- "traefik.http.middlewares.default-whitelist.ipwhitelist.sourcerange=98.143.96.201/32"

Does the order of the lines matter? I tried at the end of the labels section, then right after you define the host and set the login credentials. It made no difference.

I also tried to add the middleware directly on an external service that I'm running, but nothing; it doesn't work. I can reach the site from any IP.
Here is a section of the config.yml file.

http:
  routers:
    rancher:
      entryPoints:
        - "https"
      rule: "Host(`rancher.example.com`)"
      middlewares:
        - authelia
        - default-headers
        - default-whitelist
      tls: {}
      service: rancher

Do we need both the labels and the middleware set? What else can I try to make it work?

Thanks.

Traefik Config update Proposal

Recently worked on a way to optimize the Traefik config/labels to reduce the amount of per-container config, which I thought might be a good idea:

traefik.yml would look like this (entryPoints):

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
  https:
    http:
      middlewares:
        - default-headers@file
    address: ":443"
    forwardedHeaders:
      insecure: true

This allows the default-headers to be truly default and apply globally. It also allows HTTP traffic to be redirected to HTTPS by default on the entry point, removing the need for it to be defined on a per-container basis.

A compose label section would go from:

    labels: 
      - "traefik.enable=true"
      - "traefik.http.routers.web.entrypoints=http"
      - "traefik.http.routers.web.rule=Host(`sub.domain.tld`)"
      - "traefik.http.middlewares.web-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.web.middlewares=web-https-redirect"
      - "traefik.http.routers.web-secure.entrypoints=https"
      - "traefik.http.routers.web-secure.rule=Host(`sub.domain.tld`)"
      - "traefik.http.routers.web-secure.tls=true"
      - "traefik.http.routers.web-secure.service=web"
      - "traefik.http.services.web.loadbalancer.server.port=3000"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.web.middlewares=sslheader@docker"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"

to:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.web.entrypoints=https"
      - "traefik.http.routers.web.rule=Host(`sub.domain.tld`)"
      - "traefik.http.routers.web.tls=true"
      - "traefik.http.routers.web.service=web"
      - "traefik.http.services.web.loadbalancer.server.port=3000"
      - "traefik.docker.network=proxy"

It will also allow for a clear way to demonstrate how to apply middlewares to an entryPoint for ones that you want to apply to all services, which took me a bit longer than I care to admit to figure out on my own.

Traefik-Dashboard 404

I used your setup many times now; it works great, but now I get a 404 in the Traefik dashboard. I set it up 4 times now, but I could not get it to work.

Traefik - wildcard on kubernetes

Hi Tim!

I have a problem with the ClusterIssuer. I can't work out why I'm still getting an error like this:

E1005 11:18:39.797876 1 controller.go:166] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="specified key "API token from Cloudflare" not found in secret cert-manager/cloudflare-token-secret" "key"="default/local-mysite-name-gks9v-1493540579-3817414012"

My config looks like this:

---
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  cloudflare-token: <API token Cloudflare >

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - dns01:
          cloudflare:
            email: [email protected]
            apiTokenSecretRef:
              name: cloudflare-token-secret
              key: <API token Cloudflare>
        selector:
          dnsZones:
            - "mysitename.com"

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
      - dns01:
          cloudflare:
            email: [email protected]
            apiTokenSecretRef:
              name: cloudflare-token-secret
              key: <API token Cloudflare>
        selector:
          dnsZones:
            - "mysitename.com"

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: local-mysitename-staging-cloud
  namespace: default
spec:
  secretName: local-mysitename-staging-tls
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: "*.local.mysitename.com"
  dnsNames:
  - "local.mysitename.com"
  - "*.local.mysitename.com"

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: local-mysitename
  namespace: default
spec:
  secretName: local-mysitename-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "*.local.mysitename.com"
  dnsNames:
  - "local.mysitename.com"
  - "*.local.mysitename.com"

Cert-manager traefik dashboard tls

Great video series. Definitely some fun stuff learned while migrating my Docker Swarm to Kubernetes.

In the file launchpad/kubernetes/traefik-cert-manager/traefik/dashboard/ingress.yaml, the TLS secret, which is now commented out, won't work because the certificate is generated in the default namespace while the IngressRoute defined for the dashboard is in the traefik namespace. I think you would need to either create some form of trust, duplication, or have this all in the default namespace. In the video I think you mentioned that having the certificate in the default namespace would make it available to all other services? Perhaps you meant that it would be available to all services in the default namespace? The nginx sample works fine because the whole example is defined in the default namespace, but you cannot access secrets between different namespaces without additional configuration.

If I am mistaken, please disregard.
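The two posts above are both Secret-reference problems, and both are visible from the manifests alone. In the wildcard post, the ClusterIssuer's `apiTokenSecretRef.key` names a key that does not exist in the Secret (the Secret's `stringData` key is `cloudflare-token`), which is exactly what the quoted cert-manager error says; a ClusterIssuer is cluster-scoped, so cert-manager looks the Secret up in its cluster-resource namespace (cert-manager by default). In the dashboard post, the IngressRoute in the traefik namespace names a Secret that a Certificate only creates in the default namespace. The Python below is an added example (not code from the launchpad repo, cert-manager or Traefik) that resolves both kinds of reference under those rules and reports the mismatches; the objects are constructed from the two posts, and the dashboard IngressRoute name is assumed.

```python
# Added example (not code from the launchpad repo, cert-manager or Traefik):
# resolve Secret references the way those two controllers do, to catch the two
# mistakes in the posts above. Rule 1: a ClusterIssuer's apiTokenSecretRef is
# looked up in cert-manager's cluster-resource namespace (cert-manager unless
# --cluster-resource-namespace says otherwise) and the ref's `key` must be a
# key of that Secret's data/stringData. Rule 2: an IngressRoute's
# spec.tls.secretName must be a Secret in the IngressRoute's own namespace,
# and a Certificate only writes its Secret into the Certificate's namespace.


def secrets_available(objects):
    """Map (namespace, name) -> data keys, for Secrets present or created by a Certificate."""
    available = {}
    for obj in objects:
        md = obj["metadata"]
        if obj["kind"] == "Secret":
            keys = set(obj.get("stringData", {})) | set(obj.get("data", {}))
            available[(md["namespace"], md["name"])] = keys
        elif obj["kind"] == "Certificate":
            available[(md["namespace"], obj["spec"]["secretName"])] = {"tls.crt", "tls.key"}
    return available


def check_secret_refs(objects, cluster_resource_namespace="cert-manager"):
    """Return human-readable problems for dangling or mismatched Secret references."""
    available = secrets_available(objects)
    problems = []
    for obj in objects:
        kind, md = obj["kind"], obj["metadata"]
        if kind == "ClusterIssuer":
            for solver in obj["spec"]["acme"]["solvers"]:
                ref = solver.get("dns01", {}).get("cloudflare", {}).get("apiTokenSecretRef")
                if not ref:
                    continue
                target = (cluster_resource_namespace, ref["name"])
                keys = available.get(target)
                if keys is None:
                    problems.append(f"ClusterIssuer {md['name']}: secret {target[0]}/{target[1]} not found")
                elif ref["key"] not in keys:
                    problems.append(
                        f"ClusterIssuer {md['name']}: specified key \"{ref['key']}\" not found in "
                        f"secret {target[0]}/{target[1]} (it has {sorted(keys)})"
                    )
        elif kind == "IngressRoute":
            name = obj["spec"].get("tls", {}).get("secretName")
            if name and (md["namespace"], name) not in available:
                elsewhere = sorted(ns for ns, n in available if n == name)
                hint = f" (exists in namespace(s) {elsewhere})" if elsewhere else ""
                problems.append(
                    f"IngressRoute {md['namespace']}/{md['name']}: TLS secret {name} "
                    f"is not in namespace {md['namespace']}{hint}"
                )
    return problems


# Constructed from the two posts above; the dashboard IngressRoute name is assumed.
SAMPLE_OBJECTS = [
    {"kind": "Secret", "metadata": {"namespace": "cert-manager", "name": "cloudflare-token-secret"},
     "stringData": {"cloudflare-token": "<API token Cloudflare>"}},
    {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-production"},
     "spec": {"acme": {"solvers": [{"dns01": {"cloudflare": {"apiTokenSecretRef": {
         "name": "cloudflare-token-secret", "key": "API token from Cloudflare"}}}}]}}},
    {"kind": "Certificate", "metadata": {"namespace": "default", "name": "local-mysitename"},
     "spec": {"secretName": "local-mysitename-tls"}},
    {"kind": "IngressRoute", "metadata": {"namespace": "traefik", "name": "traefik-dashboard"},
     "spec": {"tls": {"secretName": "local-mysitename-tls"}}},
    {"kind": "IngressRoute", "metadata": {"namespace": "default", "name": "nginx"},
     "spec": {"tls": {"secretName": "local-mysitename-tls"}}},
]

if __name__ == "__main__":
    for problem in check_secret_refs(SAMPLE_OBJECTS):
        print(problem)
```

On the sample it reports the missing key on the ClusterIssuer and the dashboard IngressRoute whose Secret exists only in `default`, while the nginx IngressRoute in `default` passes, matching what the dashboard post observed. A Secret is namespaced, so the fix for the dashboard is a Certificate (and therefore Secret) in the traefik namespace, not a reference across namespaces.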

"HERE" links in your README.md are bad practice

Using "here" links in any document is regarded as very bad practice.

Usability & Web Accessibility - Link Text

Why Your Links Should Never Say “Click Here”

There are LOTS more such pages all over the net.

Also, when writing a README you should write it as if a 'random person' just came across it for the first time.
You may know what you are looking at; they may not! Do not assume they are coming from your video.

Making this your "README.md" will make it a lot better...

# Linux Desktop, in a container, in a browser?  A Webtop

An example compose file to complement a YouTube Video on webtops in a container.

[Youtube Video](https://www.youtube.com/watch?v=Gd9bvdkIXOQ)

[Webtop Documentation](https://docs.technotim.live/posts/webtop-container/)

cert-manager CRDs not installed on k3s v1.29.2+k3s1

Hi,

I'm following along this post:
https://technotim.live/posts/kube-traefik-cert-manager-le/
(Great stuff! Much appreciated!)

Using k3s version v1.29.2+k3s1:

$ k3s -v
k3s version v1.29.2+k3s1 (86f10213)
go version go1.21.7

Then after applying the latest (v1.14.4) cert-manager CRDs:

$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io unchanged

k3s does not recognize the new CRDs:

$ k get certificates
error: the server doesn't have a resource type "certificates"

The cert-manager helm install works well, but also complains about missing 'Certificate' resources.

Could this be an API mismatch with my version of k3s?

Thanks a lot for any help.

certs didn't get used by traefik until I upgraded cert-manager from v1.9.1 to v1.13.1

launchpad/kubernetes/traefik-cert-manager

symptom

After following the instructions for the staging cert, Traefik didn't use the cert.

cause

Unknown.

resolution

Upgrade cert-manager.

How to upgrade

cert_manager_version='v1.13.1'
kubectl apply -f "https://github.com/cert-manager/cert-manager/releases/download/${cert_manager_version}/cert-manager.crds.yaml"
helm upgrade --version "${cert_manager_version}" cert-manager jetstack/cert-manager --namespace cert-manager

Managing external resources through traefik

I spent the last few days trying to figure out how I can use the Kubernetes-hosted Traefik, which does know the Let's Encrypt wildcard certificate, to also handle external services not located in Kubernetes directly.

I.e. I have a couple of Portainer installations which I "grouped up" in the past already via the environments section of Portainer on my main server. That Portainer was so far reachable via an internal host name I set for my server, but it didn't use a valid certificate.

With the configuration below I am now finally able to address external services through Traefik, which itself is running in Kubernetes (k3s to be precise). This allows utilizing the wildcard certificate obtained from Let's Encrypt on external services which are not yet part of Kubernetes.

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: default-headers
  namespace: portainer
spec:
  headers:
    browserXssFilter: true
    contentTypeNosniff: true
    forceSTSHeader: true
    stsIncludeSubdomains: true
    stsPreload: true
    stsSeconds: 15552000
    customFrameOptionsValue: SAMEORIGIN
    customRequestHeaders:
      X-Forwarded-Proto: https
---
apiVersion: v1
kind: Service
metadata:
  name: portainer
  namespace: portainer
spec:
  type: ClusterIP
  ports:
    - name: https
      port: 443
      targetPort: 9443
      protocol: TCP
---
apiVersion: v1
kind: Endpoints
metadata:
  name: portainer
  namespace: portainer
subsets:
  - addresses:
    - ip: {ip-of-external-server}
    ports:
      - name: https
        port: 9443
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: portainer
  namespace: portainer
  annotations:
    kubernetes.io/ingress.class: traefik-external
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`portainer.local.example.com`)
      kind: Rule
      services:
        - name: portainer
          port: 443
      middlewares:
        - name: default-headers
  tls:
    secretName: local-example-com-tls

The ingress configuration is rather straightforward, though the service definition differs here. I tried a lot with ExternalName or externalIPs in the service config, though the former doesn't use ports while the latter didn't show up in the Traefik dashboard no matter what I tried.

The final clue came while watching this Google Cloud Tech video where Sandeep mentioned all of the hurdles I faced, and that by defining an Endpoints resource with the IP and port directly one can still make use of Traefik for external resources.

Hope this helps others :) If there is a simpler approach to get the job done, please feel free to post it here, as I'm always keen on learning new tech things I can try in my homelab.
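The pairing above works because a Service without a selector gets no endpoints from the endpoints controller, so a hand-written Endpoints object of the same name and namespace is what kube-proxy and Traefik route to; that same property is why Kubernetes treats write access to Endpoints as sensitive, since whoever can edit the object chooses where in-cluster traffic goes. The Python below is an added example (not code from the launchpad repo) that checks the pairing for the mistakes that silently break it: a name or namespace mismatch, a selector left on the Service, an unreplaced placeholder such as `{ip-of-external-server}`, an address in a range Kubernetes rejects in Endpoints (loopback and link-local), and an endpoint port whose name has no matching Service port. The Service and Endpoints are constructed from the post; the replacement IP is constructed too.

```python
import ipaddress

# Added example (not code from the launchpad repo): sanity checks for the
# selector-less Service + hand-written Endpoints pairing from the post above.

# Address ranges Kubernetes refuses in Endpoints addresses: loopback,
# link-local and link-local multicast, for IPv4 and IPv6.
_FORBIDDEN = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "::1/128", "169.254.0.0/16", "224.0.0.0/24", "fe80::/64")]


def check_external_service(service, endpoints):
    """Return a list of problems; an empty list means the pair should route as intended."""
    problems = []
    s_md, e_md = service["metadata"], endpoints["metadata"]
    if (s_md["namespace"], s_md["name"]) != (e_md["namespace"], e_md["name"]):
        problems.append("Endpoints must have the same name and namespace as the Service to be paired with it")
    if service["spec"].get("selector"):
        problems.append("Service has a selector; the endpoints controller would overwrite the hand-written Endpoints")
    svc_port_names = {p.get("name") for p in service["spec"].get("ports", [])}
    for subset in endpoints.get("subsets", []):
        for addr in subset.get("addresses", []):
            raw = addr.get("ip", "")
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                problems.append(f"address {raw!r} is not an IP address (placeholder left in?)")
                continue
            if any(ip in net for net in _FORBIDDEN):
                problems.append(f"address {ip} is loopback or link-local, which Kubernetes rejects in Endpoints")
        for port in subset.get("ports", []):
            if port.get("name") not in svc_port_names:
                problems.append(f"endpoint port {port.get('name')!r} has no Service port of the same name; "
                                "ports are paired by name")
    return problems


# Constructed from the post above (placeholder IP kept as written there)
SAMPLE_SERVICE = {
    "kind": "Service",
    "metadata": {"name": "portainer", "namespace": "portainer"},
    "spec": {"type": "ClusterIP",
             "ports": [{"name": "https", "port": 443, "targetPort": 9443, "protocol": "TCP"}]},
}


def endpoints_for(ip, port_name="https", port=9443):
    """Build the Endpoints object from the post for a given external address."""
    return {
        "kind": "Endpoints",
        "metadata": {"name": "portainer", "namespace": "portainer"},
        "subsets": [{"addresses": [{"ip": ip}], "ports": [{"name": port_name, "port": port}]}],
    }


if __name__ == "__main__":
    for candidate in ("{ip-of-external-server}", "127.0.0.1", "192.168.178.10"):
        print(candidate, "->", check_external_service(SAMPLE_SERVICE, endpoints_for(candidate)) or "ok")
```

Run as-is it flags the post's placeholder and a loopback address and accepts a constructed LAN address; renaming the endpoint port to something other than `https` is reported as well, since that is the link kube-proxy uses to pair the Service port with the Endpoints port.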

pterodactyl game panel SQL error

After running the docker compose, I ran the command you have for making a user: docker-compose run --rm panel php artisan p:user:mak

I am getting:

Connection.php line 692:
SQLSTATE[HY000] [1045] Access denied for user 'pterodactyl'@'172.20.0.5' (using password: YES) (SQL: select * from information_schema.tables where table_schema = panel and table_name = migrations and table_type = 'BASE TABLE')

And both
In PDOConnection.php line 39:
In Exception.php line 18:

are giving the error: SQLSTATE[HY000] [1045] Access denied for user 'pterodactyl'@'172.20.0.5' (using password: YES)

I saw that it is looking for an IP of 172.20.0.5, but when I check all the container IPs with docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $(docker ps -q)

I get this list of IPs:
172.20.0.4 172.20.0.2 172.20.0.3

How can I set the IP for the database in the docker-compose file?
I found this but I don't understand it: Link
