K3s: Enable traefik dashboard - helm-install-traefik pod fails with "Error: unknown flag: --purge"

I tried what seemed like it was worth a shot: helm rollback traefik 1 --namespace kube-system

and got this error:

Error: failed to replace object: Service "traefik" is invalid: spec.clusterIP: Invalid value: "": field is immutable

Is there a way to remove traefik and get it reinstalled using the defaults like when I deployed k3s? I'm assuming it's not just a vanilla traefik helm install?

EDIT:

I decided to try uninstalling and installing traefik from scratch, I ran helm delete traefik --namespace kube-system and k3s automatically redeployed traefik (I should have guessed it would do that) so I didn't have to reinstall.

Traefik install still failed with the dashboard.enabled: "true" line so I removed that and things are mostly back to normal (some ingress problem that'll probably be fixed by recreating the ingress).

FWIW, this is the YAML I was trying to use. K3s is my first time using traefik so this may just not be a valid configuration but it seems like it is from looking at the traefik helm chart:

apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-1.81.0.tgz
  set:
    rbac.enabled: "true"
    ssl.enabled: "true"
    metrics.prometheus.enabled: "true"
    kubernetes.ingressEndpoint.useDefaultPublishedService: "true"
    dashboard.enabled: "true"

I've had issues with Helm charts where the install Job fails in an odd way that causes the remove to also fail. I had to remove the manifest from the filesystem, delete the HelmChart, delete the stuck remove Job, then go edit the chart to remove the finalizer before it would actually finish deleting. Once that was done I was able to move the fixed manifest back into place.

After a few rounds of that I gave up on trying to iterate on Helm charts since updates don't seem to work right. I'm just rendering the template out to the manifests dir using helm template and letting the addon controller work its magic.

@jonstelly have you tried deploying the cluster without traefik (--no-deploy=traefik) and installing traefik manually?

Not yet. I'll try that out in the next few days along with the suggestion to try removing the traefik.yaml manifest and giving the cluster some time to get everything cleaned up, then drop the file back in the directory with the dashboard enabled.

I'm guessing removing the manifest for a short time is similar to specifying --no-deploy=traefik? Maybe some internal plumbing differences. Judging by the default traefik.yaml there doesn't seem to be a lot of customization from the chart defaults, but I'll try this out in a temporary cluster, I'd rather not have to recreate my existing cluster for this change.

And I just saw that #1347 says this might be fixed in v1.17.2-alpha3+k3s1 so I'll try that out first. Will report back with results.

Resolved with v1.17.2-alpha3+k3s1. Closing issue.

I've verified that simply editing /var/lib/rancher/k3s/server/manifests/traefik.yaml works in k3s v1.17.2+k3s1. I added the following:

    dashboard.enabled: "true"
    dashboard.domain: "traefik.me.somewhere"

The change gets deployed and ingress through traefik.me.somewhere shows me the traefik dashboard. Super easy, very cool!

I've verified it works on a single node but in a k3s cluster, editing a manifest file ends up with a total mess. I am not sure if it's fighting with different configurations on servers. I tried to edit the file on all servers and it literally crashed all with a CrashLoopBackOff of Helm-install. So the question is: how to you edit manifest to enable dashboard or set ACME, etc... in such a deployment? Should you disable everything and go with traditional helm deployment?

I asked the same question elsewhere. The docs don't cover how to figure out which node is running the helm controller, or any of the other custom controllers for that matter. I think they use an endpoint lock annotation to hold the master election, but I can't recall for sure.

Then would you suggest to completely disable traefik and use standard helm to deploy it? I found the helm-install concept interesting at first.

I've verified that simply editing /var/lib/rancher/k3s/server/manifests/traefik.yaml works in k3s v1.17.2+k3s1. I added the following:

    dashboard.enabled: "true"
    dashboard.domain: "traefik.me.somewhere"

The change gets deployed and ingress through traefik.me.somewhere shows me the traefik dashboard. Super easy, very cool!

hi how did you deployed the changes?

@ozeta All you need to do is edit the manifest file, the deploy controller picks up the changes automatically. If there are any errors in the manifest, you should see something marginally useful in the k3s logs. If there's an error in the actual Helm output, that goes into a job container that's harder to get at.

OK, so on a cluster, this is what I get when updating the yaml manifest. It tried to install/deploy the new helm in loop and crashes in loop. This works correctly on a single node.

kube-system   1s          Normal    Created                  pod/helm-install-traefik-8w2qz   Created container helm
kube-system   1s          Normal    Started                  pod/helm-install-traefik-8w2qz   Started container helm
kube-system   1s          Normal    SuccessfulCreate         job/helm-install-traefik         Created pod: helm-install-traefik-g8ntq
kube-system   <unknown>   Normal    Scheduled                pod/helm-install-traefik-g8ntq   Successfully assigned kube-system/helm-install-traefik-g8ntq to kiddy
kube-system   1s          Normal    Pulled                   pod/helm-install-traefik-g8ntq   Container image "rancher/klipper-helm:v0.2.3" already present on machine
kube-system   0s          Normal    Created                  pod/helm-install-traefik-g8ntq   Created container helm
kube-system   0s          Normal    Started                  pod/helm-install-traefik-g8ntq   Started container helm
kube-system   0s          Normal    SuccessfulCreate         job/helm-install-traefik         Created pod: helm-install-traefik-f24xx
kube-system   <unknown>   Normal    Scheduled                pod/helm-install-traefik-f24xx   Successfully assigned kube-system/helm-install-traefik-f24xx to stuffy
kube-system   0s          Normal    Pulled                   pod/helm-install-traefik-f24xx   Container image "rancher/klipper-helm:v0.2.3" already present on machine
kube-system   0s          Normal    Created                  pod/helm-install-traefik-f24xx   Created container helm
kube-system   0s          Normal    Started                  pod/helm-install-traefik-f24xx   Started container helm
kube-system   0s          Normal    SuccessfulCreate         job/helm-install-traefik         Created pod: helm-install-traefik-cgwlp
kube-system   0s          Normal    Pulled                   pod/helm-install-traefik-f24xx   Container image "rancher/klipper-helm:v0.2.3" already present on machine
kube-system   0s          Normal    Created                  pod/helm-install-traefik-f24xx   Created container helm
kube-system   0s          Warning   Failed                   pod/helm-install-traefik-f24xx   Error: failed to create containerd task: OCI runtime create failed: container_linux.go:346: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"/var/lib/kubelet/pods/acf4cb5b-b945-4c25-bb5c-50c86ed289c3/volumes/kubernetes.io~secret/helm-traefik-token-wvq2l\\\" to rootfs \\\"/run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/helm/rootfs\\\" at \\\"/var/run/secrets/kubernetes.io/serviceaccount\\\" caused \\\"stat /var/lib/kubelet/pods/acf4cb5b-b945-4c25-bb5c-50c86ed289c3/volumes/kubernetes.io~secret/helm-traefik-token-wvq2l: no such file or directory\\\"\"": unknown
kube-system   <unknown>   Normal    Scheduled                pod/helm-install-traefik-cgwlp   Successfully assigned kube-system/helm-install-traefik-cgwlp to kiddy
kube-system   1s          Normal    Pulled                   pod/helm-install-traefik-cgwlp   Container image "rancher/klipper-helm:v0.2.3" already present on machine
kube-system   0s          Normal    Created                  pod/helm-install-traefik-cgwlp   Created container helm
kube-system   0s          Normal    Started                  pod/helm-install-traefik-cgwlp   Started container helm

Can you provide more info in your cluster? Looks like one of the nodes isn't working properly.

also getting similar error on v1.17.4

CHART=$(sed -e "s/%{KUBERNETES_API}%/${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/g" <<< "${CHART}")
set +v -x
+ cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/
+ update-ca-certificates
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
+ export HELM_HOST=127.0.0.1:44134
+ HELM_HOST=127.0.0.1:44134
+ helm_v2 init --skip-refresh --client-only
+ tiller --listen=127.0.0.1:44134 --storage=secret
Creating /root/.helm 
Creating /root/.helm/repository 
Creating /root/.helm/repository/cache 
Creating /root/.helm/repository/local 
Creating /root/.helm/plugins 
Creating /root/.helm/starters 
Creating /root/.helm/cache/archive 
Creating /root/.helm/repository/repositories.yaml 
Adding stable repo with URL: https://kubernetes-charts.storage.googleapis.com 
Adding local repo with URL: http://127.0.0.1:8879/charts 
$HELM_HOME has been configured at /root/.helm.
Not installing Tiller due to 'client-only' flag having been set
Happy Helming!
++ helm_v2 ls --all '^traefik$' --output json
++ jq -r '.Releases | length'
[main] 2020/04/15 13:28:17 Starting Tiller v2.12.3 (tls=false)
[main] 2020/04/15 13:28:17 GRPC listening on 127.0.0.1:44134
[main] 2020/04/15 13:28:17 Probes listening on :44135
[main] 2020/04/15 13:28:17 Storage driver is Secret
[main] 2020/04/15 13:28:17 Max history per release is 0
[storage] 2020/04/15 13:28:18 listing all releases with filter
+ EXIST=1
+ '[' 1 == 1 ']'
+ HELM=helm_v2
+ NAME_ARG=--name
+ JQ_CMD='"\(.Releases[0].AppVersion),\(.Releases[0].Status)"'
+ helm_repo_init
+ grep -q -e 'https\?://'
+ '[' helm_v2 == helm_v3 ']'
+ helm_v2 repo update --strict
Hang tight while we grab the latest from your chart repositories...
...Skip local chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈ 
+ '[' -n '' ']'
+ helm_update install
+ '[' helm_v2 == helm_v3 ']'
++ helm_v2 ls --all '^traefik$' --output json
++ ++ tr '[:upper:]' jq '[:lower:]'
-r '"\(.Releases[0].AppVersion),\(.Releases[0].Status)"'
[storage] 2020/04/15 13:28:24 listing all releases with filter
+ LINE=1.7.19,failed
++ ++ cut -f1 -d,
echo 1.7.19,failed
+ INSTALLED_VERSION=1.7.19
++ echo 1.7.19,failed
++ cut -f2 -d,
+ STATUS=failed
+ '[' -e /config/values.yaml ']'
+ VALUES='--values /config/values.yaml'
+ '[' install = delete ']'
+ '[' -z 1.7.19 ']'
+ '[' -z '' ']'
+ '[' failed = deployed ']'
+ '[' failed = failed ']'
+ '[' helm_v2 == helm_v3 ']'
+ helm_v2 install --purge traefik
Error: unknown flag: --purge 

can be fixed by removing traefik.yaml from the manifests folder, removing the traefik resources and putting the yaml back,

mv /var/lib/rancher/k3s/server/manifests/traefik.yaml /tmp/traefik.yaml
kubectl -n kube-system delete helmcharts.helm.cattle.io traefik
kubectl delete -n kube-system service traefik-dashboard
kubectl delete -n kube-system ingress traefik-dashboard
mv /tmp/traefik.yaml /var/lib/rancher/k3s/server/manifests/traefik.yaml

so it seems it's not issue with the manifest or their deployment, it's the updating them that fails

@kalgecin I found that I had to do this remove/cleanup/replace dance with the manifest whenever I ran into an issue with a Helm chart using the built-in controller.

The integrated deploy and helm controllers are great for bootstrapping the cluster, but there are some issues like this one, and the fact that it overwrites the templates on restart, and the poor logging... that make it really difficult to use them for extensive customization.

"and the fact that it overwrites the templates on restart" wait a minute, the design is that the yaml is erased with the default one everytime you restart the server?

yup, i have a script that copies my yaml after the server has restarted

Thanks. I guess I will disable and deploy it with helm myself then.

yeah, I've taken to disabling all the built-in templates and just copying stuff into the manifests folder when I want it deployed. For Helm charts I just use helm template to render it locally and then copy the generated yaml over.