
Traefik2.4: uses a non-existent resolver: inwx


I am hitting the issue that the resolver cannot be found. I have read all the related topics but got no answer.

ENV:

  • kubernetes v1.20.6
  • traefik: 2.4.9

Traefik is being installed with the Helm chart. The values.yaml looks like:

image:
  name: traefik

globalArguments: # tried with "globalArguments" and "additionalArguments"
  - "--api.insecure=true"
  - "--accesslog=false"
  - "--log.level=DEBUG"
  - "--certificatesresolvers.inwx.acme.email=*****@example.com"
  - "--certificatesresolvers.inwx.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
  - "--certificatesresolvers.inwx.acme.dnschallenge=true"
  - "--certificatesresolvers.inwx.acme.dnschallenge.provider=inwx"
  - "--certificatesresolvers.inwx.acme.storage=/data/acme.json"

ingressRoute:
  dashboard:
    enabled: true
    insecure: true
  api:
    insecure: true

persistence:
  enabled: true
  accessMode: ReadWriteOnce
  size: 128Mi
  path: /data
  annotations: {}

env:
  - name: INWX_USERNAME
    valueFrom:
      secretKeyRef:
        name: inwx-dns
        key: INWX_USERNAME
  - name: INWX_PASSWORD
    valueFrom:
      secretKeyRef:
        name: inwx-dns
        key: INWX_PASSWORD

rbac:
  enabled: true
  namespaced: false

ports:
  traefik:
    port: 9000
    expose: true

Result: an empty acme.json was created at the desired location, but Traefik prints:

the router flweber-whoami-ingress-flweber-test-foo-example-de-flweber-whoami@kubernetes uses a non-existent resolver: inwx

Ingress Definition:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: flweber-whoami-ingress
  namespace: flweber-test
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.tls.certresolver: "inwx"
    traefik.ingress.kubernetes.io/router.middlewares: flweber-test-flweber-stripprefix@kubernetescrd
spec:
  rules:
    - host: foo.example.de
      http:
        paths:
          - path: /flweber-whoami
            pathType: Prefix
            backend:
              service:
                name: flweber-whoami
                port:
                  number: 80

Thanks in advance.

Note: I had to replace all domains with placeholders. I'm not using example.com or example.de in the real configuration.


Solution

  • For all who have a similar problem: check your debug logs very carefully. In my case, in between all the debug output was this line:

    time="2021-07-26T09:56:43Z" level=error msg="The ACME resolver \"inwx\" is skipped from the resolvers list because: unable to get ACME account: permissions 660 for /data/acme.json are too open, please use 600"
    

    The first time Traefik started, all was fine, but after I had done a helm upgrade I got the log above.

    I could fix it with an init container which sets the permissions correctly.

    I added the following section to my values.yaml:

    deployment:
      initContainers:
        - name: volume-permissions
          image: busybox:1.31.1
          command: ["sh", "-c", "chmod -Rv 600 /data/*"]
          volumeMounts:
            - name: data
              mountPath: /data
    

    If you're interested in whether there is a better solution, I also opened a discussion in Traefik's forum at this link: https://community.traefik.io/t/traefik2-4-uses-a-non-existent-resolver-inwx/11283/3

    Hope I could help someone :)
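
Added example, not part of the original answer and not Traefik's own code: a POSIX shell sketch that ties the "non-existent resolver" router error back to the "skipped from the resolvers list" log line and checks the mode of the ACME storage file. The function names are hypothetical, and the mode test assumes that any group or other permission bit counts as "too open", as the 660 versus 600 message suggests.

```shell
#!/bin/sh
# Added example: diagnose "uses a non-existent resolver" from a Traefik log file.

# Print "<resolver>: <reason>" for every resolver Traefik dropped at startup.
skipped_resolvers() {
  sed -n 's/.*The ACME resolver \\"\([^\\]*\)\\" is skipped from the resolvers list because: \(.*\)"$/\1: \2/p' "$1"
}

# Print the names of resolvers that routers reference but Traefik does not know.
missing_resolvers() {
  sed -n 's/.*uses a non-existent resolver: \([A-Za-z0-9_-]*\).*/\1/p' "$1" | sort -u
}

# For each missing resolver, print why it was skipped, if the log says so.
explain_missing_resolvers() {
  for name in $(missing_resolvers "$1"); do
    reason=$(skipped_resolvers "$1" | grep "^$name: " | head -n 1)
    echo "${reason:-$name: no skip reason logged, check the resolver name in the static config}"
  done
}

# Succeed only if the file grants nothing to group or other (600, 400, ...).
# Assumption: this mirrors the check behind "too open, please use 600".
acme_storage_private() {
  [ -f "$1" ] || return 2
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Sample log built from the two messages quoted on this page; the timestamp
# and level on the second line are constructed.
sample_log() {
  cat <<'EOF'
time="2021-07-26T09:56:43Z" level=error msg="The ACME resolver \"inwx\" is skipped from the resolvers list because: unable to get ACME account: permissions 660 for /data/acme.json are too open, please use 600"
time="2021-07-26T09:56:44Z" level=error msg="the router flweber-whoami-ingress-flweber-test-foo-example-de-flweber-whoami@kubernetes uses a non-existent resolver: inwx"
EOF
}

# Stand-alone demo: sh check-resolver.sh demo
if [ "${1:-}" = "demo" ]; then
  log=$(mktemp)
  sample_log > "$log"
  explain_missing_resolvers "$log"
  rm -f "$log"
fi
```

To use it on a real deployment, save the pod's log to a file (for example with `kubectl logs`) and pass that path to `explain_missing_resolvers`; `acme_storage_private` has to run where the volume is mounted.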