Change default TLS certificate for Traefik in K3S // Blog Notes

Before starting, we need to make sure that we have the required certificate. I do it in another place and bring it to the server with automation.

First, we need to create a secret in the kube-system namespace. The secret should be named default-ingress-cert and we can create or update it with the following command:

kubectl -n kube-system create secret tls default-ingress-cert \
  --key=/etc/ssl/private/_.example.com.key \
  --cert=/etc/ssl/private/_.example.com.crt \
  --dry-run=client --save-config -o yaml  | kubectl apply -f -

After that, we need to create configuration for the traefik.

apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: kube-system

spec:
  defaultCertificate:
    secretName: default-ingress-cert

And apply it with the following command:

kubectl apply -f k3s-traefik-tls-store.yaml