tracing.otlp.grpc.insecure: true conflicts with default TLS values in Traefik v3.6+

[jankaltenecker]

Welcome!

• Yes, I've searched similar issues on GitHub and didn't find any.
• Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What version of the Traefik's Helm Chart are you using?

39.0.0

What version of Traefik are you using?

v3.6.7

What did you expect to happen ?

When setting tracing.otlp.grpc.insecure: true, I expected Traefik to start successfully and send traces to my OpenTelemetry collector without TLS encryption.

Since insecure: true explicitly disables TLS, the chart should either:

1. Not render any tls.* arguments when insecure: true is set
2. Or set tls default values to null instead of having explicit values like insecureSkipVerify: false

What did you notice instead ?

Traefik fails to start with the following error:

{"level":"error","error":"command traefik error: tracing OTLP GRPC: TLS and Insecure options are mutually exclusive","time":"2026-01-24T14:05:16Z","caller":"github.com/traefik/traefik/v3/cmd/traefik/traefik.go:85","message":"Command error"}

The chart generates both --tracing.otlp.grpc.insecure=true AND TLS arguments (e.g., --tracing.otlp.grpc.tls.insecureSkipVerify=false) from the default values, which Traefik v3.6.7 rejects as mutually exclusive.

Workaround: Explicitly set tls: null to suppress TLS argument generation:

tracing:
  otlp:
    grpc:
      insecure: true
      tls: null  # Required workaround

What are your values ?

tracing:
  serviceName: "traefik"
  sampleRate: 1
  otlp:
    enabled: true
    grpc:
      enabled: true
      endpoint: signoz-otel-collector.signoz-system:4317
      insecure: true

Additional Information

The issue is in the `traefik.oltpCommonParams` helper in `_helpers.tpl`. It uses `traefik.yaml2CommandLineArgs` which converts all fields to CLI arguments without considering that `insecure` and `tls` are mutually exclusive:


{{- include "traefik.yaml2CommandLineArgs" (dict "path" (printf "%s.grpc" $path) "content" (omit . "enabled")) | nindent 2 }}

Since the default values define tls.insecureSkipVerify: false, this gets merged with user values and rendered as a CLI argument even when insecure: true.

Suggested fix: Modify the template to skip tls rendering when insecure: true:


{{- $content := omit . "enabled" }}
{{- if .insecure }}
  {{- $content = omit $content "tls" }}
{{- end }}
{{- include "traefik.yaml2CommandLineArgs" (dict "path" (printf "%s.grpc" $path) "content" $content) | nindent 2 }}

This likely also affects metrics.otlp.grpc and logs.otlp.grpc as they use the same helper.

[Davee02]

We're seeing the same error in our deployment. Sadly, we cannot use the workaround with setting tls: null as we use Flux as our GitOps tool, where this issue exists. This hinders us using chart versions >= 39.0.0.

I could open a PR with @jankaltenecker's suggestion to skip tls rendering when insecure: true if desired.

[mloiseleur]

@Davee02 sure, please go ahead.