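Traefik cannot find the basic auth secret

Time: 2019-04-15 11:24:35

Tags: kubernetes traefik kubernetes-ingress traefik-ingress

My Traefik (1.7.10) ingress controller suddenly stopped using basic auth secrets in Kubernetes. Traefik logs a warning saying it cannot find the secrets, even though I feel they are all correct. Permissions are set up fine, and everything is done in the same namespace.

I tried changing the auth secret to username admin and password admin, just to see if it made any difference. It didn't. I also tried removing the secrets resource permission from the RBAC setup. As expected, this caused Traefik to log a warning that it had no permission to list secrets. After putting the permission back, that warning went away, but the secret still couldn't be found. I also tried downgrading to the latest 1.6 release (1.6.6), but the same problem occurred there.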

My secret:

apiVersion: v1
kind: Secret
metadata:
 name: access-secret
 namespace: my-namespace
type: Opaque
data:
 auth: YWRtaW46YWRtaW4=

My ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
 name: configuration-docs-ingress
 namespace: my-namespace
 annotations:
   traefik.ingress.kubernetes.io/auth-type: "basic"
   traefik.ingress.kubernetes.io/auth-secret: "access-secret"
   traefik.frontend.rule.type: PathPrefixStrip
spec:
 rules:
 - host: my.documentation.domain
   http:
     paths:
     - path: /
       backend:
         serviceName: configuration-docs
         servicePort: 80

My DaemonSet:

kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
 name: traefik-ingress-controller
 namespace: my-namespace
 labels:
   k8s-app: traefik-ingress-lb
spec:
 template:
   metadata:
     labels:
       k8s-app: traefik-ingress-lb
       name: traefik-ingress-lb
   spec:
     serviceAccountName: traefik-ingress-controller
     terminationGracePeriodSeconds: 60
     containers:
     - image: traefik:1.7.10-alpine
       name: traefik-ingress-lb
       imagePullPolicy: Always
       ports:
       - name: http
         containerPort: 80
         hostPort: 80
       - name: admin
         containerPort: 8080
       securityContext:
         capabilities:
           drop:
           - ALL
           add:
           - NET_BIND_SERVICE
       resources:
         limits:
           cpu: 200m
         requests:
           cpu: 200m
       volumeMounts:
       - mountPath: "/config"
         name: config
       args:
       - --configfile=/config/traefik.toml
       - --api
       - --kubernetes
       - --logLevel=INFO
     volumes:
     - name: config
       configMap:
         name: traefik-config

My cluster role and binding:

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: my-namespace
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: my-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: my-namespace

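My service account:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: my-namespace

What I'm experiencing now is that Traefik logs a statement saying it cannot find the configured auth secret;

When visiting the URL, the basic auth prompt pops up, but after entering the correct username and password, nothing seems to happen...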

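1 answer:

Answer 0: (score: 0)

The Traefik ingress controller is designed to read secrets only from the namespace in which the controller is running. That is why your secret cannot be found.

For more information, see this GitHub issue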
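A pre-deployment check for the `auth-secret` annotation, added here as an example and not part of the question or the answer: it verifies that the referenced secret sits in the controller's namespace, as the answer describes, and goes one step further by decoding the secret's value. The function name `check_basic_auth` is hypothetical, the manifests are the question's own reduced to the fields read, and the rule that Traefik 1.x expects htpasswd-style hashed entries is an assumption taken from Traefik's basic auth documentation.

```python
import base64
import re

ANNOTATION = "traefik.ingress.kubernetes.io/auth-secret"
# Prefixes of htpasswd hash formats (bcrypt, Apache MD5, SHA1).
HASH_PREFIX = re.compile(r"^(\$2[aby]\$|\$apr1\$|\{SHA\})")

def check_basic_auth(ingress, secrets, controller_ns):
    """Return findings for one Ingress manifest; an empty list means none."""
    name = ingress["metadata"].get("annotations", {}).get(ANNOTATION)
    if not name:
        return []
    named = [s for s in secrets if s["metadata"]["name"] == name]
    if not named:
        return [f"secret {name!r} does not exist"]
    # The answer above: the controller reads secrets from its own namespace only.
    secret = next((s for s in named
                   if s["metadata"].get("namespace", "default") == controller_ns), None)
    if secret is None:
        return [f"secret {name!r} is not in controller namespace {controller_ns!r}"]
    findings = []
    for key, b64 in secret.get("data", {}).items():
        try:
            text = base64.b64decode(b64, validate=True).decode("utf-8")
        except ValueError:  # malformed base64 or not UTF-8 text
            findings.append(f"key {key!r}: not valid base64 text")
            continue
        for line in text.splitlines():
            user, sep, pw = line.partition(":")
            if not (user and sep and pw):
                findings.append(f"key {key!r}: entry is not user:hash")
            elif not HASH_PREFIX.match(pw):
                # Assumption: Traefik 1.x wants htpasswd-style hashed entries.
                findings.append(f"key {key!r}: password for {user!r} is not hashed")
    return findings

# Manifests from the question, reduced to the fields the check reads.
INGRESS = {"metadata": {"name": "configuration-docs-ingress", "namespace": "my-namespace",
                        "annotations": {ANNOTATION: "access-secret"}}}
SECRET = {"metadata": {"name": "access-secret", "namespace": "my-namespace"},
          "data": {"auth": "YWRtaW46YWRtaW4="}}

if __name__ == "__main__":
    for finding in check_basic_auth(INGRESS, [SECRET], "my-namespace"):
        print(finding)
```

For the question's manifests the namespace check passes, and the only finding is that the `auth` value decodes to an unhashed `admin:admin` entry.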
