1、案例(之前使用的是ingress-nginx,登录一直都没有出现过问题,但是切换成traefik的ingressroute就出现了404的问题,traefik使用的hostNetwork)
# ingressroute.yaml
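# IngressRoute for the private registry as it was first applied. This is the
# version that produced the certificate error and the 404 shown below.
# Indentation restored so the manifest parses as YAML.
apiVersion: traefik.containo.us/v1alpha1  # legacy API group; check it against the CRD groups installed in the cluster
kind: IngressRoute
metadata:
  name: registry-ingress
  namespace: kube-system
  annotations:
    # NOTE(review): these two keys mirror ingress-nginx annotation names
    # (proxy-body-size / backend-protocol). They are not among Traefik's
    # documented annotations, and an IngressRoute is configured through its
    # spec, so they most likely have no effect here - confirm and drop them.
    traefik.ingress.kubernetes.io/proxy-body-size: "100G"   # intended: allow large image pushes
    traefik.ingress.kubernetes.io/backend-protocol: "HTTP"  # intended: the registry backend speaks plain HTTP
spec:
  entryPoints:
    - websecure
  tls:
    # Certificate Traefik is expected to present for this host.
    secretName: registry-tls-secret
  routes:
    - kind: Rule
      match: Host(`registry.xwk.local`)
      services:
        - name: docker-registry
          port: 5000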
# 登录镜像仓库
[root@master-11 traefik]# nerdctl login registry.xwk.local -u admin
Enter Password:
ERRO[0002] failed to call tryLoginWithRegHost error="failed to call rh.Client.Do: Get \"https://registry.xwk.local/v2/\": tls: failed to verify certificate: x509: certificate is valid for c3c8713db2c9b904e81151755d904f4d.50cfbca43d1a9c0ce54387d3417e872a.traefik.default, not registry.xwk.local" i=0
FATA[0002] failed to call rh.Client.Do: Get "https://registry.xwk.local/v2/": tls: failed to verify certificate: x509: certificate is valid for c3c8713db2c9b904e81151755d904f4d.50cfbca43d1a9c0ce54387d3417e872a.traefik.default, not registry.xwk.local
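# 尝试跳过证书校验,但是显示了404(--insecure-registry 只适合临时排查,不要当作最终方案;另外上面 x509 报错里的证书域名是 *.traefik.default,说明 traefik 返回的是它自己的默认证书,而不是 registry-tls-secret 里的证书)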
[root@master-11 registry]# nerdctl login --insecure-registry registry.xwk.local -u admin
Enter Password:
WARN[0002] skipping verifying HTTPS certs for "registry.xwk.local"
ERRO[0002] failed to call tryLoginWithRegHost error="unexpected status code 404" i=0
FATA[0002] unexpected status code 404
# 打开traefik的调试日志
[root@master-11 ~]# kubectl edit deployments -n kube-system traefik
...
...
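- args:
  - --global.checknewversion
  - --global.sendanonymoususage
  # NOTE(review): this Traefik runs with hostNetwork, so the metrics (9100) and
  # traefik (8080) entry points listen on the node itself; confirm they are not
  # reachable from untrusted networks.
  - --entryPoints.metrics.address=:9100/tcp
  - --entryPoints.traefik.address=:8080/tcp
  - --entryPoints.web.address=:80/tcp
  - --entryPoints.websecure.address=:443/tcp
  - --api.dashboard=true
  - --ping=true
  - --metrics.prometheus=true
  - --metrics.prometheus.entrypoint=metrics
  - --providers.kubernetescrd
  - --providers.kubernetescrd.allowEmptyServices=true
  - --providers.kubernetesingress
  - --providers.kubernetesingress.allowEmptyServices=true
  - --providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik
  - --entryPoints.websecure.http.tls=true
  # Raised from INFO for troubleshooting. Change the existing flag instead of
  # passing --log.level twice, and set it back to INFO once the problem is
  # found: DEBUG output and access logs record details of every request.
  - --log.level=DEBUG
  - --accesslog=true  # added for troubleshooting; logs the status code returned for each request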
...
...
# 再看看traefik的日志:traefik没有使用我指定的tls证书,而是返回了自己的默认证书,所以证书校验失败;跳过校验后请求又返回404,说明这个域名没有匹配到任何路由。证书(secret)本身确实是存在且正确的,也就是说问题很可能不在证书,而在这条路由没有生效
2025-08-30T11:20:37Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "registry.xwk.local"
10.0.0.11 - - [30/Aug/2025:11:20:37 +0000] "GET /v2/ HTTP/1.1" 404 19 "-" "-" 1 "-" "-" 0ms
###2、查看自己traefik的版本,还有自己ingressroute的apiVersion是否填写正确
[root@master-11 ~]# kubectl get crd | grep ingressroute   # 这里可以看到集群里有两组 traefik 的 crd(traefik.containo.us 和 traefik.io),老版本 traefik 的 crd 还遗留在上面
ingressroutes.traefik.containo.us 2025-08-17T10:25:27Z
ingressroutes.traefik.io 2025-08-17T10:19:18Z
ingressroutetcps.traefik.containo.us 2025-08-17T10:25:27Z
ingressroutetcps.traefik.io 2025-08-17T10:19:18Z
ingressrouteudps.traefik.containo.us 2025-08-17T10:25:27Z
ingressrouteudps.traefik.io 2025-08-17T10:19:18Z
# 再看看自己使用的crd是否正确
[root@master-11 registry]# kubectl get crd ingressroutes.traefik.io -o yaml | grep group -A 10
group: traefik.io
names:
kind: IngressRoute
listKind: IngressRouteList
plural: ingressroutes
singular: ingressroute
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
[root@master-11 registry]# cat ingressroute.yaml
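# Same manifest as first applied, shown again to compare against the CRD
# output above. Indentation restored so the manifest parses as YAML.
#
# The API group below does not match the group of the CRD this Traefik uses
# (traefik.io). Because the legacy traefik.containo.us CRD is still installed,
# the API server accepts the object without error, but Traefik v3 (see the
# traefik/v3 path in the debug log) does not read that group, so neither the
# route nor its TLS secret is loaded.
apiVersion: traefik.containo.us/v1alpha1  # wrong group for this Traefik
kind: IngressRoute
metadata:
  name: registry-ingress
  namespace: kube-system
  annotations:
    # NOTE(review): ingress-nginx style annotation names; most likely ignored
    # by Traefik for an IngressRoute - confirm and drop them.
    traefik.ingress.kubernetes.io/proxy-body-size: "100G"   # intended: allow large image pushes
    traefik.ingress.kubernetes.io/backend-protocol: "HTTP"  # intended: the registry backend speaks plain HTTP
spec:
  entryPoints:
    - websecure
  tls:
    secretName: registry-tls-secret
  routes:
    - kind: Rule
      match: Host(`registry.xwk.local`)
      services:
        - name: docker-registry
          port: 5000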
###3、修改ingressroute
[root@master-11 registry]# cat ingressroute.yaml
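# Corrected IngressRoute: the API group now matches the CRD group reported by
# `kubectl get crd ingressroutes.traefik.io`. Indentation restored so the
# manifest parses as YAML.
apiVersion: traefik.io/v1alpha1  # group/version taken from the installed CRD
kind: IngressRoute
metadata:
  name: registry-ingress
  namespace: kube-system
  annotations:
    # NOTE(review): ingress-nginx style annotation names; most likely ignored
    # by Traefik for an IngressRoute - confirm and drop them.
    traefik.ingress.kubernetes.io/proxy-body-size: "100G"   # intended: allow large image pushes
    traefik.ingress.kubernetes.io/backend-protocol: "HTTP"  # intended: the registry backend speaks plain HTTP
spec:
  entryPoints:
    # NOTE(review): per Traefik's router documentation, a router with a tls
    # section only handles HTTPS requests, so listing `web` adds nothing.
    # Registry logins carry credentials; keep this route on websecure only.
    - web
    - websecure
  tls:
    secretName: registry-tls-secret  # the TLS Secret created in an earlier step
  routes:
    - kind: Rule
      match: Host(`registry.xwk.local`)
      services:
        - name: docker-registry
          port: 5000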
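# apply后再进行测试(下面的命令仍然带着 --insecure-registry;路由生效后 traefik 应该已经返回 registry-tls-secret 里的证书,建议去掉该参数再登录一次,确认证书校验能通过。如果仍然校验失败,应让节点信任签发该证书的 CA,而不是长期跳过校验。另外注意输出中的提示:密码会明文保存在 /root/.docker/config.json,可按提示配置 credential helper)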
[root@master-11 registry]# nerdctl login --insecure-registry registry.xwk.local -u admin
Enter Password:
WARN[0002] skipping verifying HTTPS certs for "registry.xwk.local"
WARNING: Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@master-11 registry]# nerdctl pull registry.xwk.local/wod/nginx
registry.xwk.local/wod/nginx:latest: resolved |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:104fded227a722e64a0bc8afb5c7993ca58ce790c8259adcc84e20be8de2292f: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:4cad75abc83d5ca6ee22053d85850676eaef657ee9d723d7bef61179e1e1e485: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 0.1 s
total: 0.0 B (0.0 B/s)
# 现在可以正常访问了
###4、如何判断自己的apiVersion该怎么填
[root@master-11 registry]# kubectl get crd ingressroutes.traefik.io -o yaml | grep group -A 10 # 关注grep这下面的内容
group: traefik.io # 这个是你的前缀
names:
kind: IngressRoute
listKind: IngressRouteList
plural: ingressroutes
singular: ingressroute
scope: Namespaced
versions:
- name: v1alpha1 # 这个是你的后缀
schema:
openAPIV3Schema:
所以apiVersion应该填traefik.io/v1alpha1
# 如果是deployment的那种资源
kubectl api-resources | grep deployment   # 把 deployment 换成你想查的资源
[root@master-11 ~]# kubectl api-resources | grep deployment
deployments deploy apps/v1 true Deployment   # 第三列的 apps/v1 就是你想要的 apiVersion