traefik: traefik cannot find secrets, errors as 'doesnt exist'
Do you want to request a feature or report a bug?
Bug
What did you do?
Created the Traefik ingress controller via helm/stable/traefik.
I installed default/cheese ingress. traefik errored at accessing its secrets.
Error configuring TLS for ingress default/cheese: secret default/traefik-cert does not exist
Unfortunately, it shows error while accessing the secrets.
$ kubectl get secret dex-tls -oyaml --as gem-lb-traefik
Error from server (Forbidden): secrets "dex-tls" is forbidden: User "gem-lb-traefik" cannot get secrets in the namespace "default"
$ kubectl describe clusterrolebinding gem-lb-traefik
Name: gem-lb-traefik
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: gem-lb-traefik
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount gem-lb-traefik default
$ kubectl describe clusterrole gem-lb-traefik
Name: gem-lb-traefik
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
endpoints [] [] [get list watch]
pods [] [] [get list watch]
secrets [] [] [get list watch]
services [] [] [get list watch]
ingresses.extensions [] [] [get list watch]
$ kubectl auth can-i get secrets --namespace default --as system:serviceaccount:default:gem-lb-traefik
yes
Discussion on slack channel below: https://traefik.slack.com/archives/C0CDT22PJ/p1527504010000220
traefik deployment (kubectl get deployment gem-lb-traefik -oyaml):
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  creationTimestamp: 2018-05-28T10:13:59Z
  generation: 1
  labels:
    app: traefik
    chart: traefik-1.31.1
    heritage: Tiller
    release: gem-lb
  name: gem-lb-traefik
  namespace: default
  resourceVersion: "2861633"
  selfLink: /apis/extensions/v1beta1/namespaces/default/deployments/gem-lb-traefik
  uid: d695eb90-625f-11e8-8747-dc4a3e6bd0d7
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: traefik
      release: gem-lb
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      annotations:
        checksum/config: f89e10ab419c8f18994f55f7e8255175c845386c0d3adc7ac386e2bf024f4289
      creationTimestamp: null
      labels:
        app: traefik
        chart: traefik-1.31.1
        heritage: Tiller
        release: gem-lb
    spec:
      containers:
      - args:
        - --configfile=/config/traefik.toml
        image: traefik:1.6.2
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          tcpSocket:
            port: 80
          timeoutSeconds: 2
        name: gem-lb-traefik
        ports:
        - containerPort: 80
          hostPort: 80
          name: http
          protocol: TCP
        - containerPort: 8880
          name: httpn
          protocol: TCP
        - containerPort: 443
          hostPort: 443
          name: https
          protocol: TCP
        - containerPort: 8080
          hostPort: 8080
          name: dash
          protocol: TCP
        readinessProbe:
          failureThreshold: 1
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          tcpSocket:
            port: 80
          timeoutSeconds: 2
        resources:
          limits:
            cpu: 100m
            memory: 30Mi
          requests:
            cpu: 100m
            memory: 20Mi
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /config
          name: config
        - mountPath: /ssl
          name: ssl
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: gem-lb-traefik
      serviceAccountName: gem-lb-traefik
      terminationGracePeriodSeconds: 60
      volumes:
      - configMap:
          defaultMode: 420
          name: gem-lb-traefik
        name: config
      - name: ssl
        secret:
          defaultMode: 420
          secretName: gem-lb-traefik-default-cert
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: 2018-05-28T10:13:59Z
    lastUpdateTime: 2018-05-28T10:13:59Z
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: 2018-05-28T10:13:59Z
    lastUpdateTime: 2018-05-28T10:14:20Z
    message: ReplicaSet "gem-lb-traefik-54bc87db7b" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 1
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1
What did you expect to see?
Expected the controller to get the secrets.
What did you see instead?
Error from server (Forbidden): secrets "dex-tls" is forbidden: User "gem-lb-traefik" cannot get secrets in the namespace "default"
Output of traefik version: (What version of Traefik are you using?)
1.6.2
What is your environment & configuration (arguments, toml, provider, platform, …)?
# traefik.toml
logLevel = "INFO"
InsecureSkipVerify = true
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  compress = true
  [entryPoints.https]
  address = ":443"
  compress = true
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"
[kubernetes]
[web]
address = ":8080"
  [web.auth.basic]
  users = ["k8s-lb:Gemini@123",]
About this issue
- State: closed
- Created 6 years ago
- Comments: 26
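The two kubectl results in the report look contradictory but are not: `--as gem-lb-traefik` impersonates a User named gem-lb-traefik, which no binding mentions, while `--as system:serviceaccount:default:gem-lb-traefik` is the username Kubernetes assigns to the service account the ClusterRoleBinding actually names, so only the second form is granted the ClusterRole. The following added example (not Traefik's or Kubernetes' code) is a small offline model of RBAC subject matching that encodes the ClusterRole and ClusterRoleBinding printed above as constructed dictionaries and evaluates both principals, so the check can be reasoned about without a cluster. It deliberately models only cluster-scoped bindings and plain verb/resource rules; namespaced Roles, resourceNames, aggregated ClusterRoles and non-resource URLs are left out.

```python
"""Minimal offline model of Kubernetes RBAC subject matching.

Added example, not code from Traefik or Kubernetes. The role and binding
below are constructed from the `kubectl describe` output in this issue.
"""

SA_PREFIX = "system:serviceaccount:"

# Constructed from `kubectl describe clusterrole gem-lb-traefik` above.
CLUSTER_ROLE = {
    "name": "gem-lb-traefik",
    "rules": [
        {"apiGroups": [""], "resources": ["endpoints", "pods", "secrets", "services"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["extensions"], "resources": ["ingresses"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed from `kubectl describe clusterrolebinding gem-lb-traefik` above.
CLUSTER_ROLE_BINDING = {
    "roleRef": {"kind": "ClusterRole", "name": "gem-lb-traefik"},
    "subjects": [{"kind": "ServiceAccount", "name": "gem-lb-traefik", "namespace": "default"}],
}


def sa_username(namespace: str, name: str) -> str:
    """Username the API server assigns to a ServiceAccount; this is the
    value `kubectl --as` needs in order to impersonate it."""
    return f"{SA_PREFIX}{namespace}:{name}"


def subject_matches(subject: dict, username: str, groups: frozenset) -> bool:
    """Mirror how the RBAC authorizer compares a binding subject to the
    authenticated principal. A ServiceAccount subject only matches the
    system:serviceaccount:<ns>:<name> username; a bare "gem-lb-traefik"
    is an ordinary User and matches no subject in the binding above."""
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == username
    if kind == "Group":
        return subject["name"] in groups
    if kind == "ServiceAccount":
        return username == sa_username(subject["namespace"], subject["name"])
    return False


def rule_allows(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """A rule grants the request when group, resource and verb all match
    (or are wildcarded)."""
    return (
        (api_group in rule["apiGroups"] or "*" in rule["apiGroups"])
        and (resource in rule["resources"] or "*" in rule["resources"])
        and (verb in rule["verbs"] or "*" in rule["verbs"])
    )


def can_i(username: str, verb: str, resource: str, api_group: str = "",
          groups: frozenset = frozenset(),
          roles=(CLUSTER_ROLE,), bindings=(CLUSTER_ROLE_BINDING,)) -> bool:
    """Return True if some binding naming this principal references a role
    whose rules grant verb on resource. Only ClusterRoleBindings are
    modelled; they apply in every namespace, so none is needed here."""
    roles_by_name = {role["name"]: role for role in roles}
    for binding in bindings:
        if not any(subject_matches(s, username, groups) for s in binding["subjects"]):
            continue
        role = roles_by_name.get(binding["roleRef"]["name"])
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(rule_allows(rule, api_group, resource, verb) for rule in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    # Reproduces the two outcomes in the report: Forbidden for the bare
    # name, "yes" for the service-account username.
    for who in ("gem-lb-traefik", sa_username("default", "gem-lb-traefik")):
        verdict = "yes" if can_i(who, "get", "secrets") else "no"
        print(f"{who}: get secrets -> {verdict}")
```

Running the script prints "no" for the bare User name and "yes" for the service-account form, which is exactly the pair of results in the report. The practical rule it illustrates: when checking what an ingress controller may read, impersonate the principal the binding actually names, otherwise a Forbidden tells you nothing about the controller's real access to Secrets.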
As @w1ndy alluded to in a prior post, this may have something to do with the order of entrypoints in the config. On a hunch from their message, I moved the https entrypoint section to be first in the config file, above the http entrypoint section, and ACME worked. I'd have a hard time believing that this was the real fix and am suspect that maybe a restart was the actual fix, but for what it's worth, if other people are having this issue (especially those using the helm deploy of traefik), try editing the configmap (kubectl edit configmap traefik -n <traefik-namespace>) and move the entrypoints.https section so that it is the first one in the entrypoints list and see if that helps. @w1ndy's comment was to make sure the defaultEntryPoints has https first, but as you can see in my config, I left it at http, https, reordered the entrypoints and it started working (again, it really smells like the restart was the magic sauce, not the changing of the configs). Either way, edit the configmap and fiddle with defaultEntryPoints or the order of entries in the entryPoints section of the toml, and may the odds be ever in your favor.
Excerpt from my configmap:
Hello all,
I have been reviewing this issue for a while now, and there are 3 cases that I see occurring:
1. We have the original case, which I have been unable to reproduce.
2. We have a case where there are log messages about missing secrets, but everything works as intended. This case has an issue filed already (https://github.com/containous/traefik/issues/3667).
3. Other cases that may or may not be related, but are getting confused with the previous two cases.
I will be closing this issue due to deviation from the original unreproducible issue.
If you are using 1.7-RC4+ and are still experiencing issues (OUTSIDE OF LOGGING ISSUES), then we encourage you to open a new issue. If your issue is with logging, feel free to post on #3667.
If you have any further comments or concerns, please feel free to reach out to us on slack: traefik.slack.com
Thanks!
Is your traefik crashing due to this?
I've managed to resolve it by increasing resources.limits.memory
I'm having the same issue; utilizing traefik 1.6.3 on Google 1.10.2-gke.3
Possibly smells like #3128
For me however, it's a basic auth secret that's having the same problems.