kubernetes - 将 Traefik 更新到 v1.3.6 后创建 TLS 配置时出错

Question

我正在尝试在 Kubernetes 上从 Traefik v1.2.3 更新到 v1.3.6。我将我的 TLS 证书安装在秘密的 pod 内。在 v1.2.3 下，一切都按预期工作。当我尝试应用我的 v1.3.6 部署（仅更改为新的 docker 映像）时，pod 无法以以下消息启动：

time="2017-08-22T20:27:44Z" level=error msg="Error creating TLS config: tls: failed to find any PEM data in key input"
time="2017-08-22T20:27:44Z" level=fatal msg="Error preparing server: tls: failed to find any PEM data in key input"

下面是我的 traefik.toml 文件：

defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
    address = ":443"
      [entryPoints.https.tls]
        [[entryPoints.https.tls.certificates]]
        CertFile = "/ssl/wildcard.foo.mydomain.com.crt"
        KeyFile = "/ssl/wildcard.foo.mydomain.com.key"
        [[entryPoints.https.tls.certificates]]
        CertFile = "/ssl/wildcard.mydomain.com.crt"
        KeyFile = "/ssl/wildcard.mydomain.com.key"
        [[entryPoints.https.tls.certificates]]
        CertFile = "/ssl/wildcard.local.crt"
        KeyFile = "/ssl/wildcard.local.key"
[kubernetes]
  labelselector = "expose=internal"

我对 pod 产生的错误的初步印象是密钥中的密钥无效。但是，我能够对密钥的内容进行 base64 解码，并看到这些值与我在本地存储的证书文件的值相匹配。此外，如果这些实际上是无效的，我希望在任何版本的 Traefik 上看到这个错误。在查看 Traefik 的更改日志时，我看到 SSL 库已更新，但相关 PR 表明这仅添加了密码，并没有删除任何以前支持的密码。

：编辑带附加信息：

Running with--logLevel=DEBUG提供了这些附加信息（如果有帮助，请在下面完整提供）：

[cluster-traefik-2693375319-w67hf] time="2017-08-22T21:41:19Z" level=debug msg="Global configuration loaded {"GraceTimeOut":10000000000,"Debug":false,"CheckNewVersion":true,"AccessLogsFile":"","TraefikLogsFile":"","LogLevel":"DEBUG","EntryPoints":{"http":{"Network":"","Address":":80","TLS":null,"Redirect":{"EntryPoint":"https","Regex":"","Replacement":""},"Auth":null,"Compress":false},"https":{"Network":"","Address":":443","TLS":{"MinVersion":"","CipherSuites":null,"Certificates":[{"CertFile":"/ssl/wildcard.foo.mydomain.com.crt","KeyFile":"/ssl/wildcard.foo.mydomain.com.key"},{"CertFile":"/ssl/wildcard.mydomain.com.crt","KeyFile":"/ssl/wildcard.mydomain.com.key"},{"CertFile":"/ssl/wildcard.local.crt","KeyFile":"/ssl/wildcard.local.key"}],"ClientCAFiles":null},"Redirect":null,"Auth":null,"Compress":false}},"Cluster":null,"Constraints":[],"ACME":null,"DefaultEntryPoints":["http","https"],"ProvidersThrottleDuration":2000000000,"MaxIdleConnsPerHost":200,"IdleTimeout":180000000000,"InsecureSkipVerify":false,"Retry":null,"HealthCheck":{"Interval":30000000000},"Docker":null,"File":null,"Web":{"Address":":8080","CertFile":"","KeyFile":"","ReadOnly":false,"Statistics":null,"Metrics":{"Prometheus":{"Buckets":[0.1,0.3,1.2,5]}},"Path":"","Auth":null},"Marathon":null,"Consul":null,"ConsulCatalog":null,"Etcd":null,"Zookeeper":null,"Boltdb":null,"Kubernetes":{"Watch":true,"Filename":"","Constraints":[],"Endpoint":"","Token":"","CertAuthFilePath":"","DisablePassHostHeaders":false,"Namespaces":null,"LabelSelector":"expose=internal"},"Mesos":null,"Eureka":null,"ECS":null,"Rancher":null,"DynamoDB":null}"
[cluster-traefik-2693375319-w67hf] time="2017-08-22T21:41:19Z" level=info msg="Preparing server https &{Network: Address::443 TLS:0xc42060d800 Redirect:<nil> Auth:<nil> Compress:false}"
[cluster-traefik-2693375319-w67hf] time="2017-08-22T21:41:19Z" level=error msg="Error creating TLS config: tls: failed to find any PEM data in key input"
[cluster-traefik-2693375319-w67hf] time="2017-08-22T21:41:19Z" level=fatal msg="Error preparing server: tls: failed to find any PEM data in key input"

Answer 1

这个问题原来是Go 1.8 的 crypto/tls 库中的新验证逻辑。他们现在正在验证证书块在-----哪里结束，就像以前一样。我的一个证书文件的私钥以----（缺少连字符）结尾。添加缺少的字符解决了这个问题。