helm / charts

⚠️(OBSOLETE) Curated applications for Kubernetes
Apache License 2.0

[stable/traefik] Failed to list *v1.{Service/Endpoints/...} x509: certificate has expired or is not yet valid #12695

Closed zzvara closed 5 years ago

zzvara commented 5 years ago

Is this a request for help?: Yes.

Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT

Version of Helm and Kubernetes: v2.13.1 & v1.13.5 installed with Kubespray

Which chart: stable/traefik

What happened: Deployed chart with the following settings:

helm install stable/traefik --name powerful-hammer --namespace kube-system --set ssl.enabled=true,ssl.enforced=true,ssl.permanentRedirect=true,acme.enabled=true,acme.challengeType=tls-alpn-01,acme.email=***,dashboard.enabled=true,metrics.prometheus.enabled=true,deployment.hostPort.httpEnabled=true,deployment.hostPort.httpsEnabled=true,kvprovider.storeAcme=etcd,acme.persistence.storageClass=local,acme.persistence.size=100Mi

Traefik container produces the following logs:

E0331 16:21:40.837951       1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1.Service: Get https://10.233.0.1:443/api/v1/services?limit=500&resourceVersion=0: x509: certificate has expired or is not yet valid
E0331 16:21:41.840808       1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1.Endpoints: Get https://10.233.0.1:443/api/v1/endpoints?limit=500&resourceVersion=0: x509: certificate has expired or is not yet valid
E0331 16:21:41.841713       1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1beta1.Ingress: Get https://10.233.0.1:443/apis/extensions/v1beta1/ingresses?limit=500&resourceVersion=0: x509: certificate has expired or is not yet valid
E0331 16:21:41.842864       1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1.Service: Get https://10.233.0.1:443/api/v1/services?limit=500&resourceVersion=0: x509: certificate has expired or is not yet valid
E0331 16:21:42.844306       1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1.Endpoints: Get https://10.233.0.1:443/api/v1/endpoints?limit=500&resourceVersion=0: x509: certificate has expired or is not yet valid
E0331 16:21:42.846197       1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1beta1.Ingress: Get https://10.233.0.1:443/apis/extensions/v1beta1/ingresses?limit=500&resourceVersion=0: x509: certificate has expired or is not yet valid

Certificates for the API server have been created for local IP addresses (machine local: 10.1.38.0/24), so externally it is only accessible with the insecure flag provided to kubectl. I guess this is the same problem.

What you expected to happen: Traefik to be able to access the Kubernetes ApiServer. The ApiServer is usually on port 6443, but I'm not familiar enough with Kubernetes to say that it would not be accessible through 10.233.0.1:443. I have also set up stable/openvpn, therefore when I open https://10.233.0.1:443 from my local computer, the Kubernetes ApiServer responds.

How to reproduce it (as minimally and precisely as possible): Bare-metal default installation using Kubespray with Calico network plugin.

Other stuff that may be important: Containers fail to restart on the node where the traefik Pod is deployed. When ssl.enabled is true, suddenly Pods will not be able to start, since the initialization process is not able to access the ApiServer on 10.233.0.1:443. It seems that exposing 443 on any host would mess up the network.
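The error in the Traefik logs is produced by Go's crypto/x509 path validator inside client-go: it compares the validity window of the certificate presented on 10.233.0.1:443 against the pod's clock and returns CertificateInvalidError with reason Expired when the clock falls outside it. The same validator reports a different class of error when a certificate for some other name or IP answers on that socket (HostnameError) or when the issuer is not in the pod's CA bundle (UnknownAuthorityError), so the three situations can be told apart from the error alone. The Go program below is an added example, not code from the stable/traefik chart, from Traefik, or from the reporter: it builds a constructed CA and server certificates with the standard library (the function names issue, makeCA, makeServerCert, classifyAt and fetchPeerLeaf are this example's own), pins the verification clock to the timestamp of the first log line, and shows which failure class each fault yields. fetchPeerLeaf is included for pulling the chain actually presented by a live endpoint (assumed to be run from inside a pod, with verification deliberately disabled for inspection only) and is not exercised offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue generates a fresh ed25519 key and signs tmpl with parentKey, or with the
// new key itself when parentKey is nil (self-signed). Constructed fixtures only.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// makeCA builds a self-signed CA valid over [notBefore, notAfter].
func makeCA(notBefore, notAfter time.Time) (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-test-ca"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, tmpl, nil)
}

// makeServerCert issues a server leaf for one IP SAN (10.233.0.1 in the report), signed by ca.
func makeServerCert(ca *x509.Certificate, caKey ed25519.PrivateKey, ip net.IP, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "kube-apiserver"},
		NotBefore: notBefore, NotAfter: notAfter, IPAddresses: []net.IP{ip},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _, err := issue(tmpl, ca, caKey)
	return cert, err
}

// classifyAt runs the path validation client-go's TLS layer runs, with the clock pinned to now.
func classifyAt(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	if err == nil {
		return "ok"
	}
	var invalid x509.CertificateInvalidError
	if errors.As(err, &invalid) && invalid.Reason == x509.Expired {
		return "expired-or-not-yet-valid" // the Traefik log message: pod clock vs. cert lifetime
	}
	var hostname x509.HostnameError
	if errors.As(err, &hostname) {
		return "hostname-mismatch" // a cert for some other name or IP answered on that socket
	}
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) {
		return "unknown-authority" // issued by a CA missing from the pod's CA bundle
	}
	return "other"
}

// fetchPeerLeaf dials addr (e.g. "10.233.0.1:443" from inside a pod) with verification
// disabled so the chain actually presented can be inspected. Diagnostic use only.
func fetchPeerLeaf(addr string) (*x509.Certificate, error) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	peers := conn.ConnectionState().PeerCertificates
	if len(peers) == 0 {
		return nil, errors.New("no peer certificate presented")
	}
	return peers[0], nil
}

func main() {
	now := time.Date(2019, 3, 31, 16, 21, 40, 0, time.UTC) // timestamp of the first log line
	ca, caKey, _ := makeCA(now.Add(-48*time.Hour), now.Add(24*time.Hour))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	leaf, _ := makeServerCert(ca, caKey, net.ParseIP("10.233.0.1"), now.Add(-24*time.Hour), now.Add(-time.Hour))
	fmt.Println("leaf", leaf.NotBefore.Format(time.RFC3339), "to", leaf.NotAfter.Format(time.RFC3339), "checked at", now.Format(time.RFC3339), "->", classifyAt(leaf, roots, "10.233.0.1", now))
}
```

The practical use is the ordering of the checks: a leaf whose NotBefore is in the future is reported with exactly the same "expired or is not yet valid" text as one that has run out, so the pod's clock should be compared with the NotBefore/NotAfter of the certificate fetchPeerLeaf returns before the certificate itself is blamed; if the chain presented turns out to be for a different name or issuer, the verifier would have reported that instead.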

zzvara commented 5 years ago

Added to description: Other stuff that may be important: Containers fail to restart on the node where the traefik Pod is deployed. When ssl.enabled is true, suddenly Pods will not be able to start, since the initialization process is not able to access the ApiServer on 10.233.0.1:443. It seems that exposing 443 on any host would mess up the network.

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

stale[bot] commented 5 years ago

This issue is being automatically closed due to inactivity.