
Proxying a registry through Traefik fails with a certificate error or a 404, and how to work out what goes after apiVersion: from the CRD

### 1. The case

I had been using ingress-nginx and logging in never had a problem, but after switching to a Traefik IngressRoute, login started returning 404. Traefik runs with hostNetwork.

```yaml
# ingressroute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: registry-ingress
  namespace: kube-system
  annotations:
    traefik.ingress.kubernetes.io/proxy-body-size: "100G" # allow large image pushes
    traefik.ingress.kubernetes.io/backend-protocol: "HTTP" # the Registry service speaks HTTP
spec:
  entryPoints:
    - websecure
  tls:
    secretName: registry-tls-secret
  routes:
    - kind: Rule
      match: Host(`registry.xwk.local`)
      services:
        - name: docker-registry
          port: 5000
```

Log in to the image registry:
```text
[root@master-11 traefik]# nerdctl login registry.xwk.local -u admin
Enter Password:
ERRO[0002] failed to call tryLoginWithRegHost            error="failed to call rh.Client.Do: Get \"https://registry.xwk.local/v2/\": tls: failed to verify certificate: x509: certificate is valid for c3c8713db2c9b904e81151755d904f4d.50cfbca43d1a9c0ce54387d3417e872a.traefik.default, not registry.xwk.local" i=0
FATA[0002] failed to call rh.Client.Do: Get "https://registry.xwk.local/v2/": tls: failed to verify certificate: x509: certificate is valid for c3c8713db2c9b904e81151755d904f4d.50cfbca43d1a9c0ce54387d3417e872a.traefik.default, not registry.xwk.local
```

I then tried skipping certificate verification, but that returned a 404:
```text
[root@master-11 registry]# nerdctl login --insecure-registry registry.xwk.local -u admin
Enter Password:
WARN[0002] skipping verifying HTTPS certs for "registry.xwk.local"
ERRO[0002] failed to call tryLoginWithRegHost            error="unexpected status code 404" i=0
FATA[0002] unexpected status code 404
```

Turn on Traefik's debug logging:
```text
[root@master-11 ~]# kubectl edit deployments -n kube-system traefik
...
...
- args:
  - --global.checknewversion
  - --global.sendanonymoususage
  - --entryPoints.metrics.address=:9100/tcp
  - --entryPoints.traefik.address=:8080/tcp
  - --entryPoints.web.address=:80/tcp
  - --entryPoints.websecure.address=:443/tcp
  - --api.dashboard=true
  - --ping=true
  - --metrics.prometheus=true
  - --metrics.prometheus.entrypoint=metrics
  - --providers.kubernetescrd
  - --providers.kubernetescrd.allowEmptyServices=true
  - --providers.kubernetesingress
  - --providers.kubernetesingress.allowEmptyServices=true
  - --providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik
  - --entryPoints.websecure.http.tls=true
  - --log.level=INFO
  - --log.level=DEBUG     # added
  - --accesslog=true      # added
...
...
```

Looking at the Traefik log again: Traefik did not find the TLS secret I specified and used its own default certificate instead, so login kept failing, even though the certificate does exist and is correct.
```text
2025-08-30T11:20:37Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "registry.xwk.local"
10.0.0.11 - - [30/Aug/2025:11:20:37 +0000] "GET /v2/ HTTP/1.1" 404 19 "-" "-" 1 "-" "-" 0ms
```
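These two log lines are enough to tell a route that was never loaded from an error in the registry backend: Traefik logs `Serving default certificate` when it has no certificate matching the requested server name, and in its common-log-format access log the router and server-URL fields are `-` when no router matched the request. The script below is an added example, not part of the original post, that pulls both signals out of a log; the third sample line (router name and backend address) is constructed for contrast, and the function names are illustrative.

```bash
#!/usr/bin/env bash
# Sample input: the two log lines from this page plus one constructed routed request.
SAMPLE_LOG='2025-08-30T11:20:37Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "registry.xwk.local"
10.0.0.11 - - [30/Aug/2025:11:20:37 +0000] "GET /v2/ HTTP/1.1" 404 19 "-" "-" 1 "-" "-" 0ms
10.0.0.11 - - [30/Aug/2025:11:25:02 +0000] "GET /v2/ HTTP/1.1" 401 87 "-" "-" 2 "constructed-router@kubernetescrd" "http://10.244.1.7:5000" 3ms'

# Server names for which Traefik fell back to its default certificate (log on stdin).
default_cert_hosts() {
  sed -n 's/.*Serving default certificate for request: "\([^"]*\)".*/\1/p' | sort -u
}

# Access-log requests answered by Traefik itself because no router matched.
# Splitting on double quotes puts the request in field 2 and the router name in field 8.
unrouted_requests() {
  awk -F'"' 'NF >= 11 && $8 == "-" { split($3, s, " "); print s[1], $2 }'
}

echo "default certificate served for:"
printf '%s\n' "$SAMPLE_LOG" | default_cert_hosts
echo "requests with no matching router:"
printf '%s\n' "$SAMPLE_LOG" | unrouted_requests
```

A host that shows up in the first list while its requests show up in the second points at the IngressRoute not being loaded at all, rather than at the TLS secret or the registry service.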
### 2. Check your Traefik version and whether the IngressRoute apiVersion is filled in correctly
Here you can see that my cluster has two versions of the Traefik CRDs: the CRDs of the old Traefik version were left behind.

```text
[root@master-11 ~]# kubectl get crd | grep ingressroute
ingressroutes.traefik.containo.us            2025-08-17T10:25:27Z
ingressroutes.traefik.io                     2025-08-17T10:19:18Z
ingressroutetcps.traefik.containo.us         2025-08-17T10:25:27Z
ingressroutetcps.traefik.io                  2025-08-17T10:19:18Z
ingressrouteudps.traefik.containo.us         2025-08-17T10:25:27Z
ingressrouteudps.traefik.io                  2025-08-17T10:19:18Z
```

Next, check whether the CRD you are using is the right one:
```text
[root@master-11 registry]# kubectl get crd ingressroutes.traefik.io -o yaml | grep group -A 10
  group: traefik.io
  names:
    kind: IngressRoute
    listKind: IngressRouteList
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
[root@master-11 registry]# cat ingressroute.yaml
apiVersion: traefik.containo.us/v1alpha1                      # the Traefik CRD version I was using is completely wrong
kind: IngressRoute
metadata:
  name: registry-ingress
  namespace: kube-system
  annotations:
    traefik.ingress.kubernetes.io/proxy-body-size: "100G" # allow large image pushes
    traefik.ingress.kubernetes.io/backend-protocol: "HTTP" # the Registry service speaks HTTP
spec:
  entryPoints:
    - websecure
  tls:
    secretName: registry-tls-secret
  routes:
    - kind: Rule
      match: Host(`registry.xwk.local`)
      services:
        - name: docker-registry
          port: 5000
```
### 3. Fix the IngressRoute
```text
[root@master-11 registry]# cat ingressroute.yaml
apiVersion: traefik.io/v1alpha1                        # changed to the version my Traefik actually uses
kind: IngressRoute
metadata:
  name: registry-ingress
  namespace: kube-system
  annotations:
    traefik.ingress.kubernetes.io/proxy-body-size: "100G" # allow large image pushes
    traefik.ingress.kubernetes.io/backend-protocol: "HTTP" # the Registry service speaks HTTP
spec:
  entryPoints:
    - web
    - websecure
  tls:
    secretName: registry-tls-secret # the TLS Secret created in the earlier step
  routes:
    - kind: Rule
      match: Host(`registry.xwk.local`)
      services:
        - name: docker-registry
          port: 5000
```

Apply it, then test again:
```text
[root@master-11 registry]# nerdctl login --insecure-registry registry.xwk.local -u admin
Enter Password:
WARN[0002] skipping verifying HTTPS certs for "registry.xwk.local"
WARNING: Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@master-11 registry]# nerdctl pull registry.xwk.local/wod/nginx
registry.xwk.local/wod/nginx:latest:                                              resolved       |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:104fded227a722e64a0bc8afb5c7993ca58ce790c8259adcc84e20be8de2292f: done           |++++++++++++++++++++++++++++++++++++++|
config-sha256:4cad75abc83d5ca6ee22053d85850676eaef657ee9d723d7bef61179e1e1e485:   done           |++++++++++++++++++++++++++++++++++++++|
elapsed: 0.1 s                                                                    total:   0.0 B (0.0 B/s)
```

The registry can now be accessed normally.
### 4. How to work out what your apiVersion should be
```text
[root@master-11 registry]# kubectl get crd ingressroutes.traefik.io -o yaml | grep group -A 10      # look at what grep prints below
  group: traefik.io       # this is your prefix
  names:
    kind: IngressRoute
    listKind: IngressRouteList
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
  versions:
  - name: v1alpha1        # this is your suffix
    schema:
      openAPIV3Schema:
```

So apiVersion should be traefik.io/v1alpha1.

For a resource such as a Deployment, use `kubectl api-resources | grep deployment` (substitute the resource you want to look up):

```text
[root@master-11 ~]# kubectl api-resources | grep deployment
deployments                        deploy                              apps/v1                                true         Deployment    # apps/v1 is the value you want
```
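The lookup above, as an added example that is not part of the original post: it builds the valid apiVersion strings from CRD YAML (the group plus each served version) and checks a manifest against them. Traefik v3 no longer reads the `traefik.containo.us` group, which is why the leftover CRD let `kubectl apply` accept the old manifest while the route was never loaded. The CRD sample is constructed and trimmed, and the function names are illustrative.

```bash
#!/usr/bin/env bash
# Constructed sample: trimmed `kubectl get crd ingressroutes.traefik.io -o yaml`.
CRD_YAML='spec:
  group: traefik.io
  names:
    kind: IngressRoute
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema: {}
    served: true
    storage: true
status:
  storedVersions:
  - v1alpha1'

# Print "<group>/<version>" for every served version of a CRD read from stdin.
# Assumes the 2-space layout that `kubectl ... -o yaml` prints.
crd_api_versions() {
  awk '
    function emit() {
      if (ver != "" && served == "true") print group "/" ver
      ver = ""; served = ""
    }
    /^  group:/                { group = $2 }
    /^  versions:/             { in_v = 1; next }
    in_v && !/^  [- ]/         { emit(); in_v = 0 }   # left the versions list
    in_v && /^  - /            { emit() }             # next version entry
    in_v && /^  [- ] name:/    { ver = $NF }
    in_v && /^  [- ] served:/  { served = $NF }
    END                        { emit() }
  '
}

# $1 = manifest text, $2 = YAML of the CRD that the running controller watches.
check_manifest() {
  want=$(printf '%s\n' "$1" | awk '$1 == "apiVersion:" { print $2; exit }')
  if printf '%s\n' "$2" | crd_api_versions | grep -qxF -- "$want"; then
    echo "OK: $want is served by this CRD"
  else
    echo "MISMATCH: $want is not served by this CRD"; return 1
  fi
}

OLD='apiVersion: traefik.containo.us/v1alpha1'   # manifest from section 1
NEW='apiVersion: traefik.io/v1alpha1'            # manifest from section 3
check_manifest "$OLD" "$CRD_YAML" || true
check_manifest "$NEW" "$CRD_YAML"
```

On a live cluster, feed it `kubectl get crd ingressroutes.traefik.io -o yaml` and the output of `cat ingressroute.yaml` in place of the embedded samples.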