Closed mrmachine closed 8 years ago
@mrmachine
Currently, there is no plan to monitor the cert files and reload haproxy automatically.
As you mentioned you use a container volume to store the certificates, you can monitor the certificates inside the volume container and invoke `/reload.sh` in the haproxy container whenever there is a file change.
@tifayuki I don't understand what you are suggesting. How might I invoke `/reload.sh` in the HAproxy container, when the process that is monitoring the certs volume for changes is in a different container?
In your volume container, you can mount `docker.sock` and then do `docker exec <haproxy_container_name> /reload.sh`
@tifayuki Am I right in understanding then that this will only work when the two containers are deployed to the same node? I am using Docker Cloud, so this might not always be the case, and I thought that mounting the docker socket was only required when not deploying to Docker Cloud?
@mrmachine
When you use `volume_from`, it implies that the two containers are already on the same node. Mounting `docker.sock` should work w/ and w/o Docker Cloud.
In the case of Docker Cloud, you can give the global role to the volume container and install docker cloud cli in it. Then you can do `docker-cloud exec <haproxy_container_name> /reload.sh`
@tifayuki Thanks! This sounds good.
I have implemented this in a fork of `dockercloud/haproxy` already (https://github.com/ixc/letsencrypt-dockercloud-haproxy), and this has allowed me to add a companion `letsencrypt` service to my Docker Cloud stack file to automatically create/renew certificates.
It would be great if `dockercloud/haproxy` itself used `inotify-tools` to watch for changes in `$CERT_FOLDER` and restarted itself when changes are detected. Then I wouldn't need to maintain a fork, and anyone could easily implement their own letsencrypt companion services (or other automated certificate implementations, like `StartEncrypt`).
All anyone would need to do is mount `volumes_from: foo` and set `environment: CERT_FOLDER: /foo`, and have the `foo` service expose a `/foo` volume and install combined certificates into it whenever it needs to.
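A sketch of the watcher discussed in this thread, added here as an example; it is not code from `dockercloud/haproxy` or from the fork linked above. It watches `$CERT_FOLDER` with `inotifywait` and calls `/reload.sh` only when the folder content changed and every combined PEM holds both a certificate and a private key, so a file caught mid-write does not trigger a reload. The `RELOAD_CMD` variable, the function names, the `*.pem` naming, the sleep intervals and the polling fallback are assumptions made for the example.

```shell
#!/bin/sh
# Added example: reload HAProxy only on a real, complete certificate change.
CERT_FOLDER="${CERT_FOLDER:-/certs}"      # folder shared with the companion service
RELOAD_CMD="${RELOAD_CMD:-/reload.sh}"    # or: docker exec <haproxy_container_name> /reload.sh
STATE=""                                  # fingerprint at the last reload

# A combined PEM needs a full certificate block and a full private key block.
pem_is_complete() {
    grep -q  -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q  -- '-----END CERTIFICATE-----' "$1" &&
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" &&
    grep -Eq -- '-----END ([A-Z]+ )?PRIVATE KEY-----' "$1"
}

# Checksum over the names and contents of all *.pem files in a folder.
cert_fingerprint() {
    for f in "$1"/*.pem; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; cat "$f"; fi
    done | cksum
}

# 0 = reload issued, 1 = nothing changed, 2 = incomplete PEM, 3 = reload failed.
reload_if_changed() {
    new=$(cert_fingerprint "$CERT_FOLDER")
    [ "$new" = "$STATE" ] && return 1
    for f in "$CERT_FOLDER"/*.pem; do
        [ -f "$f" ] || continue
        pem_is_complete "$f" || { echo "skip reload: $f is incomplete" >&2; return 2; }
    done
    $RELOAD_CMD || return 3               # unquoted so a multi-word command works
    STATE=$new
}

watch_loop() {
    STATE=$(cert_fingerprint "$CERT_FOLDER")
    if command -v inotifywait >/dev/null 2>&1; then
        while inotifywait -qq -r -e close_write -e moved_to -e delete "$CERT_FOLDER"; do
            sleep 2                       # let a multi-file renewal settle
            reload_if_changed || true
        done
    else                                  # polling fallback without inotify-tools
        while sleep 30; do reload_if_changed || true; done
    fi
}

if [ "${1:-}" = "watch" ]; then watch_loop; fi
```

Run it as `sh watcher.sh watch` (file name assumed) in whichever container has both the certificate volume and a way to reach `/reload.sh`.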