Open tsh356 opened 4 years ago
In a similar position looking to deploy and get certs for HTTPS. +1
You'd need both. The discussion in issue #116 might help, especially starting with @tiangolo's comment.
Do I have to create traefik service (as in https://dockerswarm.rocks/traefik/) in docker-compose.yml or do I have to modify the proxy in docker-compose.override.yml?
> Do I have to create traefik service (as in https://dockerswarm.rocks/traefik/) in docker-compose.yml or do I have to modify the proxy in docker-compose.override.yml?
You need both.
@tsh356 Were you able to resolve this? I can't get these SSL certs to work properly.
Yes, I resolved this. You need both Traefik services: traefik.yml is deployed to its own stack and then this project is deployed to a separate stack. Essentially just follow the steps here https://dockerswarm.rocks/ and then here https://dockerswarm.rocks/traefik/ sequentially. Here was the confusing part for me:
Create the public network:
sudo docker network create --driver=overlay traefik-public
export NODE_ID=$(sudo docker info -f '{{.Swarm.NodeID}}')
sudo docker node update --label-add traefik-public.traefik-public-certificates-live=true $NODE_ID
Then deploy stack #1, the public facing Traefik (note: this DOMAIN is the domain for the traefik web app, not your app domain):
curl -L https://dockerswarm.rocks/traefik.yml -o traefik.yml
export EMAIL=you@example.com && export DOMAIN=traefik.example.com && export USERNAME=admin && export PASSWORD=xxxxxx && export HASHED_PASSWORD=$(openssl passwd -apr1 "$PASSWORD")
docker stack deploy -c traefik.yml traefik
You can then deploy your app stack which contains the second Traefik service (proxy) as well as all the other services contained in docker-compose.yml using scripts/build.sh and scripts/deploy.sh
@tsh356 I didn't realize there were deploy scripts. I think I am hung up where you were on the DOMAIN env variable. So the two different stacks are using the same env variable name, DOMAIN, but with different values. The values change from the script / build order do. Is that correct?
@tsh356 thanks for clarification.
thanks to everybody in this thread, I hadn't understood at all that one is supposed to have two nested traefik containers. I'm not sure where in the docs this would fit, but I think it should be explained more explicitly/verbosely somewhere.
(I NOW SOLVED THIS, see edit below) The theory is now clear (or so it seemed), however I'm only able to reach the dashboard of the public facing traefik container and none of the services. I've set DNS records for both traefik.sys.mydomain.com and mydomain.com to my server's ip, used the former as DOMAIN when creating the outer traefik service and the latter as DOMAIN when running scripts/deploy.sh.
Going to mydomain.com and mydomain.com/docs shows a 404 error (the logs of the public facing traefik show the GET request but no error), while pgadmin.mydomain.com shows the browser's "Page not found" error (and nothing shows up in the logs of either traefik container). In the dashboard at traefik.sys.mydomain.com I see services sname-pgadmin, sname-flower and sname-proxy alongside their routers (where sname is the value I set for STACK_NAME when deploying the stack), but nothing about backend... I noticed that pgadmin, flower and proxy have the label
deploy:
  labels:
    - traefik.constraint-label=${TRAEFIK_PUBLIC_TAG?Variable not set}
while the backend has
deploy:
  labels:
    - traefik.constraint-label-stack=${TRAEFIK_TAG?Variable not set}
So then is the idea to have pgadmin, flower and proxy exposed (and anyway, why can't I reach them)? And have backend reachable only through proxy, so it would show up theoretically in the dashboard of the "inner" traefik (i.e. proxy service) but not in the public facing one? Why not make also pgadmin and flower go through the proxy then?
EDIT: I'm embarrassed to admit, after going with a comb through all the files... I had misspelled my domain when deploying the stack 😔 Now everything works as expected.
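The label split and the misspelled-domain failure described in the comment above can both be checked before deploying. This is an added example, not code from the project or from anyone in this thread; it assumes the public Traefik selects services by traefik.constraint-label and the in-stack proxy by traefik.constraint-label-stack, and the tag values, function names and sample compose data are constructed.

```python
import json
import re

PUBLIC_KEY = "traefik.constraint-label"       # assumed: filter of the public Traefik
STACK_KEY = "traefik.constraint-label-stack"  # assumed: filter of the in-stack proxy

# Constructed sample in the shape of a parsed compose file (list and mapping labels).
SAMPLE = json.loads("""
{"services": {
  "proxy":   {"deploy": {"labels": ["traefik.constraint-label=traefik-public",
      "traefik.http.routers.sname-proxy.rule=Host(`mydomain.com`)"]}},
  "pgadmin": {"deploy": {"labels": ["traefik.constraint-label=traefik-public",
      "traefik.http.routers.sname-pgadmin.rule=Host(`pgadmin.mydomian.com`)"]}},
  "backend": {"deploy": {"labels": {"traefik.constraint-label-stack": "sname-tag",
      "traefik.http.routers.sname-backend.rule": "PathPrefix(`/api`)"}}},
  "db":      {"deploy": {}}
}}
""")

def deploy_labels(service):
    """Return deploy.labels as a dict; Compose accepts a list or a mapping."""
    labels = service.get("deploy", {}).get("labels") or {}
    if isinstance(labels, list):
        labels = dict(item.partition("=")[::2] for item in labels)
    return labels

def audit(compose, public_tag, stack_tag, domain):
    """Group services by the Traefik that routes them; flag off-domain hosts."""
    report = {"public": [], "stack": [], "unrouted": [], "bad_hosts": []}
    for name, svc in sorted(compose["services"].items()):
        labels = deploy_labels(svc)
        if labels.get(PUBLIC_KEY) == public_tag:
            report["public"].append(name)      # reachable from the internet
        elif labels.get(STACK_KEY) == stack_tag:
            report["stack"].append(name)       # only reachable through proxy
        else:
            report["unrouted"].append(name)    # no Traefik picks this up
        for key, value in labels.items():
            if key.endswith(".rule"):
                # Single-host form only: Host(`name`)
                for host in re.findall(r"Host\(`([^`]+)`\)", value):
                    if host != domain and not host.endswith("." + domain):
                        report["bad_hosts"].append((name, host))
    return report

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, "traefik-public", "sname-tag", "mydomain.com"), indent=2))
```

On real input, the dictionary can come from `docker compose config --format json`; anything listed under "public" is exposed by the outer Traefik and should be reviewed for authentication.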
I'm also trying to get this working and was surprised to find out that two Traefiks are necessary. The dockerswarm.rocks docs state:
But doing it in a way that allows you to have other Traefik services inside each stack without interfering with each other, to redirect based on path in the same stack (e.g. one container handles / for a web frontend and another handles /api for an API under the same domain), or to redirect from HTTP to HTTPS selectively.
...which makes it sound like having two is really for if you want to run multiple stacks. But if you just want to run a single stack would it be possible to get everything done with a single Traefik instance?
+1 for a more detailed explanation/documentation 😓 (a diagram would be awesome)
I was imagining the 1 traefik public instance would listen/handle all services in the different nodes; not sure I quite get the need for a second internal traefik nor do I understand why some 'internal' services are exposed in the external traefik rather than in the internal stack traefik (e.g. pgadmin, flower)
the idea for different stacks is for different env versions of the same app stack (staging, production), or different applications altogether?
Is it necessary to copy all project files / clone repo to server? Or maybe is it possible to deploy from local computer to server directly?
Edit: it is necessary. I will probably automate it somehow with pyinfra or ci/cd.
I have a question about deployment using the ideas from dockerswarm.rocks.
Is the Traefik service found here: https://dockerswarm.rocks/traefik/ meant to replace/merge with the “proxy” service in docker-compose.yml below? Or do we need both? If we need both, what is their purpose?