jittering / traefik-kop

A dynamic docker->redis->traefik discovery agent
MIT License

router tls entry missing: router.tls=true without resolver is ignored #32

Closed mwacker-sms closed 2 months ago

mwacker-sms commented 6 months ago

Hi, I am running traefik version v2.11 (current latest as of writing) in combination with the current traefik-kop version (v0.13.2). So far everything works right out of the box in my simple setup (one docker host with traefik, another one with traefik-kop) and the router configuration is updated on traefik.

Since I am not using a certresolver but certificate files configured in my main traefik instance, I have not configured a cert resolver. I observed a strange behaviour when moving one of my services from the traefik host (where it worked just fine) to the traefik-kop host, where it lost the tls configuration.

The labels in use (minimal example):

    [...]
    ports:
      - 123...
    labels:
      traefik.enable: true
      traefik.http.routers.https_backend.rule: "Host(`hostname.example`) && PathPrefix(`/api`)"
      traefik.http.routers.https_backend.entrypoints: websecure
      traefik.http.routers.https_backend.tls: true
      traefik.http.routers.https_backend.service: service_backend
      traefik.http.services.service_backend.loadbalancer.server.port: 123
      traefik.http.services.service_backend.loadbalancer.server.scheme: https

In the Traefik-Dashboard the router was successfully created, but without any TLS configuration.

In Redis there was no key traefik/http/routers/https_backend/tls set. After I created the key manually with the value true according to the Traefik KV doc, the TLS configuration of the router was set as expected.

Since I at least expected traefik-kop to respect the same label configuration as traefik itself, and the above configuration example works fine in traefik itself, I guess this might be a bug in traefik-kop.

After some time I found a workaround by adding a default certresolver label (traefik.http.routers.https_backend.tls.certresolver: default), which at least worked with my configuration. But since this is not necessary on traefik, I consider this behaviour unexpected.

chetan commented 6 months ago

Try setting the certresolver val as shown in the readme. I believe traefik will use defaults at certain times.

Edit: saw that you did add that later. I believe traefik does require this in some situations but I'm not sure of the exact logic it uses. I had this issue with standalone traefik as well.

mwacker-sms commented 5 months ago

It does work as a workaround, but there are warnings in the traefik log: since I have no certresolver configured, traefik complains about a missing default certresolver. As I wrote above, the behaviour of traefik-kop is different from traefik in this case and somewhat unexpected. So traefik-kop should support the label traefik.http.routers.https_backend.tls: true and set the correct redis entry traefik/http/routers/https_backend/tls with the value true, as mentioned above.

michaelkrieger commented 5 months ago

Also experiencing this.

Working configuration as follows:

container

    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.http-echo.rule=Host(`host.mydomain.com`) && PathPrefix(`/http-echo`)'
      - 'traefik.http.routers.http-echo.tls=true'
      - 'traefik.http.services.http-echo.loadBalancer.server.port=1234'

traefik

    labels:
      # Set up Wildcard Certificates for use in other hosts by just specifying tls=true to the router
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=le"
      - "traefik.http.routers.traefik.tls.domains[0].main=mydomain.com"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.mydomain.com"

This works normally, however with traefik-kop, I need to add:

      - "traefik.http.routers.http-echo.tls.certresolver=le"

to each container to get it to work (where le is my defined provider), rather than rely on the global setting of the configuration.

In theory, traefik-kop should handle this the exact same way the normal traefik provider would, no?

I note, for greater clarity, that it appears once the certificate is defined within the provider, it appears to use it. By defining the 'traefik' router in my docker provider, it appears to simply trigger it to load/generate the certificate with the LE provider and at that point it appears to be default for all of the other hosts which match that hostname.

Ideally, it should use the existing certificate the way Traefik does. At the very least, it should not silently ignore the TLS option and should trigger a warning/error. Just spent a bunch of time figuring out why it wasn't working correctly, and it turns out that TLS wasn't on.

chetan commented 3 months ago

@michaelkrieger wrote:

> Ideally, it should use the existing certificate the way Traefik does.

You're right, however thinking about this some more, I believe the issue is that .tls=true without a certresolver tells traefik to use the default. In our case, kop does not know* what your default is and so cannot create the appropriate router config for you. Your traefik service does have this config internally and so inserts it while processing the labels.

> At the very least, it should not silently ignore the TLS option and should trigger a warning/error. Just spent a bunch of time figuring out why it wasn't working correctly, and it turns out that TLS wasn't on.

This is a good point, I'll see if I can manage this. I leverage traefik's label->config code so it may already be dropped by the time I see it.

chetan commented 2 months ago

Added a warning like the following:

    time="2024-06-30T17:58:20-04:00" level=info msg="publishing http://192.168.100.100:5555" service=hello1@docker service-type=http
    time="2024-06-30T17:58:20-04:00" level=warning msg="router hello1@docker has no TLS cert resolver" service=hello1@docker service-type=http
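The check this thread converges on, as an added example that is not traefik-kop's own code: translate a container's docker labels into the KV key layout the issue quotes (`traefik/http/routers/<name>/tls`) and flag every router whose `tls` key is `true` with no `certresolver` key beside it, i.e. the case traefik resolves with its internal default but a KV entry cannot express. The label-to-key rules (dots become slashes, `[n]` indices become `/n`, containers without `traefik.enable=true` contribute nothing) are my assumptions about traefik's KV provider, not a statement of how traefik-kop implements them; the sample labels are constructed from the two label sets posted above.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample mirroring the issue's minimal example:
// tls=true is set, but no certresolver is given.
var sampleLabels = map[string]string{
	"traefik.enable":                                                 "true",
	"traefik.http.routers.https_backend.rule":                        "Host(`hostname.example`) && PathPrefix(`/api`)",
	"traefik.http.routers.https_backend.entrypoints":                 "websecure",
	"traefik.http.routers.https_backend.tls":                         "true",
	"traefik.http.routers.https_backend.service":                     "service_backend",
	"traefik.http.services.service_backend.loadbalancer.server.port": "123",
}

// Constructed sample with the per-container certresolver workaround applied.
var sampleLabelsWithResolver = map[string]string{
	"traefik.enable":                                           "true",
	"traefik.http.routers.http-echo.rule":                      "Host(`host.mydomain.com`) && PathPrefix(`/http-echo`)",
	"traefik.http.routers.http-echo.tls":                       "true",
	"traefik.http.routers.http-echo.tls.certresolver":          "le",
	"traefik.http.routers.http-echo.tls.domains[0].main":       "mydomain.com",
	"traefik.http.services.http-echo.loadBalancer.server.port": "1234",
}

// indexRe matches list indices such as "domains[0]" in a label name.
var indexRe = regexp.MustCompile(`\[(\d+)\]`)

// LabelsToKV maps docker labels to KV-provider keys. Assumed rules: dots become
// slashes, "[n]" becomes "/n", and a container without traefik.enable=true
// yields no keys at all.
func LabelsToKV(labels map[string]string) map[string]string {
	kv := map[string]string{}
	if labels["traefik.enable"] != "true" {
		return kv
	}
	for k, v := range labels {
		if !strings.HasPrefix(k, "traefik.") || k == "traefik.enable" {
			continue
		}
		key := indexRe.ReplaceAllString(k, "/$1")
		kv[strings.ReplaceAll(key, ".", "/")] = v
	}
	return kv
}

// RoutersWithoutResolver lists HTTP routers that request TLS (tls key == "true")
// but carry no certresolver key, which is the configuration the thread shows
// ending up with no TLS at all on the traefik-kop side.
func RoutersWithoutResolver(kv map[string]string) []string {
	const prefix = "traefik/http/routers/"
	var out []string
	for k, v := range kv {
		if !strings.HasPrefix(k, prefix) || !strings.HasSuffix(k, "/tls") || v != "true" {
			continue
		}
		name := strings.TrimSuffix(strings.TrimPrefix(k, prefix), "/tls")
		if _, ok := kv[prefix+name+"/tls/certresolver"]; !ok {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, labels := range []map[string]string{sampleLabels, sampleLabelsWithResolver} {
		kv := LabelsToKV(labels)
		for _, r := range RoutersWithoutResolver(kv) {
			fmt.Printf("warning: router %s has tls=true but no certresolver; "+
				"traefik would apply its default, which this KV entry cannot express\n", r)
		}
		keys := make([]string, 0, len(kv))
		for k := range kv {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		for _, k := range keys {
			fmt.Printf("%s = %s\n", k, kv[k])
		}
		fmt.Println()
	}
}
```

Running it against the first sample prints the warning for `https_backend` and the keys that would be published; the second sample, which carries `tls.certresolver=le`, produces no warning. The same walk over a live Redis key space (rather than labels) would tell you which routers traefik-kop has published without TLS before you discover it from a plain-HTTP response.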