openfaas / faas

OpenFaaS - Serverless Functions Made Simple
https://www.openfaas.com
MIT License

Configure Traefik with SSL Support not working #643

Closed simiwe closed 6 years ago

simiwe commented 6 years ago

Thanks for this awesome project.

I was following the guide "Integrate Traefik with your OpenFaaS cluster" to add SSL support using Let's Encrypt.

I hit the issue below after completing the "Configure Traefik with SSL Support" step and running `$ ./deploy_stack.sh`:

$ docker service logs -f func_traefik

func_traefik.1.ytsz71ul5ud8@linuxkit-025000000001    | time="2018-04-13T08:54:27Z" level=info msg="Traefik version v1.3.8 built on 2017-09-07_08:46:19PM"
func_traefik.1.ywe1w5uf3ps5@linuxkit-025000000001    | time="2018-04-13T09:04:18Z" level=info msg="Traefik version v1.3.8 built on 2017-09-07_08:46:19PM"
func_traefik.1.z2xv69hac668@linuxkit-025000000001    | time="2018-04-13T08:56:36Z" level=info msg="Traefik version v1.3.8 built on 2017-09-07_08:46:19PM"
func_traefik.1.z6cskqt1dvit@linuxkit-025000000001    | time="2018-04-13T09:01:29Z" level=info msg="Traefik version v1.3.8 built on 2017-09-07_08:46:19PM"
func_traefik.1.ytsz71ul5ud8@linuxkit-025000000001    | time="2018-04-13T08:54:27Z" level=debug msg="Global configuration loaded {"GraceTimeOut":10000000000,"Debug":true,"CheckNewVersion":true,"AccessLogsFile":"","TraefikLogsFile":"","LogLevel":"DEBUG","EntryPoints":{"http":{"Network":"","Address":":80","TLS":null,"Redirect":null,"Auth":null,"Compress":false},"https":{"Network":"","Address":":443","TLS":{"MinVersion":"","CipherSuites":null,"Certificates":[],"ClientCAFiles":null},"Redirect":null,"Auth":null,"Compress":false}},"Cluster":null,"Constraints":[],"ACME":{"Email":"ssl@mulantech.com","Domains":[{"Main":"local.mulansoft.com","SANs":["faas.mulansoft.com"]}],"Storage":"/etc/traefik/acme/acme.json","StorageFile":"","OnDemand":true,"OnHostRule":true,"CAServer":"","EntryPoint":"","DNSProvider":"","DelayDontCheckDNS":0,"ACMELogging":false,"TLSConfig":null},"DefaultEntryPoints":["http","https"],"ProvidersThrottleDuration":2000000000,"MaxIdleConnsPerHost":200,"IdleTimeout":180000000000,"InsecureSkipVerify":false,"Retry":null,"HealthCheck":{"Interval":30000000000},"Docker":{"Watch":true,"Filename":"","Constraints":null,"Endpoint":"unix:///var/run/docker.sock","Domain":"traefik","TLS":null,"ExposedByDefault":true,"UseBindPortIP":false,"SwarmMode":true},"File":null,"Web":{"Address":":8080","CertFile":"","KeyFile":"","ReadOnly":false,"Statistics":null,"Metrics":null,"Path":"","Auth":null},"Marathon":null,"Consul":null,"ConsulCatalog":null,"Etcd":null,"Zookeeper":null,"Boltdb":null,"Kubernetes":null,"Mesos":null,"Eureka":null,"ECS":null,"Rancher":null,"DynamoDB":null}"
func_traefik.1.ywe1w5uf3ps5@linuxkit-025000000001    | time="2018-04-13T09:04:18Z" level=debug msg="Global configuration loaded {"GraceTimeOut":10000000000,"Debug":true,"CheckNewVersion":true,"AccessLogsFile":"","TraefikLogsFile":"","LogLevel":"DEBUG","EntryPoints":{"http":{"Network":"","Address":":80","TLS":null,"Redirect":null,"Auth":null,"Compress":false},"https":{"Network":"","Address":":443","TLS":{"MinVersion":"","CipherSuites":null,"Certificates":[],"ClientCAFiles":null},"Redirect":null,"Auth":null,"Compress":false}},"Cluster":null,"Constraints":[],"ACME":{"Email":"coolman@gmail.com","Domains":[{"Main":"local.traefit.com","SANs":["faas.traefik.com"]}],"Storage":"/etc/traefik/acme/acme.json","StorageFile":"","OnDemand":true,"OnHostRule":true,"CAServer":"","EntryPoint":"","DNSProvider":"","DelayDontCheckDNS":0,"ACMELogging":false,"TLSConfig":null},"DefaultEntryPoints":["http","https"],"ProvidersThrottleDuration":2000000000,"MaxIdleConnsPerHost":200,"IdleTimeout":180000000000,"InsecureSkipVerify":false,"Retry":null,"HealthCheck":{"Interval":30000000000},"Docker":{"Watch":true,"Filename":"","Constraints":null,"Endpoint":"unix:///var/run/docker.sock","Domain":"traefik","TLS":null,"ExposedByDefault":true,"UseBindPortIP":false,"SwarmMode":true},"File":null,"Web":{"Address":":8080","CertFile":"","KeyFile":"","ReadOnly":false,"Statistics":null,"Metrics":null,"Path":"","Auth":null},"Marathon":null,"Consul":null,"ConsulCatalog":null,"Etcd":null,"Zookeeper":null,"Boltdb":null,"Kubernetes":null,"Mesos":null,"Eureka":null,"ECS":null,"Rancher":null,"DynamoDB":null}"
func_traefik.1.ywe1w5uf3ps5@linuxkit-025000000001    | time="2018-04-13T09:04:18Z" level=info msg="Preparing server http &{Network: Address::80 TLS:<nil> Redirect:<nil> Auth:<nil> Compress:false}"
func_traefik.1.ytsz71ul5ud8@linuxkit-025000000001    | time="2018-04-13T08:54:27Z" level=info msg="Preparing server https &{Network: Address::443 TLS:0xc42056ecc0 Redirect:<nil> Auth:<nil> Compress:false}"
func_traefik.1.z6cskqt1dvit@linuxkit-025000000001    | time="2018-04-13T09:01:29Z" level=debug msg="Global configuration loaded {"GraceTimeOut":10000000000,"Debug":true,"CheckNewVersion":true,"AccessLogsFile":"","TraefikLogsFile":"","LogLevel":"DEBUG","EntryPoints":{"http":{"Network":"","Address":":80","TLS":null,"Redirect":null,"Auth":null,"Compress":false},"https":{"Network":"","Address":":443","TLS":{"MinVersion":"","CipherSuites":null,"Certificates":[],"ClientCAFiles":null},"Redirect":null,"Auth":null,"Compress":false}},"Cluster":null,"Constraints":[],"ACME":{"Email":"coolman@gmail.com","Domains":[{"Main":"local.traefit.com","SANs":["faas.traefik.com"]}],"Storage":"/etc/traefik/acme/acme.json","StorageFile":"","OnDemand":true,"OnHostRule":true,"CAServer":"","EntryPoint":"","DNSProvider":"","DelayDontCheckDNS":0,"ACMELogging":false,"TLSConfig":null},"DefaultEntryPoints":["http","https"],"ProvidersThrottleDuration":2000000000,"MaxIdleConnsPerHost":200,"IdleTimeout":180000000000,"InsecureSkipVerify":false,"Retry":null,"HealthCheck":{"Interval":30000000000},"Docker":{"Watch":true,"Filename":"","Constraints":null,"Endpoint":"unix:///var/run/docker.sock","Domain":"traefik","TLS":null,"ExposedByDefault":true,"UseBindPortIP":false,"SwarmMode":true},"File":null,"Web":{"Address":":8080","CertFile":"","KeyFile":"","ReadOnly":false,"Statistics":null,"Metrics":null,"Path":"","Auth":null},"Marathon":null,"Consul":null,"ConsulCatalog":null,"Etcd":null,"Zookeeper":null,"Boltdb":null,"Kubernetes":null,"Mesos":null,"Eureka":null,"ECS":null,"Rancher":null,"DynamoDB":null}"
func_traefik.1.ywe1w5uf3ps5@linuxkit-025000000001    | time="2018-04-13T09:04:18Z" level=info msg="Preparing server https &{Network: Address::443 TLS:0xc4204d4c60 Redirect:<nil> Auth:<nil> Compress:false}"
func_traefik.1.z2xv69hac668@linuxkit-025000000001    | time="2018-04-13T08:56:36Z" level=debug msg="Global configuration loaded {"GraceTimeOut":10000000000,"Debug":true,"CheckNewVersion":true,"AccessLogsFile":"","TraefikLogsFile":"","LogLevel":"DEBUG","EntryPoints":{"http":{"Network":"","Address":":80","TLS":null,"Redirect":null,"Auth":null,"Compress":false},"https":{"Network":"","Address":":443","TLS":{"MinVersion":"","CipherSuites":null,"Certificates":[],"ClientCAFiles":null},"Redirect":null,"Auth":null,"Compress":false}},"Cluster":null,"Constraints":[],"ACME":{"Email":"ssl@mulantech.com","Domains":[{"Main":"local.mulansoft.com","SANs":["faas.mulansoft.com"]}],"Storage":"/etc/traefik/acme/acme.json","StorageFile":"","OnDemand":true,"OnHostRule":true,"CAServer":"","EntryPoint":"","DNSProvider":"","DelayDontCheckDNS":0,"ACMELogging":false,"TLSConfig":null},"DefaultEntryPoints":["http","https"],"ProvidersThrottleDuration":2000000000,"MaxIdleConnsPerHost":200,"IdleTimeout":180000000000,"InsecureSkipVerify":false,"Retry":null,"HealthCheck":{"Interval":30000000000},"Docker":{"Watch":true,"Filename":"","Constraints":null,"Endpoint":"unix:///var/run/docker.sock","Domain":"traefik","TLS":null,"ExposedByDefault":true,"UseBindPortIP":false,"SwarmMode":true},"File":null,"Web":{"Address":":8080","CertFile":"","KeyFile":"","ReadOnly":false,"Statistics":null,"Metrics":null,"Path":"","Auth":null},"Marathon":null,"Consul":null,"ConsulCatalog":null,"Etcd":null,"Zookeeper":null,"Boltdb":null,"Kubernetes":null,"Mesos":null,"Eureka":null,"ECS":null,"Rancher":null,"DynamoDB":null}"
func_traefik.1.ytsz71ul5ud8@linuxkit-025000000001    | time="2018-04-13T08:54:27Z" level=error msg="Error creating TLS config: Unknown entrypoint  for ACME configuration"
func_traefik.1.ytsz71ul5ud8@linuxkit-025000000001    | time="2018-04-13T08:54:27Z" level=fatal msg="Error preparing server: Unknown entrypoint  for ACME configuration"
func_traefik.1.z6cskqt1dvit@linuxkit-025000000001    | time="2018-04-13T09:01:29Z" level=info msg="Preparing server https &{Network: Address::443 TLS:0xc4204544e0 Redirect:<nil> Auth:<nil> Compress:false}"
func_traefik.1.z2xv69hac668@linuxkit-025000000001    | time="2018-04-13T08:56:36Z" level=info msg="Preparing server https &{Network: Address::443 TLS:0xc420592c00 Redirect:<nil> Auth:<nil> Compress:false}"
func_traefik.1.ywe1w5uf3ps5@linuxkit-025000000001    | time="2018-04-13T09:04:18Z" level=error msg="Error creating TLS config: Unknown entrypoint  for ACME configuration"
func_traefik.1.z2xv69hac668@linuxkit-025000000001    | time="2018-04-13T08:56:36Z" level=error msg="Error creating TLS config: Unknown entrypoint  for ACME configuration"
func_traefik.1.z6cskqt1dvit@linuxkit-025000000001    | time="2018-04-13T09:01:29Z" level=error msg="Error creating TLS config: Unknown entrypoint  for ACME configuration"
func_traefik.1.z6cskqt1dvit@linuxkit-025000000001    | time="2018-04-13T09:01:29Z" level=fatal msg="Error preparing server: Unknown entrypoint  for ACME configuration"
func_traefik.1.z2xv69hac668@linuxkit-025000000001    | time="2018-04-13T08:56:36Z" level=fatal msg="Error preparing server: Unknown entrypoint  for ACME configuration"
func_traefik.1.ywe1w5uf3ps5@linuxkit-025000000001    | time="2018-04-13T09:04:18Z" level=fatal msg="Error preparing server: Unknown entrypoint  for ACME configuration"
func_traefik.1.k2byiv9w2t7w@linuxkit-025000000001    | time="2018-04-13T09:05:48Z" level=info msg="Traefik version v1.3.8 built on 2017-09-07_08:46:19PM"
func_traefik.1.k2byiv9w2t7w@linuxkit-025000000001    | time="2018-04-13T09:05:48Z" level=debug msg="Global configuration loaded {"GraceTimeOut":10000000000,"Debug":true,"CheckNewVersion":true,"AccessLogsFile":"","TraefikLogsFile":"","LogLevel":"DEBUG","EntryPoints":{"http":{"Network":"","Address":":80","TLS":null,"Redirect":null,"Auth":null,"Compress":false},"https":{"Network":"","Address":":443","TLS":{"MinVersion":"","CipherSuites":null,"Certificates":[],"ClientCAFiles":null},"Redirect":null,"Auth":null,"Compress":false}},"Cluster":null,"Constraints":[],"ACME":{"Email":"coolman@gmail.com","Domains":[{"Main":"local.traefit.com","SANs":["faas.traefik.com"]}],"Storage":"/etc/traefik/acme/acme.json","StorageFile":"","OnDemand":true,"OnHostRule":true,"CAServer":"","EntryPoint":"","DNSProvider":"","DelayDontCheckDNS":0,"ACMELogging":false,"TLSConfig":null},"DefaultEntryPoints":["http","https"],"ProvidersThrottleDuration":2000000000,"MaxIdleConnsPerHost":200,"IdleTimeout":180000000000,"InsecureSkipVerify":false,"Retry":null,"HealthCheck":{"Interval":30000000000},"Docker":{"Watch":true,"Filename":"","Constraints":null,"Endpoint":"unix:///var/run/docker.sock","Domain":"traefik","TLS":null,"ExposedByDefault":true,"UseBindPortIP":false,"SwarmMode":true},"File":null,"Web":{"Address":":8080","CertFile":"","KeyFile":"","ReadOnly":false,"Statistics":null,"Metrics":null,"Path":"","Auth":null},"Marathon":null,"Consul":null,"ConsulCatalog":null,"Etcd":null,"Zookeeper":null,"Boltdb":null,"Kubernetes":null,"Mesos":null,"Eureka":null,"ECS":null,"Rancher":null,"DynamoDB":null}"
func_traefik.1.k2byiv9w2t7w@linuxkit-025000000001    | time="2018-04-13T09:05:48Z" level=info msg="Preparing server https &{Network: Address::443 TLS:0xc420350f60 Redirect:<nil> Auth:<nil> Compress:false}"
func_traefik.1.k2byiv9w2t7w@linuxkit-025000000001    | time="2018-04-13T09:05:48Z" level=error msg="Error creating TLS config: Unknown entrypoint  for ACME configuration"
func_traefik.1.k2byiv9w2t7w@linuxkit-025000000001    | time="2018-04-13T09:05:48Z" level=fatal msg="Error preparing server: Unknown entrypoint  for ACME configuration"
func_traefik.1.sjxsrngp5yym@linuxkit-025000000001    | time="2018-04-13T09:05:56Z" level=info msg="Traefik version v1.3.8 built on 2017-09-07_08:46:19PM"
func_traefik.1.sjxsrngp5yym@linuxkit-025000000001    | time="2018-04-13T09:05:56Z" level=debug msg="Global configuration loaded {"GraceTimeOut":10000000000,"Debug":true,"CheckNewVersion":true,"AccessLogsFile":"","TraefikLogsFile":"","LogLevel":"DEBUG","EntryPoints":{"http":{"Network":"","Address":":80","TLS":null,"Redirect":null,"Auth":null,"Compress":false},"https":{"Network":"","Address":":443","TLS":{"MinVersion":"","CipherSuites":null,"Certificates":[],"ClientCAFiles":null},"Redirect":null,"Auth":null,"Compress":false}},"Cluster":null,"Constraints":[],"ACME":{"Email":"coolman@gmail.com","Domains":[{"Main":"local.traefit.com","SANs":["faas.traefik.com"]}],"Storage":"/etc/traefik/acme/acme.json","StorageFile":"","OnDemand":true,"OnHostRule":true,"CAServer":"","EntryPoint":"","DNSProvider":"","DelayDontCheckDNS":0,"ACMELogging":false,"TLSConfig":null},"DefaultEntryPoints":["http","https"],"ProvidersThrottleDuration":2000000000,"MaxIdleConnsPerHost":200,"IdleTimeout":180000000000,"InsecureSkipVerify":false,"Retry":null,"HealthCheck":{"Interval":30000000000},"Docker":{"Watch":true,"Filename":"","Constraints":null,"Endpoint":"unix:///var/run/docker.sock","Domain":"traefik","TLS":null,"ExposedByDefault":true,"UseBindPortIP":false,"SwarmMode":true},"File":null,"Web":{"Address":":8080","CertFile":"","KeyFile":"","ReadOnly":false,"Statistics":null,"Metrics":null,"Path":"","Auth":null},"Marathon":null,"Consul":null,"ConsulCatalog":null,"Etcd":null,"Zookeeper":null,"Boltdb":null,"Kubernetes":null,"Mesos":null,"Eureka":null,"ECS":null,"Rancher":null,"DynamoDB":null}"
func_traefik.1.sjxsrngp5yym@linuxkit-025000000001    | time="2018-04-13T09:05:56Z" level=info msg="Preparing server https &{Network: Address::443 TLS:0xc420510480 Redirect:<nil> Auth:<nil> Compress:false}"
func_traefik.1.sjxsrngp5yym@linuxkit-025000000001    | time="2018-04-13T09:05:56Z" level=error msg="Error creating TLS config: Unknown entrypoint  for ACME configuration"
func_traefik.1.sjxsrngp5yym@linuxkit-025000000001    | time="2018-04-13T09:05:56Z" level=fatal msg="Error preparing server: Unknown entrypoint  for ACME configuration"

Expected Behaviour

$ curl -u user:password -X POST https://your-domain.com/function/func_echoit -d "hello OpenFaaS"
hello OpenFaaS
$curl -X POST https://your-domain.com/function/func_echoit -d "hello OpenFaaS"
401 Unauthorized

Current Behaviour

The traefik container exits after running `$ ./deploy_stack.sh`.

$ docker ps -a

CONTAINER ID        IMAGE                              COMMAND                  CREATED                  STATUS                          PORTS                NAMES
d636de921401        traefik:v1.3                       "/traefik -c --docke…"   Less than a second ago   Created                                              func_traefik.1.pecpecwz8gkywl1zkqljo5a5s
99c367754540        traefik:v1.3                       "/traefik -c --docke…"   6 seconds ago            Exited (1) About a minute ago                        func_traefik.1.zauk2vhpq24jb8q2g0h4wksxo
413f47a06155        traefik:v1.3                       "/traefik -c --docke…"   3 minutes ago            Exited (1) 4 minutes ago                             func_traefik.1.zgzrcccxl5bwk8xacnxagkb23
0471b5bdfa2b        traefik:v1.3                       "/traefik -c --docke…"   4 minutes ago            Exited (1) 5 minutes ago                             func_traefik.1.z9ypkrugelw8t5ako7z8tklex
6b7f26395c88        traefik:v1.3                       "/traefik -c --docke…"   21 minutes ago           Exited (1) 22 minutes ago                            func_traefik.1.z6cskqt1dvit8zqsz63hiyb8y
dfef648848b9        stefanprodan/faas-grafana:4.6.3    "/etc/grafana/docker…"   37 minutes ago           Up 39 minutes                   3000/tcp             func_grafana.1.kuh08y5dd14gihcntzxiqyp3t
c4f667a801b8        functions/faas-swarm:0.2.3         "./faas-swarm"           38 minutes ago           Up 39 minutes                   8080/tcp             func_faas-swarm.1.y1nr8e8fzxkoxvq1hgn792ou6
71603e5f3404        functions/hubstats:latest          "/usr/bin/fwatchdog"     38 minutes ago           Up 39 minutes (healthy)                              func_hubstats.1.4afze138bl8mdwisuuoumj72u
ad152254270e        prom/alertmanager:v0.15.0-rc.0     "/bin/alertmanager -…"   38 minutes ago           Up 39 minutes                   9093/tcp             func_alertmanager.1.3ofc9kmgl5qr2xmn0nrga7o54
8d14346e77ac        functions/alpine:latest            "fwatchdog"              38 minutes ago           Up 39 minutes (healthy)                              func_echoit.1.hzn087xc18uld09js1h436grr
dcf16c89e325        functions/alpine:latest            "fwatchdog"              38 minutes ago           Up 39 minutes (healthy)                              func_base64.1.9tqz37ioj5mil1oecqxvauujb
9f20c5571d8e        prom/prometheus:v2.2.0             "/bin/prometheus --c…"   38 minutes ago           Up 39 minutes                   9090/tcp             func_prometheus.1.qjfifb98zsdi0dp822y828uy3
16239d386e6f        functions/alpine:latest            "fwatchdog"              38 minutes ago           Up 39 minutes (healthy)                              func_wordcount.1.xkpy81numgk0o8keylgjgyj68
3ab59e77d89c        functions/markdown-render:latest   "/usr/bin/fwatchdog"     39 minutes ago           Up 40 minutes                                        func_markdown.1.ewjssy9vr6xrtvuzkbwx5pudx
cb7c312a80a2        functions/nodeinfo:latest          "fwatchdog"              39 minutes ago           Up 40 minutes (healthy)                              func_nodeinfo.1.f0j8qtdc42hlxd4vfv3pii6fr
8d9b3374f81c        functions/queue-worker:0.4.3       "./app"                  39 minutes ago           Up 40 minutes                   8080/tcp             func_queue-worker.1.h9qfljh916kzn2qcxsoporef7
6ce22eb5a5b1        nats-streaming:0.6.0               "/nats-streaming-ser…"   39 minutes ago           Up 40 minutes                   4222/tcp, 8222/tcp   func_nats.1.xstxmftln5ki5l4ifao2s66b5
b076afabefd4        functions/gateway:0.7.9            "./gateway"              39 minutes ago           Up 40 minutes                   8080/tcp             func_gateway.1.x15yvnpxh4vp33dn645f33t4c
c940d18dabea        functions/queue-worker:0.4.3       "./app"                  39 minutes ago           Exited (1) 40 minutes ago                            func_queue-worker.1.5n40kzu8wvmvq9930vcy7jt8l
858c56d92eec        functions/gateway:0.7.9            "./gateway"              39 minutes ago           Exited (1) 40 minutes ago                            func_gateway.1.xetrrtbxp8bscy8aj8qlph7cm
7a13f44cf282        functions/queue-worker:0.4.3       "./app"                  40 minutes ago           Exited (1) 40 minutes ago                            func_queue-worker.1.kiu02uj580oqnmt7fnuhdcjaa
fcf2948a677c        functions/queue-worker:0.4.3       "./app"                  40 minutes ago           Exited (1) 41 minutes ago                            func_queue-worker.1.i0gtckna63wu2fzprf8fjbt0j
774e30af19d1        functions/queue-worker:0.4.3       "./app"                  40 minutes ago           Exited (1) 41 minutes ago                            func_queue-worker.1.4qzemgcbpxovmzdm0qlqiyafh

Possible Solution

I edited docker-compose.yml following "Traefik - Can't connect via https"; the traefik service now runs, but I still can't connect via https.

Steps to Reproduce (for bugs)

  1. setup with Docker Swarm:
    
    $ docker swarm init --advertise-addr eth0

    $ git clone https://github.com/alexellis/faas
    $ cd faas
    $ ./deploy_stack.sh

> Note: `docker swarm init --advertise-addr $(hostname -i)` doesn't work on my Mac

2. Edit `docker-compose.yml` like this:

version: "3.3" services: traefik: image: traefik:v1.3 command: -c --docker=true --docker.swarmmode=true --docker.domain=traefik --docker.watch=true --web=true --debug=true --defaultEntryPoints='http,https' --acme=true --acme.domains='local.traefit.com,faas.traefik.com' --acme.email=coolman@gmail.com --acme.ondemand=true --acme.onhostrule=true --acme.storage=/etc/traefik/acme/acme.json --entryPoints='Name:https Address::443 TLS' --entryPoints='Name:http Address::80' ports:

configs: prometheus_config: file: ./prometheus/prometheus.yml prometheus_rules: file: ./prometheus/alert.rules.yml alertmanager_config: file: ./prometheus/alertmanager.yml

networks: functions: driver: overlay attachable: true labels:

volumes: acme:

3. Deploy the OpenFaaS service

$ ./deploy_stack.sh


## Your Environment
<!--- Include as many relevant details about the environment you experienced the bug in -->
* Docker version `docker version`:

Client: Version: 18.03.0-ce API version: 1.37 Go version: go1.9.4 Git commit: 0520e24 Built: Wed Mar 21 23:06:22 2018 OS/Arch: darwin/amd64 Experimental: false Orchestrator: swarm

Server: Engine: Version: 18.03.0-ce API version: 1.37 (minimum version 1.12) Go version: go1.9.4 Git commit: 0520e24 Built: Wed Mar 21 23:14:32 2018 OS/Arch: linux/amd64 Experimental: true



* Are you using Docker Swarm or Kubernetes (FaaS-netes)?
Docker Swarm

* Operating System and version (e.g. Linux, Windows, MacOS):
MacOS 10.12.6 
ericstoekl commented 6 years ago

I am unable to repro this issue. I deployed Traefik and got it to work using the guide linked in the issue (https://github.com/openfaas/faas/blob/master/guide/traefik_integration.md).

@simi-- I would recommend that you reduce this issue down to just the parts that describe the issue to us -- please cut the docker service logs -f func_traefik output to just what we need. Also please reduce the size of the copy-pasted docker-compose.yml file -- we don't need all the extra details.

simiwe commented 6 years ago

@ericstoekl I now use this docker-compose.yml:

version: "3.3"
services:
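    # Traefik v1.x edge proxy: listens on :80/:443, terminates TLS and requests
    # certificates from Let's Encrypt (ACME).
    traefik:
        image: traefik:v1.3
        # List form: every item reaches Traefik as exactly one argument. A
        # single-string command is split on whitespace, so an unquoted
        # "--entryPoints=Name:https Address::443 TLS" arrives as three separate
        # arguments and the https entrypoint is not defined as written.
        command:
            - "-c"
            - "--docker=true"
            - "--docker.swarmmode=true"
            - "--docker.domain=traefik"
            - "--docker.watch=true"
            # Enables the Traefik web/API endpoint on :8080. The startup log in
            # this issue reports it with Auth:null and ReadOnly:false, i.e. an
            # unauthenticated, writable admin interface.
            - "--web=true"
            # Debug logging prints the whole loaded configuration (ACME e-mail,
            # domains, storage path). Keep it for troubleshooting only.
            - "--debug=true"
            - "--defaultEntryPoints=https,http"
            - "--acme=true"
            # No inner quotes here: in list form they would be passed to
            # Traefik literally as part of the domain name.
            - "--acme.domains=local.traefik.com"
            - "--acme.email=ssl@mulantech.com"
            # ACME must be told which entrypoint serves the certificates. When
            # it is missing, Traefik v1.3 stops with "Unknown entrypoint  for
            # ACME configuration", the fatal error reported in this issue.
            - "--acme.entryPoint=https"
            # NOTE(review): on-demand issuance requests a certificate during
            # the TLS handshake for hostnames not seen before, which lets
            # unsolicited clients burn the Let's Encrypt rate limit. Prefer
            # false together with onhostrule, unless it is really needed.
            - "--acme.ondemand=true"
            - "--acme.onhostrule=true"
            - "--acme.storage=/etc/traefik/acme/acme.json"
            - "--entryPoints=Name:https Address::443 TLS"
            - "--entryPoints=Name:http Address::80 Redirect.EntryPoint:https"
        ports:
            - "80:80"
            # NOTE(review): publishing 8080 exposes the web/API endpoint above
            # on every swarm node. Drop this mapping or firewall it unless the
            # dashboard must be reachable from outside.
            - "8080:8080"
            - "443:443"
        volumes:
            # Access to the Docker socket is equivalent to root on this manager
            # node: a compromise of this internet-facing container is a
            # compromise of the swarm. Keep the image patched.
            - "/var/run/docker.sock:/var/run/docker.sock"
            # acme.json holds the ACME account key and the private keys of the
            # issued certificates; the named volume keeps them across restarts.
            - "acme:/etc/traefik/acme"
        networks:
            - functions
        deploy:
            labels:
                # NOTE(review): these labels sit on the traefik service itself,
                # so the /ui,/system,/function rule also targets Traefik's own
                # port 8080. The gateway service carries the same labels;
                # confirm that they are intended here as well.
                - traefik.port=8080
                - traefik.frontend.rule=PathPrefix:/ui,/system,/function
                # htpasswd-style "user:hash"; "$$" is Compose's escape for a
                # literal "$". This hash is published in the issue (presumably
                # the guide's sample credential): generate your own before
                # exposing the stack.
                - traefik.frontend.auth.basic=user:$$apr1$$B0dhdzez$$x/CVSO5OykseXnSSARQMy0
            restart_policy:
                condition: on-failure
                delay: 5s
                max_attempts: 20
                window: 380s
            placement:
                # The Docker provider in swarm mode needs a manager's socket.
                constraints:
                    - 'node.role == manager'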
    # OpenFaaS API gateway. The host port mapping below is commented out, so in
    # this file the gateway is attached only to the `functions` overlay network
    # and is published through the Traefik labels under `deploy`.
    gateway:
#        ports:
#            - 8080:8080
        image: functions/gateway:0.7.9
        networks:
            - functions
        environment:
            functions_provider_url: "http://faas-swarm:8080/"
            read_timeout:  "25s"        # Maximum time to read HTTP request
            write_timeout: "25s"        # Maximum time to write HTTP response
            # NOTE(review): the value (20s) is lower than the 25s read/write
            # timeouts, which contradicts the trailing comment; confirm which
            # one is intended.
            upstream_timeout: "20s"     # Maximum duration of upstream function call - should be more than read_timeout and write_timeout
            dnsrr: "true"               # Temporarily use dnsrr in place of VIP while issue persists on PWD
            faas_nats_address: "nats"
            faas_nats_port: 4222
            direct_functions: "true"    # Functions are invoked directly over the overlay network
            direct_functions_suffix: ""
        deploy:
            labels:
                # Traefik forwards /ui, /system and /function to port 8080 of
                # this service and asks for HTTP basic auth first.
                - traefik.port=8080
                - traefik.frontend.rule=PathPrefix:/ui,/system,/function
                # htpasswd-style "user:hash"; "$$" is Compose's escape for a
                # literal "$". The hash is now public in this issue, so
                # generate a fresh one for any real deployment. Basic-auth
                # credentials are only protected in transit over https.
                - traefik.frontend.auth.basic=user:$$apr1$$B0dhdzez$$x/CVSO5OykseXnSSARQMy0 # copy/paste the contents of password.txt here
            resources:
                # limits:   # Enable if you want to limit memory usage
                #     memory: 200M
                reservations:
                    memory: 100M
            restart_policy:
                condition: on-failure
                delay: 5s
                max_attempts: 20
                window: 380s
            placement:
                constraints:
                    - 'node.platform.os == linux'

    # Docker Swarm provider: the component that creates and scales function
    # services through the Docker API.
    faas-swarm:
        volumes:
            # The Docker socket gives this container full control of the
            # daemon on the manager node (root-equivalent). It is not published
            # on a host port here; keep it that way.
            - "/var/run/docker.sock:/var/run/docker.sock"
        # ports:
            # - 8081:8080
        image:  functions/faas-swarm:0.2.3
        networks:
            - functions
        environment:
            read_timeout:  "25s"   # set both here, and on your functions
            write_timeout: "25s"   # set both here, and on your functions
            DOCKER_API_VERSION: "1.30"
        deploy:
            placement:
                # Pinned to a manager because it talks to the local socket.
                constraints:
                    - 'node.role == manager'
                    - 'node.platform.os == linux'
            resources:
                # limits:   # Enable if you want to limit memory usage
                #     memory: 100M
                reservations:
                    memory: 100M
            restart_policy:
                condition: on-failure
                delay: 5s
                max_attempts: 20
                window: 380s

    # NATS Streaming broker; the gateway points at it through
    # faas_nats_address / faas_nats_port.
    nats:
        image: nats-streaming:0.6.0
        # Uncomment the following port mappings if you wish to expose the
        # NATS client and/or management ports
        # NOTE(review): no authentication options are passed in `command`
        # below, so exposing these ports would open the queue to anything that
        # can reach the host. Keep them closed unless access is restricted.
        # ports:
        #     - 4222:4222
        #     - 8222:8222
        # "--store memory" keeps messages in memory only.
        command: "--store memory --cluster_id faas-cluster"
        networks:
            - functions
        deploy:
            resources:
                limits:
                    memory: 125M
                reservations:
                    memory: 50M
            placement:
                constraints:
                    - 'node.platform.os == linux'

    # Queue worker service. It publishes no ports and is attached only to the
    # `functions` overlay network.
    queue-worker:
        image: functions/queue-worker:0.4.3
        networks:
            - functions
        environment:
            max_inflight: "1"
            ack_timeout: "30s"    # Max duration of any async task / request
        deploy:
            resources:
                limits:
                    memory: 50M
                reservations:
                    memory: 20M
            # Restarted on failure up to 20 times, 5s apart.
            restart_policy:
                condition: on-failure
                delay: 5s
                max_attempts: 20
                window: 380s
            placement:
                constraints:
                    - 'node.platform.os == linux'
    # End services

    # Start monitoring

    # Prometheus server; its config and alert rules are injected from the
    # top-level `configs` entries.
    prometheus:
        image: prom/prometheus:v2.2.0
        environment:
            no_proxy: "gateway"
        configs:
          - source: prometheus_config
            target: /etc/prometheus/prometheus.yml
          - source: prometheus_rules
            target: /etc/prometheus/alert.rules.yml
        command:
          - '--config.file=/etc/prometheus/prometheus.yml'
        #   - '-storage.local.path=/prometheus'
        # NOTE(review): 9090 is published on the host and bypasses Traefik's
        # basic auth. No authentication is configured for Prometheus in this
        # file, so metrics and the query API are readable by anything that can
        # reach the node. Restrict or remove the mapping on exposed hosts.
        ports:
            - 9090:9090
        networks:
            - functions
        deploy:
            placement:
                constraints:
                    - 'node.role == manager'
                    - 'node.platform.os == linux'
            resources:
                limits:
                    memory: 500M
                reservations:
                    memory: 200M

    # Prometheus Alertmanager; its config file is injected from the top-level
    # `alertmanager_config` entry.
    alertmanager:
        image: prom/alertmanager:v0.15.0-rc.0
        environment:
            no_proxy: "gateway"
        command:
            - '--config.file=/alertmanager.yml'
            - '--storage.path=/alertmanager'
        networks:
            - functions
        # Uncomment the following port mapping if you wish to expose the Prometheus
        # Alertmanager UI.
        # NOTE(review): no authentication is configured for it in this file;
        # if the port is exposed, restrict who can reach it.
        # ports:
        #     - 9093:9093
        deploy:
            resources:
                limits:
                    memory: 50M
                reservations:
                    memory: 20M
            placement:
                constraints:
                    - 'node.role == manager'
                    - 'node.platform.os == linux'
        configs:
            - source: alertmanager_config
              target: /alertmanager.yml

    # Uses `cat` to echo back response, fastest function to execute.
    echoit:
        # NOTE(review): `latest` is a mutable tag, so the image that runs can
        # change between deployments. Pin a version or digest for
        # reproducible, reviewable deployments.
        image: functions/alpine:latest
        labels:
            function: "true"
        networks:
            - functions
        environment:
            fprocess: "cat"
            no_proxy: "gateway"
            # Substituted from the environment of the shell that deploys the
            # stack.
            https_proxy: $https_proxy
        deploy:
            placement:
                constraints:
                    - 'node.platform.os == linux'

# Files injected into the prometheus and alertmanager services.
configs:
     prometheus_config:
         file: ./prometheus/prometheus.yml
     prometheus_rules:
         file: ./prometheus/alert.rules.yml
     alertmanager_config:
         file: ./prometheus/alertmanager.yml

networks:
    functions:
        driver: overlay
        # `attachable` lets standalone containers join this overlay network.
        # Anything attached to it can reach the gateway, faas-swarm and NATS
        # directly, without passing through Traefik's basic auth.
        attachable: true
        labels:
          - "openfaas=true"

volumes:
    # Named volume mounted at /etc/traefik/acme in the traefik service; it
    # stores acme.json (ACME account key and certificate private keys).
    acme:

Traefik now runs, but I still can't connect via https:

$ curl -u user:password -X POST http://local.traefik.com/function/func_echoit -d "hello"
hello

$ curl -u user:password -X POST https://local.traefik.com/function/func_echoit -d "hello"
curl: (35) Server aborted the SSL handshake                                                                                                                                                                                                                   
simiwe commented 6 years ago

@ericstoekl I switched to traefik:1.5 instead of traefik:1.3 and it works well. Visiting http://local.traefik.com/ui/ now redirects automatically to https://local.traefik.com/ui/

My docker-compose.yml looks like this:

version: "3.4"
services:
    # One-shot job: `storeconfig` uploads the configuration described by the flags
    # below to the KV store (Consul at consul:8500, prefix `traefik`). The
    # long-running `traefik` service is started with only the Consul flags and
    # reads its settings from there.
    traefik_init:
      image: 'traefik:1.5'
      # NOTE(review): `docker stack deploy` ignores depends_on; presumably the
      # on-failure restart policy is what retries this job until Consul is up.
      depends_on:
        - consul
      networks:
        - traefik
      deploy:
        restart_policy:
          condition: on-failure
      command:
        - 'storeconfig'
        # Turns on the Traefik API/dashboard. No authentication for it is
        # configured anywhere in these flags.
        - '--api'
        # Plain HTTP on :80 is redirected to the `https` entry point on :443.
        - '--entrypoints=Name:http Address::80 Redirect.EntryPoint:https'
        - '--entrypoints=Name:https Address::443 TLS'
        - '--defaultentrypoints=http,https'
        - '--acme'
        # ACME account and certificate data are kept in the KV store under this
        # key, so whoever can read Consul can read the certificate private keys.
        - '--acme.storage=traefik/acme/account'
        - '--acme.entryPoint=https'
        # HTTP-01 challenge, answered on the `http` entry point.
        - '--acme.httpChallenge.entryPoint=http'
        # Certificates are requested for hosts named in frontend rules, not on
        # demand at handshake time.
        - '--acme.OnHostRule=true'
        - '--acme.onDemand=false'
        - '--acme.email=coolman@gmail.com'
        - '--docker'
        - '--docker.swarmmode'
        # NOTE(review): `traefit` looks like a typo for `traefik` (the curl examples
        # in this thread use local.traefik.com); also verify that docker.domain
        # accepts a comma-separated list.
        - '--docker.domain=local.traefit.com,faas.traefik.com'
        - '--docker.watch'
        - '--consul'
        - '--consul.endpoint=consul:8500'
        - '--consul.prefix=traefik'
    # Edge proxy. Only the Consul flags are passed here; the rest of its
    # configuration is read from Consul under the `traefik` prefix.
    traefik:
      image: 'traefik:1.5'
      # NOTE(review): depends_on is ignored by `docker stack deploy`.
      depends_on:
        - traefik_init
        - consul
      command:
        - '--consul'
        - '--consul.endpoint=consul:8500'
        - '--consul.prefix=traefik'
      volumes:
        # Docker API access for the swarm provider. Whoever can talk to this
        # socket controls the Docker daemon on the node, and this is the container
        # published on 80/443; a filtering socket proxy in front of it narrows
        # what a compromised proxy could do.
        - '/var/run/docker.sock:/var/run/docker.sock'
      networks:
        - functions
        - traefik
      ports:
        - '80:80'
        # NOTE(review): the stored configuration enables `--api`. If the
        # API/dashboard listens on 8080 (the Traefik 1.5 default), this mapping
        # publishes it with no authentication configured in this file. Drop or
        # firewall the mapping unless a public dashboard is intended.
        - '8080:8080'
        - '443:443'
      deploy:
        mode: global
        placement:
          constraints:
            - 'node.role == manager'
        update_config:
          parallelism: 1
          delay: 10s
        restart_policy:
          condition: on-failure
        labels:
          # NOTE(review): the same three labels appear on `gateway`. On the proxy
          # itself they look like a copy-paste leftover - confirm they are intended.
          - 'traefik.port=8080'
          - 'traefik.frontend.rule=PathPrefix:/ui,/system,/function'
          # htpasswd-style entry (apr1/MD5); `$$` is compose escaping for a literal
          # `$`. This hash has been posted publicly, so generate a fresh password
          # and hash for any real deployment.
          - 'traefik.frontend.auth.basic=user:$$apr1$$B0dhdzez$$x/CVSO5OykseXnSSARQMy0'

    # Single-server Consul agent backing Traefik's KV configuration, including the
    # ACME data stored under traefik/acme/account.
    consul:
      # NOTE(review): no tag, so this resolves to `latest`; pin a version.
      image: 'consul'
      command: 'agent -server -bootstrap-expect=1'
      networks:
        # Only on the `traefik` overlay and no published ports. No ACL or TLS
        # settings appear in CONSUL_LOCAL_CONFIG, so as far as this file shows every
        # container on that network can read and write the KV store.
        - traefik
      environment:
        - 'CONSUL_LOCAL_CONFIG={"datacenter":"us_east2","server":true}'
        - 'CONSUL_BIND_INTERFACE=eth0'
        - 'CONSUL_CLIENT_INTERFACE=eth0'
      deploy:
        # One replica and no volume: KV contents are presumably lost when the task
        # is rescheduled - TODO confirm, since that includes issued certificates.
        replicas: 1
        restart_policy:
          condition: on-failure
        placement:
          constraints:
            - 'node.role == manager'

    # OpenFaaS API gateway. Its own port mapping stays commented out, so from
    # outside the swarm it is reached through Traefik via the deploy labels below.
    # As far as this file shows, basic auth is enforced only at Traefik: callers
    # already on the `functions` network reach gateway:8080 without it.
    gateway:
      # ports:
      #   - 8080:8080
      image: 'functions/gateway:0.7.9'
      networks:
        - functions
      environment:
        functions_provider_url: 'http://faas-swarm:8080/'
        # Maximum time to read the HTTP request.
        read_timeout: '25s'
        # Maximum time to write the HTTP response.
        write_timeout: '25s'
        # Maximum duration of an upstream function call. Set below the 25s
        # read/write timeouts here; NOTE(review): the original comment said it
        # "should be more than" them, which these values contradict.
        upstream_timeout: '20s'
        # Temporarily use dnsrr in place of VIP while the issue persists on PWD.
        dnsrr: 'true'
        faas_nats_address: 'nats'
        faas_nats_port: 4222
        # Functions are invoked directly over the overlay network.
        direct_functions: 'true'
        direct_functions_suffix: ''
      deploy:
        labels:
          - 'traefik.port=8080'
          - 'traefik.frontend.rule=PathPrefix:/ui,/system,/function'
          # Copy/paste the contents of password.txt here. `$$` is compose escaping
          # for a literal `$`. The hash below has been posted publicly; generate a
          # fresh password and hash rather than reusing it.
          - 'traefik.frontend.auth.basic=user:$$apr1$$B0dhdzez$$x/CVSO5OykseXnSSARQMy0'
        resources:
          # limits:   # Enable if you want to limit memory usage
          #   memory: 200M
          reservations:
            memory: 100M
        restart_policy:
          condition: on-failure
          delay: 5s
          max_attempts: 20
          window: 380s
        placement:
          constraints:
            - 'node.platform.os == linux'

    # Docker Swarm provider: the gateway forwards to it (functions_provider_url
    # points at faas-swarm:8080). It is not published outside the overlay network.
    faas-swarm:
      image: 'functions/faas-swarm:0.2.3'
      volumes:
        # Full Docker API access on a manager node, which is equivalent to root on
        # that host. The gateway in front of this service is therefore a privileged
        # API and needs authentication on every path that reaches it.
        - '/var/run/docker.sock:/var/run/docker.sock'
      # ports:
      #   - 8081:8080
      networks:
        - functions
      environment:
        # Set both timeouts here and on your functions.
        read_timeout: '25s'
        write_timeout: '25s'
        DOCKER_API_VERSION: '1.30'
      deploy:
        placement:
          constraints:
            - 'node.role == manager'
            - 'node.platform.os == linux'
        resources:
          # limits:   # Enable if you want to limit memory usage
          #   memory: 100M
          reservations:
            memory: 100M
        restart_policy:
          condition: on-failure
          delay: 5s
          max_attempts: 20
          window: 380s

    # NATS Streaming server; the gateway is pointed at it through
    # faas_nats_address / faas_nats_port.
    nats:
      image: 'nats-streaming:0.6.0'
      # `--store memory`: messages live in memory only, so anything still queued is
      # lost when the task restarts.
      command: '--store memory --cluster_id faas-cluster'
      # Uncomment the following port mappings if you wish to expose the NATS client
      # and/or management ports. No authentication flags are passed above, so
      # keep them private unless access control is added first.
      # ports:
      #   - 4222:4222
      #   - 8222:8222
      networks:
        - functions
      deploy:
        resources:
          limits:
            memory: 125M
          reservations:
            memory: 50M
        placement:
          constraints:
            - 'node.platform.os == linux'

    # Worker for asynchronous invocations; attached only to the `functions` network.
    queue-worker:
      image: 'functions/queue-worker:0.4.3'
      networks:
        - functions
      environment:
        max_inflight: '1'
        # Max duration of any async task / request.
        ack_timeout: '30s'
      deploy:
        resources:
          limits:
            memory: 50M
          reservations:
            memory: 20M
        restart_policy:
          condition: on-failure
          delay: 5s
          max_attempts: 20
          window: 380s
        placement:
          constraints:
            - 'node.platform.os == linux'
    # End services

    # Start monitoring
    # Prometheus server, configured through the two swarm configs mounted below.
    prometheus:
      image: 'prom/prometheus:v2.2.0'
      environment:
        no_proxy: 'gateway'
      command:
        - '--config.file=/etc/prometheus/prometheus.yml'
      configs:
        - source: prometheus_config
          target: '/etc/prometheus/prometheus.yml'
        - source: prometheus_rules
          target: '/etc/prometheus/alert.rules.yml'
      ports:
        # NOTE(review): unlike alertmanager, whose mapping is commented out, this
        # publishes the Prometheus UI and HTTP API on the swarm nodes, and no
        # authentication is configured for it in this file. Restrict it with a
        # firewall or an authenticating proxy, or drop the mapping if unused.
        - '9090:9090'
      networks:
        - functions
      deploy:
        placement:
          constraints:
            - 'node.role == manager'
            - 'node.platform.os == linux'
        resources:
          limits:
            memory: 500M
          reservations:
            memory: 200M

    # Prometheus Alertmanager, configured from the `alertmanager_config` swarm
    # config mounted at /alertmanager.yml.
    alertmanager:
      # NOTE(review): this is a release-candidate tag (v0.15.0-rc.0).
      image: 'prom/alertmanager:v0.15.0-rc.0'
      environment:
        no_proxy: 'gateway'
      command:
        - '--config.file=/alertmanager.yml'
        - '--storage.path=/alertmanager'
      configs:
        - source: alertmanager_config
          target: '/alertmanager.yml'
      networks:
        - functions
      # Uncomment the following port mapping if you wish to expose the Prometheus
      # Alertmanager UI. Leaving it commented keeps the UI reachable only from
      # the `functions` overlay network.
      # ports:
      #   - 9093:9093
      deploy:
        resources:
          limits:
            memory: 50M
          reservations:
            memory: 20M
        placement:
          constraints:
            - 'node.role == manager'
            - 'node.platform.os == linux'

    # Sample function: `fprocess` is `cat`, so the request body is echoed back.
    # Kept as the cheapest function to execute.
    echoit:
      # NOTE(review): `latest` is a mutable tag; pin a version or digest so every
      # node runs the same image.
      image: 'functions/alpine:latest'
      labels:
        function: 'true'
      networks:
        - functions
      environment:
        fprocess: 'cat'
        no_proxy: 'gateway'
        # Interpolated by compose from the environment of the deploying shell.
        https_proxy: $https_proxy
      deploy:
        placement:
          constraints:
            - 'node.platform.os == linux'

configs:
  # Swarm configs, read from files relative to this compose file at deploy time.
  # Configs are mounted as ordinary files and are not meant for secrets; if
  # alertmanager.yml carries receiver credentials, a swarm secret is the better fit.
  prometheus_config:
    file: './prometheus/prometheus.yml'
  prometheus_rules:
    file: './prometheus/alert.rules.yml'
  alertmanager_config:
    file: './prometheus/alertmanager.yml'

networks:
  # Overlay network shared by Traefik, the gateway, the provider and the functions.
  functions:
    driver: overlay
    # `attachable` lets standalone containers (docker run --network ...) join this
    # network. The gateway, NATS and Prometheus on it are shown without their own
    # authentication, so Docker API access on a node implies access to them.
    attachable: true
    labels:
      - 'openfaas=true'
  # Control-plane network for traefik_init, traefik and consul only. It is not
  # attachable, which keeps the Consul KV store (Traefik configuration and ACME
  # data) away from function containers.
  traefik:
    driver: overlay

image

ericstoekl commented 6 years ago

Derek close

Thanks for trying out the project Simi -- glad this issue is now resolved.