Traefik on Swarm deploy

[thewhipster]

I've successfully done a swarm deploy and found it curious that while traefik gets pushed out as a proxy image in the deploy, I couldn't reach the app until i added another Traefik stack following the dockerrocks process. (which is great btw). Is that redundant, or does the app use the proxy to internally route to the public Traefik stack?

[tiangolo]

Cool!

---

There are two Traefik instances. One global, for the whole Docker Swarm cluster that handles all the HTTPS. And one local for the stack, that redirects the communication to the backend or frontend, depending on the path.

[thewhipster]

Makes sense actually :) Thought I'd share some fixes to the traefik docker compose for anyone deploying to a swarm. There's a good amount of unresolved issues with consul in a swarm, notable this open issue Generally caused when a new leader is elected, or more frequently when containers reboot.

The below has two fixes that so far have stabilized consul. Switching from -bootstrap (murmors of this being deprecated but it's still in the docs) to -bootstrap-expect using the env variable for consul replicas. And some additional consul config values to resolve issues with recovery when containers are restarted with different IPs (common in docker swarm environment). I'm not a consul expert so credit for the latter goes to this SO answer:

`version: '3.3'

services: consul-leader: image: consul command: agent -server -client=0.0.0.0 -bootstrap-expect ${CONSUL_REPLICAS:-3} -ui volumes:

• consul-data-leader:/consul/data environment:
• CONSUL_BIND_INTERFACE=eth0
• 'CONSUL_LOCAL_CONFIG={"leave_on_terminate": true, "skip_leave_on_interrupt": true, "disable_update_check": true, "autopilot": {"cleanup_dead_servers": true, "last_contact_threshold": "1s"}}' networks:
• default
• traefik-public deploy: labels:
  • traefik.frontend.rule=Host:consul.${DOMAIN}
  • traefik.enable=true
  • traefik.port=8500
  • traefik.tags=${TRAEFIK_PUBLIC_TAG:-traefik-public}
  • traefik.docker.network=traefik-public

    Traefik service that listens to HTTP

  • traefik.redirectorservice.frontend.entryPoints=http
  • traefik.redirectorservice.frontend.redirect.entryPoint=https

    Traefik service that listens to HTTPS

  • traefik.webservice.frontend.entryPoints=https
  • traefik.frontend.auth.basic.users=${USERNAME}:${HASHED_PASSWORD} consul-replica: image: consul command: agent -server -client=0.0.0.0 -retry-join="consul-leader" volumes:
• consul-data-replica:/consul/data environment:
• CONSUL_BIND_INTERFACE=eth0
• 'CONSUL_LOCAL_CONFIG={"leave_on_terminate": true}' networks:
• default
• traefik-public deploy: replicas: ${CONSUL_REPLICAS:-3} placement: preferences:
  • spread: node.id traefik: image: traefik:v1.7 ports:
• 80:80
• 443:443 deploy: replicas: ${TRAEFIK_REPLICAS:-3} placement: constraints:
  • node.role == manager preferences:
  • spread: node.id labels:
    • traefik.frontend.rule=Host:traefik.${DOMAIN}
    • traefik.enable=true
    • traefik.port=8080
    • traefik.tags=traefik-public
    • traefik.docker.network=traefik-public

      Traefik service that listens to HTTP

    • traefik.redirectorservice.frontend.entryPoints=http
    • traefik.redirectorservice.frontend.redirect.entryPoint=https

      Traefik service that listens to HTTPS

    • traefik.webservice.frontend.entryPoints=https
    • traefik.frontend.auth.basic.users=${USERNAME}:${HASHED_PASSWORD} volumes:
• /var/run/docker.sock:/var/run/docker.sock command: > --docker --docker.swarmmode --docker.watch --docker.exposedbydefault=false --constraints=tag==traefik-public --entrypoints='Name:http Address::80' --entrypoints='Name:https Address::443 TLS' --consul --consul.endpoint="consul-leader:8500" --acme --acme.email=${EMAIL} --acme.storage="traefik/acme/account" --acme.entryPoint=https --acme.httpChallenge.entryPoint=http --acme.onhostrule=true --acme.acmelogging=true --logLevel=INFO --accessLog --api networks:
• default
• traefik-public depends_on:
• consul-leader

volumes: consul-data-leader: consul-data-replica:

networks: traefik-public: external: true`

[tiangolo]

Thanks! The problem with expect is that it won't start until those replicas are ready. And if you lost an entire node, Consul might not start at all.

There are a couple of issues in Traefik related to Consul. It seems it is not being able to generate new certificates after some time because it's not being able to acquire the lock. For the time being, I suggest using a single Traefik instance while that is fixed (I have to update that in the docs).

[tiangolo]

Hi @thewhipster , I'll assume you were able to solve your problem and I'll close this issue now.

---

If you are still using this project, I suggest you check the equivalent project generator for FastAPI that solves the same use cases in a much better way.

Because of that, this Flask-based project generator is now going to be deprecated. You are still free to use it, but it won't receive any new features, changes, or bug fixes.