Major: Traefik manage certs via ACME (squash)

Author: pascalandy

Dockerfile

@@ -4,8 +4,8 @@
 ###################################
 
 ARG APP_NAME="docker-stack-this"
-ARG VERSION="3.1.2"
-ARG RELEASE="3.1.2"
+ARG VERSION="4.0.0"
+ARG RELEASE="4.0.0"
 ARG GITHUB_USER="pascalandy"
 
 ###################################

traefik_stack5/stack-proxy.yml

@@ -57,7 +57,7 @@ services:
   #    and capture client IP's
   traefik:
     <<: *default-opts
-    image: traefik:1.7.24
+    image: traefik:1.7.26
     ports:
     - target: 80
       protocol: tcp

traefik_stack6/README.md

@@ -1,180 +1,3 @@
-## WORK IN PROGRESS
-
-2019-12-31
-
-This README is from https://github.com/pascalandy/docker-stack-this/tree/master/traefik_stack5
-
----
-
-## What is this?
-
-Using a **one-liner**, this docker stack will run many services (Traefik (with auth), Socat, Portainer, Nginx, Caddy, Whoami) in a straightforward copy-paste command.
-
-You may also refer the [README](https://github.com/pascalandy/docker-stack-this/blob/master/README.md) at the root of this repo.
-
-## Start here
-1. Go to http://labs.play-with-docker.com/ 
-2. Create **one** instance
-3. Copy-paste this one-liner:
-
-#### Stable setup (recommended)
-
-```
-ENV_BRANCH="master"
-ENV_MONOREPO="traefik_stack6"
-
-# On play-with-docker, install common apps
-apk update && apk upgrade && apk add --no-cache               \
-    nano bash git curl wget unzip openssl tar ca-certificates && \
-rm -rf /var/cache/apk/* /tmp*                                 && \
-docker swarm init --advertise-addr $(hostname -i)             && \
-git clone https://github.com/pascalandy/docker-stack-this.git && \
-cd docker-stack-this                                          && \
-git checkout ${ENV_BRANCH}                                    && \
-cd ${ENV_MONOREPO}                                            && \
-./runup.sh;
-```
-
-#### Edge setup (NOT recommended)
-
-```
-ENV_BRANCH="edge"
-ENV_MONOREPO="traefik_stack6"
-
-# On play-with-docker, install common apps
-apk update && apk upgrade && apk add --no-cache               \
-    nano bash git curl wget unzip openssl tar ca-certificates && \
-rm -rf /var/cache/apk/* /tmp*                                 && \
-docker swarm init --advertise-addr $(hostname -i)             && \
-git clone https://github.com/pascalandy/docker-stack-this.git && \
-cd docker-stack-this                                          && \
-git checkout ${ENV_BRANCH}                                    && \
-cd ${ENV_MONOREPO}                                            && \
-./runup.sh;
-```
-
-These scripts will do the hard of deploying the stacks for us.
-
-#### example
-
-![2019-08-01_16h56](https://user-images.githubusercontent.com/6694151/62326965-5ca8f880-b47d-11e9-9416-2139d514fc64.gif)
-
-## See your stacks
-
-```
-$ docker stack ls
-
-NAME                SERVICES            ORCHESTRATOR
-toolgui             2                   Swarm
-toolproxy           2                   Swarm
-toolwebapp          4                   Swarm
-```
-
-
-## See your services
-
-```
-$ docker service ls
-
-ID                  NAME                MODE                REPLICAS            IMAGE                   PORTS
-xjdsq3gxd59y        toolgui_agent       global              1/1                 portainer/agent:latest
-0h375hmmnelo        toolgui_portainer   replicated          1/1                 portainer/portainer:latest
-xim07ahqctsp        toolproxy_socat     replicated          1/1                 devmtl/socatproxy:1.2
-y249kaecel8e        toolproxy_traefik   replicated          1/1                 traefik:1.7.12          *:80->80/tcp, *:443->443/tcp, *:8080->8080/tcp
-s0061fdhvv6o        toolwebapp_home     replicated          1/1                 abiosoft/caddy:1.0.1-no-stats
-ocpk5l6yg2gt        toolwebapp_who1     replicated          1/1                 nginx:1.15-alpine
-raq5czrlhrmb        toolwebapp_who2     replicated          1/1                 emilevauge/whoami:latest
-66b1rduru5k9        toolwebapp_who3     replicated          1/1                 emilevauge/whoami:latest
-```
-
-## Confirm that your services (containers) are running
-
-1. When you see that all services are deployed, click on `80` to see the static landing page.
-2. From the same URL generated by play-with-docker, in the address bar of your browser, add `/who1` or `/who2` or `/who3` or `/portainer` to access other services.
-
-
-#### Full URL example
-
-```
-http://pwd10-0-7-3-80.host1.labs.play-with-docker.com/
-http://pwd10-0-7-3-80.host1.labs.play-with-docker.com/who1
-http://pwd10-0-7-3-80.host1.labs.play-with-docker.com/who2
-http://pwd10-0-7-3-80.host1.labs.play-with-docker.com/who3
-http://pwd10-0-7-3-80.host1.labs.play-with-docker.com/portainer
-```
-
-The container for the first URL is named `home`.
-
-
-#### Web apps details:
-- **/** = [caddy](https://github.com/pascalandy/caddy-securityheader)
-- **/who1** = [caddy](https://github.com/pascalandy/caddy-securityheader)
-- **/who2** = [whoami](https://hub.docker.com/r/emilevauge/whoami/)
-- **/portainer** = [portainer](https://hub.docker.com/r/portainer/portainer/)
-
-For /who1 and /who2 you will see the container's Ids (5fe91baf7a3a & 78a0c7287df1) in this example
-
-```
-$ docker ps | grep whoami
-5fe91baf7a3a        emilevauge/whoami:latest         "/whoamI"                About a minute ago   Up About a minute   80/tcp                      toolwebapp_who3.1.9zk09prm85gnl0ieuuncynhxh
-78a0c7287df1        emilevauge/whoami:latest         "/whoamI"                About a minute ago   Up About a minute   80/tcp                      toolwebapp_who2.1.wj7vf83ag91ft7jgdy3gwejp4
-```
-
-
-## How to access Traefik
-
-![traefik](https://user-images.githubusercontent.com/6694151/50121682-86334d80-0227-11e9-8f25-93dd8714d306.jpg)
-
-
-#### Traefik password
-
-**user**: admin / **pass**: changethispass
-
-This password is encrypted in our configs `.configs/traefik.toml`
-
-To quickly generate yours with htpasswd, use my container:
-
-```
-docker run --rm -it devmtl/alpinefire:3.8-D sh -c 'htpasswd -Bbn admin changethispass'  
-``` 
-
-This will display:
-
-``` 
-admin:$2y$05$pAfipn3.brdHMI2eWGnYH.84XYqLozp1sUPi36/l54UAwv.zGLtNC
-```
-
-Insert this string in your `.configs/traefik.toml`.
-
-#### What is Traefik?
-
-[Traefik](https://docs.traefik.io/configuration/backends/docker/) is a powerful layer 7 reverse proxy. Once running, the proxy will give you access to many web apps. I think this is a substantial use case to understand how this reverse-proxy works.
-
-#### Traefik version 
-
-In `toolproxy.yml` look for something like `traefik:1.7.19`.
-
-#### Other stuff to know?
-
-- This stack does not use ACME (https://). ACME is a pain while developing … reaching limits, etc.
-- If you don’t want to use socat, check out the monorepo `traefik-manager-noacme`
-
-## Screenshots
-
-![docker-stack-this-stack5_11](https://user-images.githubusercontent.com/6694151/34073735-76c60ae2-e26e-11e7-85a1-755a7177b3f2.jpg)
-![docker-stack-this-stack5_12](https://user-images.githubusercontent.com/6694151/34073736-76d461c8-e26e-11e7-9aea-c8dbc049a383.jpg)
-![docker-stack-this-stack5_13](https://user-images.githubusercontent.com/6694151/34073737-76e1d998-e26e-11e7-8b7c-c619e91adadd.jpg)
-![docker-stack-this-stack5_14](https://user-images.githubusercontent.com/6694151/34073738-76f163ae-e26e-11e7-86d7-27ea62ae3284.jpg)
-![docker-stack-this-stack5_15](https://user-images.githubusercontent.com/6694151/34073739-77006d4a-e26e-11e7-8f2e-cbd4268ea403.jpg)
-![docker-stack-this-stack5_16](https://user-images.githubusercontent.com/6694151/49540846-158f4700-f89f-11e8-8e14-ceca2ff2b910.jpg)
-
-![docker-stack-this-stack5_17](https://user-images.githubusercontent.com/6694151/49540848-1922ce00-f89f-11e8-9fdc-b6fce70825c8.jpg)
-
-## All commands
-In the active path, just execute those bash-scripts:
-
-- `./runup.sh`
-- `./rundown.sh`
-
-**Bonus!** `./runctop.sh` is not a stack but a simple `docker run` to see the memory consumed by each container.
+Based on `traefik_stack5`. It adds the ability to generate certificates using ACME by https://letsencrypt.org/.
 
+You must understand how `traefik_stack5` runs. Then, it will be easy for you to run `traefik_stack6` on your own infra. I didn't test this on play-with-docker as ACME as rate limits.

traefik_stack6/stack-proxy.yml

@@ -0,0 +1,134 @@
+version: '3.7'
+
+x-default-opts: 
+  &default-opts
+  logging:
+    options:
+      max-size: "10m" 
+
+networks:
+  ntw_front:
+    external: true
+  ntw_proxy:
+    external: true
+
+services:
+
+  # this custom haproxy allows us to move traefik to worker nodes (if needed)
+  # while this container listens on managers and only allows
+  # traefik to connect, read-only, to limited docker api calls
+  # https://github.com/Tecnativa/docker-socket-proxy
+  # image: devmtl/proxysocket:1.9.10 (with wget for heathcheck)
+  # image: tecnativa/docker-socket-proxy
+  proxysocket:
+    <<: *default-opts
+    image: devmtl/proxysocket:1.9.13
+    networks:
+      - ntw_proxy
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      # specific to 'docker stack deploy'
+      NETWORKS: 1
+      SERVICES: 1
+      TASKS: 1
+      SWARM: 1
+    deploy:
+      mode: global
+      placement:
+        constraints: [node.role == manager]
+      restart_policy:
+        condition: on-failure
+      resources:
+        limits:
+          cpus: '0.20'
+          memory: 8M
+        reservations:
+          cpus: '0.10'
+          memory: 4M
+
+  # Traefik reverse proxy has a bunch of features:
+  # - reverse proxy all 80/443 ingress traffic on a swarm
+  # - dynamic config via each app's swarm service labels
+  # - HA multi-container design for traefik
+  # - runs traefik on host NIC directly, to improve performance
+  #    and capture client IP's
+  #
+      #- --debug=true
+      #
+      # OPTION A) Select STAGING or PROD letsencrypt server
+      # https://acme-v02.api.letsencrypt.org/directory
+      # https://acme-staging-v02.api.letsencrypt.org/directory
+      #
+      # OPTION B)
+      #- --entryPoints=Name:http Address::80                            # don't force HTTPS
+      #- --entryPoints=Name:http Address::80 Redirect.EntryPoint:https  # force HTTPS
+      #
+      # If not using proxysocket
+      #- --docker.endpoint=unix:///var/run/docker.sock
+  traefik:
+    <<: *default-opts
+    image: traefik:1.7.26-alpine
+    ports:
+    - target: 80
+      protocol: tcp
+      published: 80
+      mode: ingress
+    - target: 443
+      protocol: tcp
+      published: 443
+      mode: ingress
+    - target: 8080
+      protocol: tcp
+      published: 8080
+      mode: ingress
+    networks:
+      - ntw_front
+      - ntw_proxy
+    volumes:
+      - /mnt/DeployGRP/tooldata/traefik/traefik_stack6/acme.json:/etc/traefik/acme/acme.json
+    command:
+      - --docker
+      - --docker.domain=traefik
+      - --docker.swarmMode
+      - --docker.watch
+      - --docker.exposedbydefault=false
+      - --docker.endpoint=tcp://proxysocket:2375
+      - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https
+      - --entryPoints=Name:https Address::443 TLS
+      - --defaultentrypoints=http,https
+      - --acme
+      - [email protected]
+      - --acme.httpchallenge
+      - --acme.httpchallenge.entrypoint=http
+      - --acme.entryPoint=https
+      - --acme.onhostrule=true
+      - --acme.storage=/etc/traefik/acme/acme.json
+      - --acme.caserver=https://acme-v02.api.letsencrypt.org/directory
+      - --acme.acmelogging=true
+      - --logLevel=ERROR
+      - --api=true
+    deploy:
+      mode: replicated
+      replicas: 1
+      update_config:
+        delay: 2s
+      placement:
+        constraints: [node.labels.nodeid==1]
+      restart_policy:
+        condition: on-failure
+        max_attempts: 20
+      resources:
+        limits:
+          cpus: '0.33'
+          memory: 96M
+        reservations:
+          cpus: '0.05'
+          memory: 48M
+      labels:
+        - traefik.frontend.rule=Host:traefik.firepress.link
+        - traefik.docker.network=ntw_front
+        - traefik.enable=true
+        - traefik.port=8080
+
+# https://github.com/pascalandy/docker-stack-this, inspired by https://github.com/BretFisher/dogvscat