bump to traefik:1.7.8-alpine

pascalandy · pascalandy · commit 7b495cc98bb8 · 2019-02-01T11:29:51.000-05:00
diff --git a/traefik_stack5/toolproxy-global.yml b/traefik_stack5/toolproxy-global.yml
@@ -0,0 +1,156 @@
+# this traefik reverse proxy has a bunch of features:
+# - reverse proxy all 80/443 ingress traffic on a swarm
+# - dynamic config via each app's swarm service labels
+# - HA multi-container design for traefik
+# - runs traefik on host NIC directly, to improve performance
+#    and capture client IP's
+# - uses consul to store static config for startup
+# - uses haproxy to allow offloading traefik to worker nodes
+# - store consul data in a volume on cloud storage with rexray
+
+# TODO improvements
+# make consul HA
+# properly handle service restarts if init container config changes
+# use envvars for email and default domain settings
+
+version: '3.7'
+
+x-default-opts: 
+  &default-opts
+  logging:
+    options:
+      max-size: "1m" 
+  # driver: "gelf"
+  # options:
+  #   gelf-address: "udp://127.0.0.1:5000"
+
+services:
+
+  traefik-init:
+    <<: *default-opts
+    image: traefik:1.7-alpine
+    networks:
+      - traefik-consul
+    command:
+      # Use your favourite settings here, but add:
+      - storeconfig
+      - --api
+      # NOTE: you'll want to lower this logLevel for real word stuff
+      - --logLevel="DEBUG"
+      # NOTE: you'll want to disable this for anything of signifant traffic, or route logs outside stdout
+      - --accessLog
+      - --docker
+      - --docker.endPoint=http://dockersocket:2375
+      - --docker.swarmMode
+      - --docker.domain=traefik
+      - --docker.watch
+      - --consul
+      - --consul.endpoint=consul:8500
+      - --consul.prefix=traefik
+      - --defaultentrypoints=http,https
+      - --entryPoints=Name:https Address::443 TLS
+      - --entryPoints=Name:http Address::80
+      # - --acme
+      # - --acme.email=${TRAEFIK_ACME_EMAIL}
+      #   # TODO: envvar for email and default domain
+      # - --acme.httpchallenge
+      # - --acme.httpchallenge.entrypoint=http
+      # - --acme.onhostrule=true
+      # - --acme.entrypoint=https
+      # - --acme.storage=my/key
+      # - --acme.acmelogging
+      # - --acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+      # - --acme.caserver=https://acme-v02.api.letsencrypt.org/directory
+    deploy:
+      restart_policy:
+        condition: on-failure
+
+  traefik:
+    <<: *default-opts
+    image: traefik:1.7-alpine
+    networks:
+      - proxy
+      - traefik-consul
+      - traefik-docker
+    ports:
+      - target: 80
+        published: 80
+        protocol: tcp
+        mode: host
+      - target: 443
+        published: 443
+        protocol: tcp
+        mode: host
+      - target: 8080
+        published: 8080
+        protocol: tcp
+        mode: ingress # traefik dashboard
+    command:
+      - --consul
+      - --consul.endpoint=consul:8500
+      - --consul.prefix=traefik
+    deploy:
+      mode: global
+      # if you have enough servers, make this only run on workers, maybe in a public DMZ
+      # placement:
+        # constraints: [node.role == worker]
+
+  consul:
+    <<: *default-opts
+    image: consul
+    command: agent -server -bootstrap-expect=1
+    networks:
+      - traefik-consul
+    volumes:
+      - consul:/consul/data
+    environment:
+      - CONSUL_LOCAL_CONFIG={"server":true}
+      - CONSUL_BIND_INTERFACE=eth0
+      - CONSUL_CLIENT_INTERFACE=eth0
+
+# this custom haproxy allows us to move traefik to worker nodes
+# while this container listens on managers and only allows
+# traefik to connect, read-only, to limited docker api calls
+# https://github.com/Tecnativa/docker-socket-proxy
+  dockersocket:
+    <<: *default-opts
+    image: tecnativa/docker-socket-proxy
+    networks:
+      - traefik-docker
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      # CONTAINERS: 1
+      NETWORKS: 1
+      SERVICES: 1
+      # SWARM: 1
+      TASKS: 1
+    deploy:
+      mode: global
+      placement:
+        constraints: [node.role == manager]
+
+volumes:
+  consul:
+    driver: ${DOCKER_VOL_DRIVER:-local}
+    # for example set DOCKER_VOL_DRIVER="rexray/dobs"
+    driver_opts:
+      size: 1
+
+networks:
+  ntw_front:
+    driver: overlay
+    driver_opts:
+      encrypted: 'true'
+
+  traefik-consul:
+    driver: overlay
+    driver_opts:
+      encrypted: 'true'
+      # since we're passing SSL certs over TCP, lets IPSec
+
+  traefik-docker:
+    driver: overlay
+    driver_opts:
+      encrypted: 'true'
+      # since we're passing docker socket stuff over TCP, lets IPSec
diff --git a/traefik_stack5/toolproxy.yml b/traefik_stack5/toolproxy.yml
@@ -46,7 +46,7 @@ services:
 
   traefik:
     <<: *default-opts
-    image: traefik:1.7.7-alpine
+    image: traefik:1.7.8-alpine
     ports:
     - target: 80
       protocol: tcp
