Force TLS/SSL on all Docker Swarm discovered services?

Currently we run our 100+ services in Docker Swarm via:

    docker service create \
      --name whoami \
      --replicas 3 \
      --network proxy \
      --label 'traefik.enable=true' \
      --label 'traefik.http.routers.whoami.tls=true' \
      --label 'traefik.http.routers.whoami.entrypoints=websecure' \
      --label 'traefik.http.routers.whoami.rule=Host(`whoami.example.com`)' \
      --label 'traefik.http.services.whoami.loadbalancer.server.port=80' \
      traefik/whoami

Is it possible to tell Docker Swarm configuration discovery to always use

      --label 'traefik.http.routers.whoami.tls=true' \
      --label 'traefik.http.routers.whoami.entrypoints=websecure' \

so we don't have to add it to every single service?

I'm defining the (small number of) services in a compose file and repeating it, but if I got to 100 services, I would probably look at kapitan to avoid the repetition. Getting started with kapitan can be confusing, but here are my notes on getting started with it. Combined with jsonnet, I find it facilitates the maintenance of the config. I've just converted an existing (simple) swarm configuration to kapitan and am happy with it and the possibilities it opens.

Just found a related issue about forcing TLS on the Traefik GitHub:

this option already exists: EntryPoints | Traefik | v2.3

    command:
      # ...
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      # ...

So you need to set the entrypoint on every service's router, but TLS can be set globally.
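
Added example, not part of the original thread or Traefik's own tooling: with 100+ services, a label audit can confirm that every router is pinned to the `websecure` entrypoint and gets TLS either from its own labels or from the entrypoint-level setting shown above. The function name `audit_routers`, the sample services and the assumption that only services labelled `traefik.enable=true` are routed are illustrative; labels can be collected per service with `docker service inspect --format '{{json .Spec.Labels}}' <service>`.

```python
import re

# Traefik v2 HTTP router labels: traefik.http.routers.<router>.<option>
ROUTER_LABEL = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")

def audit_routers(services, entrypoint="websecure", entrypoint_tls=True):
    """Return sorted (service, router, problem) tuples for routers not forced onto TLS.
    services maps service name -> labels; entrypoint_tls says whether the static
    config sets --entrypoints.<entrypoint>.http.tls=true."""
    findings = []
    for svc, labels in services.items():
        if labels.get("traefik.enable", "").lower() != "true":
            continue  # assumption: only explicitly enabled services are routed
        routers = {}
        for key, value in labels.items():
            m = ROUTER_LABEL.match(key.lower())
            if m:
                routers.setdefault(m.group(1), {})[m.group(2)] = value.strip()
        for name, opts in routers.items():
            eps = [e.strip() for e in opts.get("entrypoints", "").split(",") if e.strip()]
            pinned = eps == [entrypoint]
            if not pinned:
                findings.append((svc, name, "entrypoints=%s" % (",".join(eps) or "unset")))
            tls = opts.get("tls")
            if tls is not None and tls.lower() != "true":
                findings.append((svc, name, "tls=%s" % tls))  # explicit non-true value: review
            elif tls is None and not any(k.startswith("tls.") for k in opts):
                if not (entrypoint_tls and pinned):
                    findings.append((svc, name, "no TLS on router or entrypoint"))
    return sorted(findings)

# Constructed sample labels (not from a real cluster).
SAMPLE = {
    "whoami": {"traefik.enable": "true",
               "traefik.http.routers.whoami.tls": "true",
               "traefik.http.routers.whoami.entrypoints": "websecure",
               "traefik.http.routers.whoami.rule": "Host(`whoami.example.com`)"},
    "api": {"traefik.enable": "true",
            "traefik.http.routers.api.entrypoints": "websecure",
            "traefik.http.routers.api.rule": "Host(`api.example.com`)"},
    "legacy": {"traefik.enable": "true",
               "traefik.http.routers.legacy.entrypoints": "web",
               "traefik.http.routers.legacy.rule": "Host(`legacy.example.com`)"},
}

if __name__ == "__main__":
    for finding in audit_routers(SAMPLE):
        print(*finding, sep="\t")
```

Pass `entrypoint_tls=False` to see which routers would lose TLS if the global entrypoint setting were removed.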
