I would like to run Traefik via Docker Swarm on multiple servers.
Currently I declare a Docker Swarm stack deploy file:
traefik_ssl_dashboard.yml

```yaml
version: '3.8'
services:
  traefik:
    image: traefik:v2.4.9
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    command:
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=proxy
      - --providers.file.filename=/data/traefik/config.yml
      - --providers.file.watch=true
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.web.proxyProtocol.trustedIPs=1.2.3.4
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.proxyProtocol.trustedIPs=1.2.3.4
      - --log.level=INFO
      - --log.filepath=/data/traefik/logs/traefik.log
      - --accesslog.filepath=/data/traefik/logs/access.log
      - --accesslog.bufferingsize=10
      - --accesslog.format=json
      - --accesslog.fields.defaultmode=keep
      - --accesslog.fields.headers.defaultmode=keep
      - --api.dashboard=true
    environment:
      - TZ=Europe/Berlin
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /data/traefik:/data/traefik
    networks:
      - proxy
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == manager
      labels:
        - traefik.enable=true
        - traefik.http.services.dashboard.loadbalancer.server.port=888 # required, not used
        - traefik.http.routers.dashboard.rule=Host(`dashboard.mydomain.tld`)
        - traefik.http.routers.dashboard.entrypoints=websecure
        - traefik.http.routers.dashboard.tls=true
        - traefik.http.routers.dashboard.service=api@internal
        - traefik.http.routers.dashboard.middlewares=dashboard-auth
        - "traefik.http.middlewares.dashboard-auth.basicauth.users=user:pass"
networks:
  proxy:
    external: true
```
The challenge I am facing is that I cannot include the SSL configuration in the declaration. Currently I need to make sure that every server has the config.yml.

SSL configuration in a separate file:
```yaml
tls:
  certificates:
    - certFile: /data/traefik/certs/mydomain.tld.crt
      keyFile: /data/traefik/certs/mydomain.tld.key
  stores:
    default:
      defaultCertificate:
        certFile: /data/traefik/certs/mydomain.tld.crt
        keyFile: /data/traefik/certs/mydomain.tld.key
```
So with Docker Swarm I can scale out Traefik without an issue and control it from a central point. But at the same time I need to manually make sure that the SSL configuration file and the SSL certificates themselves are present on each of the servers, which makes life complicated.

Horror story: of course we forgot to update the SSL config file one time; it took a day to find the sudden issue with broken SSL connections.
Is there a way to get the SSL configuration inline with the Docker Swarm deploy file?
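One way to keep the TLS material inside the stack declaration, as an added example that is not part of the original post: let Swarm distribute the dynamic config as a Docker config and the certificate and key as Docker secrets, so managers ship them to every node where Traefik runs and nothing has to be copied to `/data/traefik/certs` by hand. The file names, the `_v1` suffixes and the mount paths under `/etc/traefik/dynamic` and `/run/secrets` are assumptions; everything else follows the stack file above.

```yaml
# ---- traefik_ssl_dashboard.yml (only the changed parts; ports, volumes,
# ---- networks and the dashboard labels stay as in the original stack file)
version: '3.8'
services:
  traefik:
    image: traefik:v2.4.9
    command:
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=proxy
      # the file provider now reads the Swarm-distributed config, not a host path
      - --providers.file.filename=/etc/traefik/dynamic/tls.yml
      - --entrypoints.websecure.address=:443
    configs:
      - source: traefik_tls_v1          # versioned name: Swarm configs are immutable
        target: /etc/traefik/dynamic/tls.yml
    secrets:
      - source: mydomain_crt_v1
        target: /run/secrets/mydomain.tld.crt
      - source: mydomain_key_v1
        target: /run/secrets/mydomain.tld.key
        mode: 0400                      # key readable only by the container's root user
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == manager
configs:
  traefik_tls_v1:
    file: ./tls.yml                     # read once, at `docker stack deploy` time
secrets:
  mydomain_crt_v1:
    file: ./certs/mydomain.tld.crt
  mydomain_key_v1:
    file: ./certs/mydomain.tld.key      # kept in the encrypted Raft log, mounted via tmpfs
---
# ---- tls.yml: the dynamic TLS config, now pointing at the mounted secrets
tls:
  certificates:
    - certFile: /run/secrets/mydomain.tld.crt
      keyFile: /run/secrets/mydomain.tld.key
  stores:
    default:
      defaultCertificate:
        certFile: /run/secrets/mydomain.tld.crt
        keyFile: /run/secrets/mydomain.tld.key
```

Because configs and secrets cannot be changed in place, a certificate rotation means adding them under a new name (for example `_v2`), pointing the service at it and redeploying the stack; Swarm then rolls the Traefik tasks, so `--providers.file.watch=true` is no longer what picks up the change.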