Inconsistent provider marker `@file`

Given this configuration:

docker-compose.yml
version: '3.8'
services:
  traefik:
    image: traefik:v2.3.1
    container_name: "traefik"
    restart: unless-stopped
    networks:
      - http_network
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "./traefik.toml:/traefik.toml:ro"
      - "./file.toml:/file.toml:ro"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=http_network"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.rule=Host(`traefik.home`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.options=default"
  test1:
    image: traefik/whoami:v1.6.0
    container_name: test1
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=http_network"
      - "traefik.http.routers.test1.entrypoints=websecure"
      - "traefik.http.routers.test1.rule=Host(`test1.home`)"
      - "traefik.http.routers.test1.tls=true"
      # testing this line
      - "traefik.http.routers.test1.tls.options=default"
    networks:
      - http_network
  test2:
    image: traefik/whoami:v1.6.0
    container_name: test2
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=http_network"
      - "traefik.http.routers.test2.entrypoints=websecure"
      - "traefik.http.routers.test2.rule=Host(`test2.home`)"
      - "traefik.http.routers.test2.tls=true"
      # testing this line
      - "traefik.http.routers.test2.tls.options=default@file"
    networks:
      - http_network
  test3:
    image: traefik/whoami:v1.6.0
    container_name: test3
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=http_network"
      - "traefik.http.routers.test3.entrypoints=websecure"
      - "traefik.http.routers.test3.rule=Host(`test3.home`)"
      - "traefik.http.routers.test3.tls=true"
      # testing this line
      - "traefik.http.routers.test3.tls.options=alternative"
    networks:
      - http_network
  test4:
    image: traefik/whoami:v1.6.0
    container_name: test4
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=http_network"
      - "traefik.http.routers.test4.entrypoints=websecure"
      - "traefik.http.routers.test4.rule=Host(`test4.home`)"
      - "traefik.http.routers.test4.tls=true"
      # testing this line
      - "traefik.http.routers.test4.tls.options=alternative@file"
    networks:
      - http_network
networks:
  http_network:
    external: true

file.toml
# Those are "better" TLS defaults
[tls.options.default]
minVersion = "VersionTLS12"
cipherSuites = [
  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
]
[tls.options.alternative]
minVersion = "VersionTLS12"
cipherSuites = [
  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
]

traefik.toml
## static configuration

[entryPoints.websecure]
address = ":443"

[entryPoints.web]
address = ":80"
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"

[providers.docker]
exposedByDefault=false

[providers.file]
filename = "/file.toml"


[log]
# Uncomment for debug log
level = "DEBUG"

# Uncomment for access log
#[accessLog]

# Comment out if dashboard is not needed
[api]
# Uncomment for insecure dashboard
#insecure = true

We have this log: https://gist.github.com/AndrewSav/e7e8f6c456d0fc991b9beaadc3735629

We create two tls options in file.toml:

  • default
  • alternative

We are trying to reference these options from routers like this:

      - "traefik.http.routers.test1.tls.options=default"
      - "traefik.http.routers.test2.tls.options=default@file"
      - "traefik.http.routers.test3.tls.options=alternative"
      - "traefik.http.routers.test4.tls.options=alternative@file"

In the logs we get:

"unknown TLS options: alternative@docker" routerName=test3@docker entryPointName=websecure
"unknown TLS options: default@file" entryPointName=websecure routerName=test2@docker

It seems that the @file marker is required with alternative but must NOT be specified with default.

It appears that the default option is treated differently from the rest, but this is not mentioned anywhere in the documentation.

Can someone please clarify the intention here, how is this supposed to work and why?

An unrelated question: we also get this line in the logs:

"Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"

Is this {{ normalize .Name }} supposed to end up in the log? It looks to me like a Go template that was not processed as intended. Can someone clarify please?

I'm happy to raise issues on github if appropriate, just wanted to triage here first.

Maybe adding something at the top of the TLS Options will do:

The default option is special. When no tls options are specified in a tls router, the default option is used. When specifying the default option explicitly, make sure not to specify provider namespace as the default option does not have one. Conversely, for cross-provider references, for example, when referencing the file provider from a docker label, you must specify the provider namespace, for example: "traefik.http.routers.myrouter.tls.options=myoptions@file"

What do you think?

I also find it a bit strange that the "Provider Namespace" topic is located under the Middlewares heading. This concept is not limited to Middlewares, we can also see it used with Services, TLSOptions, and ServersTransports. Should we move that from Middlewares Overview to Configuration Discovery? We can replace the text in Middlewares Overview with:

Important: be aware of the concept of Providers Namespace described in the Configuration Discovery section. It also applies to Middlewares.

When moving the section we might reword the text so that it is no longer Middleware specific. For example:

When you declare certain objects in Traefik dynamic configuration, such as middleware, service, tls options or servers transport, they live in their provider's namespace. For example, if you declare a middleware using a Docker label, under the hood, it will reside in the docker provider namespace.

If you use multiple providers and wish to reference such an object declared in another provider (aka referencing a cross-provider object, e.g. middleware), then you'll have to append the @ separator, followed by the provider name to the object name.

As Kubernetes also has its own notion of namespace, one should not confuse the "provider namespace" with the "kubernetes namespace" of a resource when in the context of a cross-provider usage. In this case, since the definition of a traefik dynamic configuration object is not in kubernetes, specifying a "kubernetes namespace" when referring to the resource does not make any sense, and therefore this specification would be ignored even if present. On the other hand, if you, say, declare a middleware as a Custom Resource in Kubernetes and use the non-crd Ingress objects, you'll have to add the kubernetes namespace of the middleware to the annotation like this <middleware-namespace>-<middleware-name>@kubernetescrd .

Referencing a Traefik dynamic configuration object from Another Provider

The rest of the text in the section can go without changes.

Seems right, I think that you can open a PR and we will talk about the content in this PR.

@ldez, thanks, what about {{ normalize .Name }} ?

This is the real default defaultRule value, it's expected because the default rule can only be evaluated in the dynamic configuration.
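
The resolution behaviour reported in this thread for `tls.options` references, as an added example that is not part of the original posts and is not Traefik's own code: it models what the log lines above show (a bare name gets the router's provider appended, `default` is left un-namespaced) and checks the four labels from the compose file. The function names and the `DECLARED` structure are assumptions made for this sketch.

```python
import re

# Constructed sample: the four router labels from the thread's docker-compose.yml.
LABELS = [
    "traefik.http.routers.test1.tls.options=default",
    "traefik.http.routers.test2.tls.options=default@file",
    "traefik.http.routers.test3.tls.options=alternative",
    "traefik.http.routers.test4.tls.options=alternative@file",
]
# TLS option names declared per provider (file.toml declares both).
DECLARED = {"file": {"default", "alternative"}}

LABEL_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.tls\.options=(.+)$")


def qualify(ref, provider):
    """Model of the behaviour seen in the thread's log (an assumption):
    a bare name gets the router's provider appended, except 'default'."""
    if ref == "default" or "@" in ref:
        return ref
    return f"{ref}@{provider}"


def known_options(declared):
    """Referencable names: '<name>@<provider>', with 'default' un-namespaced."""
    known = set()
    for provider, names in declared.items():
        for name in names:
            known.add("default" if name == "default" else f"{name}@{provider}")
    return known


def check_labels(labels, declared, provider="docker"):
    """Return {router: (qualified_ref, resolves)} for every tls.options label."""
    known = known_options(declared)
    result = {}
    for label in labels:
        m = LABEL_RE.match(label.strip().strip('"'))
        if not m:
            continue
        router, ref = m.groups()
        full = qualify(ref, provider)
        result[f"{router}@{provider}"] = (full, full in known)
    return result


if __name__ == "__main__":
    for router, (ref, ok) in check_labels(LABELS, DECLARED).items():
        print(f"{router}: {ref} -> {'ok' if ok else 'unknown TLS options'}")
```

Running a check like this over compose labels before deployment flags routers whose TLS options reference would be logged as unknown, such as `test2` and `test3` here.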
