I'm hoping someone could help with just a smidge of confusion I have. The documentation used to have really good, complete versions of yml files for deployment, and the v3 docs seem to not have that anymore. Instead they just offer bits and pieces on this page here, which I have been working off of to deploy Traefik into our Docker cluster in swarm mode.
One of the things that is confusing me and isn't clear in that documentation is that apparently Traefik has to live on just a single dedicated node where the volume for the certificates is. But the whole point of building the cluster is to work around a single point of failure like that. I don't really need low-latency failover HA or anything, so I'm perfectly happy with a failure state whereby the Traefik container is just reinstantiated on another management node.
In that model, is it fine then to just use something like an NFS mount for the /certificates path? Or even another set of containers hosting a GlusterFS or something similar? There is a TON of disagreeing documentation out there about this, and I was hoping to get some official recommendation that included something other than "buy EE".
Traefik CE (Community Edition) is not enabled for distributed LetsEncrypt. That means when you run multiple instances in parallel, every instance needs to get its own TLS cert from LetsEncrypt via dnsChallenge.
Watch the LetsEncrypt limit of 5 certs per domain per week, store them accordingly.
Or you run an external tool like certbot and supply the certs manually or via API (proof-of-concept).
With Docker Swarm you can run a single instance with a shared folder. If one node dies, another starts Traefik and can access the existing TLS certs. If the certs are not available, it may take some seconds or minutes to re-create, depending on the number of domains. But you can use easier httpChallenge or tlsChallenge.
In both cases you need a load balancer in front, so domains don’t resolve to an IP that may be just out of service.
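As an added illustration of the single-instance, shared-folder model described in this reply (not the replier's own configuration, and not from the Traefik docs): a Swarm stack file that pins Traefik to one replica on a manager node and keeps the ACME storage on an NFS-backed named volume, so a rescheduled container finds the existing certificates. The NFS server address, export path, ACME e-mail and image tag are placeholders.

```yaml
# Constructed example stack for `docker stack deploy -c traefik.yml traefik`.
version: "3.8"

services:
  traefik:
    image: traefik:v3.0              # placeholder tag; pin the version you validated
    command:
      - "--providers.swarm=true"
      - "--providers.swarm.exposedByDefault=false"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesResolvers.le.acme.email=ops@example.com"   # placeholder
      # acme.json lives on the shared volume, so any node that starts Traefik reuses it
      - "--certificatesResolvers.le.acme.storage=/certificates/acme.json"
      # httpChallenge is enough here because only one instance ever answers port 80
      - "--certificatesResolvers.le.acme.httpChallenge.entryPoint=web"
    ports:
      # host mode publishes on the node actually running the container, which is
      # what a VIP that follows the container (keepalived) expects
      - { target: 80,  published: 80,  mode: host }
      - { target: 443, published: 443, mode: host }
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - certificates:/certificates
    deploy:
      mode: replicated
      replicas: 1                    # CE does not do distributed ACME: exactly one instance
      placement:
        constraints:
          - node.role == manager
      restart_policy:
        condition: on-failure

volumes:
  certificates:
    driver: local
    driver_opts:
      type: nfs
      # placeholder NFS server and export; the export must let the container
      # create acme.json with mode 0600, or Traefik refuses to use the file
      o: "addr=192.0.2.10,rw,nfsvers=4"
      device: ":/export/traefik-certs"
```

Traefik rejects an acme.json whose permissions are broader than 0600, so check the export's squash settings before the first rescheduling test rather than during an outage.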
I've already resolved the IP connectivity problem with keepalived. The VIP will follow the Traefik container. So, you said "shared folder". Tell me what you mean by that? I asked about an NFS mount or a local bind mount on GlusterFS. Is that what you mean?