I know this topic has been discussed previously:
- Traefik docker config for tls options - #2 by cakiwi
- Docker dynamic settings for TLS not docummented · Issue #6489 · traefik/traefik · GitHub
- TLS parameters from more dynamic providers and a default path for a no-config setup · Issue #5507 · traefik/traefik · GitHub
... and probably in many other posts.
I think I understand that TLS options cannot be defined through the docker provider (they can only be set to something defined elsewhere).
I also know how to configure mTLS on my service container by properly referencing an existing set of TLS options already defined in the traefik container's dynamic configuration.
My question is about the actual reliability of setting the TLS options through docker labels.
Take the following docker-compose labels:
```yaml
someservice:
  labels:
    - "traefik.http.routers.gatekeeper_whoamisecure.tls=true"
    - "traefik.http.routers.gatekeeper_whoamisecure.tls.certresolver=someresolver"
    - "traefik.http.routers.gatekeeper_whoamisecure.tls.options=someoptions@file"
```
If for some reason "someoptions@file" does not exist anywhere, Traefik only seems to report it as a debug message:
time="2022-04-03T12:47:28Z" level=debug msg="unknown TLS options: someoptions@file" entryPointName=websecure routerName=someservice@docker
Then the service starts and is served through TLS (hopefully) but it will NOT be configured as expected.
Let's say that "someoptions@file" used to be a very strong mTLS configuration with client authentication... but it got reworked / renamed in the traefik container configuration...
... and we forgot to update each and every service container that depends on it. Shame on us, but unfortunately I believe it is a quite common situation.
- The service is exposed no matter what, even though it is not properly configured.
- Depending on the default configuration, the service then gets exposed to everyone while we expected it to be available only to mutually authenticated clients!
- Last but not least: We do not get notified that the mTLS options were not found (and merely ignored).
Indeed: The "DEBUG" log level is not really reflecting that we face a major problem here...
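Two places where this can be caught before or after the fact, as an added example that is not part of the original post and not Traefik's own code: a pre-deploy check that resolves every `tls.options=` label against the names the file provider actually defines (the defined names, the extra labels and the second log line are constructed samples; the first log line is the one quoted above), and a log-based detector for the `unknown TLS options` debug message, so the silent fallback at least produces an alert.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: labels as they would appear on services in docker-compose.yml.
# "legacy" references options without a provider suffix, which is a separate failure.
SAMPLE_LABELS = [
    "traefik.http.routers.gatekeeper_whoamisecure.tls=true",
    "traefik.http.routers.gatekeeper_whoamisecure.tls.certresolver=someresolver",
    "traefik.http.routers.gatekeeper_whoamisecure.tls.options=someoptions@file",
    "traefik.http.routers.other.tls.options=mtls-strict@file",
    "traefik.http.routers.legacy.tls.options=someoptions",
]

# Constructed sample: names defined under tls.options in the file provider's
# dynamic configuration ("someoptions" was renamed to "mtls-strict").
DEFINED_FILE_OPTIONS: Set[str] = {"mtls-strict", "default"}

# Constructed sample log: first line is the debug message quoted in the post,
# second line is unrelated filler to show the detector ignores it.
SAMPLE_LOG = [
    'time="2022-04-03T12:47:28Z" level=debug msg="unknown TLS options: someoptions@file" '
    'entryPointName=websecure routerName=someservice@docker',
    'time="2022-04-03T12:47:29Z" level=debug msg="constructed filler line" routerName=someservice@docker',
]

LABEL_RE = re.compile(
    r"^traefik\.http\.routers\.(?P<router>[^.]+)\.tls\.options=(?P<ref>\S+)$"
)
LOG_RE = re.compile(
    r'level=(?P<level>\w+)\s+msg="unknown TLS options: (?P<ref>[^"]+)"'
    r'.*?\brouterName=(?P<router>\S+)'
)


def parse_tls_option_refs(labels: List[str]) -> Dict[str, str]:
    """Map router name -> TLS options reference for every tls.options label."""
    refs: Dict[str, str] = {}
    for label in labels:
        m = LABEL_RE.match(label.strip())
        if m:
            refs[m.group("router")] = m.group("ref")
    return refs


def find_unresolved(labels: List[str], defined_file_options: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (router, reference, reason) for each reference that cannot resolve.

    A reference is name@provider. Without a suffix it resolves to the router's own
    provider (docker here), which cannot define TLS options at all; with @file it
    must name an entry in the file provider's tls.options section.
    """
    problems: List[Tuple[str, str, str]] = []
    for router, ref in parse_tls_option_refs(labels).items():
        name, sep, provider = ref.partition("@")
        if not sep:
            problems.append((router, ref, "no provider suffix: docker provider cannot define TLS options"))
        elif provider == "file" and name not in defined_file_options:
            problems.append((router, ref, "not defined in the file provider's tls.options"))
    return problems


def find_unknown_tls_options_in_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (router, reference) for each 'unknown TLS options' message in a Traefik log."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            hits.append((m.group("router"), m.group("ref")))
    return hits


if __name__ == "__main__":
    for router, ref, reason in find_unresolved(SAMPLE_LABELS, DEFINED_FILE_OPTIONS):
        print(f"PRE-DEPLOY: router {router} references {ref}: {reason}")
    for router, ref in find_unknown_tls_options_in_log(SAMPLE_LOG):
        print(f"RUNTIME: Traefik ignored TLS options {ref} on router {router}; serving with defaults")
```

The pre-deploy check is the one that actually prevents the exposure; the log detector only works if Traefik runs at debug level, which is exactly the point being raised above, so it is a stop-gap until the message is emitted at a more visible level.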
Well clearly, I'd expect that either:
- The service is not served at all when a configuration is wrong.
  This would be equivalent to re-configuring this service container as if it had defined "
- Clearly and loudly log this ERROR in a proper log with an appropriate* log level.
*appropriate = ERROR (or WARNING at a bare minimum).
Can someone help me find out the rationale behind the current Traefik behaviour?
Why is it behaving like this?
Is it worth submitting a bug/feature request, or is it me who is completely out of line here?
Thanks for your help!