I'm new to traefik and am sure I'm asking questions that many of you may think dumb. I have traefik routing to the whoami service.
Do I have to manually edit the traefik compose file to add in all the networks I build my hosts on or can I do that automatically somehow?
I will be building services that should be isolated from those of another customer. Traditionally the non-swarm default network will do that. But in a swarm, I'm building external networks that I'm having to add to the traefik container.
I have 3 nodes in my swarm, swarm1, swarm2 and swarm3.
```yaml
version: '3'
services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.4
    # Enables the web UI and tells Traefik to listen to docker
    # (note: --api.insecure=true serves the dashboard on 8080 with no authentication)
    command: --api.insecure=true --providers.docker --providers.docker.swarmMode=true --accesslog=true --log.level=DEBUG --log.format=json
    # network_mode is ignored by `docker stack deploy` and cannot be combined
    # with `networks:` under plain docker-compose
    network_mode: host
    ports:
      # The HTTP port
      - "80:80"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
    deploy:
      labels:
        # Do not route to Traefik itself
        traefik.enable: "False"
      placement:
        constraints:
          # The Docker provider needs the socket of a manager node
          - node.role == manager
    # Every network Traefik should reach backends on has to be listed here
    networks:
      - whoami
networks:
  whoami:
    external: true
```
Yes you do. Traefik enterprise can do it automatically.
Only a compose-created $project_default network. The actual default bridge, while it does not support lookup by container name, can interconnect with other containers.
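As an added example (not part of the thread, and not Traefik's own documentation) of what "yes, you do" looks like in practice: one Traefik stack that is attached to a per-customer external overlay network for each tenant, and one customer stack that publishes a service through it. The network names, hostnames and the `docker network create` commands are placeholders; the two documents below would go into two separate files, one per `docker stack deploy`. Because Traefik only sees backends on networks it is itself attached to, onboarding a new customer means adding that customer's network to Traefik's `networks:` list and redeploying the Traefik stack; customer networks are never attached to each other, so the customer stacks stay isolated from one another.

```yaml
# Added example (not from the thread). Names are placeholders.
# Create the overlay networks once, before deploying either stack:
#   docker network create --driver overlay customer_a
#   docker network create --driver overlay customer_b
#
# --- file 1: traefik-stack.yml  (docker stack deploy -c traefik-stack.yml traefik)
version: "3.8"
services:
  reverse-proxy:
    image: traefik:v2.4
    command:
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      # Only services that opt in with traefik.enable=true are routed
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
    ports:
      - "80:80"
    volumes:
      # Read-only mount; the socket of a manager still grants cluster-wide control
      - /var/run/docker.sock:/var/run/docker.sock:ro
    deploy:
      placement:
        constraints:
          - node.role == manager
    # Traefik can only reach backends on the networks it is attached to, so
    # every customer network must be listed here and the stack redeployed
    # whenever a customer is added.
    networks:
      - customer_a
      - customer_b
networks:
  customer_a:
    external: true
  customer_b:
    external: true
---
# --- file 2: customer-a-stack.yml  (docker stack deploy -c customer-a-stack.yml customer-a)
version: "3.8"
services:
  whoami:
    image: traefik/whoami
    # Attached only to this customer's network; no path to customer_b
    networks:
      - customer_a
    deploy:
      # In swarm mode Traefik reads service labels, which live under deploy:
      labels:
        traefik.enable: "true"
        # Which of Traefik's networks to use to reach this service; without it
        # Traefik may pick an address on a different network it is attached to
        traefik.docker.network: customer_a
        traefik.http.routers.whoami-a.rule: Host(`a.example.test`)
        traefik.http.routers.whoami-a.entrypoints: web
        traefik.http.services.whoami-a.loadbalancer.server.port: "80"
networks:
  customer_a:
    external: true
```

`exposedByDefault=false` is a deliberate hardening choice over the thread's original configuration: a customer service is only published when it carries `traefik.enable=true`, so a mislabelled container on a shared network is not exposed by accident. The `traefik.docker.network` label matters precisely because Traefik sits on several networks at once.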
When I add a network to my traefik compose I need to update the container. This restarts it and will cause disruption. I guess this means I must use at least two replicas to prevent downtime and set my update delay accordingly.
I can't avoid down-time with replicas as traefik must run on a manager node. Does this mean I need to have more managers? It looks like in a production environment I should have 3, but right now this is a lab test.
Technically it just requires a connection to the docker socket (TCP or Unix socket) of a manager.
If you're using letsencrypt for your certificates then you can only run one traefik as Traefik CE does not co-ordinate certificates, they did that in the Traefik EE. Other than that I don't know if there is anything preventing you from using multiple or an upgrade strategy of start-first.
I do note that you are using host networking, is there a LB or GTM in front of each node that will run traefik?
Right now I haven't got anything in front of the lab setup. In fact, that's my next thought about how to present this to the world.
The Let's Encrypt bit is going to be a limiting factor for sure with CE. In the world of Nginx, a simple rsync helps with that. If I'm limiting the termination of SSL then it doesn't position itself very well for us as providing a front-end service. A load balancer in front of traefik that terminates the SSL may be an option.
I'd certainly be interested in knowing how others position traefik on their infrastructure.
Thanks, the start-first is probably a sensible precaution too.
The more I read the less of a problem CE and TLS may be. It seems it stores the certificates in acme.json on a Docker volume. To maintain that volume I'd place it onto an NFS share or even replicate it around the swarm nodes with rsync. Any failure would mean traefik restarts with access to the certificates and should carry on, albeit with the delay time of the failover.
All I need to do with the load balancer is ensure it points to all the nodes. The config on the LB stays minimal, accept the traffic and pass it to the swarm.
More testing required, but it's growing on me.
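An added example (not from the thread, and not Traefik's own reference configuration) putting together the two points raised above: a `start-first` rolling update so that editing the Traefik stack does not take the proxy down, and ACME state kept on an NFS-backed volume so that a replacement task started on another manager finds the existing certificates. The v2 ACME resolver keeps its account key and issued certificates in the single file named by `acme.storage` (conventionally `acme.json`). The NFS server address, export path, e-mail address and network name are placeholders.

```yaml
# Added example (not from the thread). Addresses and names are placeholders.
version: "3.8"
services:
  reverse-proxy:
    image: traefik:v2.4
    command:
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # ACME resolver "le"; all of its state lives in /letsencrypt/acme.json
      - --certificatesresolvers.le.acme.email=ops@example.test
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.httpchallenge=true
      - --certificatesresolvers.le.acme.httpchallenge.entrypoint=web
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Shared volume, so whichever manager runs the task sees the same acme.json
      - traefik-acme:/letsencrypt
    deploy:
      # One replica: Traefik CE does not coordinate ACME between instances
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      update_config:
        # Bring the new task up before the old one is stopped, so a stack edit
        # (for example adding a customer network) does not interrupt traffic
        order: start-first
        parallelism: 1
        delay: 10s
        failure_action: rollback
      restart_policy:
        condition: on-failure
    networks:
      - customer_a
networks:
  customer_a:
    external: true
volumes:
  # local driver with NFS options: every node mounts the same export
  traefik-acme:
    driver: local
    driver_opts:
      type: nfs
      o: addr=10.0.0.10,rw,nfsvers=4
      device: ":/export/traefik"
```

Two caveats a practitioner should check before relying on this. First, `start-first` with a shared `acme.json` means that for the length of the update window two Traefik tasks hold the same file; that is the trade-off for avoiding the restart gap, and it is only safe because no certificate is being issued during a routine redeploy. Second, Traefik refuses to use an `acme.json` whose permissions are more open than 0600, and NFS root squashing can change the effective owner of the file, so verify the file mode on the export rather than assuming the container created it correctly.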
Ok, looks like traefik v1 is acme.json, v2 has standard crt/key/pem files I can replicate in a similar fashion.
That seems to be the trouble everyone has: read something useful and then find it's the wrong version you're reading about.