Traefik Networking

I'm new to traefik and am sure I'm asking questions that many of you may think dumb. I have traefik routing to the whoami service.

Do I have to manually edit the traefik compose file to add in all the networks I build my hosts on or can I do that automatically somehow?

I will be building services that should be isolated from those of another customer. Traditionally the non-swarm default network will do that. But in a swarm, I'm building external networks that I'm having to add to the traefik container.

I have 3 nodes in my swarm, swarm1, swarm2 and swarm3.

Here's my service (yes the whoami example):

version: '3.2'

services:
  whoami:
    image: containous/whoami
    deploy:
      replicas: 3
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.whoami.rule=Host(`whoami`)"
        - "traefik.http.routers.whoami.entrypoints=http"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"
        # Tells Traefik which of this service's networks to use for the backend
        # address; it must be a network Traefik itself is attached to.
        - "traefik.docker.network=whoami"
    # Publishes 9980 on every swarm node through the ingress mesh, bypassing
    # Traefik; drop this if clients should only reach the service via Traefik.
    ports:
      - "9980:80"
    networks:
      - whoami

networks:
  whoami:
    external: true

My traefik is installed in the swarm stack using:

version: '3'

services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.4
    # Enables the web UI and tells Traefik to listen to docker.
    # --api.insecure=true serves the dashboard and API on :8080 with no
    # authentication: acceptable in a lab, not on a node reachable by customers.
    command: --api.insecure=true --providers.docker --providers.docker.swarmMode=true --accesslog=true --log.level=DEBUG --log.format=json
    # Ignored by `docker stack deploy`; plain docker-compose refuses to combine
    # network_mode with a networks: list.
    network_mode: host
    ports:
      # The HTTP port
      - "80:80"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events.
      # The socket gives the container full control of the Docker daemon on
      # this manager, so treat the Traefik task as root on the host.
      - /var/run/docker.sock:/var/run/docker.sock
    deploy:
      labels:
        traefik.enable: "False"
      placement:
        constraints:
          - node.role == manager
    # Every customer overlay network Traefik must reach has to be listed here
    # and declared under the top-level networks: as external.
    networks:
      - whoami

networks:
  whoami:
    external: true

Yes you do. Traefik enterprise can do it automatically.

Only a compose-created $project_default network. The actual default bridge, while it does not support lookup by container name, can interconnect with other containers.

Many thanks for the reply.

When I add a network to my traefik compose I need to update the container. This restarts it and will cause disruption. I guess this means I must use at least two replicas to prevent downtime and set my update delay accordingly.

I can't avoid downtime with replicas as traefik must run on a manager node. Does this mean I need to have more managers? It looks like in a production environment I should have 3, but right now this is a lab test.

Technically it just requires a connection to the docker socket (TCP or Unix socket) of a manager.

If you're using letsencrypt for your certificates then you can only run one traefik as Traefik CE does not co-ordinate certificates, they did that in the Traefik EE. Other than that I don't know if there is anything preventing you from using multiple or an upgrade strategy of start-first.

I do note that you are using host networking, is there a LB or GTM in front of each node that will run traefik?
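The replies above turn on two facts: Traefik has to be attached to each customer's overlay network, and changing the service's networks rolls its tasks. The script below is an added example, not code from this thread or from the Traefik project. It reads the output of two real commands, `docker service inspect <service>` and `docker network ls --no-trunc --format '{{.ID}}\t{{.Name}}\t{{.Driver}}\t{{.Scope}}'` (the `--no-trunc` matters, because service inspect reports full network IDs and the default listing truncates them), works out which requested networks are not attached yet, refuses networks a swarm service cannot join, and prints the `docker service update` command that attaches the missing ones with a start-first rollout. The service name, network names and IDs in it are constructed sample data.

```python
r"""Plan attaching customer overlay networks to a running Traefik service
without hand-editing the stack file for each new customer.

Added example. Inputs are the text of:
    docker service inspect traefik_reverse-proxy
    docker network ls --no-trunc --format '{{.ID}}\t{{.Name}}\t{{.Driver}}\t{{.Scope}}'
All names and IDs below are constructed samples, not from a real cluster.
"""
import json
import shlex

# Constructed sample of `docker service inspect` (only the fields used here).
SAMPLE_INSPECT = json.dumps([{
    "ID": "svc0000000000000000000000",
    "Spec": {
        "Name": "traefik_reverse-proxy",
        "TaskTemplate": {
            "Networks": [{"Target": "net1whoami0000000000000000"}],
        },
    },
}])

# Constructed sample of `docker network ls --no-trunc --format ...`.
SAMPLE_NETWORK_LS = "\n".join([
    "net1whoami0000000000000000\twhoami\toverlay\tswarm",
    "net2custa00000000000000000\tcustomer-a\toverlay\tswarm",
    "net3custb00000000000000000\tcustomer-b\toverlay\tswarm",
    "net4bridge0000000000000000\tbridge\tbridge\tlocal",
])


def parse_network_ls(text):
    """Map network name -> (id, driver, scope) from the tab-separated listing."""
    nets = {}
    for line in text.splitlines():
        if line.strip():
            net_id, name, driver, scope = line.split("\t")
            nets[name] = (net_id, driver, scope)
    return nets


def attached_network_ids(inspect_json):
    """Full network IDs the service's tasks are currently attached to."""
    spec = json.loads(inspect_json)[0]["Spec"]
    nets = spec.get("TaskTemplate", {}).get("Networks") or spec.get("Networks") or []
    return {n["Target"] for n in nets}


def validate_desired(desired, nets):
    """Reasons a requested network cannot be attached to a swarm service."""
    problems = []
    for name in desired:
        if name not in nets:
            problems.append(f"{name}: does not exist, create the overlay network first")
        elif nets[name][2] != "swarm":
            problems.append(f"{name}: {nets[name][2]}-scoped, services only attach to swarm-scoped networks")
    return problems


def plan_attach(service, desired, inspect_json, network_ls):
    """Return the update command for the networks still missing, or None if nothing to do."""
    nets = parse_network_ls(network_ls)
    problems = validate_desired(desired, nets)
    if problems:
        raise ValueError("; ".join(problems))
    attached = attached_network_ids(inspect_json)
    missing = [name for name in desired if nets[name][0] not in attached]
    if not missing:
        return None
    # start-first starts the replacement task before stopping the old one. This
    # works with ingress-mode published ports; with host-mode ports on a single
    # node the two tasks cannot both bind 80/443 and the update stalls.
    cmd = ["docker", "service", "update", "--update-order", "start-first"]
    for name in missing:
        cmd += ["--network-add", name]
    cmd.append(service)
    return " ".join(shlex.quote(part) for part in cmd)


if __name__ == "__main__":
    print(plan_attach("traefik_reverse-proxy", ["whoami", "customer-a", "customer-b"],
                      SAMPLE_INSPECT, SAMPLE_NETWORK_LS))
```

Anything attached this way is lost on the next `docker stack deploy` of the traefik stack, which reconciles the service back to what the file says, so the quick path is still to record the network in the stack file afterwards; putting `order: start-first` under `deploy.update_config` in that file gives the same rollout behaviour on redeploy.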

👍

Right now I haven't got anything in front of the lab setup. In fact, that's my next thought about how to present this to the world.

The Let's Encrypt bit is going to be a limiting factor for sure with CE. In the world of Nginx, a simple rsync helps with that. If I'm limiting the termination of SSL then it doesn't position itself very well for us as providing a front-end service. A load balancer in front of traefik that terminates the SSL may be an option.

I'd certainly be interested in knowing how others position traefik on their infrastructure.

Thanks, the start-first is probably a sensible precaution too.

I've gone with TEE for these reasons. LB in front. TLS Terminated on Traefik.

Not yet using the automatic network joining but I know it is there.

Interesting thank you.

The more I read the less of a problem CE and TLS may be. It seems it stores the certificates in acme.json on a Docker volume. To maintain that volume I'd place it onto an NFS share or even replicated around the swarm nodes with rsync. Any failure would mean traefik restarts with access to the certificates and should carry on. Albeit with the delay time of the fail over.

All I need to do with the load balancer is ensure it points to all the nodes. The config on the LB stays minimal, accept the traffic and pass it to the swarm.

More testing required, but it's growing on me.

Ok, looks like traefik v1 is acme.json, v2 has standard crt/key/pem files I can replicate in a similar fashion.

That seems to be the trouble everyone has, read something useful and then find it's the wrong version you're reading about 🙂

No, it is still a json file.

NFS might work. Or another replicated volume driver.
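Before copying acme.json onto NFS or around the nodes with rsync, it is worth checking the two things that make a restarted Traefik fail to pick it up. This is an added example, not code from the thread or from the Traefik project: Traefik v2 refuses to load the ACME store when the file has any group or other permission bits set (it logs that the permissions are too open and asks for 600), and a copy that arrives with a looser mode, or under a different UID after NFS squashing, stops the proxy instead of keeping it running. The script applies that same permission rule, walks the layout Traefik v2 writes (one top-level key per certificate resolver, each holding `Account` and a `Certificates` list of `domain`/`certificate`/`key` entries, with the PEM blocks base64-encoded) and reports what each resolver holds. The resolver name `le`, the domains and the PEM payloads are constructed placeholders.

```python
"""Audit a Traefik v2 acme.json before sharing it across swarm nodes.

Added example. The store content is a constructed sample: resolver "le",
placeholder domains, and PEM-shaped strings that are not real keys.
"""
import base64
import json
import os
import stat
import tempfile


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample store: one resolver, one healthy entry, one entry with no key.
SAMPLE_STORE = {
    "le": {
        "Account": {"Email": "ops@example.test", "Registration": {},
                    "PrivateKey": _b64("placeholder"), "KeyType": "4096"},
        "Certificates": [
            {"domain": {"main": "app.example.test", "sans": ["www.example.test"]},
             "certificate": _b64("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"),
             "key": _b64("-----BEGIN EC PRIVATE KEY-----\nMHcC...\n-----END EC PRIVATE KEY-----\n"),
             "Store": "default"},
            {"domain": {"main": "broken.example.test", "sans": []},
             "certificate": _b64("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"),
             "key": "",
             "Store": "default"},
        ],
    }
}


def write_sample(mode):
    """Write SAMPLE_STORE to a temp file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(suffix="-acme.json")
    with os.fdopen(fd, "w") as f:
        json.dump(SAMPLE_STORE, f)
    os.chmod(path, mode)
    return path


def permissions_ok(path):
    """The rule Traefik applies: no group or other bits may be set (mode & 0o077 == 0)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def _is_pem(b64, marker):
    """True if the value is base64 of a PEM block whose header line ends in `marker`."""
    try:
        text = base64.b64decode(b64, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return text.startswith("-----BEGIN ") and f"{marker}-----" in text.splitlines()[0]


def audit(path):
    """Return {"permissions_ok": bool, "resolvers": {name: [(main, sans, problems)]}}."""
    with open(path) as f:
        store = json.load(f)
    report = {"permissions_ok": permissions_ok(path), "resolvers": {}}
    for resolver, data in store.items():
        entries = []
        for cert in data.get("Certificates") or []:
            problems = []
            if not _is_pem(cert.get("certificate", ""), "CERTIFICATE"):
                problems.append("certificate is not base64 PEM")
            if not _is_pem(cert.get("key", ""), "PRIVATE KEY"):
                problems.append("private key missing or not base64 PEM")
            entries.append((cert["domain"]["main"],
                            list(cert["domain"].get("sans") or []),
                            problems))
        report["resolvers"][resolver] = entries
    return report


if __name__ == "__main__":
    print(json.dumps(audit(write_sample(0o600)), indent=2))
```

Sharing the file this way only means a restarted Traefik finds its certificates; it does not make two Traefik CE instances coordinate renewals, which is the limitation the earlier reply describes. On NFS, check the mode and owner as seen from inside the container, since root squashing can change both.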

Thanks for taking the time to give me some pointers it really was invaluable.

I've managed to get a proper container setup up and running with acme TLS and with the session stickiness needed for one of the apps.

I positioned Nginx in front as a load balancer, but didn't terminate the certificate there by using streaming:

stream {
    # Backends are the swarm nodes; Traefik listens on 443 on each of them
    upstream dev-container-tls {
        server swarm1:443 weight=1 fail_timeout=30s;
        server swarm2:443 weight=1 fail_timeout=30s;
        server swarm3:443 weight=1 fail_timeout=30s;
    }

    server {
        listen      443;
        proxy_pass  dev-container-tls;
        # Read the ClientHello (SNI) without terminating TLS; the encrypted
        # stream is passed through untouched, so only Traefik holds the keys
        ssl_preread on;
    }
}

This way I let traefik deal with acme and get the certs. Which as you said sit in acme.json and are on a shared resource (NFS for now).
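What `ssl_preread` actually reads is the server name the client sends in plaintext in its ClientHello; nothing is decrypted and the private keys stay on Traefik. The code below is an added example, not from this thread or from nginx or Traefik: it builds a minimal ClientHello carrying a server_name extension (constructed bytes, not a real capture) and parses it back the way a preread does, including the cases a passthrough balancer has to tolerate, a non-TLS connection and a hello that has not fully arrived yet. The host name is a placeholder.

```python
"""What a TLS passthrough balancer sees: SNI from the ClientHello.

Added example. build_client_hello() constructs a synthetic hello with only
the fields a preread needs; extract_sni() is the parse side.
"""
import struct


def build_client_hello(server_name):
    """Constructed TLS 1.2-style ClientHello record with one server_name entry."""
    host = server_name.encode("idna")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(name_entry)) + name_entry
    ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext       # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03"             # client_version TLS 1.2
            + b"\x00" * 32          # random (zeros in the sample)
            + b"\x00"               # session_id length 0
            + b"\x00\x02\x13\x01"   # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"           # compression methods: null
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data):
    """Return the host_name from a ClientHello record, or None when there is none yet."""
    if len(data) < 5 or data[0] != 0x16:
        return None  # not a TLS handshake record: plain HTTP, SSH, or garbage
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None  # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None  # truncated: a real preread keeps waiting for more bytes
    pos = 2 + 32                                            # version + random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    if pos + 2 > len(body):
        return None  # hello without extensions (old clients): no SNI to route on
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000 and len(edata) >= 2:
            list_len = struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                name = edata[q + 3:q + 3 + nlen]
                q += 3 + nlen
                if ntype == 0:
                    return name.decode("idna")
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("app.example.test")))
```

Two consequences for the setup above. Because the balancer never terminates TLS, Traefik sees the nginx address as the client; if the access log or an IP allow-list needs the real source, enable `proxy_protocol on;` in the nginx stream server and set `proxyProtocol.trustedIPs` on the Traefik entrypoint to the balancer's address, otherwise the header is ignored or treated as spoofable. And since the server name is readable before any decryption, nginx can route on it with `map $ssl_preread_server_name`, which is a way to keep one customer's traffic on a separate upstream without the balancer holding any keys.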
