What is required to host Swarmpit behind Traefik 2.x?

Issue Abstract

I'm struggling to understand what is wrong in the configuration below, which deploys Traefik, docker-socket-proxy, and Swarmpit to a Docker swarm. The Træfik dashboard routes successfully through Traefik itself to the internet; however, Swarmpit, configured in roughly the same way, fails, and I'm not sure what I'm doing wrong.

Is there a one size fits all clump of docker labels that can be applied to most https based endpoint web apps? In Træfik 1.7 I could simply slap some variant of this section of labels into a docker stack file (docker-compose) and it would work 99% of the time without hiccup.

    # Traefik 1.7-style deploy section the author reused across stacks. The
    # labels use the 1.x frontend/backend scheme, not the 2.x routers/services
    # scheme used in the rest of this page.
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.labels.web == true
#        preferences:
#          - spread: node.id
      labels:
        - traefik.backend=app
        - traefik.backend.loadbalancer.swarm=true
        - traefik.backend.loadbalancer.stickiness=false
        - "traefik.frontend.rule=Host:app.example.com"
        - traefik.enable=true
        - traefik.port=7777
        - traefik.tags=traefik
        - traefik.docker.network=traefik
        # Traefik service that listens to HTTP
        - traefik.redirectorservice.frontend.entryPoints=http
        - traefik.redirectorservice.frontend.redirect.entryPoint=https
        # Traefik service that listens to HTTPS
        - traefik.webservice.frontend.entryPoints=https
        # NOTE(review): the basic-auth user/hash pair is stored in a service
        # label, so it is readable by anyone who can inspect the service or
        # read this stack file; treat the stack file as sensitive.
        - traefik.frontend.auth.basic.users=REDACTED:REDACTED

My test environment.


Traefik 2.X configurations

traefik.yml [docker-compose.yml]

create networks

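docker network create --driver=overlay traefik
# The docker-socket network carries Docker API traffic to the socket proxy over
# plain, unauthenticated HTTP, so create it with overlay encryption.
# dockersocket.yml declares this network `external: true`, which means the
# stack never creates it and the `encrypted` driver option written there is
# not applied; the option has to be given at creation time. Encrypted overlays
# need ESP (IP protocol 50) allowed between the swarm nodes.
docker network create --driver=overlay --opt encrypted docker-socket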

create and deploy dockersocket proxy

docker stack deploy -c dockersocket.yml dockersocket

Deploy Traefik 2.x

docker stack deploy -c traefik.yml traefik

# Traefik 2.x edge router for the swarm. Static configuration is passed as CLI
# flags under `command:`; the dashboard router is declared through the deploy
# labels at the bottom of the service.
version: "3.7"
services:
  traefik:
    image: traefik:v2.3.4
    command:
      # Docker swarm configuration
#      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      # NOTE(review): the Docker API is reached over plain HTTP with no
      # authentication, so anything that can reach dockersocket:2375 gets the
      # same access the proxy grants. As posted, this service joins only the
      # `traefik` network (`docker-socket` is commented out under `networks:`),
      # while dockersocket.yml attaches the proxy only to `docker-socket`;
      # confirm the deployed stack really shares a network with the proxy.
      - "--providers.docker.endpoint=http://dockersocket:2375"
      - "--providers.docker.swarmMode=true"
      # Services are only routed when they carry `traefik.enable=true`.
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik"
      # Configure entrypoint
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # SSL configuration
      - "--certificatesresolvers.letsencryptresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencryptresolver.acme.email=admin@example.com"
      - "--certificatesresolvers.letsencryptresolver.acme.storage=/letsencrypt/acme.json"
      # Global HTTP -> HTTPS
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      # Enable dashboard
      # NOTE(review): combined with the `api@internal` router in the labels
      # below and the basic-auth middleware left commented out, the dashboard
      # and API are served to anyone who can reach monitor.example.com.
      - "--api.dashboard=true"
    ports:
      # NOTE(review): with `mode: host` commented out, both ports are published
      # through the swarm ingress mesh, so Traefik sees mesh addresses rather
      # than client IPs; that matters for access logs and IP allow-lists.
      - target: 80
        published: 80
        protocol: tcp
#        mode: host
      - target: 443
        published: 443
        protocol: tcp
#        mode: host
    volumes:
      # To persist certificates
      # NOTE(review): acme.json in this directory holds the ACME account key
      # and the certificates' private keys; keep the host path readable by root
      # only (Traefik expects mode 600 on the file).
      - /root/traefik/conf:/letsencrypt
      # So that Traefik can listen to the Docker events
#      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik
#      - docker-socket
    deploy:
      placement:
        constraints:
          - node.labels.role == web
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.traefik.tls=true"
        - "traefik.http.services.traefik.loadbalancer.server.port=888" # required by swarm but not used.
        - "traefik.http.routers.traefik.rule=Host(`monitor.example.com`)"
        - "traefik.http.routers.traefik.entrypoints=websecure"
        - "traefik.http.routers.traefik.tls.certresolver=letsencryptresolver"
        - "traefik.http.routers.traefik.service=api@internal"
        # NOTE(review): the two labels below are the only access control on the
        # dashboard router and are disabled. Re-enable them before exposing the
        # host; in a compose file every `$` of the htpasswd hash is written `$$`.
#        - "traefik.http.routers.traefik.middlewares=traefik-auth"
#        - "traefik.http.middlewares.traefik-auth.basicauth.users=REDACTED:REDACTED"
    logging:
      # NOTE(review): GELF over UDP is neither encrypted nor authenticated;
      # keep the path to log.example.com on a trusted network.
      driver: "gelf"
      options:
        gelf-address: "udp://log.example.com:12201"
        tag: "traefik_traefik"

# docker network create --driver=overlay traefik
# Both networks are external: the stack looks them up and never creates them.
# NOTE(review): `docker-socket` is declared here, but the traefik service's
# reference to it is commented out, so as posted the service is not attached
# to the network on which dockersocket.yml places the proxy.
networks:
  traefik:
    external: true
    name: traefik
  docker-socket:
    external: true

traefik.yml [Traefik Config]

# Traefik static configuration in file form.
# NOTE(review): the compose file above passes its static options as CLI flags
# and mounts no configuration file. Traefik's static configuration sources
# (file, CLI flags, environment) are mutually exclusive, so this file is
# presumably not in effect; confirm which source the deployment uses.
# It also differs from the flags: only the `web` entry point on :80 is defined,
# with no `websecure` entry point and no certificate resolver.
entryPoints:
  web:
    address: ":80"
# NOTE(review): enables the dashboard; nothing in this file puts
# authentication in front of it.
api:
  dashboard: true
providers:
  docker:
    swarmMode: true
    exposedByDefault: false
    # Plain-HTTP, unauthenticated Docker API endpoint served by the socket proxy.
    endpoint: 'http://dockersocket:2375'
log:
  level: INFO
  filePath: /opt/traefik/logs/traefik.log
accessLog:
  filePath: /opt/traefik/logs/access.log

Swarmpit

Deploy swarmpit to docker swarm

docker stack deploy -c swarmpit.yml swarmpit

swarmpit.yml [docker-compose.yml]

# Swarmpit stack: web UI (`app`), CouchDB, InfluxDB and a per-node agent.
version: '3.7'
services:
  app:
    # NOTE(review): `latest` is a floating tag on a service that holds the
    # Docker socket on a manager node; pin a release tag or digest.
    image: swarmpit/swarmpit:latest
    environment:
      - SWARMPIT_DB=http://db:5984
      - SWARMPIT_INFLUXDB=http://influxdb:8086
      # NOTE(review): spelled SWAMPIT_ (no "R"), unlike the two variables
      # above, so Swarmpit presumably never reads it and uses the mounted
      # socket instead. The proxy in dockersocket.yml is also only on the
      # `docker-socket` network, which this service does not join.
      - SWAMPIT_DOCKER_SOCK=http://dockersocket:2375
    volumes:
      # NOTE(review): `:ro` on a socket bind mount does not make the Docker API
      # read-only; the container can still issue any API call, so whoever gets
      # into this UI effectively controls the swarm from a manager node.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      # NOTE(review): publishes the UI as plain HTTP on port 888 of every swarm
      # node (ingress mode), bypassing Traefik's TLS and any middleware; drop
      # this mapping once routing through Traefik works.
      - 888:8080
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080"]
      interval: 60s
      timeout: 10s
      retries: 3
    networks:
      # NOTE(review): likely cause of the failure described in the question.
      # The service is attached only to `net`, while the label
      # `traefik.docker.network=traefik` below tells Traefik to reach it over
      # `traefik`. Traefik needs a network shared with this service; add
      # `- traefik` to this list.
      - net
    deploy:
      labels:
        ## Traefik 2.x
        - "traefik.enable=true"
        - "traefik.http.routers.swarmpit.tls=true"
        - "traefik.http.services.swarmpit.loadbalancer.server.port=8080"
        - "traefik.http.routers.swarmpit.rule=Host(`swarmpit.example.com`)"
        - "traefik.http.routers.swarmpit.entrypoints=websecure"
        - "traefik.http.routers.swarmpit.tls.certresolver=letsencryptresolver"
        - "traefik.http.routers.swarmpit.service=swarmpit"
#        - "traefik.http.routers.swarmpit.middlewares=swarmpit-header"
#        - "traefik.http.middlewares.swarmpit-header.headers.customresponseheaders.X-swarmpit-Server-URL=https://swarmpit.example.com/"
        - "traefik.docker.network=traefik"
      resources:
        limits:
          cpus: '0.50'
          memory: 1024M
        reservations:
          cpus: '0.25'
          memory: 512M
      placement:
        constraints:
          # Manager placement is what makes the mounted socket a swarm-wide API.
          - node.role == manager

  # CouchDB instance the app service addresses as http://db:5984.
  # NOTE(review): no admin credentials are configured here, and CouchDB 2.x
  # without an admin user grants every client admin rights. No ports are
  # published, so membership of the `net` overlay is the only access control;
  # keep unrelated services off that network.
  db:
    image: couchdb:2.3.0
    volumes:
      - db-data:/opt/couchdb/data
    networks:
      - net
    deploy:
      resources:
        limits:
          cpus: '0.30'
          memory: 256M
        reservations:
          cpus: '0.15'
          memory: 128M

  # InfluxDB instance the app service addresses as http://influxdb:8086.
  # NOTE(review): no authentication settings are passed, and InfluxDB 1.x has
  # authentication disabled by default; as with `db`, access is limited only
  # by membership of the `net` overlay.
  influxdb:
    image: influxdb:1.7
    volumes:
      - influx-data:/var/lib/influxdb
    networks:
      - net
    deploy:
      resources:
        limits:
          cpus: '0.60'
          memory: 512M
        reservations:
          cpus: '0.30'
          memory: 128M

  # Swarmpit agent, scheduled on every node (`mode: global`).
  # NOTE(review): each task gets the node's Docker socket. `:ro` on a socket
  # bind mount does not restrict API calls, and `latest` is a floating tag, so
  # whatever that tag resolves to runs with Docker API access on every node;
  # pin a release tag or digest.
  agent:
    image: swarmpit/agent:latest
    environment:
      - DOCKER_API_VERSION=1.35
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - net
    deploy:
      mode: global
      labels:
        swarmpit.agent: 'true'
      resources:
        limits:
          cpus: '0.10'
          memory: 64M
        reservations:
          cpus: '0.05'
          memory: 32M

# `net` is created by this stack; `traefik` and `docker-socket` are looked up
# as existing networks.
# NOTE(review): no service in this file lists `traefik` or `docker-socket`
# under its `networks:` key, so declaring them here attaches nothing to them.
networks:
  net:
    driver: overlay
  traefik:
    external: true
  docker-socket:
    external: true
volumes:
  db-data:
    driver: local
  influx-data:
    driver: local

Docker Socket Proxy

dockersocket.yml [docker-socket-proxy]

# Socket proxy: the only service meant to hold the raw Docker socket. It serves
# a filtered Docker API over HTTP to clients on the `docker-socket` network.
version: "3.7"
services:
  dockersocket:
    # NOTE(review): no tag, so this resolves to `latest`; pin a release tag or
    # digest for the one container that holds the manager's socket.
    image: tecnativa/docker-socket-proxy
    networks:
      - docker-socket
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      # API sections opened to clients. POST is not set, so per the image's
      # documentation the proxy stays read-only.
      # NOTE(review): SERVICES=1 returns full service specs, including labels
      # and environment variables, to anything on the `docker-socket` network;
      # keep secrets out of both and keep that network's membership minimal.
      - NETWORKS=1
      - SERVICES=1
      - TASKS=1
    deploy:
      placement:
        constraints:
          # Swarm service and task data is only served by manager nodes.
          - node.role == manager

# docker network create --driver=overlay --opt encrypted docker-socket
# NOTE(review): with `external: true` the stack only looks the network up and
# never creates it, so `driver` and `driver_opts` below are not applied (some
# compose loaders reject the combination outright). The traffic on this network
# is unauthenticated Docker API over HTTP, so the overlay is only encrypted if
# it was created with `--opt encrypted` as in the command above.
networks:
  docker-socket:
    driver: overlay
    external: true
    driver_opts:
      encrypted: 'true'