Add support for externally-sourced wildcard certificates #45

Merged
decentral1se merged 6 commits from wolcen/traefik:master into master 2024-01-12 20:48:03 +00:00
Member
  • This works as is, but I recommend setting the `LETS_ENCRYPT_ENV=staging` as the resolver has not been actively disabled here!
  • Traefik is at v2.10.7 for my testing, wasn't sure how to format the version and my brain is barely working now...
wolcen added 4 commits 2023-12-10 04:31:44 +00:00
decentral1se reviewed 2023-12-11 10:57:56 +00:00
decentral1se left a comment
Owner

Looking good, tysm for working on this!

@ -0,0 +9,4 @@
secrets:
ssl_cert:
name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
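Review bot: `name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}` reuses a single version variable for both the certificate and the key secret, so the cert cannot be rotated without also renaming the key secret, and it departs from the env-var-per-secret convention the maintainer raises in this thread; either introduce `SECRET_SSL_CERT_VERSION` for this entry or document in `.env.sample` that the two secrets are always rotated together under `SECRET_WILDCARD_CERT_VERSION`.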
Owner

${STACK_NAME}_ssl_cert_${SECRET_SSL_CERT_VERSION}

I think you need to make a specific env var for this in the .env.sample also?

Author
Member

If I understand you correctly, you are asking to have two version vars? I already included SECRET_WILDCARD_CERT_VERSION, used for both as typically both change for me at the same time.

I guess in theory you could reuse the pwd/key, is that correct, or is it just "best practice" to allow a version var per variable, regardless of anything else?

Owner

Generally it's env var per secret, yep. So more convention at this point. But if you feel strongly against, please then document and sure just move on 👍

decentral1se marked this conversation as resolved
@ -0,0 +12,4 @@
name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
external: true
ssl_key:
name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_CERT_VERSION}
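Review bot: the hunk stops right after `name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_CERT_VERSION}`, so the `external: true` that `ssl_cert` carries is not visible for `ssl_key`; confirm it is present, since only an external secret entry resolves to the operator-created `<stack>_ssl_key_<version>` object rather than a stack-owned one. The private key also shares `SECRET_WILDCARD_CERT_VERSION` with the certificate, so the same per-secret version variable (or documented shared-rotation) remark as for `ssl_cert` applies here.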
Owner

name: ${STACK_NAME}_ssl_key_${SECRET_SSL_KEY_VERSION}

I think you need to make a specific env var for this in the .env.sample also?

decentral1se marked this conversation as resolved
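As an added example (not code from coop-cloud/traefik or its authors): a POSIX shell pre-flight check a deployer can run on an externally-sourced wildcard cert and key before publishing them under the `${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}` and `${STACK_NAME}_ssl_key_${SECRET_WILDCARD_CERT_VERSION}` names the secrets block above introduces. It assumes the openssl CLI is installed and, for the final step only, a Docker Swarm host; the fixture certificate it generates is constructed and not a real one.

```shell
#!/bin/sh
# Added example, not part of coop-cloud/traefik: sanity-check an externally
# sourced wildcard cert/key pair before publishing it as the versioned Docker
# secrets the stack references. Assumes the openssl CLI; POSIX sh only.
set -eu

# Return 0 if CERT and KEY belong together, CERT carries the *.DOMAIN SAN and
# is not within a day of expiry; otherwise print why and return 1.
check_wildcard_pair() {
  cert="$1"; key="$2"; domain="$3"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "key does not match certificate" >&2; return 1
  fi
  if ! openssl x509 -in "$cert" -noout -text \
       | grep -A1 'Subject Alternative Name' | grep -qF "DNS:*.$domain"; then
    echo "certificate has no *.$domain SAN" >&2; return 1
  fi
  if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null; then
    echo "certificate expires within 24h" >&2; return 1
  fi
}

# Secret names as compose resolves the PR's ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
# and ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_CERT_VERSION} patterns: cert on line 1, key on line 2.
secret_names() {
  stack="$1"; version="$2"
  printf '%s_ssl_cert_%s\n%s_ssl_key_%s\n' "$stack" "$version" "$stack" "$version"
}

# Publish both files as external Swarm secrets, but only after the checks pass.
# Usage: publish_secrets STACK_NAME VERSION cert.pem key.pem example.com
publish_secrets() {
  stack="$1"; version="$2"; cert="$3"; key="$4"; domain="$5"
  check_wildcard_pair "$cert" "$key" "$domain"
  docker secret create "$(secret_names "$stack" "$version" | sed -n 1p)" "$cert"
  docker secret create "$(secret_names "$stack" "$version" | sed -n 2p)" "$key"
}

# Constructed fixture for trying this offline: a throwaway self-signed
# wildcard cert for DOMAIN written to DIR. NOT a real certificate.
make_fixture() {
  dir="$1"; domain="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "/CN=*.$domain" -addext "subjectAltName=DNS:*.$domain,DNS:$domain" 2>/dev/null
}
```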
@ -25,7 +25,6 @@ http:
security:
headers:
frameDeny: true
sslRedirect: true
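Review bot: removing `sslRedirect: true` from the `security` headers middleware leaves plain-HTTP requests unredirected unless the `web` entrypoint's `redirections.entryPoint.to: web-secure` block quoted in this thread is deployed together with this change; record that dependency (and the `SSLRedirect is deprecated` warning that motivates the removal) in the commit message so the two are not separated later. The rest of the `headers` block (`frameDeny: true`) is correctly left untouched.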
Owner

Does this break some expectations?

Author
Member

My understanding is that the already existing:

```yaml
web:
  address: ":80"
  http:
    redirections:
      entryPoint:
        to: web-secure
```

is the correct method to use/all that is needed. I'm pretty new to traefik still however, so ...🧂

Author
Member

For reference, this is the message I was getting:

level=warning msg="SSLRedirect is deprecated, please use entrypoint redirection instead."

Owner

Great stuff, let's drop that and hope 🏄‍♀️

decentral1se marked this conversation as resolved
wolcen force-pushed master from 5e7e16a707 to e3c1df83fa 2024-01-12 02:48:29 +00:00 Compare
wolcen changed title from WIP: Add support for externally-sourced wildcard certificates to Add support for externally-sourced wildcard certificates 2024-01-12 02:51:05 +00:00
decentral1se approved these changes 2024-01-12 15:02:39 +00:00
decentral1se left a comment
Owner

LGTM, looks safe to merge, shall we? Thanks!

Author
Member

If you were asking me: yes, I think it's good. Always nice to get a thumbs up from CI, but I'm guessing that's currently broken (or maybe won't load vars against a PR)?

decentral1se merged commit a0e70f33be into master 2024-01-12 20:48:03 +00:00
Member

I've checked your changes on my end too, @wolcen, and they look good 👍

Owner

> or maybe won't load vars against a PR

Indeed it's this ☝️

For "security" reasons, otherwise PRs (which could come from anyone, including people who log in via Gitlab / Github) could exfiltrate secrets, including SSH keys for the test server, and login credentials to publish Gitea packages.

Reference: coop-cloud/traefik#45