Add support for externally-sourced wildcard certificates #45

Merged
decentral1se merged 6 commits from wolcen/traefik:master into master 2024-01-12 20:48:03 +00:00
4 changed files with 33 additions and 1 deletions
Showing only changes of commit 3c5333ba71

@ -46,6 +46,17 @@ COMPOSE_FILE="compose.yml"
#GANDI_ENABLED=1
#SECRET_GANDIV5_API_KEY_VERSION=v1
#####################################################################
# Manual wildcard certificate insertion #
#####################################################################
# Set wildcards = 1, and uncomment compose_file to enable.
# Create your certs elsewhere and add them like:
# abra app secrets insert v1 {myapp.example.coop} ssl_cert "$(cat /path/to/fullchain.pem)"
# abra app secrets insert v1 {myapp.example.coop} ssl_key "$(cat /path/to/privkey.pem)"
#WILDCARDS_ENABLED=1
#SECRET_WILDCARD_CERT_VERSION=v1
#COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
#####################################################################
# Keycloak log-in #
#####################################################################
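
Review bot: The documented `ssl_key` insert line passes the private key as a command-line argument (`"$(cat /path/to/privkey.pem)"`), so the full key sits in the process's argument list, readable by other local users on a default Linux host for as long as the command runs. If abra can take the secret from a file or stdin (an assumption, not checked here), document that form for the key instead; otherwise add a line telling operators to run it on a trusted single-user machine. Also, "Set wildcards = 1" should name the actual variable, `WILDCARDS_ENABLED=1`, and the comment should say that `SECRET_WILDCARD_CERT_VERSION` versions both `ssl_cert` and `ssl_key`.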

compose.wildcard.yml Normal file

@ -0,0 +1,16 @@
---
version: "3.8"
services:
app:
secrets:
- ssl_cert
- ssl_key
secrets:
ssl_cert:
name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
decentral1se marked this conversation as resolved Outdated

${STACK_NAME}_ssl_cert_${SECRET_SSL_CERT_VERSION}

I think you need to make a specific env var for this in the .env.sample also?

If I understand you correctly, you are asking to have two version vars? I already included SECRET_WILDCARD_CERT_VERSION, used for both as typically both change for me at the same time.

I guess in theory you could reuse the pwd/key, is that correct, or is it just "best practice" to allow a version var per variable, regardless of anything else?

Generally it's env var per secret, yep. So more convention at this point. But if you feel strongly against, please then document and sure just move on 👍

external: true
ssl_key:
name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_CERT_VERSION}
decentral1se marked this conversation as resolved Outdated

name: ${STACK_NAME}_ssl_key_${SECRET_SSL_KEY_VERSION}

I think you need to make a specific env var for this in the .env.sample also?

external: true
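
Review bot: The short-form `- ssl_key` entry under `services.app.secrets` mounts the private key with Docker's default secret file mode, 0444, so every user inside the Traefik container can read it. The long syntax (`source: ssl_key` with `mode: 0400`) would tighten that, provided the Traefik process runs as the file's owner. Separately, both secrets are `external: true` and both names use `SECRET_WILDCARD_CERT_VERSION`, so a short comment at the top of the file saying that the two must be inserted under the same version before deploy would document the shared-variable choice discussed in the thread.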

@ -45,3 +45,8 @@ tls:
- CurveP521
- CurveP384
sniStrict: true
{{ if eq (env "WILDCARDS_ENABLED") "1" }}
certificates:
- certFile: /run/secrets/ssl_cert
keyFile: /run/secrets/ssl_key
{{ end }}
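
Review bot: The `certificates:` block is gated only on `WILDCARDS_ENABLED`, while the files it names exist only when `compose.wildcard.yml` is also appended to `COMPOSE_FILE`. With the first set and the second left commented, Traefik is pointed at `/run/secrets/ssl_cert` and `/run/secrets/ssl_key` that are never mounted. The `.env.sample` comment asks for both switches, but nothing here says so; a template comment above the `if` naming both settings would make that failure easier to diagnose.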

@ -114,4 +114,4 @@ certificatesResolvers:
resolvers:
- "1.1.1.1:53"
- "9.9.9.9:53"
{{ end }}
{{ end }}