coop-cloud/traefik
6
1
Fork 12
Code Issues 11 Pull Requests 1 Releases Wiki Activity

Add support for externally-sourced wildcard certificates #45

Merged
decentral1se merged 6 commits from wolcen/traefik:master into master 2024-01-12 20:48:03 +00:00
Conversation 5 Commits 6 Files Changed 6 +38 -5
6 changed files with 38 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
.env.sample
View File

@ -46,6 +46,19 @@ COMPOSE_FILE="compose.yml"
#GANDI_ENABLED=1
#SECRET_GANDIV5_API_KEY_VERSION=v1
#####################################################################
# Manual wildcard certificate insertion #
#####################################################################
# Set wildcards = 1, and uncomment compose_file to enable.
# Create your certs elsewhere and add them like:
# abra app secrets insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
# abra app secrets insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
#WILDCARDS_ENABLED=1
#SECRET_WILDCARD_CERT_VERSION=v1
#SECRET_WILDCARD_KEY_VERSION=v1
#COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
#####################################################################
# Keycloak log-in #
#####################################################################

4
abra.sh
View File

@ -1,3 +1,3 @@
export TRAEFIK_YML_VERSION=v17
export FILE_PROVIDER_YML_VERSION=v8
export TRAEFIK_YML_VERSION=v18
export FILE_PROVIDER_YML_VERSION=v9
export ENTRYPOINT_VERSION=v2

16
compose.wildcard.yml Normal file
View File

@ -0,0 +1,16 @@
---
version: "3.8"
services:
app:
secrets:
- ssl_cert
- ssl_key
secrets:
ssl_cert:
name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
decentral1se marked this conversation as resolved Outdated
decentral1se commented 2023-12-11 10:57:04 +00:00
Outdated
Review
Copy Link

${STACK_NAME}_ssl_cert_${SECRET_SSL_CERT_VERSION}

I think you need to make a specific env var for this in the .env.sample also?

`${STACK_NAME}_ssl_cert_${SECRET_SSL_CERT_VERSION}` I think you need to make a specific env var for this in the `.env.sample` also?
wolcen commented 2023-12-12 01:52:59 +00:00
Outdated
Review
Copy Link

If I understand you correctly, you are asking to have two version vars? I already included SECRET_WILDCARD_CERT_VERSION, used for both as typically both change for me at the same time.

I guess in theory you could reuse the pwd/key, is that correct, or is it just "best practice" to allow a version var per variable, regardless of anything else?

If I understand you correctly, you are asking to have two version vars? I already included SECRET_WILDCARD_CERT_VERSION, used for both as typically both change for me at the same time. I guess in theory you could reuse the pwd/key, is that correct, or is it just "best practice" to allow a version var per variable, regardless of anything else?
decentral1se commented 2023-12-12 16:52:34 +00:00
Outdated
Review
Copy Link

Generally it's env var per secret, yep. So more convention at this point. But if you feel strongly against, please then document and sure just move on 👍

Generally it's env var per secret, yep. So more convention at this point. But if you feel strongly against, please then document and sure just move on 👍
external: true
ssl_key:
name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
decentral1se marked this conversation as resolved Outdated
decentral1se commented 2023-12-11 10:57:22 +00:00
Outdated
Review
Copy Link

name: ${STACK_NAME}_ssl_key_${SECRET_SSL_KEY_VERSION}

I think you need to make a specific env var for this in the .env.sample also?

`name: ${STACK_NAME}_ssl_key_${SECRET_SSL_KEY_VERSION}` I think you need to make a specific env var for this in the `.env.sample` also?
external: true

2
compose.yml
View File

@ -3,7 +3,7 @@ version: "3.8"
services:
app:
image: "traefik:v2.10.5"
image: "traefik:v2.10.7"
# Note(decentral1se): *please do not* add any additional ports here.
# Doing so could break new installs with port conflicts. Please use
# the usual `compose.$app.yml` approach for any additional ports

6
file-provider.yml.tmpl
View File

@ -25,7 +25,6 @@ http:
security:
headers:
frameDeny: true
sslRedirect: true
decentral1se marked this conversation as resolved Outdated
decentral1se commented 2023-12-11 10:57:41 +00:00
Outdated
Review
Copy Link

Does this break some expectations?

Does this break some expectations?
wolcen commented 2023-12-12 01:54:12 +00:00
Outdated
Review
Copy Link

My understanding is that the already existing:

  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: web-secure

is the correct method to use/all that is needed. I'm pretty new to traefik still however, so ...🧂

My understanding is that the already existing: ```yaml web: address: ":80" http: redirections: entryPoint: to: web-secure ``` is the correct method to use/all that is needed. I'm pretty new to traefik still however, so ...🧂
wolcen commented 2023-12-12 01:55:40 +00:00
Outdated
Review
Copy Link

For reference, this is the message I was getting:

level=warning msg="SSLRedirect is deprecated, please use entrypoint redirection instead."

For reference, this is the message I was getting: `level=warning msg="SSLRedirect is deprecated, please use entrypoint redirection instead."`
decentral1se commented 2023-12-12 16:50:09 +00:00
Outdated
Review
Copy Link

Great stuff, let's drop that and hope 🏄‍♀️

Great stuff, let's drop that and hope 🏄‍♀️
browserXssFilter: true
contentTypeNosniff: true
stsIncludeSubdomains: true
@ -45,3 +44,8 @@ tls:
- CurveP521
- CurveP384
sniStrict: true
{{ if eq (env "WILDCARDS_ENABLED") "1" }}
certificates:
- certFile: /run/secrets/ssl_cert
keyFile: /run/secrets/ssl_key
{{ end }}