
Support for docker labels #109

Open
seanfarley opened this issue Jun 5, 2020 · 3 comments

Comments

@seanfarley

Thanks for this project! I use it and have been really happy with it so far :-)

I was wondering if support could be added for autorestart to restart containers that contain a particular label? Hardcoding a list of containers is a bit fragile sometimes and I think it'd be a bit more robust in terms of implementation.

(this is basically exactly what traefik does)

@adferrand
Owner

Hello @seanfarley. Yes, this is definitely a good idea, and in fact it could be a part of a more general feature that I would add. You mention traefik and it is in fact one of the very good projects from which I would like to find some inspiration. Specifically here I am thinking of a way to define parts of DNSroboCert configuration as labels directly on the dockers. I was thinking of a per Docker certificate configuration, and automated injection of the certificates as volumes, but autorestart/autocmd features would be great.

I do not know when I will have the time to do it, but it is on my wishlist.

@seanfarley
Author

Ah, yeah, that'd be really cool. I'm not sure how to implement the grander feature but I could probably take a stab at the simple version (autorestart.label which takes a single label) this weekend.

@dazinator

In my scenario we run docker swarm and traefik, but we don't want to use traefik for managing the certs.
This utility looks perfect for this aspect, thank you.
To make things smoother for our scenario I am considering developing something to address these issues:

  • I don't want to have to manually update the config yaml file each time a swarm service with an SSL cert requirement is deployed.
  • I don't want to have to reconfigure traefik config yaml each time a new SSL cert is available - i.e. traefik has to be configured with the available certs so it can handle ingress traffic

I am considering developing something like:

  • An "agent" container running alongside dnsrobocert will
    • mount robocert's config yaml.
    • mount traefik's configuration directory
    • listen for new swarm service deployments and inspect the labels.
      • If there are dnsrobocert labels, it will use them to update the robocert config yaml, specifically maintaining a named certificate entry in the certificates section - perhaps with a name matching that of the service for ease of mapping.
    • update a traefik config file in traefik's configuration directory to list the new cert
      • this means traefik must be able to see the certs and keys, so it's assumed the same volume mounted into dnsrobocert's Let's Encrypt directory will also be mounted into traefik.

Here is what the traefik config file output needs to look like:

# Dynamic configuration
tls:
  certificates:
    - certFile: /path/to/domain.cert
      keyFile: /path/to/domain.key
    - certFile: /path/to/other-domain.cert
      keyFile: /path/to/other-domain.key

Traefik can be configured to watch a config directory for its dynamic config, rather than a single config file, in which case it might be possible to output multiple individual traefik config yaml files, one per individual cert, and traefik would merge this config together. E.g. in traefik static config you tell it to watch a folder for dynamic config:

providers:
  file:
    directory: /path/to/dynamic/conf
    watch: true

Now, assuming this config directory is backed by a volume (like a docker cifs volume / file share) mounted into traefik, and assuming this same docker volume is mounted into the agent, then the agent can output traefik config files into it, e.g. a file like [certificate-name].yml for each individual certificate managed by dnsrobocert.

e.g. certificate-one.yml

# Dynamic configuration
tls:
  certificates:
    - certFile: /path/to/domain.cert
      keyFile: /path/to/domain.key

If this works, this would make the agent's job a bit easier as it doesn't have to update within a traefik config; it can just locate the traefik config in this directory by certificate name - create it if it doesn't exist and overwrite it if it does.

Traefik watches these files for changes. So in theory the flow would be:

  1. A swarm service is deployed / updated
  2. Agent detects the change and inspects docker labels
  3. Agent sees service has dnsrobocert labels and uses those to add / update certificate section in config yaml.
     • the certificate name that it appends to the config could be prefixed like traefik- which helps with identifying which certs need to be configured for traefik in next steps
  4. Agent monitors a dnsrobocert Let's Encrypt directory and for each cert with prefix traefik-
  5. ensures a traefik dynamic config file is present in traefik config directory matching the name of the cert and pointing to its key and path within the mounted certs volume. The same volume is mounted in traefik such that the paths align.

If anyone has done any work on this kind of thing or has any ideas please let me know.
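The label-to-config part of the agent flow sketched above (step 3, turning a service's labels into a named dnsrobocert certificate entry, and step 5, rendering the per-certificate Traefik dynamic config file), as an added Python example that is not part of this issue or of dnsrobocert itself. The label names dnsrobocert.domains / dnsrobocert.profile, the certificate entry keys, and the certbot-style paths under /etc/letsencrypt/live are assumptions, the service labels are constructed, and because the label-derived name ends up as a file name in Traefik's watched directory it is validated before use.

```python
import re

# Hypothetical label names: dnsrobocert defines no Docker labels yet (assumption).
LABEL_DOMAINS = "dnsrobocert.domains"  # comma-separated domain list
LABEL_PROFILE = "dnsrobocert.profile"  # dnsrobocert profile to use
# The cert name becomes a file name in Traefik's watched directory: allow no '/' or '..'.
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{0,62}$")
DOMAIN_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$")

# Constructed sample: labels as they would appear on a swarm service.
SAMPLE_LABELS = {"dnsrobocert.domains": "app.example.com, *.app.example.com",
                 "dnsrobocert.profile": "cloudflare"}

def cert_entry(service_name, labels):
    """Turn a service's labels into a dnsrobocert 'certificates' entry (step 3).
    Returns None when the service carries no dnsrobocert label; the name gets
    the 'traefik-' prefix proposed above."""
    if LABEL_DOMAINS not in labels:
        return None
    name = f"traefik-{service_name}"
    if not NAME_RE.match(name):
        raise ValueError(f"unsafe certificate name: {name!r}")
    domains = [d.strip().lower() for d in labels[LABEL_DOMAINS].split(",") if d.strip()]
    bad = [d for d in domains if not DOMAIN_RE.match(d)]
    if not domains or bad:
        raise ValueError(f"invalid domains in {LABEL_DOMAINS}: {bad or 'empty'}")
    return {"name": name, "domains": domains,
            "profile": labels.get(LABEL_PROFILE, "default")}

def upsert_certificate(config, entry):
    """Add or replace the named entry in an in-memory dnsrobocert config dict."""
    certs = config.setdefault("certificates", [])
    for i, existing in enumerate(certs):
        if existing.get("name") == entry["name"]:
            certs[i] = entry
            return config
    certs.append(entry)
    return config

def traefik_dynamic_config(name, certs_root="/etc/letsencrypt/live"):
    """Render the per-certificate Traefik dynamic config file shown above (step 5).
    certs_root is the assumed mount shared by dnsrobocert and Traefik, laid out
    certbot-style (<name>/fullchain.pem, <name>/privkey.pem): also an assumption."""
    if not NAME_RE.match(name):
        raise ValueError(f"unsafe certificate name: {name!r}")
    return ("# Dynamic configuration\ntls:\n  certificates:\n"
            f"    - certFile: {certs_root}/{name}/fullchain.pem\n"
            f"      keyFile: {certs_root}/{name}/privkey.pem\n")
```

Listening for swarm service events and writing the rendered text into the watched directory are left to the agent; both functions return their results so the mapping can be checked without a Docker daemon.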
