Traefik¶
One component which we often use on our dev environment is Traefik as reverse proxy.
It allows us to run dockerized projects and access them in our browser using project.test as DNS for example.
The feature does not install traefik or handle the configuration of your host to map the DNS entry to the IP, but it handles the generation of traefik configuration file for your project if there is certificates for HTTPS access.
Feature configuration (prefixed with traefik.)
| Property | Type | Description |
|---|---|---|
disabled |
booleanfalse |
Should this feature be disabled ? |
extra_services |
dict[string, ExtraService][] |
A dict of ExtraService configuration. |
| Property | Type | Description |
|---|---|---|
certs_directory |
string${core.path.home}/certs |
Custom certificates location. |
mapped_certs_directory |
string${core.path.home}/certs |
Traefik container custom certificates location. |
config_directory |
string${core.path.home}/traefik/config |
Traefik configuration directory. |
ssl_config_template |
string<Jinja template> |
The Jinja template for the traefik configuration file registering CFSSL SSL certificates. This template can be a template string, or a link to a file containing the template, prefixed with http(s):// for web files, or file:// for local ones. |
extra_services_config_template |
string<Jinja template> |
The Jinja template for extra-services configuration file. This template can be a template string, or a link to a file containing the template, prefixed with http(s):// for web files, or file:// for local ones. |
ExtraService configuration (used in traefik.extra_services)
| Property | Type | Description |
|---|---|---|
domain |
string* | Domain to use for SSL certificate generation. |
url |
string* | URL to access the service to proxy from traefik container. |
https |
boolean | Use http and/or https to expose the service. If None, it is exposed with both http and https. |
redirect_to_https |
boolean${docker.reverse_proxy.redirect_to_https} |
If https is None and redirect_to_https is True, requesting the http url of the service will reply with a temporary redirect to https. |
| Property | Type | Description |
|---|---|---|
path_prefix |
string | The traefik prefix path. You should customize it only if you have to support sub folder on the domain. |
redirect_to_path_prefix |
boolean | The traefik prefix path. You should customize it only if you have to support sub folder on the domain. |
rule |
stringHost(`{{_local.domain}}`) |
Custom certificates location. |
Include a service running outside of docker compose¶
If you need to register an external service into your docker network, you should define an external_service entry.
It can be used when a service is running outside the docker network, like on another Machine or on the developer host.
Declared extra services make them join the docker network so it behaves like a docker compose service and brings all traefik reverse-proxy features (SSL support, domain name, ...).
Jinja templating is available for url, domain and rule fields, with the usual configuration as data context,
and additional _local dict containing the extra_service entry configuration.
Bring back a dockerized service inside your IDE
Running the server component inside the developer editor may more convenient in some cases.
If the application is running on port 8080 right on the host, you can write this kind of configuration:
traefik:
extra_services:
api:
domain: api.{{core.domain.sub}}.{{core.domain.ext}}
url: http://{{docker.debug.host}}:8080
It will expose the server component throw the traefik docker network, with the domain name and HTTPS support.
Custom certificates feature¶
If your project have certificates for SSL access, Traefik needs a bit a configuration in order to use them.
This is done on ddb configure command. For instance, if your have set docker.reverse-proxy.certresolver with null
value in your docker-compose.yml.jsonnet (check feature jsonnet for more details),
it will create a label ddb.emit.certs:generate: <domain>.
This label emit a certs:generate for given domain, and it is processed by certs feature to generate a
custom SSL certificate.
Then, certs:available event is triggered and handled by traefik feature to install this certificate in the
traefik configuration for given domain.
For some reason, you might want to remove HTTPS on your project and move back to HTTP.
This is done on ddb configure command.
If you define docker.reverse-proxy.certresolver value to 'letsencrypt', or set traefik.https to False, it is
detected that you removed it.
The certs:remove event is then triggered and handled by certs feature to remove it.
Then, certs:removed event is triggered and handler by traefik feature to uninstall this certificate from traefik
configuration, so there's no more certificate defined for the given domain.