From 8fe122ffbde40cc4d740a53e6cb85f9da9f6bb42 Mon Sep 17 00:00:00 2001 From: Jose Diaz-Gonzalez Date: Wed, 10 Aug 2022 04:17:50 -0400 Subject: [PATCH] feat: implement the traefik plugin This plugin uses a docker-compose based Traefik installation in conjunction with injected container labels to route requests. It only exposes the minimal necessary for routing traffic to docker containers. Users wishing to customize further labels may explore using the docker-options plugin to attach additional labels during the 'deploy' phase. --- debian/control | 2 +- docs/networking/proxies/traefik.md | 229 ++++++++++++++++++ docs/template.html | 1 + dokku | 3 + plugins/traefik-vhosts/command-functions | 146 +++++++++++ plugins/traefik-vhosts/commands | 16 ++ plugins/traefik-vhosts/core-post-deploy | 19 ++ .../traefik-vhosts/docker-args-process-deploy | 121 +++++++++ plugins/traefik-vhosts/help-functions | 36 +++ plugins/traefik-vhosts/install | 17 ++ plugins/traefik-vhosts/internal-functions | 89 +++++++ plugins/traefik-vhosts/plugin.toml | 4 + plugins/traefik-vhosts/subcommands/default | 6 + plugins/traefik-vhosts/subcommands/logs | 6 + plugins/traefik-vhosts/subcommands/report | 6 + plugins/traefik-vhosts/subcommands/set | 37 +++ .../traefik-vhosts/subcommands/show-config | 7 + plugins/traefik-vhosts/subcommands/start | 6 + plugins/traefik-vhosts/subcommands/stop | 6 + .../templates/compose.yml.sigil | 54 +++++ 20 files changed, 810 insertions(+), 1 deletion(-) create mode 100644 docs/networking/proxies/traefik.md create mode 100755 plugins/traefik-vhosts/command-functions create mode 100755 plugins/traefik-vhosts/commands create mode 100755 plugins/traefik-vhosts/core-post-deploy create mode 100755 plugins/traefik-vhosts/docker-args-process-deploy create mode 100755 plugins/traefik-vhosts/help-functions create mode 100755 plugins/traefik-vhosts/install create mode 100755 plugins/traefik-vhosts/internal-functions create mode 100644 plugins/traefik-vhosts/plugin.toml create mode 100755 plugins/traefik-vhosts/subcommands/default create mode 100755 plugins/traefik-vhosts/subcommands/logs create mode 100755 plugins/traefik-vhosts/subcommands/report create mode 100755 plugins/traefik-vhosts/subcommands/set create mode 100755 plugins/traefik-vhosts/subcommands/show-config create mode 100755 plugins/traefik-vhosts/subcommands/start create mode 100755 plugins/traefik-vhosts/subcommands/stop create mode 100644 plugins/traefik-vhosts/templates/compose.yml.sigil diff --git a/debian/control b/debian/control index 6f21771cf..aea46e2cf 100644 --- a/debian/control +++ b/debian/control @@ -3,7 +3,7 @@ Version: 0.27.10 Section: web Priority: optional Architecture: amd64 -Depends: locales, git, cpio, curl, man-db, netcat, sshcommand (>= 0.12.0), docker-engine-cs (>= 17.05.0) | docker-engine (>= 17.05.0) | docker-io (>= 17.05.0) | docker.io (>= 17.05.0) | docker-ce (>= 17.05.0) | docker-ee (>= 17.05.0) | moby-engine, docker-image-labeler (>= 0.2.2), lambda-builder, net-tools, netrc, software-properties-common, parallel, procfile-util (>= 0.11.0), python-software-properties | python3-software-properties, rsync, rsyslog, dos2unix, jq, unzip +Depends: apache2-utils, locales, git, cpio, curl, man-db, netcat, sshcommand (>= 0.12.0), docker-engine-cs (>= 17.05.0) | docker-engine (>= 17.05.0) | docker-io (>= 17.05.0) | docker.io (>= 17.05.0) | docker-ce (>= 17.05.0) | docker-ee (>= 17.05.0) | moby-engine, docker-image-labeler (>= 0.2.2), lambda-builder, net-tools, netrc, software-properties-common, parallel, procfile-util (>= 0.11.0), python-software-properties | python3-software-properties, rsync, rsyslog, dos2unix, jq, unzip Recommends: herokuish (>= 0.3.4), bash-completion, dokku-update, dokku-event-listener Pre-Depends: gliderlabs-sigil, nginx (>= 1.8.0) | openresty, dnsutils, cgroupfs-mount | cgroup-lite, plugn (>= 0.3.0), sudo, python3, debconf Maintainer: Jose Diaz-Gonzalez diff --git a/docs/networking/proxies/traefik.md b/docs/networking/proxies/traefik.md new file mode 100644 index 000000000..220c11755 --- /dev/null +++ b/docs/networking/proxies/traefik.md @@ -0,0 +1,229 @@ +# Traefik Configuration + +Dokku provides integration with the [Traefik](https://traefik.io/) proxy service by utilizing the Docker label-based integration implemented by Traefik. + +``` +traefik:report [] [] # Displays a traefik report for one or more apps +traefik:logs [--num num] [--tail] # Display traefik log output +traefik:set () # Set or clear an traefik property for an app +traefik:show-config # Display traefik compose config +traefik:start # Starts the traefik server +traefik:stop # Stops the traefik server +``` + +## Usage + +> Warning: As using multiple proxy plugins on a single Dokku installation can lead to issues routing requests to apps, doing so should be avoided. As the default proxy implementation is nginx, users are encouraged to stop the nginx service before switching to Traefik. + +The Traefik plugin has specific rules for routing requests: + +- Traefik integration is exposed via docker labels attached to containers. Changes in labels require either app deploys or rebuilds. +- While Traefik will respect labels associated with other containers, only `web` containers have Traefik labels injected by the plugin. +- Only `http:80` and `https:443` port mappings are supported. +- If no `http:80` mapping is found, the first `http` port mapping is used for http requests. +- If no `https:443` mapping is found, the first `https` port mapping is used for http requests. +- If no `https` mapping is found, the container port from `http:80` will be used for https requests. + +### Switching to Traefik + +To use the Traefik plugin, use the `proxy:set` command for the app in question: + +```shell +dokku proxy:set node-js-app traefik +``` + +This will enable the docker label-based Traefik integration. All future deploys will inject the correct labels for Traefik to read and route requests to containers. Due to the docker label-based integration used by Traefik, a single deploy or rebuild will be required before requests will route successfully. + +```shell +dokku ps:rebuild node-js-app +``` + +Any changes to domains or port mappings will also require either a deploy or rebuild. + +### Starting Traefik container + +Traefik can be started via the `traefik:start` command. This will start a Traefik container via the `docker compose up` command. + +```shell +dokku traefik:start +``` + +### Stopping the Traefik container + +Traefik may be stopped via the `traefik:stop` command. + +```shell +dokku traefik:stop +``` + +The Traefik container will be stopped and removed from the system. If the container is not running, this command will do nothing. + +### Showing the Traefik compose config + +For debugging purposes, it may be useful to show the Traefik compose config. This can be achieved via the `traefik:show-config` command. + +```shell +dokku traefik:show-config +``` + +### Customizing the Traefik container image + +While the default Traefik image is hardcoded, users may specify an alternative by setting the `image` property with the `--global` flag: + +```shell +dokku traefik:set --global image traefik:v2.8 +``` + +#### Checking the Traefik container's logs + +It may be necessary to check the Traefik container's logs to ensure that Traefik is operating as expected. This can be performed with the `traefik:logs` command. + +```shell +dokku traefik:logs +``` + +This command also supports the following modifiers: + +```shell +--num NUM # the number of lines to display +--tail # continually stream logs +``` + +You can use these modifiers as follows: + +```shell +dokku traefik:logs --tail --num 10 +``` + +The above command will show logs continually from the vector container, with an initial history of 10 log lines + +### Changing the Traefik log level + +Traefik log output is set to `ERROR` by default. It may be changed by setting the `log-level` property with the `--global` flag: + +```shell +dokku traefik:set --global log-level DEBUG +``` + +After modifying, the Traefik container will need to be restarted. + +### Enabling letsencrypt integration + +By default, letsencrypt is disabled and https port mappings are ignored. To enable, set the `letsencrypt-email` property with the `--global` flag: + +```shell +dokku traefik:set --global letsencrypt-email automated@dokku.sh +``` + +After enabling, apps will need to be rebuilt and the Traefik container will need to be restarted. All http requests will then be redirected to https. + +### API Access + +Traefik exposes an API and Dashboard, which Dokku disables by default for security reasons. It can be exposed and customized as described below. + +#### Enabling the api + +> Warning: Users enabling the dashboard should also enable api basic auth. + +By default, the api is disabled. To enable, set the `api` property with the `--global` flag: + +```shell +dokku traefik:set --global api true +``` + +After enabling, the Traefik container will need to be restarted. + +#### Enabling the dashboard + +> Warning: Users enabling the dashboard should also enable api basic auth. + +By default, the dashboard is disabled. To enable, set the `dashboard` property with the `--global` flag: + +```shell +dokku traefik:set --global dashboard true +``` + +After enabling, the Traefik container will need to be restarted. + +#### Enabling api basic auth + +Users enabling either the api or dashboard are encouraged to enable basic auth. This will apply _only_ to the api/dashboard, and not to apps. To enable, set the `basic-auth-username` and `basic-auth-password` properties with the `--global` flag:. Both must be set or basic auth will not be enabled. + +```shell +dokku traefik:set --global basic-auth-username username +dokku traefik:set --global basic-auth-password password +``` + +After enabling, the Traefik container will need to be restarted. + +#### Customizing the api hostname + +The hostname used for the api and dashboard is set to `traefik.dokku.me` by default. It can be customized by setting the `api-vhost` property with the `--global` flag: + +```shell +dokku traefik:set --global api-vhost lb.dokku.me +``` + +After enabling, the Traefik container will need to be restarted. + +## Displaying Traefik reports for an app + +You can get a report about the app's Traefik config using the `traefik:report` command: + +```shell +dokku traefik:report +``` + +``` +=====> node-js-app traefik information + Traefik api enabled: false + Traefik api vhost: traefik.dokku.me + Traefik basic auth password: password + Traefik basic auth username: user + Traefik dashboard enabled: false + Traefik image: traefik:v2.8 + Traefik letsencrypt email: + Traefik log level: ERROR +=====> python-app traefik information + Traefik api enabled: false + Traefik api vhost: traefik.dokku.me + Traefik basic auth password: password + Traefik basic auth username: user + Traefik dashboard enabled: false + Traefik image: traefik:v2.8 + Traefik letsencrypt email: + Traefik log level: ERROR +=====> ruby-app traefik information + Traefik api enabled: false + Traefik api vhost: traefik.dokku.me + Traefik basic auth password: password + Traefik basic auth username: user + Traefik dashboard enabled: false + Traefik image: traefik:v2.8 + Traefik letsencrypt email: + Traefik log level: ERROR +``` + +You can run the command for a specific app also. + +```shell +dokku traefik:report node-js-app +``` + +``` +=====> node-js-app traefik information + Traefik api enabled: false + Traefik api vhost: traefik.dokku.me + Traefik basic auth password: password + Traefik basic auth username: user + Traefik dashboard enabled: false + Traefik image: traefik:v2.8 + Traefik letsencrypt email: + Traefik log level: ERROR +``` + +You can pass flags which will output only the value of the specific information you want. For example: + +```shell +dokku traefik:report node-js-app --traefik-api-enabled +``` diff --git a/docs/template.html b/docs/template.html index a06763b71..c310ab426 100644 --- a/docs/template.html +++ b/docs/template.html @@ -176,6 +176,7 @@ Proxy Management Nginx Proxy + Traefik Proxy Advanced Usage diff --git a/dokku b/dokku index 54c0d5823..c0e369f49 100755 --- a/dokku +++ b/dokku @@ -141,6 +141,9 @@ execute_dokku_cmd() { nginx | nginx:*) local PLUGIN_NAME=${PLUGIN_NAME/nginx/nginx-vhosts} ;; + traefik | traefik:*) + local PLUGIN_NAME=${PLUGIN_NAME/traefik/traefik-vhosts} + ;; deploy | cleanup | url | urls | report) local PLUGIN_NAME="00_dokku-standard" ;; diff --git a/plugins/traefik-vhosts/command-functions b/plugins/traefik-vhosts/command-functions new file mode 100755 index 000000000..0f827421d --- /dev/null +++ b/plugins/traefik-vhosts/command-functions @@ -0,0 +1,146 @@ +#!/usr/bin/env bash +source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions" +source "$PLUGIN_AVAILABLE_PATH/traefik-vhosts/internal-functions" +set -eo pipefail +[[ $DOKKU_TRACE ]] && set -x + +cmd-traefik-report() { + declare desc="displays a traefik report for one or more apps" + declare cmd="traefik:report" + [[ "$1" == "$cmd" ]] && shift 1 + declare APP="$1" INFO_FLAG="$2" + + if [[ -n "$APP" ]] && [[ "$APP" == --* ]]; then + INFO_FLAG="$APP" + APP="" + fi + + if [[ -z "$APP" ]] && [[ -z "$INFO_FLAG" ]]; then + INFO_FLAG="true" + fi + + if [[ -z "$APP" ]]; then + for app in $(dokku_apps); do + cmd-traefik-report-single "$app" "$INFO_FLAG" | tee || true + done + else + cmd-traefik-report-single "$APP" "$INFO_FLAG" + fi +} + +cmd-traefik-report-single() { + declare APP="$1" INFO_FLAG="$2" + if [[ "$INFO_FLAG" == "true" ]]; then + INFO_FLAG="" + fi + verify_app_name "$APP" + local flag_map=( + "--traefik-api-enabled: $(fn-traefik-api-enabled)" + "--traefik-api-vhost: $(fn-traefik-api-vhost)" + "--traefik-basic-auth-password: $(fn-traefik-basic-auth-password)" + "--traefik-basic-auth-username: $(fn-traefik-basic-auth-username)" + "--traefik-dashboard-enabled: $(fn-traefik-dashboard-enabled)" + "--traefik-image: $(fn-traefik-image)" + "--traefik-letsencrypt-email: $(fn-traefik-letsencrypt-email)" + "--traefik-log-level: $(fn-traefik-log-level)" + ) + + if [[ -z "$INFO_FLAG" ]]; then + dokku_log_info2_quiet "${APP} traefik information" + for flag in "${flag_map[@]}"; do + key="$(echo "${flag#--}" | cut -f1 -d' ' | tr - ' ')" + dokku_log_verbose "$(printf "%-30s %-25s" "${key^}" "${flag#*: }")" + done + else + local match=false + local value_exists=false + for flag in "${flag_map[@]}"; do + valid_flags="${valid_flags} $(echo "$flag" | cut -d':' -f1)" + if [[ "$flag" == "${INFO_FLAG}:"* ]]; then + value=${flag#*: } + size="${#value}" + if [[ "$size" -ne 0 ]]; then + echo "$value" && match=true && value_exists=true + else + match=true + fi + fi + done + [[ "$match" == "true" ]] || dokku_log_fail "Invalid flag passed, valid flags:${valid_flags}" + fi +} + +cmd-traefik-logs() { + declare desc="display traefik logs from command line" + declare cmd="traefik:logs" + [[ "$1" == "$cmd" ]] && shift 1 + local NUM="100" TAIL=false + + local TEMP=$(getopt -o htn: --long help,tail,num: -n 'dokku traefik:logs' -- "$@") + local EXIT_CODE="$?" + if [[ "$EXIT_CODE" != 0 ]]; then + fn-traefik-logs-usage >&2 + exit 1 + fi + eval set -- "$TEMP" + + while true; do + case "$1" in + -t | --tail) + local TAIL=true + shift + ;; + -n | --num) + local NUM="$2" + shift 2 + ;; + --) + shift + break + ;; + *) dokku_log_fail "Internal error" ;; + esac + done + + fn-traefik-logs "$TAIL" "$NUM" +} + +cmd-traefik-show-config() { + declare desc="display traefik config" + declare cmd="traefik:show-config" + [[ "$1" == "$cmd" ]] && shift 1 + + local TMP_COMPOSE_FILE=$(mktemp "/tmp/dokku-${DOKKU_PID}-${FUNCNAME[0]}.XXXXXX") + trap "rm -rf '$TMP_COMPOSE_FILE' >/dev/null" RETURN INT TERM EXIT + + fn-traefik-template-compose-file "$TMP_COMPOSE_FILE" + cat "$TMP_COMPOSE_FILE" +} + +cmd-traefik-start() { + declare desc="Starts the traefik server" + declare cmd="traefik:start" + [[ "$1" == "$cmd" ]] && shift 1 + + local TMP_COMPOSE_FILE=$(mktemp "/tmp/dokku-${DOKKU_PID}-${FUNCNAME[0]}.XXXXXX") + trap "rm -rf '$TMP_COMPOSE_FILE' >/dev/null" RETURN INT TERM EXIT + + touch "${DOKKU_LIB_ROOT}/data/traefik/traefik-acme.json" + chmod 600 "${DOKKU_LIB_ROOT}/data/traefik/traefik-acme.json" + fn-traefik-template-compose-file "$TMP_COMPOSE_FILE" + "$DOCKER_BIN" compose -f "$TMP_COMPOSE_FILE" -p traefik up -d --quiet-pull +} + +cmd-traefik-stop() { + declare desc="Starts the traefik server" + declare cmd="traefik:start" + [[ "$1" == "$cmd" ]] && shift 1 + + local TMP_COMPOSE_FILE=$(mktemp "/tmp/dokku-${DOKKU_PID}-${FUNCNAME[0]}.XXXXXX") + trap "rm -rf '$TMP_COMPOSE_FILE' >/dev/null" RETURN INT TERM EXIT + + touch "${DOKKU_LIB_ROOT}/data/traefik/traefik-acme.json" + chmod 600 "${DOKKU_LIB_ROOT}/data/traefik/traefik-acme.json" + fn-traefik-template-compose-file "$TMP_COMPOSE_FILE" + "$DOCKER_BIN" compose -f "$TMP_COMPOSE_FILE" -p traefik down --remove-orphans +} diff --git a/plugins/traefik-vhosts/commands b/plugins/traefik-vhosts/commands new file mode 100755 index 000000000..1916be8c6 --- /dev/null +++ b/plugins/traefik-vhosts/commands @@ -0,0 +1,16 @@ +#!/usr/bin/env bash +[[ " traefik:help help " == *" $1 "* ]] || exit "$DOKKU_NOT_IMPLEMENTED_EXIT" +source "$PLUGIN_AVAILABLE_PATH/traefik-vhosts/help-functions" +set -eo pipefail +[[ $DOKKU_TRACE ]] && set -x + +case "$1" in +help | traefik:help) + cmd-traefik-help "$@" + ;; + +*) + exit "$DOKKU_NOT_IMPLEMENTED_EXIT" + ;; + +esac diff --git a/plugins/traefik-vhosts/core-post-deploy b/plugins/traefik-vhosts/core-post-deploy new file mode 100755 index 000000000..cc5e55f47 --- /dev/null +++ b/plugins/traefik-vhosts/core-post-deploy @@ -0,0 +1,19 @@ +#!/usr/bin/env bash +source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions" +set -eo pipefail +[[ $DOKKU_TRACE ]] && set -x + +trigger-traefik-vhosts-core-post-deploy() { + declare desc="traefik-vhosts core-post-deploy plugin trigger" + declare trigger="core-post-deploy" + declare APP="$1" + local HAS_NETWORK_CONFIG + + if [[ "$(plugn trigger proxy-type "$APP")" != "traefik" ]]; then + return + fi + + dokku_log_info1 "Routing app via traefik" +} + +trigger-traefik-vhosts-core-post-deploy "$@" diff --git a/plugins/traefik-vhosts/docker-args-process-deploy b/plugins/traefik-vhosts/docker-args-process-deploy new file mode 100755 index 000000000..e63a45a21 --- /dev/null +++ b/plugins/traefik-vhosts/docker-args-process-deploy @@ -0,0 +1,121 @@ +#!/usr/bin/env bash +source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions" +set -eo pipefail +[[ $DOKKU_TRACE ]] && set -x + +trigger-traefik-vhosts-docker-args-process-deploy() { + declare desc="nginx-vhosts core-post-deploy plugin trigger" + declare trigger="docker-args-process-deploy" + declare APP="$1" IMAGE_SOURCE_TYPE="$2" IMAGE_TAG="$3" PROC_TYPE="$4" CONTAINER_INDEX="$5" + local app_domains is_app_listening output proxy_container_port proxy_host_port port_map proxy_port_map proxy_scheme proxy_schemes traefik_domains + local proxy_container_http_port proxy_container_http_port_candidate proxy_host_http_port_candidate + local proxy_container_https_port proxy_container_https_port_candidate proxy_host_https_port_candidate + local app_urls_path="$DOKKU_ROOT/$APP/URLS" + local STDIN=$(cat) + + if [[ "$PROC_TYPE" != "web" ]]; then + return + fi + + if [[ "$(plugn trigger proxy-type "$APP")" != "traefik" ]]; then + return + fi + + if [[ "$(plugn trigger proxy-is-enabled "$APP")" != "true" ]]; then + return + fi + + if ! plugn trigger domains-vhost-enabled "$APP" 2>/dev/null; then + return + fi + + # run this silently or the output will be set as a label + plugn trigger domains-setup "$APP" >/dev/null + + # ensure we have a port mapping + plugn trigger proxy-configure-ports "$APP" + + # gather port mapping information + # we only support proxying a single port for http and https listeners + # so this block parses the port mappings and tries to find the correct + # mapping to expose + is_app_listening="false" + proxy_port_map="$(plugn trigger config-get "$APP" DOKKU_PROXY_PORT_MAP)" + for port_map in $proxy_port_map; do + proxy_scheme="$(awk -F ':' '{ print $1 }' <<<"$port_map")" + proxy_host_port="$(awk -F ':' '{ print $2 }' <<<"$port_map")" + proxy_container_port="$(awk -F ':' '{ print $3 }' <<<"$port_map")" + + if [[ "$proxy_scheme" == "http" ]]; then + is_app_listening="true" + if [[ -z "$proxy_container_http_port_candidate" ]]; then + proxy_container_http_port_candidate="$proxy_container_port" + proxy_host_http_port_candidate="$proxy_host_port" + fi + + if [[ "$proxy_host_port" == "80" ]] && [[ -z "$proxy_container_http_port" ]]; then + proxy_container_http_port="$proxy_container_port" + fi + fi + + if [[ "$proxy_scheme" == "https" ]]; then + is_app_listening="true" + if [[ -z "$proxy_container_https_port_candidate" ]]; then + proxy_container_https_port_candidate="$proxy_container_port" + proxy_host_https_port_candidate="$proxy_host_port" + fi + + if [[ "$proxy_host_port" == "443" ]] && [[ -z "$proxy_container_https_port" ]]; then + proxy_container_https_port="$proxy_container_port" + fi + fi + done + + # add the labels for traefik here + # any `http:80` port mapping is treated as a `web` traefik entrypoint + # any `https:443` port mapping is treated as a `websecure` traefik entrypoint + if [[ -n "$is_app_listening" ]]; then + app_domains="$(plugn trigger domains-list "$APP")" + if [[ -n "$app_domains" ]]; then + traefik_domains="$(echo "$app_domains" | xargs)" + traefik_domains="${traefik_domains// /\\\`,\\\`}" + fi + + output="--label traefik.enable=true" + if [[ -n "$proxy_container_http_port" ]] || [[ -n "$proxy_container_http_port_candidate" ]]; then + if [[ -z "$proxy_container_http_port" ]]; then + dokku_log_warn "Warning: http:80 port mapping not found" + dokku_log_warn "Utilizing first http port mapping, http:$proxy_host_http_port_candidate:$proxy_container_http_port_candidate" + proxy_container_http_port="$proxy_container_http_port_candidate" + fi + + output="$output --label traefik.http.services.$APP-$PROC_TYPE.loadbalancer.server.port=$proxy_container_http_port" + output="$output --label traefik.http.routers.$APP-$PROC_TYPE.entrypoints=web" + if [[ -n "$traefik_domains" ]]; then + output="$output --label \"traefik.http.routers.$APP-$PROC_TYPE.rule=Host(\\\`$traefik_domains\\\`)\"" + echo "# THIS FILE IS GENERATED BY DOKKU - DO NOT EDIT, YOUR CHANGES WILL BE OVERWRITTEN" >"$app_urls_path" + xargs -I{} echo "http://{}" <<<"$(echo "${app_domains}" | tr ' ' '\n' | sort -u)" >>"$app_urls_path" + fi + fi + + if [[ -n "$proxy_container_https_port" ]] || [[ -n "$proxy_container_https_port_candidate" ]]; then + if [[ -z "$proxy_container_https_port" ]]; then + dokku_log_warn "Warning: https:443 port mapping not found" + dokku_log_warn "Utilizing first https port mapping, http:$proxy_host_https_port_candidate:$proxy_container_https_port_candidate" + proxy_container_https_port="$proxy_container_https_port_candidate" + fi + + output="$output --label traefik.http.services.$APP-$PROC_TYPE-secure.loadbalancer.server.port=$proxy_container_https_port" + output="$output --label traefik.http.routers.$APP-$PROC_TYPE-secure.entrypoints=websecure" + if [[ -n "$traefik_domains" ]]; then + output="$output --label \"traefik.http.routers.$APP-$PROC_TYPE-secure.rule=Host(\\\`$traefik_domains\\\`)\"" + echo "# THIS FILE IS GENERATED BY DOKKU - DO NOT EDIT, YOUR CHANGES WILL BE OVERWRITTEN" >"$app_urls_path" + xargs -I{} echo "https://{}" <<<"$(echo "${app_domains}" | tr ' ' '\n' | sort -u)" >>"$app_urls_path" + fi + fi + fi + + echo -n "$STDIN$output" +} + +trigger-traefik-vhosts-docker-args-process-deploy "$@" diff --git a/plugins/traefik-vhosts/help-functions b/plugins/traefik-vhosts/help-functions new file mode 100755 index 000000000..838b0b960 --- /dev/null +++ b/plugins/traefik-vhosts/help-functions @@ -0,0 +1,36 @@ +#!/usr/bin/env bash +set -eo pipefail +[[ $DOKKU_TRACE ]] && set -x + +cmd-traefik-help() { + declare desc="help command" + declare CMD="$1" + local plugin_name="traefik" + local plugin_description="Manage mounted volumes" + + if [[ "$CMD" == "${plugin_name}:help" ]]; then + echo -e "Usage: dokku ${plugin_name}[:COMMAND]" + echo '' + echo "$plugin_description" + echo '' + echo 'Additional commands:' + fn-help-content | sort | column -c2 -t -s, + elif [[ $(ps -o command= $PPID) == *"--all"* ]]; then + fn-help-content + else + cat <] [], Displays an traefik report for one or more apps + traefik:set (), Set or clear an traefik property for an app + traefik:show-config , Display traefik compose config + traefik:start, Starts the traefik server + traefik:stop, Stops the traefik server +help_content +} diff --git a/plugins/traefik-vhosts/install b/plugins/traefik-vhosts/install new file mode 100755 index 000000000..19c618621 --- /dev/null +++ b/plugins/traefik-vhosts/install @@ -0,0 +1,17 @@ +#!/usr/bin/env bash +source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions" +source "$PLUGIN_CORE_AVAILABLE_PATH/common/property-functions" +set -eo pipefail +[[ $DOKKU_TRACE ]] && set -x + +trigger-traefik-install() { + declare desc="installs the traefik plugin" + declare trigger="install" + + mkdir -p "${DOKKU_LIB_ROOT}/data/traefik" + chown -R "${DOKKU_SYSTEM_USER}:${DOKKU_SYSTEM_GROUP}" "${DOKKU_LIB_ROOT}/data/traefik" + + fn-plugin-property-setup "traefik" +} + +trigger-traefik-install "$@" diff --git a/plugins/traefik-vhosts/internal-functions b/plugins/traefik-vhosts/internal-functions new file mode 100755 index 000000000..4103d764f --- /dev/null +++ b/plugins/traefik-vhosts/internal-functions @@ -0,0 +1,89 @@ +#!/usr/bin/env bash +source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions" +source "$PLUGIN_CORE_AVAILABLE_PATH/common/property-functions" +set -eo pipefail +[[ $DOKKU_TRACE ]] && set -x + +fn-traefik-logs() { + declare desc="shows the logs for the traefik container" + declare TAIL="$1" NUM="$2" + local dokku_logs_args=("--tail" "$NUM") + + if [[ "$TAIL" == "true" ]]; then + dokku_logs_args+=("--follow") + fi + + "$DOCKER_BIN" logs traefik-traefik-1 "${dokku_logs_args[@]}" +} + +fn-traefik-logs-usage() { + declare desc="logs specific usage" + echo "Usage: dokku traefik:logs" + echo " display recent traefik log output" + echo "" + echo " -n, --num NUM # the number of lines to display" + echo " -t, --tail # continually stream logs" +} + +fn-traefik-template-compose-file() { + declare desc="templates out the compose file" + declare OUTPUT_PATH="$1" + local COMPOSE_TEMPLATE="$PLUGIN_AVAILABLE_PATH/traefik-vhosts/templates/compose.yml.sigil" + local basic_auth basic_auth_password basic_auth_username + + CUSTOM_COMPOSE_TEMPLATE="$(plugn trigger traefik-template-source "$APP")" + if [[ -n "$CUSTOM_COMPOSE_TEMPLATE" ]]; then + COMPOSE_TEMPLATE="$CUSTOM_COMPOSE_TEMPLATE" + fi + + basic_auth_password="$(fn-traefik-basic-auth-password)" + basic_auth_username="$(fn-traefik-basic-auth-username)" + if [[ -n "$basic_auth_password" ]] && [[ -n "$basic_auth_username" ]]; then + basic_auth="$(htpasswd -nb "$basic_auth_username" "$basic_auth_password" | sed -e s/\\$/\\$\\$/g)" + fi + + local SIGIL_PARAMS=(TRAEFIK_API_ENABLED="$(fn-traefik-api-enabled)" + TRAEFIK_API_VHOST="$(fn-traefik-api-vhost)" + TRAEFIK_BASIC_AUTH="$basic_auth" + TRAEFIK_DASHBOARD_ENABLED="$(fn-traefik-dashboard-enabled)" + TRAEFIK_DATA_DIR="${DOKKU_LIB_ROOT}/data/traefik" + TRAEFIK_IMAGE="$(fn-traefik-image)" + TRAEFIK_LETSENCRYPT_EMAIL="$(fn-traefik-letsencrypt-email)" + TRAEFIK_LOG_LEVEL="$(fn-traefik-log-level)") + + sigil -f "$COMPOSE_TEMPLATE" "${SIGIL_PARAMS[@]}" | cat -s >"$OUTPUT_PATH" +} + +fn-traefik-api-enabled() { + fn-plugin-property-get-default "traefik" "--global" "api-enabled" "false" +} + +fn-traefik-api-vhost() { + fn-plugin-property-get-default "traefik" "--global" "api-vhost" "traefik.dokku.me" +} + +fn-traefik-basic-auth-password() { + fn-plugin-property-get-default "traefik" "--global" "basic-auth-password" "" +} + +fn-traefik-basic-auth-username() { + fn-plugin-property-get-default "traefik" "--global" "basic-auth-username" "" +} + +fn-traefik-dashboard-enabled() { + fn-plugin-property-get-default "traefik" "--global" "dashboard-enabled" "false" +} + +fn-traefik-image() { + fn-plugin-property-get-default "traefik" "--global" "image" "traefik:v2.8" +} + +fn-traefik-letsencrypt-email() { + fn-plugin-property-get-default "traefik" "--global" "letsencrypt-email" "" +} + +fn-traefik-log-level() { + local log_level + log_level="$(fn-plugin-property-get-default "traefik" "--global" "log-level" "ERROR")" + echo "${log_level^^}" +} diff --git a/plugins/traefik-vhosts/plugin.toml b/plugins/traefik-vhosts/plugin.toml new file mode 100644 index 000000000..40119ce85 --- /dev/null +++ b/plugins/traefik-vhosts/plugin.toml @@ -0,0 +1,4 @@ +[plugin] +description = "dokku core traefik-vhosts plugin" +version = "0.27.10" +[plugin.config] diff --git a/plugins/traefik-vhosts/subcommands/default b/plugins/traefik-vhosts/subcommands/default new file mode 100755 index 000000000..20578a79f --- /dev/null +++ b/plugins/traefik-vhosts/subcommands/default @@ -0,0 +1,6 @@ +#!/usr/bin/env bash +set -eo pipefail +[[ $DOKKU_TRACE ]] && set -x +source "$PLUGIN_AVAILABLE_PATH/traefik-vhosts/help-functions" + +cmd-traefik-help "traefik:help" diff --git a/plugins/traefik-vhosts/subcommands/logs b/plugins/traefik-vhosts/subcommands/logs new file mode 100755 index 000000000..98a1a8a2c --- /dev/null +++ b/plugins/traefik-vhosts/subcommands/logs @@ -0,0 +1,6 @@ +#!/usr/bin/env bash +source "$PLUGIN_AVAILABLE_PATH/traefik-vhosts/command-functions" +set -eo pipefail +[[ $DOKKU_TRACE ]] && set -x + +cmd-traefik-logs "$@" diff --git a/plugins/traefik-vhosts/subcommands/report b/plugins/traefik-vhosts/subcommands/report new file mode 100755 index 000000000..1f020013b --- /dev/null +++ b/plugins/traefik-vhosts/subcommands/report @@ -0,0 +1,6 @@ +#!/usr/bin/env bash +source "$PLUGIN_AVAILABLE_PATH/traefik-vhosts/command-functions" +set -eo pipefail +[[ $DOKKU_TRACE ]] && set -x + +cmd-traefik-report "$@" diff --git a/plugins/traefik-vhosts/subcommands/set b/plugins/traefik-vhosts/subcommands/set new file mode 100755 index 000000000..2adfbd2a0 --- /dev/null +++ b/plugins/traefik-vhosts/subcommands/set @@ -0,0 +1,37 @@ +#!/usr/bin/env bash +source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions" +source "$PLUGIN_CORE_AVAILABLE_PATH/common/property-functions" +set -eo pipefail +[[ $DOKKU_TRACE ]] && set -x + +cmd-traefik-set() { + declare desc="set or clear an traefik property for an app" + declare cmd="traefik:set" + [[ "$1" == "$cmd" ]] && shift 1 + declare APP="$1" KEY="$2" VALUE="$3" + local VALID_KEYS=("api-enabled" "api-vhost" "dashboard-enabled" "basic-auth-username" "basic-auth-password" "image" "letsencrypt-email" "log-level") + local GLOBAL_KEYS=("api-enabled" "api-vhost" "dashboard"-enabled "basic-auth-username" "basic-auth-password" "image" "letsencrypt-email" "log-level") + + [[ -z "$KEY" ]] && dokku_log_fail "No key specified" + + if ! fn-in-array "$KEY" "${VALID_KEYS[@]}"; then + dokku_log_fail "Invalid key specified, valid keys include: api-enabled api-vhost dashboard-enabled basic-auth-username basic-auth-password image letsencrypt-email log-level" + fi + + if ! fn-in-array "$KEY" "${GLOBAL_KEYS[@]}"; then + if [[ "$APP" == "--global" ]]; then + dokku_log_fail "The key '$KEY' cannot be set globally" + fi + verify_app_name "$APP" + fi + + if [[ -n "$VALUE" ]]; then + dokku_log_info2_quiet "Setting ${KEY} to ${VALUE}" + fn-plugin-property-write "traefik" "$APP" "$KEY" "$VALUE" + else + dokku_log_info2_quiet "Unsetting ${KEY}" + fn-plugin-property-delete "traefik" "$APP" "$KEY" + fi +} + +cmd-traefik-set "$@" diff --git a/plugins/traefik-vhosts/subcommands/show-config b/plugins/traefik-vhosts/subcommands/show-config new file mode 100755 index 000000000..233322b45 --- /dev/null +++ b/plugins/traefik-vhosts/subcommands/show-config @@ -0,0 +1,7 @@ +#!/usr/bin/env bash +set -eo pipefail +[[ $DOKKU_TRACE ]] && set -x +source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions" +source "$PLUGIN_AVAILABLE_PATH/traefik-vhosts/command-functions" + +cmd-traefik-show-config "$@" diff --git a/plugins/traefik-vhosts/subcommands/start b/plugins/traefik-vhosts/subcommands/start new file mode 100755 index 000000000..eb6533d86 --- /dev/null +++ b/plugins/traefik-vhosts/subcommands/start @@ -0,0 +1,6 @@ +#!/usr/bin/env bash +set -eo pipefail +[[ $DOKKU_TRACE ]] && set -x +source "$PLUGIN_AVAILABLE_PATH/traefik-vhosts/command-functions" + +cmd-traefik-start "$@" diff --git a/plugins/traefik-vhosts/subcommands/stop b/plugins/traefik-vhosts/subcommands/stop new file mode 100755 index 000000000..409e7e33a --- /dev/null +++ b/plugins/traefik-vhosts/subcommands/stop @@ -0,0 +1,6 @@ +#!/usr/bin/env bash +set -eo pipefail +[[ $DOKKU_TRACE ]] && set -x +source "$PLUGIN_AVAILABLE_PATH/traefik-vhosts/command-functions" + +cmd-traefik-stop "$@" diff --git a/plugins/traefik-vhosts/templates/compose.yml.sigil b/plugins/traefik-vhosts/templates/compose.yml.sigil new file mode 100644 index 000000000..866f78600 --- /dev/null +++ b/plugins/traefik-vhosts/templates/compose.yml.sigil @@ -0,0 +1,54 @@ +--- +version: "3.3" + +services: + traefik: + image: "{{ $.TRAEFIK_IMAGE }}" + command: + - --entrypoints.web.address=:80 + - --entrypoints.websecure.address=:443 + - --providers.docker + - --api={{ $.TRAEFIK_API_ENABLED }} + - --api.dashboard={{ $.TRAEFIK_DASHBOARD_ENABLED }} + + - --log.level={{ $.TRAEFIK_LOG_LEVEL }} + - --log.format=json + + {{ if $.TRAEFIK_LETSENCRYPT_EMAIL }} + - --certificatesresolvers.leresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory + - --certificatesresolvers.leresolver.acme.email={{ $.TRAEFIK_LETSENCRYPT_EMAIL }} + - --certificatesresolvers.leresolver.acme.storage=/acme.json + - --certificatesresolvers.leresolver.acme.tlschallenge=true + {{ end }} + + labels: + # Dashboard + - "traefik.http.routers.api.rule=Host(`{{ $.TRAEFIK_API_VHOST }}`)" + - "traefik.http.routers.api.service=api@internal" + - "traefik.http.routers.api.entrypoints=web{{ if $.TRAEFIK_LETSENCRYPT_EMAIL }}secure{{ end }}" + - "traefik.http.routers.middlewares=auth" + {{ if $.TRAEFIK_BASIC_AUTH }} + - "traefik.http.middlewares.auth.basicauth.users={{ $.TRAEFIK_BASIC_AUTH }}" + {{ end }} + + {{ if $.TRAEFIK_LETSENCRYPT_EMAIL }} + - "traefik.http.routers.api.tls.certresolver=leresolver" + + # global redirect to https + - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)" + - "traefik.http.routers.http-catchall.entrypoints=web" + - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" + + # middleware redirect + - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" + {{ end }} + + network_mode: bridge + + ports: + - "80:80" + - "443:443" + + volumes: + - "/var/run/docker.sock:/var/run/docker.sock:ro" + - "{{ $.TRAEFIK_DATA_DIR }}/traefik-acme.json:/acme.json"