From 436825b7829ee3dcc1aaac4740ea6072e1117a6a Mon Sep 17 00:00:00 2001 From: Jose Diaz-Gonzalez Date: Tue, 12 May 2026 18:54:26 -0400 Subject: [PATCH] feat: split caddy report tls-internal into raw, computed, and global The bare `tls-internal` key previously returned the computed value, so external tooling could not tell whether the property had been set on the app or was merely defaulting to `false`. The property is now also configurable with `--global`, the report exposes `computed-tls-internal` and `global-tls-internal` keys alongside the bare raw key, and the deploy path honors the per-app value with a fallback to the global value before the built-in default. Closes #8625. --- docs/networking/proxies/caddy.md | 45 +++++-- plugins/caddy-vhosts/command-functions | 3 + plugins/caddy-vhosts/core-post-deploy | 2 +- .../caddy-vhosts/docker-args-process-deploy | 2 +- plugins/caddy-vhosts/help-functions | 2 +- plugins/caddy-vhosts/internal-functions | 16 ++- plugins/caddy-vhosts/subcommands/set | 2 +- tests/unit/caddy.bats | 112 ++++++++++++++++++ 8 files changed, 168 insertions(+), 16 deletions(-) diff --git a/docs/networking/proxies/caddy.md b/docs/networking/proxies/caddy.md index 5405241c3..579691811 100644 --- a/docs/networking/proxies/caddy.md +++ b/docs/networking/proxies/caddy.md 
@@ -6,12 +6,12 @@ Dokku provides integration with the [Caddy](https://caddyserver.com/) proxy service by utilizing the Docker label-based integration implemented by [Caddy Docker Proxy](https://github.com/lucaslorentz/caddy-docker-proxy). ``` -caddy:report [] [] # Displays a caddy report for one or more apps -caddy:logs [--num num] [--tail] # Display caddy log output -caddy:set () # Set or clear an caddy property for an app -caddy:show-config # Display caddy compose config -caddy:start # Starts the caddy server -caddy:stop # Stops the caddy server +caddy:report [] [] # Displays a caddy report for one or more apps +caddy:logs [--num num] [--tail] # Display caddy log output +caddy:set [|--global] () # Set or clear an caddy property for an app or globally +caddy:show-config # Display caddy compose config +caddy:start # Starts the caddy server +caddy:stop # Stops the caddy server ``` ## Requirements @@ -191,12 +191,25 @@ After enabling, the Caddy container will need to be restarted and apps will need ### Using Caddy's Internal TLS server -To switch to Caddy's internal TLS server for certificate provisioning, set the `tls-internal` property. This can only be set on a per-app basis. +To switch to Caddy's internal TLS server for certificate provisioning, set the `tls-internal` property. ```shell dokku caddy:set node-js-app tls-internal true ``` +The default value may also be configured globally with the `--global` flag. Per-app values take precedence over the global value when set. + +```shell +dokku caddy:set --global tls-internal true +``` + +Both the per-app and the global value may be unset by setting a blank value. + +```shell +dokku caddy:set node-js-app tls-internal +dokku caddy:set --global tls-internal +``` + ## Displaying Caddy reports for an app You can get a report about the app's Caddy config using the `caddy:report` command: 
@@ -207,28 +220,36 @@ dokku caddy:report ``` =====> node-js-app caddy information + Caddy computed tls internal: false + Caddy global tls internal: false Caddy image: lucaslorentz/caddy-docker-proxy:2.7 Caddy letsencrypt email: Caddy letsencrypt server: Caddy log level: ERROR Caddy polling interval: 5s - Caddy tls internal: false + Caddy tls internal: =====> python-app caddy information + Caddy computed tls internal: false + Caddy global tls internal: false Caddy image: lucaslorentz/caddy-docker-proxy:2.7 Caddy letsencrypt email: Caddy letsencrypt server: Caddy log level: ERROR Caddy polling interval: 5s - Caddy tls internal: false + Caddy tls internal: =====> ruby-app caddy information + Caddy computed tls internal: false + Caddy global tls internal: false Caddy image: lucaslorentz/caddy-docker-proxy:2.7 Caddy letsencrypt email: Caddy letsencrypt server: Caddy log level: ERROR Caddy polling interval: 5s - Caddy tls internal: false + Caddy tls internal: ``` +The `tls-internal` key holds the raw per-app value and is empty when nothing has been set on the app. The `computed-tls-internal` key holds the effective value used at deploy time, falling back to the global value and then to the built-in default of `false`. The `global-tls-internal` key holds the global value. + You can run the command for a specific app also. ```shell @@ -237,12 +258,14 @@ dokku caddy:report node-js-app ``` =====> node-js-app caddy information + Caddy computed tls internal: false + Caddy global tls internal: false Caddy image: lucaslorentz/caddy-docker-proxy:2.7 Caddy letsencrypt email: Caddy letsencrypt server: Caddy log level: ERROR Caddy polling interval: 5s - Caddy tls internal: false + Caddy tls internal: ``` You can pass flags which will output only the value of the specific information you want. For example: diff --git a/plugins/caddy-vhosts/command-functions b/plugins/caddy-vhosts/command-functions index 85ec998a0..5508f1e47 100755 --- a/plugins/caddy-vhosts/command-functions 
+++ b/plugins/caddy-vhosts/command-functions @@ -70,6 +70,7 @@ cmd-caddy-report-single() { local flag_map=() if [[ "$APP" == "--global" ]]; then flag_map=( + "--caddy-global-tls-internal: $(fn-caddy-global-tls-internal)" "--caddy-image: $(fn-caddy-image)" "--caddy-letsencrypt-email: $(fn-caddy-letsencrypt-email)" "--caddy-letsencrypt-server: $(fn-caddy-letsencrypt-server)" @@ -79,6 +80,8 @@ cmd-caddy-report-single() { else verify_app_name "$APP" flag_map=( + "--caddy-computed-tls-internal: $(fn-caddy-computed-tls-internal "$APP")" + "--caddy-global-tls-internal: $(fn-caddy-global-tls-internal)" "--caddy-image: $(fn-caddy-image)" "--caddy-letsencrypt-email: $(fn-caddy-letsencrypt-email)" "--caddy-letsencrypt-server: $(fn-caddy-letsencrypt-server)" diff --git a/plugins/caddy-vhosts/core-post-deploy b/plugins/caddy-vhosts/core-post-deploy index 78598a844..66d764058 100755 --- a/plugins/caddy-vhosts/core-post-deploy +++ b/plugins/caddy-vhosts/core-post-deploy @@ -14,7 +14,7 @@ trigger-caddy-vhosts-core-post-deploy() { return fi - tls_internal="$(fn-caddy-tls-internal)" + tls_internal="$(fn-caddy-computed-tls-internal "$APP")" dokku_log_info1 "Routing app via caddy" if [[ "$tls_internal" == "true" ]]; then dokku_log_warn "Warning: using caddy's internal, locally-trusted CA to produce certificates for this site" diff --git a/plugins/caddy-vhosts/docker-args-process-deploy b/plugins/caddy-vhosts/docker-args-process-deploy index 7b909315c..b44256827 100755 --- a/plugins/caddy-vhosts/docker-args-process-deploy +++ b/plugins/caddy-vhosts/docker-args-process-deploy 
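Review bot: The `--caddy-global-tls-internal` entry added to both flag maps (the `--global` branch in this hunk and the per-app branch in the next one) appears to report a defaulted value rather than the raw one, since the sample output in the docs change shows `Caddy global tls internal: false` where nothing has been set. That would leave the global key with the same ambiguity the commit removes from the bare `tls-internal` key: a report reader cannot tell an explicit global `false` from an unset global. `fn-caddy-global-tls-internal` is defined in internal-functions, which is not shown here, so this is inferred from the docs only. If it does apply the default, consider returning the stored value as-is and leaving the fallback to `fn-caddy-computed-tls-internal`. Otherwise a comment above the entries such as `# global-tls-internal: stored global value; computed-tls-internal: app, else global, else "false"` would make the contract explicit.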
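Review bot: The warning after the changed assignment in `trigger-caddy-vhosts-core-post-deploy` no longer tells the operator why the internal CA is in use, because `tls_internal` now comes from `fn-caddy-computed-tls-internal "$APP"` and may be inherited from the global setting. Certificates from Caddy's internal CA are not trusted by clients that lack its root, and one `--global` change can now switch the issuer for every app without an override on its next deploy, so the deploy log should name the source. A wording such as `dokku_log_warn "Warning: tls-internal is enabled (per-app or global); using caddy's internal, locally-trusted CA to produce certificates for this site"` would do, or the message could distinguish the two cases. The function body begins and ends outside this hunk, and any test that matches the current message would need updating.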
@@ -88,7 +88,7 @@ trigger-caddy-vhosts-docker-args-process-deploy() { # prefer the https:443 mapping to http:80 mapping if [[ -n "$is_app_listening" ]] && [[ -n "$caddy_domains" ]]; then has_443_mapping=false - tls_internal="$(fn-caddy-tls-internal)" + tls_internal="$(fn-caddy-computed-tls-internal "$APP")" if [[ -n "$proxy_container_https_port" ]] || [[ -n "$proxy_container_https_port_candidate" ]]; then has_443_mapping=true fi diff --git a/plugins/caddy-vhosts/help-functions b/plugins/caddy-vhosts/help-functions index 19d17a00e..6e0aaaa4a 100755 --- a/plugins/caddy-vhosts/help-functions +++ b/plugins/caddy-vhosts/help-functions @@ -28,7 +28,7 @@ fn-help-content() { declare desc="return help content" cat <] [], Displays an caddy report for one or more apps - caddy:set (), Set or clear an caddy property for an app + caddy:set [|--global] (), Set or clear an caddy property for an app or globally caddy:show-config , Display caddy compose config caddy:labels:add
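Review bot: Nothing near the new `tls_internal="$(fn-caddy-computed-tls-internal "$APP")"` line records that the global value is only read when this trigger runs. Assuming the caddy labels are generated here at deploy time, running `caddy:set --global tls-internal` leaves already-deployed apps on their previous issuer until each is redeployed. A host can then have some apps serving publicly trusted certificates and others serving internal-CA ones, while `caddy:report` shows the same computed value for all of them. A comment on the assignment, for example `# per-app value, else global, else "false"; read at deploy time, so a global change needs a redeploy to apply`, would document this. The enclosing function starts and ends outside the hunk.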