Modify ACME configuration migration into KV store
This commit is contained in:
parent
3c7c6c4d9f
commit
9e41485ff1
5 changed files with 53 additions and 60 deletions
|
@ -67,14 +67,23 @@ func runStoreConfig(kv *staert.KvSource, traefikConfiguration *TraefikConfigurat
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if traefikConfiguration.GlobalConfiguration.ACME != nil && len(traefikConfiguration.GlobalConfiguration.ACME.StorageFile) > 0 {
|
if traefikConfiguration.GlobalConfiguration.ACME != nil {
|
||||||
|
var object cluster.Object
|
||||||
|
if len(traefikConfiguration.GlobalConfiguration.ACME.StorageFile) > 0 {
|
||||||
// convert ACME json file to KV store
|
// convert ACME json file to KV store
|
||||||
localStore := acme.NewLocalStore(traefikConfiguration.GlobalConfiguration.ACME.StorageFile)
|
localStore := acme.NewLocalStore(traefikConfiguration.GlobalConfiguration.ACME.StorageFile)
|
||||||
object, err := localStore.Load()
|
object, err = localStore.Load()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
} else {
|
||||||
|
// Create an empty account to create all the keys into the KV store
|
||||||
|
account := &acme.Account{}
|
||||||
|
account.Init()
|
||||||
|
object = account
|
||||||
|
}
|
||||||
|
|
||||||
meta := cluster.NewMetadata(object)
|
meta := cluster.NewMetadata(object)
|
||||||
err = meta.Marshall()
|
err = meta.Marshall()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -89,6 +98,11 @@ func runStoreConfig(kv *staert.KvSource, traefikConfiguration *TraefikConfigurat
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
// Force to delete storagefile
|
||||||
|
err = kv.Delete(kv.Prefix + "/acme/storagefile")
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,6 +20,12 @@ See also [Let's Encrypt examples](/user-guide/examples/#lets-encrypt-support) an
|
||||||
#
|
#
|
||||||
email = "test@traefik.io"
|
email = "test@traefik.io"
|
||||||
|
|
||||||
|
# File used for certificates storage.
|
||||||
|
#
|
||||||
|
# Optional (Deprecated)
|
||||||
|
#
|
||||||
|
#storageFile = "acme.json"
|
||||||
|
|
||||||
# File or key used for certificates storage.
|
# File or key used for certificates storage.
|
||||||
#
|
#
|
||||||
# Required
|
# Required
|
||||||
|
@ -55,7 +61,7 @@ entryPoint = "https"
|
||||||
#
|
#
|
||||||
# acmeLogging = true
|
# acmeLogging = true
|
||||||
|
|
||||||
# Enable on demand certificate.
|
# Enable on demand certificate. (Deprecated)
|
||||||
#
|
#
|
||||||
# Optional
|
# Optional
|
||||||
#
|
#
|
||||||
|
@ -89,6 +95,10 @@ entryPoint = "https"
|
||||||
# main = "local4.com"
|
# main = "local4.com"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
!!! note
|
||||||
|
ACME entryPoint has to be relied to the port 443, otherwise ACME Challenges can not be done.
|
||||||
|
It's a Let's Encrypt limitation as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).
|
||||||
|
|
||||||
### `storage`
|
### `storage`
|
||||||
|
|
||||||
```toml
|
```toml
|
||||||
|
@ -100,7 +110,7 @@ storage = "acme.json"
|
||||||
|
|
||||||
File or key used for certificates storage.
|
File or key used for certificates storage.
|
||||||
|
|
||||||
**WARNING** If you use Traefik in Docker, you have 2 options:
|
**WARNING** If you use Træfik in Docker, you have 2 options:
|
||||||
|
|
||||||
- create a file on your host and mount it as a volume:
|
- create a file on your host and mount it as a volume:
|
||||||
```toml
|
```toml
|
||||||
|
@ -118,6 +128,14 @@ storage = "/etc/traefik/acme/acme.json"
|
||||||
docker run -v "/my/host/acme:/etc/traefik/acme" traefik
|
docker run -v "/my/host/acme:/etc/traefik/acme" traefik
|
||||||
```
|
```
|
||||||
|
|
||||||
|
!!! note
|
||||||
|
`storage` replaces `storageFile` which is deprecated.
|
||||||
|
|
||||||
|
!!! note
|
||||||
|
During Træfik configuration migration from a configuration file to a KV store (thanks to `storeconfig` subcommand as described [here](/user-guide/kv-config/#store-configuration-in-key-value-store)), if ACME certificates have to be migrated too, use both `storageFile` and `storage`.
|
||||||
|
`storageFile` will contain the path to the `acme.json` file to migrate.
|
||||||
|
`storage` will contain the key where the certificates will be stored.
|
||||||
|
|
||||||
### `dnsProvider`
|
### `dnsProvider`
|
||||||
|
|
||||||
```toml
|
```toml
|
||||||
|
@ -146,7 +164,7 @@ Select the provider that matches the DNS domain that will host the challenge TXT
|
||||||
| [GoDaddy](https://godaddy.com/domains) | `godaddy` | `GODADDY_API_KEY`, `GODADDY_API_SECRET` |
|
| [GoDaddy](https://godaddy.com/domains) | `godaddy` | `GODADDY_API_KEY`, `GODADDY_API_SECRET` |
|
||||||
| [Google Cloud DNS](https://cloud.google.com/dns/docs/) | `gcloud` | `GCE_PROJECT`, `GCE_SERVICE_ACCOUNT_FILE` |
|
| [Google Cloud DNS](https://cloud.google.com/dns/docs/) | `gcloud` | `GCE_PROJECT`, `GCE_SERVICE_ACCOUNT_FILE` |
|
||||||
| [Linode](https://www.linode.com) | `linode` | `LINODE_API_KEY` |
|
| [Linode](https://www.linode.com) | `linode` | `LINODE_API_KEY` |
|
||||||
| manual | - | none, but run Traefik interactively & turn on `acmeLogging` to see instructions & press <kbd>Enter</kbd>. |
|
| manual | - | none, but run Træfik interactively & turn on `acmeLogging` to see instructions & press <kbd>Enter</kbd>. |
|
||||||
| [Namecheap](https://www.namecheap.com) | `namecheap` | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY` |
|
| [Namecheap](https://www.namecheap.com) | `namecheap` | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY` |
|
||||||
| [Ns1](https://ns1.com/) | `ns1` | `NS1_API_KEY` |
|
| [Ns1](https://ns1.com/) | `ns1` | `NS1_API_KEY` |
|
||||||
| [Open Telekom Cloud](https://cloud.telekom.de/en/) | `otc` | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT` |
|
| [Open Telekom Cloud](https://cloud.telekom.de/en/) | `otc` | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT` |
|
||||||
|
@ -171,7 +189,7 @@ If `delayDontCheckDNS` is greater than zero, avoid this & instead just wait so m
|
||||||
|
|
||||||
Useful if internal networks block external DNS queries.
|
Useful if internal networks block external DNS queries.
|
||||||
|
|
||||||
### `onDemand`
|
### `onDemand` (Deprecated)
|
||||||
|
|
||||||
```toml
|
```toml
|
||||||
[acme]
|
[acme]
|
||||||
|
@ -188,7 +206,10 @@ This will request a certificate from Let's Encrypt during the first TLS handshak
|
||||||
TLS handshakes will be slow when requesting a hostname certificate for the first time, this can lead to DoS attacks.
|
TLS handshakes will be slow when requesting a hostname certificate for the first time, this can lead to DoS attacks.
|
||||||
|
|
||||||
!!! warning
|
!!! warning
|
||||||
Take note that Let's Encrypt have [rate limiting](https://letsencrypt.org/docs/rate-limits)
|
Take note that Let's Encrypt have [rate limiting](https://letsencrypt.org/docs/rate-limits).
|
||||||
|
|
||||||
|
!!! warning
|
||||||
|
This option is deprecated.
|
||||||
|
|
||||||
### `onHostRule`
|
### `onHostRule`
|
||||||
|
|
||||||
|
@ -238,7 +259,7 @@ main = "local4.com"
|
||||||
```
|
```
|
||||||
|
|
||||||
You can provide SANs (alternative domains) to each main domain.
|
You can provide SANs (alternative domains) to each main domain.
|
||||||
All domains must have A/AAAA records pointing to Traefik.
|
All domains must have A/AAAA records pointing to Træfik.
|
||||||
|
|
||||||
!!! warning
|
!!! warning
|
||||||
Take note that Let's Encrypt have [rate limiting](https://letsencrypt.org/docs/rate-limits).
|
Take note that Let's Encrypt have [rate limiting](https://letsencrypt.org/docs/rate-limits).
|
||||||
|
|
|
@ -38,16 +38,7 @@ services:
|
||||||
|
|
||||||
etcdctl-ping:
|
etcdctl-ping:
|
||||||
image: tenstartups/etcdctl
|
image: tenstartups/etcdctl
|
||||||
command: --endpoints=[10.0.1.12:2379] get "traefik/acme/storagefile"
|
command: --endpoints=[10.0.1.12:2379] get "traefik/acme/storage"
|
||||||
environment:
|
|
||||||
ETCDCTL_DIAL_: "TIMEOUT 10s"
|
|
||||||
ETCDCTL_API : "3"
|
|
||||||
networks:
|
|
||||||
- net
|
|
||||||
|
|
||||||
etcdctl-rm:
|
|
||||||
image: tenstartups/etcdctl
|
|
||||||
command: --endpoints=[10.0.1.12:2379] del "/traefik/acme/storagefile"
|
|
||||||
environment:
|
environment:
|
||||||
ETCDCTL_DIAL_: "TIMEOUT 10s"
|
ETCDCTL_DIAL_: "TIMEOUT 10s"
|
||||||
ETCDCTL_API : "3"
|
ETCDCTL_API : "3"
|
||||||
|
@ -129,7 +120,6 @@ services:
|
||||||
image: containous/traefik
|
image: containous/traefik
|
||||||
volumes:
|
volumes:
|
||||||
- "./traefik.toml:/traefik.toml:ro"
|
- "./traefik.toml:/traefik.toml:ro"
|
||||||
- "./acme.json:/acme.json:ro"
|
|
||||||
command: storeconfig --debug
|
command: storeconfig --debug
|
||||||
networks:
|
networks:
|
||||||
- net
|
- net
|
||||||
|
|
|
@ -32,15 +32,6 @@ delete_services() {
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
# Init the environment : get IP address and create needed files
|
|
||||||
init_acme_json() {
|
|
||||||
echo "CREATE empty acme.json file"
|
|
||||||
rm -f $basedir/acme.json && \
|
|
||||||
touch $basedir/acme.json && \
|
|
||||||
echo "{}" > $basedir/acme.json && \
|
|
||||||
chmod 600 $basedir/acme.json # Needed for ACME
|
|
||||||
}
|
|
||||||
|
|
||||||
start_consul() {
|
start_consul() {
|
||||||
up_environment consul
|
up_environment consul
|
||||||
waiting_counter=12
|
waiting_counter=12
|
||||||
|
@ -76,7 +67,6 @@ start_etcd3() {
|
||||||
}
|
}
|
||||||
|
|
||||||
start_storeconfig_consul() {
|
start_storeconfig_consul() {
|
||||||
init_acme_json
|
|
||||||
# Create traefik.toml with consul provider
|
# Create traefik.toml with consul provider
|
||||||
cp $basedir/traefik.toml.tmpl $basedir/traefik.toml
|
cp $basedir/traefik.toml.tmpl $basedir/traefik.toml
|
||||||
echo '
|
echo '
|
||||||
|
@ -85,29 +75,13 @@ start_storeconfig_consul() {
|
||||||
watch = true
|
watch = true
|
||||||
prefix = "traefik"' >> $basedir/traefik.toml
|
prefix = "traefik"' >> $basedir/traefik.toml
|
||||||
up_environment traefik-storeconfig
|
up_environment traefik-storeconfig
|
||||||
rm -f $basedir/traefik.toml && rm -f $basedir/acme.json
|
rm -f $basedir/traefik.toml
|
||||||
# Delete acme-storage-file key
|
|
||||||
waiting_counter=5
|
waiting_counter=5
|
||||||
# Not start Traefik store config if consul is not started
|
delete_services traefik-storeconfig
|
||||||
echo "Delete storage file key..."
|
|
||||||
while [[ -z $(curl -s http://10.0.1.2:8500/v1/kv/traefik/acme/storagefile) && $waiting_counter -gt 0 ]]; do
|
|
||||||
sleep 5
|
|
||||||
let waiting_counter-=1
|
|
||||||
done
|
|
||||||
if [[ $waiting_counter -eq 0 ]]; then
|
|
||||||
echo "[WARN] Unable to get storagefile key in consul"
|
|
||||||
else
|
|
||||||
curl -s --request DELETE http://10.0.1.2:8500/v1/kv/traefik/acme/storagefile
|
|
||||||
ret=$1
|
|
||||||
if [[ $ret -ne 0 ]]; then
|
|
||||||
echo "[ERROR] Unable to delete storagefile key from consul kv."
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
start_storeconfig_etcd3() {
|
start_storeconfig_etcd3() {
|
||||||
init_acme_json
|
|
||||||
# Create traefik.toml with consul provider
|
# Create traefik.toml with consul provider
|
||||||
cp $basedir/traefik.toml.tmpl $basedir/traefik.toml
|
cp $basedir/traefik.toml.tmpl $basedir/traefik.toml
|
||||||
echo '
|
echo '
|
||||||
|
@ -117,20 +91,15 @@ start_storeconfig_etcd3() {
|
||||||
prefix = "/traefik"
|
prefix = "/traefik"
|
||||||
useAPIV3 = true' >> $basedir/traefik.toml
|
useAPIV3 = true' >> $basedir/traefik.toml
|
||||||
up_environment traefik-storeconfig
|
up_environment traefik-storeconfig
|
||||||
rm -f $basedir/traefik.toml && rm -f $basedir/acme.json
|
rm -f $basedir/traefik.toml
|
||||||
# Delete acme-storage-file key
|
|
||||||
waiting_counter=5
|
waiting_counter=5
|
||||||
# Not start Traefik store config if consul is not started
|
# Don't start Traefik store config if ETCD3 is not started
|
||||||
echo "Delete storage file key..."
|
echo "Delete storage file key..."
|
||||||
while [[ $(docker-compose -f $doc_file up --exit-code-from etcdctl-ping etcdctl-ping &>/dev/null) -ne 0 && $waiting_counter -gt 0 ]]; do
|
while [[ $(docker-compose -f $doc_file up --exit-code-from etcdctl-ping etcdctl-ping &>/dev/null) -ne 0 && $waiting_counter -gt 0 ]]; do
|
||||||
sleep 5
|
sleep 5
|
||||||
let waiting_counter-=1
|
let waiting_counter-=1
|
||||||
done
|
done
|
||||||
# Not start Traefik store config if consul is not started
|
delete_services traefik-storeconfig etcdctl-ping
|
||||||
echo "Delete storage file key from ETCD3..."
|
|
||||||
|
|
||||||
up_environment etcdctl-rm && \
|
|
||||||
delete_services etcdctl-rm traefik-storeconfig etcdctl-ping
|
|
||||||
}
|
}
|
||||||
|
|
||||||
start_traefik() {
|
start_traefik() {
|
||||||
|
|
|
@ -12,7 +12,6 @@ defaultEntryPoints = ["http", "https"]
|
||||||
[acme]
|
[acme]
|
||||||
email = "test@traefik.io"
|
email = "test@traefik.io"
|
||||||
storage = "traefik/acme/account"
|
storage = "traefik/acme/account"
|
||||||
storageFile = "/acme.json"
|
|
||||||
entryPoint = "https"
|
entryPoint = "https"
|
||||||
OnHostRule = true
|
OnHostRule = true
|
||||||
caServer = "http://traefik.boulder.com:4000/directory"
|
caServer = "http://traefik.boulder.com:4000/directory"
|
||||||
|
|
Loading…
Add table
Reference in a new issue