Comments (18)
I'm very interested in letsencrypt-support. That's the only thing keeping me from using mrsk right now. Let me know if I can help somehow!
from kamal.
I think if you're down this track, you're already off-piste. Better know your way around the terrain.
I'd be happy to see all the options be defaults you can overwrite.
from kamal.
Thanks, really looking forward to be able to customize ports! But.. an entrypoint will always require a port and vice versa right? Maybe just using entrypoints
instead of ports
would be even better 😆
traefik:
entrypoints:
web: 80
dashboard: 8080
Your example could then look like something this:
...
labels:
traefik.tcp.routers.logstash.rule: 'HostSNI(`*`)'
traefik.tcp.routers.logstash.entrypoints: logstash
traefik.tcp.services.logstash.loadbalancer.server.port: 10516
traefik.http.routers.logline.entrypoints: web
traefik.http.services.logline.loadbalancer.server.port: 8080
traefik:
entrypoints:
web: 80
logstash: 10516
And the user can focus on configuring traefik
instead of docker
. I would love to see this extended to work for volumes
as well. Which would make the following possible and enable configuration for things like ssl certificates with letsencrypt:
traefik:
entrypoints:
web: 80
websecure: 443
volumes:
- /letsencrypt/acme.json:/letsencrypt/acme.json
But let's get some feedback from @dhh first.
from kamal.
@kjellberg Would we want to fully override the dockers args if the user defined any? In your example, would overriding the restart policy work? Would restricting to ports and volumes be easier than resolving arbitrary args?
from kamal.
I'd like to see it as:
traefik:
options:
publish:
- 80
- 10516
volumes:
- ...
args:
entrypoints.web.address: :80
from kamal.
Updated PR - sorry, I misunderstood the desired config.
from kamal.
I've done a little work on this locally. Using the additional_ports suggestion above, I've ended up with a config yaml that includes a lot of excess effort. I've omitted anything not strictly related.
service: logline
labels:
traefik.tcp.routers.logstash.rule: 'HostSNI(`*`)'
traefik.tcp.routers.logstash.entrypoints: logstash
traefik.tcp.services.logstash.loadbalancer.server.port: 10516
traefik.http.routers.logline.entrypoints: web
traefik.http.services.logline.loadbalancer.server.port: 8080
traefik:
additional_ports:
- 10516
args:
'entrypoints.web.address=:80': true
'entrypoints.logstash.address=:10516': true
accesslog: true
I have a PR ready to go if this is an acceptable UX for now - or am interested in hearing about how 37s feels about the tradeoff between deeper traefik integration vs an escape hatch like this @dhh.
I'm particularly interested in this use-case as a motivating feature for us to move from platforms like Heroku et al where the ability to open a plain ol' TCP port isn't offered. The gap between PaaS and managed K8S or Nomad etc. is pretty sparse so I'd love to have mrsk fill this for us.
from kamal.
Opened a PR.
from kamal.
Updated PR in response to feedback from @kjellberg. This is the final result:
labels:
traefik.tcp.routers.logstash.rule: 'HostSNI(`*`)'
traefik.tcp.routers.logstash.entrypoints: logstash
traefik.tcp.services.logstash.loadbalancer.server.port: 10516
traefik.http.routers.logline.entrypoints: web
traefik.http.services.logline.loadbalancer.server.port: 8080
traefik:
ports:
- 80
- 10516
args:
'entrypoints.web.address=:80': true
'entrypoints.logstash.address=:10516': true
I'm fully overriding the ports published by traefik to avoid any confusion around how additional ports would have behaved with traefik defaults.
from kamal.
Hmm, I don't love marrying MRSK closer to Traefik. I'd rather see if we can't find a way to support this without needing new, Traefik specific configuration options that we translate. So that means doing this configuration in a generic way, like we do by allowing label specifications, or args to the starting command.
from kamal.
Ok, understood! Not sure though if you're referring to the whole issue or just my proposal re entrypoints
. But the thing is, there's no way (what I know, please correct me if I'm wrong cause I really need this 😁 ) to set docker arguments right now (for example additional ports and volumes). If you don't like idea of ports
and volumes
, we at least need a way to configure Docker args.
def run
docker :run, "--name traefik",
"--detach",
"--restart", "unless-stopped",
"--log-opt", "max-size=#{MAX_LOG_SIZE}",
"--publish", port,
"--volume", "/var/run/docker.sock:/var/run/docker.sock",
# <------ Docker args (--publish & --volume) must be inserted here before "traefik"
"traefik",
"--providers.docker",
"--log.level=DEBUG",
*cmd_option_args # <--- These are traefik specific args (--api.dashboard). Cant set port or mount volumes here.
end
But in my opinion, configuration will still not be generic anyways since mrsk users then will have to learn traefik
configuration. Most deploy.yaml
files will consist of 99% traefik labels :')
Having a small API for basic stuff like "domain", "ports" and "volumes" makes it really easy to get started. And user configurations can stay the same even though MRSK one day decides to switch to Caddy or something else.
from kamal.
Yeah, it's exactly that we should try to stay abstracted such that we could change "Traefik" to "caddy" or anything else, and the options would all stay the same. Seems to me that if we added options
, like we just did for app servers, we'd be able to get publish and volume in there, yeah?
from kamal.
Hmm, I don't love marrying MRSK closer to Traefik. I'd rather see if we can't find a way to support this without needing new, Traefik specific configuration options that we translate.
@dhh @kjellberg That is the motivation around only adding the ports config. The concession to UX is that a user that self-selects into manual port management would need to also pass additional args to configure traefik entry points.
My main concern is that an unwitting user could end up manually overriding ports, mess up the default traefik config and have a bad time as a result.
from kamal.
@dhh @kjellberg Would it be better to have a config like this:
traefik:
ports:
- 80
- 10516
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./letsencrypt/acme.json:/letsencrypt/acme.json
restart: unless-stopped
log-opt: '...'
image: traefik
... # other options
args:
'entrypoints.web.address=:80': true
'entrypoints.logstash.address=:10516': true
Or to acknowledge that users might want to run traefik in a way that mrsk doesn't know about (or want to know about) and to have something like this:
traefik:
cmd: "docker run --detach --name traefik --restart unless-stopped --publish 80..."
Which allows a user to do whatever weird and wonderful stuff they like by fully deploying the escape hatch. From your example @dhh, a user might even write something like:
traefik:
cmd: "docker run --name traefik --detach --publish 80 -e VIRTUAL_HOST=api.example.com jwilder/nginx-proxy
Happy to do the work around this, but I'm not sure which option is right for mrsk.
from kamal.
@dhh Updated #100 to support this config:
traefik:
options:
publish:
- 80
- 10516
volumes:
- /var/run/docker.sock:/var/run/docker.sock
args:
entrypoints.web.address: ':80'
And deployed to a production environment with it. @kjellberg We're using TLS termination on the Digital Ocean load balancer, so Let's Encrypt support is out of my wheelhouse.
from kamal.
Nice, but please allow options
to take any option, not only publish and volumes. You can have a look at how it was done with servers in PR #95. I guess you can just copy #cmd_option_args
, but modify it a bit to accept arrays (for multiple ports etc):
def run
docker :run, "--name traefik",
"--detach",
"--restart", "unless-stopped",
"--log-opt", "max-size=#{MAX_LOG_SIZE}",
"--publish", port,
"--volume", "/var/run/docker.sock:/var/run/docker.sock",
*option_args, # <---options goes here here
"traefik",
"--providers.docker",
"--log.level=DEBUG",
*cmd_option_args # <- maybe rename this to something with traefik?
end
We're using TLS termination on the Digital Ocean load balancer, so Let's Encrypt support is out of my wheelhouse.
Thanks, I will try with that, but I read something about that it requires us to switch to DO's nameservers. I want to use Cloudflare with Full SSL support. The Flexible SSL they offer doesn't work very well for me with Rails and CSRF - or does someone here have a hack?
from kamal.
@kjellberg would you like to move let's encrypt chat to another ticket? I'm happy to be involved but won't use it in prod so don't think I'm the right dev for it.
from kamal.
@kjellberg would you like to move let's encrypt chat to another ticket? I'm happy to be involved but won't use it in prod so don't think I'm the right dev for it.
I'd love to continue chat about different solutions in #112. If your PR get's merged, we only have one small step left: To create an empty acme.json
file on the host server(s) with correct permissions. Not sure if this is within the scope of MRSK or if it's something we'll have to do manually.
from kamal.
Related Issues (20)
- Setting up a specific role is failing because it's looking for the primary web role env file HOT 2
- Reuse same accessory across multiple kamal application deploy configs HOT 2
- Vanilla Rails 7.1 app fails to deploy with Kamal. HOT 10
- like capastranio, is that possible to put `-d` flag before the action argument? like `kamal -d prod app version` instead of `kamal app version -d prod` HOT 2
- Traefik renew letsencrypt certificates HOT 4
- observation: docker system dial-stdio processes do not die HOT 4
- Add volumes through `--mount` HOT 4
- No more logs when container fails to pass healthcheck
- Unable to Access http://localhost:3000 for Remix Run App container HOT 7
- Build failure: Docker image cannot be built due to missing Git submodules HOT 2
- /bin/rails assets:precompile" did not complete successfully: exit code: 1 randomly fails
- Is there any way to access a specific container? HOT 2
- Deploy stopped working since v1.7: `docker stderr: context "<name>" does not exist` HOT 6
- Asset is not present in Pipeline HOT 3
- Question about Default Configuration Merge with Destination Config HOT 2
- RubyZip 3.0 Warning Blocking Kamal Deploy HOT 2
- `kamal app exec` disregard the `--destination` option HOT 1
- SSH Connection Timeouts During Full Deployment
- Environment variable from terminal overwriting .env.erb value HOT 2
- Incorrect validation for traefik configuration. HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kamal.