fix: router service pointer to allow multiple endpoints

Morriz · Mar 27, 2024 · a417e7e · a417e7e
1 parent 7e70e99
commit a417e7e
Show file tree

Hide file tree

Showing 10 changed files with 25 additions and 57 deletions.
diff --git a/db.yml.sample b/db.yml.sample
@@ -40,7 +40,6 @@ projects:
         env:
           MINIO_ROOT_USER: root
           MINIO_ROOT_PASSWORD: 83b01a6b8f210b5f5862943f3ebe257d
-          MINIO_DEFAULT_BUCKETS: ai-assistant
         image: minio/minio:latest
         ingress:
           - domain: minio-api.example.com

diff --git a/lib/proxy.py b/lib/proxy.py
@@ -88,13 +88,13 @@ def write_terminate() -> None:
 
 
 def write_routers() -> None:
-    projects_tcp = get_projects(filter=lambda _, _2, i: i.protocol == Protocol.tcp)
+    projects_passthrough = get_projects(filter=lambda _, s, i: i.passthrough or not s.image)
     with open("proxy/tpl/routers-web.yml.j2", encoding="utf-8") as f:
         t = f.read()
     tpl_routers_web = Template(t)
     domain = os.environ.get("TRAEFIK_DOMAIN")
     routers_web = tpl_routers_web.render(
-        projects=projects_tcp,
+        projects=projects_passthrough,
         traefik_rule=f"Host(`{domain}`)",
         traefik_admin=os.environ.get("TRAEFIK_ADMIN"),
         plugin_registry=get_plugin_registry(),
@@ -106,7 +106,7 @@ def write_routers() -> None:
         t = f.read()
     tpl_routers_tcp = Template(t)
     tpl_routers_tcp.globals["ProxyProtocol"] = ProxyProtocol
-    routers_tcp = tpl_routers_tcp.render(projects=projects_tcp, traefik_rule=f"HostSNI(`{domain}`)")
+    routers_tcp = tpl_routers_tcp.render(projects=projects_passthrough, traefik_rule=f"HostSNI(`{domain}`)")
     with open("proxy/traefik/routers-tcp.yml", "w", encoding="utf-8") as f:
         f.write(routers_tcp)
     projects_udp = get_projects(filter=lambda _, _2, i: i.protocol == Protocol.udp)

diff --git a/lib/test_stubs.py b/lib/test_stubs.py
@@ -53,7 +53,6 @@
                 env={
                     "MINIO_ROOT_USER": "root",
                     "MINIO_ROOT_PASSWORD": "83b01a6b8f210b5f5862943f3ebe257d",
-                    "MINIO_DEFAULT_BUCKETS": "ai-assistant",
                 },
                 image="minio/minio:latest",
                 ingress=[

diff --git a/proxy/docker-compose.yml b/proxy/docker-compose.yml
@@ -48,17 +48,17 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
 
-  traefic-in:
+  traefik-in:
     image: traefik:v2.11
-    container_name: traefic-in
+    container_name: traefik-in
     env_file:
       - ../.env
     networks:
       - default
       - proxynet
     ports:
-      - 8080:8080
-      - 8443:8443
+      - 8080:8080/tcp
+      - 8443:8443/tcp
       - 1194:1194/udp
     volumes:
       - ./traefik/config-in.yml:/etc/traefik/traefik.yml:ro
@@ -77,13 +77,12 @@ services:
       - '8080'
       - '8443'
     volumes:
-      - logs:/var/log/traefik
       - ./traefik/config-web.yml:/etc/traefik/traefik.yml:ro
       - ./traefik/routers-web.yml:/etc/traefik/dynamic/routers-web.yml:ro
       - ./traefik/acme:/etc/acme
     depends_on:
       - dockerproxy
-      - traefic-in
+      - traefik-in
       - crowdsec
   crowdsec:
     image: crowdsecurity/crowdsec:v1.6.0
@@ -101,12 +100,6 @@ services:
       BOUNCER_KEY_TRAEFIK: L9yZ1y2XagDm9915mRg2fg==
     volumes:
       - ./traefik/crowdsec/acquis.yml:/etc/crowdsec/acquis.yaml:ro
-      - logs:/var/log/traefik:ro
-      - crowdsec-db:/var/lib/crowdsec/data/
+      - ../data/crowdsec:/var/lib/crowdsec/data/
     labels:
-      - "traefik.enable=false"
-
-volumes:
-  logs:
-  crowdsec-db:
-  shared:
+      - "traefik.enable=false"
diff --git a/proxy/tpl/config-in.yml.j2 b/proxy/tpl/config-in.yml.j2
@@ -1,5 +1,4 @@
-accessLog:
-  filePath: /var/log/traefik/access.log
+accessLog: {}
 
 entryPoints:
   tcp:
@@ -55,7 +54,7 @@ entryPoints:
 {%- endfor %}
 
 log:
-  level: DEBUG
+  level: INFO
 
 providers:
   file:

diff --git a/proxy/tpl/config-web.yml.j2 b/proxy/tpl/config-web.yml.j2
@@ -1,10 +1,4 @@
-accessLog:
-  filePath: /var/log/traefik/access.log
-  # format: json
-  # fields:
-  #   defaultMode: keep
-  #   headers:
-  #     defaultMode: keep
+accessLog: {}
 
 api:
   insecure: false
@@ -69,7 +63,7 @@ global:
   sendAnonymousUsage: true
 
 log:
-  level: DEBUG
+  level: INFO
 
 providers:
   docker:

diff --git a/proxy/tpl/docker-compose.yml.j2 b/proxy/tpl/docker-compose.yml.j2
@@ -48,17 +48,17 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
 
-  traefic-in:
+  traefik-in:
     image: traefik:v2.11
-    container_name: traefic-in
+    container_name: traefik-in
     env_file:
       - ../.env
     networks:
       - default
       - proxynet
     ports:
-      - 8080:8080
-      - 8443:8443
+      - 8080:8080/tcp
+      - 8443:8443/tcp
 {%- for p in projects %}
   {%- for s in p.services %}
     {%- for i in s.ingress %}
@@ -83,13 +83,12 @@ services:
       - '8080'
       - '8443'
     volumes:
-      - logs:/var/log/traefik
       - ./traefik/config-web.yml:/etc/traefik/traefik.yml:ro
       - ./traefik/routers-web.yml:/etc/traefik/dynamic/routers-web.yml:ro
       - ./traefik/acme:/etc/acme
     depends_on:
       - dockerproxy
-      - traefic-in
+      - traefik-in
 {%- if plugin_registry.crowdsec.enabled %}
   {%- set cs = plugin_registry.crowdsec %}
       - crowdsec
@@ -111,13 +110,7 @@ services:
       {%- endif %}
     volumes:
       - ./traefik/crowdsec/acquis.yml:/etc/crowdsec/acquis.yaml:ro
-      - logs:/var/log/traefik:ro
-      - crowdsec-db:/var/lib/crowdsec/data/
+      - ../data/crowdsec:/var/lib/crowdsec/data/
     labels:
       - "traefik.enable=false"      
 {%- endif %}
-
-volumes:
-  logs:
-  crowdsec-db:
-  shared:
diff --git a/proxy/tpl/routers-tcp.yml.j2 b/proxy/tpl/routers-tcp.yml.j2
@@ -4,12 +4,12 @@ tcp:
   {%- for s in p.services %}
     {%- for i in s.ingress %}
       {%- set name = p.name ~ '-' ~ s.name.replace('.', '-') ~ '-' ~ i.port %}
-      {%- if i.passthrough %}
     {{ name }}:
       entryPoints:
         - tcp-secure
       service: {{ name }}
       rule: 'HostSNI(`{{ i.domain }}`){% if i.path_prefix %} && PathPrefix(`{{ i.path_prefix }}`){% endif %}'
+      {%- if i.passthrough %}
       tls:
         passthrough: true
       {%- endif %}
@@ -33,7 +33,6 @@ tcp:
   {%- for s in p.services %}
     {%- for i in s.ingress %}
       {%- set name = p.name ~ '-' ~ s.name.replace('.', '-') ~ '-' ~ i.port %}
-      {%- if i.passthrough %}
     {{ name }}:
       loadBalancer:
         {%- if i.proxyprotocol %}
@@ -42,7 +41,6 @@ tcp:
         {%- endif %}
         servers:
           - address: {{ s.name }}:{{ i.port }}
-      {%- endif %}
     {%- endfor %}
   {%- endfor %}
 {%- endfor %}

diff --git a/proxy/tpl/routers-web.yml.j2 b/proxy/tpl/routers-web.yml.j2
@@ -16,17 +16,12 @@ http:
   {%- for s in p.services %}
     {%- for i in s.ingress %}
       {%- set name = p.name ~ '-' ~ s.name.replace('.', '-') ~ '-' ~ i.port %}
+      {%- if i.passthrough %}
     {{ name}}:
       service: {{ name }}
       entryPoints:
-      {%- if i.passthrough %}
         - web
       rule: 'Host(`{{ i.domain }}`) && PathPrefix(`/.well-known/acme-challenge/`)'
-      {%- else %}
-        - web-secure
-      rule: 'Host(`{{ i.domain }}`){% if i.path_prefix %} && PathPrefix(`{{ i.path_prefix }}`){% endif %}'
-      tls:
-        certResolver: letsencrypt
       {%- endif %}
     {%- endfor %}
   {%- endfor %}
@@ -36,15 +31,12 @@ http:
   {%- for s in p.services %}
     {%- for i in s.ingress %}
       {%- set name = p.name ~ '-' ~ s.name.replace('.', '-') ~ '-' ~ i.port %}
+      {%- if i.passthrough %}
     {{ name}}:
       loadBalancer:
         servers:
-      {%- if i.passthrough %}
           # just forwarding port 80 for doing own http challenge:
           - url: http://{{ s.name }}:80/
-      {%- else %}
-          # routing to a service on the host:
-          - url: http://{{ s.name }}:{{ i.port }}/
       {%- endif %}
     {%- endfor %}
   {%- endfor %}

diff --git a/tpl/docker-compose.yml.j2 b/tpl/docker-compose.yml.j2
@@ -33,9 +33,10 @@ services:
       {%- for i in s.ingress %}
         {%- if i.domain %}
           {%- set name = project.name ~ '-' ~ s.name.replace('.', '-') ~ '-' ~ i.port %}
-      - traefik.http.routers.{{ name }}.entrypoints=web-secure
+      - traefik.http.routers.{{ name }}.entrypoints={% if i.hostport %}{{ Protocol(i.protocol).value }}-{{ i.hostport }}{% else %}web-secure{% endif %}
       - traefik.http.routers.{{ name }}.rule=Host(`{{ i.domain }}`){%- if i.path_prefix %} && PathPrefix(`{{ i.path_prefix }}`){%- endif %}
       - traefik.http.routers.{{ name }}.tls.certresolver=letsencrypt
+      - traefik.http.routers.{{ name }}.service={{ name }}
           {%- if i.path_prefix and i.path_remove %}
       - traefik.http.middlewares.removeServiceSelector.stripPrefix.prefixes={{ i.path_prefix }}
           {%- endif %}