Traefik rolling config updates

services/traefik/Makefile

@@ -9,33 +9,32 @@ REPO_BASE_DIR := $(shell git rev-parse --show-toplevel)
 # TARGETS --------------------------------------------------
 include ${REPO_BASE_DIR}/scripts/common.Makefile
 
-
 .PHONY: up-local
-up-local: .init .create_secrets .env ${TEMP_COMPOSE}-local ## Deploys the stack using provided certificates
+up-local: .init .create_secrets ${TEMP_COMPOSE}-local prune-docker-stack-configs ## Deploys the stack using provided certificates
 	@docker stack deploy --with-registry-auth --prune --compose-file ${TEMP_COMPOSE}-local ${STACK_NAME}
 
 .PHONY: up-letsencrypt-http
-up-letsencrypt-http: .init .env ${TEMP_COMPOSE}-letsencrypt-http ## Deploys the stack with let's encrypt http challenge
+up-letsencrypt-http: .init ${TEMP_COMPOSE}-letsencrypt-http prune-docker-stack-configs ## Deploys the stack with let's encrypt http challenge
 	@docker stack deploy --with-registry-auth --prune --compose-file ${TEMP_COMPOSE}-letsencrypt-http ${STACK_NAME}
 
 .PHONY: up-letsencrypt-dns
-up-letsencrypt-dns: .init .env ${TEMP_COMPOSE}-letsencrypt-dns ## Deploys the stack with let's encrypt dns challenge
+up-letsencrypt-dns: .init ${TEMP_COMPOSE}-letsencrypt-dns prune-docker-stack-configs ## Deploys the stack with let's encrypt dns challenge
 	@docker stack deploy --with-registry-auth --prune --compose-file ${TEMP_COMPOSE}-dns ${STACK_NAME}
 
 .PHONY: up-dalco
-up-dalco: .init .env ${TEMP_COMPOSE}-dalco ## Deploys the stack on dalco cluster
+up-dalco: .init ${TEMP_COMPOSE}-dalco prune-docker-stack-configs ## Deploys the stack on dalco cluster
 	@docker stack deploy --with-registry-auth --prune --compose-file ${TEMP_COMPOSE}-dalco ${STACK_NAME}
 
 .PHONY: up-public
-up-public: .init .env ${TEMP_COMPOSE}-public ## Deploys the stack on dalco cluster
+up-public: .init ${TEMP_COMPOSE}-public prune-docker-stack-configs ## Deploys the stack on dalco cluster
 	@docker stack deploy --with-registry-auth --prune --compose-file ${TEMP_COMPOSE}-public ${STACK_NAME}
 
 .PHONY: up-aws
-up-aws: .init .env ${TEMP_COMPOSE}-aws ## Deploys the stack aws
+up-aws: .init ${TEMP_COMPOSE}-aws prune-docker-stack-configs ## Deploys the stack aws
 	@docker stack deploy --with-registry-auth --prune --compose-file ${TEMP_COMPOSE}-aws ${STACK_NAME}
 
 .PHONY: up-master ## Deploys the stack on master
-up-master: .init .env ${TEMP_COMPOSE}-master ## Deploys the stack on dalco cluster
+up-master: .init ${TEMP_COMPOSE}-master prune-docker-stack-configs ## Deploys the stack on dalco cluster
 	@docker stack deploy --with-registry-auth --prune --compose-file ${TEMP_COMPOSE}-master ${STACK_NAME}
 
 # Helpers -------------------------------------------------

services/traefik/docker-compose.aws.yml

@@ -44,13 +44,6 @@ services:
           - node.labels.traefik==true
     volumes:
       - /etc/traefik_certs:/etc/traefik_certs
-    configs:
-      - source: traefik_dynamic_config.yml
-        target: /etc/traefik/dynamic_conf.yml
   whoami:
     dns: # Add this always for AWS, otherwise we get "No such image: " for docker services
       8.8.8.8
-
-configs:
-  traefik_dynamic_config.yml:
-    file: ./traefik_dynamic_config.yml

services/traefik/docker-compose.dalco.yml

@@ -40,12 +40,5 @@ services:
             placement:
                 constraints:
                     - node.labels.traefik==true
-        configs:
-            - source: traefik_dynamic_config.yml
-              target: /etc/traefik/dynamic_conf.yml
         volumes:
             - /etc/traefik_certs:/etc/traefik_certs
-
-configs:
-    traefik_dynamic_config.yml:
-        file: ./traefik_dynamic_config.yml

services/traefik/docker-compose.master.yml

@@ -37,16 +37,9 @@ services:
             - "--providers.file.watch=true"
         env_file:
             - .env
-        configs:
-            - source: traefik_dynamic_config.yml
-              target: /etc/traefik/dynamic_conf.yml
         deploy:
             placement:
                 constraints:
                     - node.labels.traefik==true
         volumes:
             - /etc/traefik_certs:/etc/traefik_certs
-
-configs:
-    traefik_dynamic_config.yml:
-        file: ./traefik_dynamic_config.yml

services/traefik/docker-compose.public.yml

@@ -36,17 +36,10 @@ services:
       - "--entryPoints.https.forwardedHeaders.insecure"
       - "--providers.file.directory=/etc/traefik/"
       - "--providers.file.watch=true"
-    configs:
-      - source: traefik_dynamic_config.yml
-        target: /etc/traefik/dynamic_conf.yml
     deploy:
       replicas: ${OPS_TRAEFIK_REPLICAS}
       placement:
         constraints:
           - node.labels.traefik==true
     volumes:
       - /etc/traefik_certs:/etc/traefik_certs
-
-configs:
-  traefik_dynamic_config.yml:
-    file: ./traefik_dynamic_config.yml

services/traefik/docker-compose.yml.j2

@@ -56,12 +56,20 @@ services:
       - target: 5433
         published: 5433
         mode: host
+    configs:
+      - source: traefik_dynamic_config.yml
+        target: /etc/traefik/dynamic_conf.yml
     volumes:
       # So that Traefik can listen to the Docker events
       - /var/run/docker.sock:/var/run/docker.sock
     deploy:
       # mode: global
       replicas: ${OPS_TRAEFIK_REPLICAS}
+      update_config:
+        order: stop-first
+        delay: 20s
+        failure_action: rollback
+        parallelism: 1
       resources:
         limits:
           memory: 2048M
@@ -211,3 +219,8 @@ networks:
   monitored:
     name: ${MONITORED_NETWORK}
     external: true
+
+configs:
+  traefik_dynamic_config.yml:
+    name: ${STACK_NAME}_traefik_dynamic_config_{{ "./traefik_dynamic_config.yml" | sha256file | substring(0,10) }}
+    file: ./traefik_dynamic_config.yml

services/traefik/template.env

@@ -1,3 +1,5 @@
+STACK_NAME=${STACK_NAME}
+
 MACHINE_FQDN=${MACHINE_FQDN}
 TRAEFIK_USER=${SERVICES_USER}
 TRAEFIK_SIMCORE_ZONE=${TRAEFIK_SIMCORE_ZONE}
@@ -31,7 +33,7 @@ CERTIFICATE_GENERATION_FQDNS='${CERTIFICATE_GENERATION_FQDNS}'
 CERTIFICATE_RESOLVE_DNS_CHALLANGE_IP=${CERTIFICATE_RESOLVE_DNS_CHALLANGE_IP}
 OPS_TRAEFIK_LETSENCRYPT_ACME_CA_SERVER=${OPS_TRAEFIK_LETSENCRYPT_ACME_CA_SERVER}
 OPS_TRAEFIK_LOGLEVEL=${OPS_TRAEFIK_LOGLEVEL}
-DEPLOYMENT_FQDNS_WWW_CAPTURE_TRAEFIK_RULE="${DEPLOYMENT_FQDNS_WWW_CAPTURE_TRAEFIK_RULE}"
+DEPLOYMENT_FQDNS_WWW_CAPTURE_TRAEFIK_RULE='${DEPLOYMENT_FQDNS_WWW_CAPTURE_TRAEFIK_RULE}'
 PUBLIC_NETWORK=${PUBLIC_NETWORK}
 MONITORED_NETWORK=${MONITORED_NETWORK}