From 85f273ce322ade75fb0d4f265cf8d0cda60b715d Mon Sep 17 00:00:00 2001 From: YuryHrytsuk Date: Thu, 5 Jun 2025 11:04:01 +0200 Subject: [PATCH 1/2] Traefik: use compose verson 3.12 Since introduction of traefik healthcheck we need settings that are not supported by 3.7 Bonus: * Remove unused dns and http compose files Related PR(s): * https://github.com/ITISFoundation/osparc-ops-environments/pull/1068
---
 services/traefik/Makefile | 22 --------- services/traefik/docker-compose.aws.yml | 3 +- services/traefik/docker-compose.dalco.yml | 3 +- .../docker-compose.letsencrypt.dns.yml.j2 | 19 ------- .../docker-compose.letsencrypt.http.yml | 49 ------------------- services/traefik/docker-compose.local.yml | 2 +- services/traefik/docker-compose.master.yml | 3 +- services/traefik/docker-compose.public.yml | 3 +- services/traefik/docker-compose.yml.j2 | 2 +- 9 files changed, 10 insertions(+), 96 deletions(-) delete mode 100644 services/traefik/docker-compose.letsencrypt.dns.yml.j2 delete mode 100644 services/traefik/docker-compose.letsencrypt.http.yml
diff --git a/services/traefik/Makefile b/services/traefik/Makefile
index c0f5ada1..95b20199 100644
--- a/services/traefik/Makefile
+++ b/services/traefik/Makefile
@@ -13,14 +13,6 @@ include ${REPO_BASE_DIR}/scripts/common.Makefile
 up-local: .init .create_secrets ${TEMP_COMPOSE}-local prune-docker-stack-configs ## Deploys the stack using provided certificates
 @docker stack deploy --with-registry-auth --prune --compose-file ${TEMP_COMPOSE}-local ${STACK_NAME}
-.PHONY: up-letsencrypt-http
-up-letsencrypt-http: .init ${TEMP_COMPOSE}-letsencrypt-http prune-docker-stack-configs ## Deploys the stack with let's encrypt http challenge
- @docker stack deploy --with-registry-auth --prune --compose-file ${TEMP_COMPOSE}-letsencrypt-http ${STACK_NAME}
-
-.PHONY: up-letsencrypt-dns
-up-letsencrypt-dns: .init ${TEMP_COMPOSE}-letsencrypt-dns prune-docker-stack-configs ## Deploys the stack with let's encrypt dns challenge
- @docker stack deploy --with-registry-auth --prune --compose-file ${TEMP_COMPOSE}-dns ${STACK_NAME}
-
 .PHONY: up-dalco
 up-dalco: .init ${TEMP_COMPOSE}-dalco prune-docker-stack-configs ## Deploys the stack on dalco cluster
 @docker stack deploy --with-registry-auth --prune --compose-file ${TEMP_COMPOSE}-dalco ${STACK_NAME}
@@ -56,20 +48,6 @@ ${TEMP_COMPOSE}-local: docker-compose.yml docker-compose.local.yml .env
 set +o allexport; \
 ${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< docker-compose.local.yml > $@
-.PHONY: ${TEMP_COMPOSE}-letsencrypt-http
-${TEMP_COMPOSE}-letsencrypt-http: docker-compose.yml docker-compose.letsencrypt.http.yml .env
- @set -o allexport; \
- source .env; \
- set +o allexport; \
- ${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< docker-compose.letsencrypt.http.yml > $@
-
-.PHONY: ${TEMP_COMPOSE}-letsencrypt-dns
-${TEMP_COMPOSE}-letsencrypt-dns: docker-compose.yml docker-compose.letsencrypt.dns.yml .env
- @set -o allexport; \
- source .env; \
- set +o allexport; \
- ${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< docker-compose.letsencrypt.dns.yml > $@
-
 .PHONY: ${TEMP_COMPOSE}-aws
 ${TEMP_COMPOSE}-aws: docker-compose.yml docker-compose.aws.yml .env
 @set -o allexport; \
diff --git a/services/traefik/docker-compose.aws.yml b/services/traefik/docker-compose.aws.yml
index 7a2dd5b8..d76a3edc 100644
--- a/services/traefik/docker-compose.aws.yml
+++ b/services/traefik/docker-compose.aws.yml
@@ -1,4 +1,5 @@
-version: "3.7"
+version: "3.12"
+
 services:
 traefik:
 command:
diff --git a/services/traefik/docker-compose.dalco.yml b/services/traefik/docker-compose.dalco.yml
index b1a5e159..cb850253 100644
--- a/services/traefik/docker-compose.dalco.yml
+++ b/services/traefik/docker-compose.dalco.yml
@@ -1,4 +1,5 @@
-version: "3.7"
+version: "3.12"
+
 services:
 traefik:
 command:
diff --git a/services/traefik/docker-compose.letsencrypt.dns.yml.j2 b/services/traefik/docker-compose.letsencrypt.dns.yml.j2
deleted file mode 100644
index ecf0d33d..00000000
--- a/services/traefik/docker-compose.letsencrypt.dns.yml.j2
+++ /dev/null
@@ -1,19 +0,0 @@
-version: '3.7'
-services:
- traefik:
- deploy:
- labels:
- - traefik.http.routers.www-catchall.tls.certresolver=myresolver
- - traefik.http.routers.api.tls.certresolver=myresolver
- - traefik.http.middlewares.ops_whitelist_ips.ipallowlist.sourcerange=${TRAEFIK_IPWHITELIST_SOURCERANGE}
- # What follows is a tested workaround to ensure letsencrypt certificates for products' domains are generated
-{% for j2item in DEPLOYMENT_FQDNS.split(",") + [MACHINE_FQDN] + CERTIFICATE_GENERATION_FQDNS.split(",") %}
-{% if j2item and j2item.replace('@','').replace(' ','').replace('.','').replace('-','').replace('\'','') != "" %}
- - traefik.http.routers.{{j2item.replace('@','').replace(' ','').replace('.','').replace('-','').replace('\'','')}}.tls.domains[0].main=service.{{j2item.replace(' ','').replace('\'','')}}
- - traefik.http.routers.{{j2item.replace('@','').replace(' ','').replace('.','').replace('-','').replace('\'','')}}.tls.domains[0].sans=*.services.{{j2item.replace(' ','').replace('\'','')}}
- - traefik.http.routers.{{j2item.replace('@','').replace(' ','').replace('.','').replace('-','').replace('\'','')}}testing.tls.domains[0].main=service.testing.{{j2item.replace(' ','').replace('\'','')}}
- - traefik.http.routers.{{j2item.replace('@','').replace(' ','').replace('.','').replace('-','').replace('\'','')}}testing.tls.domains[0].sans=*.services.testing.{{j2item.replace(' ','').replace('\'','')}}
- - traefik.http.routers.{{j2item.replace('@','').replace(' ','').replace('.','').replace('-','').replace('\'','')}}testing.tls.certresolver=myresolver
- - traefik.http.routers.{{j2item.replace('@','').replace(' ','').replace('.','').replace('-','').replace('\'','')}}.tls.certresolver=myresolver
-{% endif %}
-{% endfor %}
diff --git a/services/traefik/docker-compose.letsencrypt.http.yml b/services/traefik/docker-compose.letsencrypt.http.yml
deleted file mode 100644
index 9d98779e..00000000
--- a/services/traefik/docker-compose.letsencrypt.http.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-version: "3.7"
-services:
- traefik:
- command:
- - "--api=true"
- - "--ping=true"
- - "--entryPoints.ping.address=:9082"
- - "--ping.entryPoint=ping"
- - "--api.dashboard=true"
- - "--log.level=${OPS_TRAEFIK_LOGLEVEL}"
- - "--accesslog=false"
- - "--metrics.prometheus=true"
- - "--metrics.prometheus.addEntryPointsLabels=true"
- - "--metrics.prometheus.addServicesLabels=true"
- - "--entryPoints.metrics.address=:8082"
- - "--metrics.prometheus.entryPoint=metrics"
- - "--entryPoints.http.address=:80"
- - "--entryPoints.http.transport.respondingTimeouts.idleTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805
- - "--entryPoints.http.transport.respondingTimeouts.writeTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805
- - "--entryPoints.http.transport.respondingTimeouts.readTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805
- - "--entryPoints.https.address=:443"
- - "--providers.swarm.endpoint=unix:///var/run/docker.sock"
- - "--providers.swarm.exposedByDefault=false"
- - "--providers.swarm.constraints=!LabelRegex(`io.simcore.zone`, `.+`)"
- - "--core.defaultRuleSyntax=v2"
- - "--tracing=true"
- - "--tracing.addinternals"
- - "--tracing.otlp=true"
- - "--tracing.otlp.http=true"
- - "--certificatesresolvers.lehttpchallenge.acme.httpchallenge=true"
- - "--certificatesresolvers.lehttpchallenge.acme.httpchallenge.entrypoint=http"
- - "--certificatesresolvers.lehttpchallenge.acme.email=${OSPARC_DEVOPS_MAIL_ADRESS}"
- - "--certificatesresolvers.lehttpchallenge.acme.storage=/letsencrypt/acme.json"
- # uncomment the caserver when testing such that let's encrypt does not ban us
- - '--certificatesresolvers.lehttpchallenge.acme.caserver=${OPS_TRAEFIK_LETSENCRYPT_ACME_CA_SERVER}'
- volumes:
- - "letsencrypt_certs:/letsencrypt"
- deploy:
- labels:
- - traefik.http.routers.api.tls.certresolver=lehttpchallenge
- whoami:
- deploy:
- labels:
- - traefik.http.routers.whoami.tls.certresolver=lehttpchallenge
- networks:
- - public
-
-volumes:
- letsencrypt_certs:
diff --git a/services/traefik/docker-compose.local.yml b/services/traefik/docker-compose.local.yml
index cc157037..04d2f6e0 100644
--- a/services/traefik/docker-compose.local.yml
+++ b/services/traefik/docker-compose.local.yml
@@ -1,4 +1,4 @@
-version: "3.7"
+version: "3.12"
 services:
 traefik:
diff --git a/services/traefik/docker-compose.master.yml b/services/traefik/docker-compose.master.yml
index 14d5af8a..5b8aa0c3 100644
--- a/services/traefik/docker-compose.master.yml
+++ b/services/traefik/docker-compose.master.yml
@@ -1,4 +1,5 @@
-version: "3.7"
+version: "3.12"
+
 services:
 traefik:
 command:
diff --git a/services/traefik/docker-compose.public.yml b/services/traefik/docker-compose.public.yml
index adb3df3f..3954a57e 100644
--- a/services/traefik/docker-compose.public.yml
+++ b/services/traefik/docker-compose.public.yml
@@ -1,4 +1,5 @@
-version: "3.7"
+version: "3.12"
+
 services:
 traefik:
 dns: 8.8.8.8 # This is critical to make the ACME challange work
diff --git a/services/traefik/docker-compose.yml.j2 b/services/traefik/docker-compose.yml.j2
index 2a606e5a..bc951c8a 100644
--- a/services/traefik/docker-compose.yml.j2
+++ b/services/traefik/docker-compose.yml.j2
@@ -1,4 +1,4 @@
-version: "3.7"
+version: "3.12"
 services:
 traefik:
From d39261c7c2a5b6fc2fe0d3b88ec2fe64c47aa794 Mon Sep 17 00:00:00 2001 From: YuryHrytsuk Date: Thu, 5 Jun 2025 11:15:11 +0200 Subject: [PATCH 2/2] Remove compose version as it is obsolete Read more: https://docs.docker.com/reference/compose-file/version-and-name/
---
 services/traefik/docker-compose.aws.yml | 2 -- services/traefik/docker-compose.dalco.yml | 2 -- services/traefik/docker-compose.local.yml | 2 -- services/traefik/docker-compose.master.yml | 2 -- services/traefik/docker-compose.public.yml | 2 -- services/traefik/docker-compose.yml.j2 | 2 -- 6 files changed, 12 deletions(-)
diff --git a/services/traefik/docker-compose.aws.yml b/services/traefik/docker-compose.aws.yml
index d76a3edc..325419c5 100644
--- a/services/traefik/docker-compose.aws.yml
+++ b/services/traefik/docker-compose.aws.yml
@@ -1,5 +1,3 @@
-version: "3.12"
-
 services:
 traefik:
 command:
diff --git a/services/traefik/docker-compose.dalco.yml b/services/traefik/docker-compose.dalco.yml
index cb850253..a6a27fad 100644
--- a/services/traefik/docker-compose.dalco.yml
+++ b/services/traefik/docker-compose.dalco.yml
@@ -1,5 +1,3 @@
-version: "3.12"
-
 services:
 traefik:
 command:
diff --git a/services/traefik/docker-compose.local.yml b/services/traefik/docker-compose.local.yml
index 04d2f6e0..418f37ef 100644
--- a/services/traefik/docker-compose.local.yml
+++ b/services/traefik/docker-compose.local.yml
@@ -1,5 +1,3 @@
-version: "3.12"
-
 services:
 traefik:
 command:
diff --git a/services/traefik/docker-compose.master.yml b/services/traefik/docker-compose.master.yml
index 5b8aa0c3..fb1280bb 100644
--- a/services/traefik/docker-compose.master.yml
+++ b/services/traefik/docker-compose.master.yml
@@ -1,5 +1,3 @@
-version: "3.12"
-
 services:
 traefik:
 command:
diff --git a/services/traefik/docker-compose.public.yml b/services/traefik/docker-compose.public.yml
index 3954a57e..a1533362 100644
--- a/services/traefik/docker-compose.public.yml
+++ b/services/traefik/docker-compose.public.yml
@@ -1,5 +1,3 @@
-version: "3.12"
-
 services:
 traefik:
 dns: 8.8.8.8 # This is critical to make the ACME challange work
diff --git a/services/traefik/docker-compose.yml.j2 b/services/traefik/docker-compose.yml.j2
index bc951c8a..f3a00b99 100644
--- a/services/traefik/docker-compose.yml.j2
+++ b/services/traefik/docker-compose.yml.j2
@@ -1,5 +1,3 @@
-version: "3.12"
-
 services:
 traefik:
 image: "traefik:v3.4.0"