diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index a1e66bd..bf942b1 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -3,7 +3,7 @@ image: $CI_REGISTRY/$CI_PROJECT_NAMESPACE/hub/auto-deploy-image:latest
 variables:
   DOCKER_DRIVER: overlay2
   DOCKER_TLS_CERTDIR: "/certs"
-  TRAEFIK_VERSION: 1.7-alpine
+  TRAEFIK_VERSION: "2.1"
   PORTAINER_VERSION: latest
   PSU_IMAGE: ${CI_REGISTRY_IMAGE}/builds
   PSU_TAG: $CI_COMMIT_SHA
diff --git a/tests/dockerfiles/docker-stack-portainer.yml b/tests/dockerfiles/docker-stack-portainer.yml
index e41b515..f5666b2 100644
--- a/tests/dockerfiles/docker-stack-portainer.yml
+++ b/tests/dockerfiles/docker-stack-portainer.yml
@@ -3,13 +3,20 @@ version: '3.6'
 services:
   portainer:
     image: portainer/portainer:$PORTAINER_VERSION
-    command: --admin-password-file '/run/secrets/portainer-password'
+    command: --admin-password-file '/run/secrets/portainer-password' --no-analytics
     labels:
       - traefik.enable=true
-      - traefik.frontend.rule=Host:portainer.$BASE_DOMAIN
-      - traefik.frontend.redirect.entryPoint=https
-      - traefik.backend=portainer
-      - traefik.port=9000
+      - traefik.docker.network=traefik-net
+      # HTTPS route
+      - "traefik.http.routers.portainer.entrypoints=https"
+      - "traefik.http.routers.portainer.rule=Host(`portainer.$BASE_DOMAIN`)"
+      - "traefik.http.routers.portainer.tls=true"
+      - traefik.http.middlewares.retry-if-fails.retry.attempts=10
+      - traefik.http.middlewares.https-only.redirectscheme.scheme=https
+      - traefik.http.middlewares.secured.chain.middlewares=retry-if-fails,https-only
+      - traefik.http.routers.portainer.middlewares=secured
+      # Service
+      - traefik.http.services.portainer.loadbalancer.server.port=9000
     networks:
       - traefik-net
     environment:
diff --git a/tests/dockerfiles/docker-stack-traefik.yml b/tests/dockerfiles/docker-stack-traefik.yml
index eff9961..c43f951 100644
--- a/tests/dockerfiles/docker-stack-traefik.yml
+++ b/tests/dockerfiles/docker-stack-traefik.yml
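Review bot: The HTTP→HTTPS redirect that `traefik.frontend.redirect.entryPoint=https` provided is lost in the new portainer labels: the `portainer` router is bound to the `https` entrypoint only, so a plain-HTTP request for portainer.$BASE_DOMAIN matches no router (a 404 rather than a redirect), and the `https-only` redirectscheme middleware in the `secured` chain only ever runs on requests that already arrived over HTTPS. With the image pinned to `2.1` (entrypoint-level redirections are, as far as I recall, a 2.2 feature), the fix is a second router on the `http` entrypoint that carries the redirect: `- traefik.http.routers.portainer-http.entrypoints=http`, the same Host rule under `traefik.http.routers.portainer-http.rule`, and `- traefik.http.routers.portainer-http.middlewares=https-only`. The same gap exists for the `traefik` and `web-php-app` routers in the next two files. The `retry-if-fails`, `https-only` and `secured` middlewares are also redefined in all three stacks; the docker provider tolerates that only while the definitions stay identical, so defining them once (the traefik stack already does) and merely referencing `secured` here would remove a drift hazard. The `portainer` service block continues past the end of the hunk.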
@@ -5,26 +5,32 @@ services:
     image: traefik:$TRAEFIK_VERSION
     # Enables the web UI and tells Traefik to listen to docker
     command:
-      - --api
-      - --docker
-      - --docker.watch
-      - --defaultEntryPoints=http,https
-      # IMPORTANT: The `retry.attempts` param is required to allow zero (1s) downtime deployment
-      - --retry.attempts=10
-      - "--entryPoints=Name:http Address::80"
-      - "--entryPoints=Name:https Address::443 TLS WhiteList.UseXForwardedFor:true"
-      - --docker.exposedbydefault=false
+      - --providers.docker=true
+      - --providers.docker.watch=true
+      - --providers.docker.exposedbydefault=false
+      - --entryPoints.http.address=:80
+      - --entryPoints.https.address=:443
+      - --api.dashboard=true
     environment:
       - HTTP_PROXY
       - HTTPS_PROXY
       - http_proxy
       - https_proxy
       - NO_PROXY
+    labels:
+      - "traefik.enable=true"
+      - traefik.docker.network=traefik-net
+      - traefik.http.middlewares.retry-if-fails.retry.attempts=10
+      - traefik.http.middlewares.https-only.redirectscheme.scheme=https
+      - traefik.http.middlewares.secured.chain.middlewares=retry-if-fails,https-only
+      - "traefik.http.routers.traefik.entrypoints=https"
+      - "traefik.http.routers.traefik.rule=Host(`traefik.$BASE_DOMAIN`)"
+      - "traefik.http.routers.traefik.middlewares=secured"
+      - "traefik.http.routers.traefik.tls=true"
+      - "traefik.http.routers.traefik.service=api@internal"
     ports:
       - "80:80"
       - 443:443
-      # The Web UI (enabled by --api)
-      - "8080:8080"
     networks:
       - traefik-net
     volumes:
diff --git a/tests/dockerfiles/docker-stack-web-app.yml b/tests/dockerfiles/docker-stack-web-app.yml
index 2799385..cfc1f60 100644
--- a/tests/dockerfiles/docker-stack-web-app.yml
+++ b/tests/dockerfiles/docker-stack-web-app.yml
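Review bot: The `traefik` router publishes `api@internal` (dashboard and API) at traefik.$BASE_DOMAIN with only the `secured` chain, which is retry plus scheme redirect, so nothing authenticates access to it; the removed `8080:8080` publication was equally open, but a host-routed HTTPS endpoint is much easier to mistake for a hardened setup. If this stack is ever reused outside the test runner, put an auth middleware in front of it, e.g. `- "traefik.http.middlewares.dashboard-auth.basicauth.users=<htpasswd entry, placeholder>"` and `- "traefik.http.routers.traefik.middlewares=secured,dashboard-auth"`, or limit it with an `ipwhitelist` middleware. A comment above `--api.dashboard=true` such as `# dashboard is reachable only through the api@internal router below; --api.insecure is intentionally not set` would also document why port 8080 is no longer published. The service definition continues past the hunk (`volumes:`).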
@@ -37,10 +37,18 @@ services:
     image: $CI_REGISTRY/$CI_PROJECT_NAMESPACE/hub/testing/psu-apache2:latest
     labels:
       - traefik.enable=true
-      - "traefik.frontend.rule=Host:$PSU_STACK_NAME.$BASE_DOMAIN"
-      - traefik.frontend.redirect.entryPoint=https
-      - traefik.backend=web-php-app
-      - traefik.port=5000
+      - traefik.docker.network=traefik-net
+      # HTTPS route
+      - "traefik.http.routers.web-php-app.entrypoints=https"
+      - "traefik.http.routers.web-php-app.rule=Host(`$PSU_STACK_NAME.$BASE_DOMAIN`)"
+      - "traefik.http.routers.web-php-app.tls=true"
+      # IMPORTANT: The `retry.attempts` middleware is required to allow zero (1s) downtime deployment
+      - traefik.http.middlewares.retry-if-fails.retry.attempts=10
+      - traefik.http.middlewares.https-only.redirectscheme.scheme=https
+      - traefik.http.middlewares.secured.chain.middlewares=retry-if-fails,https-only
+      - traefik.http.routers.web-php-app.middlewares=secured
+      # Service
+      - traefik.http.services.web-php-app.loadbalancer.server.port=5000
     environment:
       - HTTP_PROXY
       - HTTPS_PROXY
@@ -49,7 +57,6 @@ services:
       - NO_PROXY
     volumes:
       - php-runner:/var/run/php
-    stop_signal: SIGWINCH
     deploy:
       update_config:
         failure_action: rollback
diff --git a/tests/run.sh b/tests/run.sh
index 98ce55f..996242d 100644
--- a/tests/run.sh
+++ b/tests/run.sh
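Review bot: The second hunk (@@ -49) drops `stop_signal: SIGWINCH` from `web-php-app`, which is unrelated to the Traefik 2 label migration and changes shutdown semantics: Docker then sends SIGTERM, and for Apache httpd that is an immediate stop rather than the graceful one WINCH requests, so in-flight requests can be cut during a rolling update even though the `retry-if-fails` middleware in the first hunk is kept precisely for zero-downtime deploys. If the removal is deliberate (for example because the image now traps SIGTERM itself, which is not visible here), a one-line comment or a sentence in the commit message should say so; otherwise restore `    stop_signal: SIGWINCH`. The `deploy:` block continues past the end of the hunk.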
@@ -44,9 +44,9 @@ docker swarm init
 # Deploy Traefik test
 # Parse the Docker traefik stack file to deploy
-envsubst '$TRAEFIK_VERSION' < dockerfiles/docker-stack-traefik.yml > dockerfiles/docker-stack-traefik-final.yml
+envsubst '$TRAEFIK_VERSION,$BASE_DOMAIN' < dockerfiles/docker-stack-traefik.yml > dockerfiles/docker-stack-traefik-final.yml
 docker stack deploy -c dockerfiles/docker-stack-traefik-final.yml traefik --with-registry-auth
-bash -c "timeout 20 bash -c 'while ! (echo > /dev/tcp/cluster/443 && curl -fs --max-time 2 http://cluster:8080/dashboard/) >/dev/null 2>&1; do sleep 1; done;'"
+bash -c "timeout 20 bash -c 'while ! (echo > /dev/tcp/cluster/443 && curl -fks --max-time 2 https://traefik.$BASE_DOMAIN/dashboard/) >/dev/null 2>&1; do sleep 1; done;'"
 
 # Deploy Portainer test
 echo -n $PSU_PASSWORD | docker secret create portainer-password -
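Review bot: The readiness probe now needs `traefik.$BASE_DOMAIN` to resolve from the runner, whereas before it hit the `cluster` host directly; if the name does not resolve, the loop just spins until `timeout 20` expires, and nothing in this hunk checks the exit status of the outer `bash -c`, so the failure only surfaces later with a less obvious error. Keeping the probe pinned to the cluster address avoids the DNS dependency: `curl -fks -H "Host: traefik.$BASE_DOMAIN" --max-time 2 https://cluster/dashboard/` should still match the router's `Host()` rule, and `|| exit 1` after the outer `bash -c` makes the timeout fatal unless the script already runs under `set -e` (not visible here). The `-k` is justified because no certificate resolver is configured for the `tls=true` routers in the stack files, so Traefik serves its default self-signed certificate; a short comment saying so (`# -k: the test stack serves Traefik's default self-signed certificate`) keeps that flag from being copied into non-test scripts.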