Traefik & TLS - make it generic across domains

Frank Druillennec
2 min read · Jun 14, 2020

Introduction

Traefik is an open-source reverse proxy and load balancer, popular for its easy setup, its tight integration with container technologies (Docker, Kubernetes, AWS, …), its automatic service discovery and many more features.

In this article, we will go through a use case that makes the TLS configuration in Traefik as flexible and generic as possible in a containerized ecosystem.

Use-case

Whether at work or for your personal projects, you may use Traefik as a load balancer. Enabling TLS can become tough when you have to handle many domains and you don't want to duplicate Traefik configurations.

Let's say you work on a project toto; there would probably be (at least) three environments during the project: Development, UAT and Production, and so three domains (.dev.com, toto.staging.com and toto.com), and therefore three certificates to serve HTTPS.

To enable TLS, two files are required: the certificate file and the private key. As explained in the official documentation, for user-defined certificates the configuration has to be set in the part:

At runtime, Traefik expects to find these two files at the configured paths. If your application is containerized, the certificate and the private key have to be accessible from inside the container.

The problem is that these two files are not in the base image (which is normal). You cannot build one Docker image per domain (not a flexible solution). Nor can you store these files on the virtual machine where the container will run and mount them, because you cannot know in advance where it will run (it depends on the orchestrator and the availability of VMs).

So how could we configure the TLS part and make it generic, so that the same image can be used across your different projects, environments and domains?

Solution

The concept is to store the required files (certificate file and private key) in an external secured system (S3, Kubernetes secrets, Vault, …) and to fetch them and set them up inside the container when it starts, before running Traefik.

To perform that step, build a new Docker image (using the official Traefik image as base) with a new entrypoint that handles the download of the files and sets up the configuration for Traefik.

Given an environment variable set at start-up, the container will configure TLS accordingly.

The only requirement of that new image is to upload the certificate file and the private key of each domain to your external secured system. Once done, your new Traefik image can be used with TLS whatever the domain, for any new project.

In the file tls-configuration.yaml, only the section tls.certificates is provided. You should amend it with all your specific requirements and follow the official documentation (TLS configuration is not just about the certificates).
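To make the entrypoint idea concrete, here is an added example of such a script. It is not the article's own script (the author's repository is not reproduced here) and its variable names are assumptions: TLS_DOMAIN selects the domain, TLS_SECRET_SRC is a directory in which the orchestrator has already made the secret material available (a mounted Kubernetes secret, or a directory filled by an earlier S3 or Vault download), TLS_DEST_DIR is where the files are placed inside the container, and TRAEFIK_DYNAMIC_DIR is the directory Traefik's file provider watches. It fetches the two files, refuses empty ones, keeps the private key owner-readable only, optionally checks that the certificate and key belong together, renders the tls.certificates section of tls-configuration.yaml, and then hands over to Traefik.

```sh
#!/bin/sh
# Added example entrypoint for a Traefik-based image (not the article's own
# script). Variable names below are assumptions, not Traefik settings.
set -eu

TLS_DOMAIN="${TLS_DOMAIN:-}"                          # e.g. toto.com
TLS_SECRET_SRC="${TLS_SECRET_SRC:-/run/secrets}"      # where the secret store delivered the files
TLS_DEST_DIR="${TLS_DEST_DIR:-/etc/traefik/certs}"    # in-container location of cert and key
TRAEFIK_DYNAMIC_DIR="${TRAEFIK_DYNAMIC_DIR:-/etc/traefik/dynamic}"

# Copy <domain>.crt and <domain>.key from the secret source into the container.
# Empty or missing files are refused; the key is readable by the owner only.
# Usage: fetch_tls_files <src_dir> <domain> <dest_dir>
fetch_tls_files() {
  src="$1"; domain="$2"; dest="$3"
  mkdir -p "$dest"
  for ext in crt key; do
    if [ ! -s "$src/$domain.$ext" ]; then
      echo "entrypoint: missing or empty $src/$domain.$ext" >&2
      return 1
    fi
    cp "$src/$domain.$ext" "$dest/$domain.$ext"
  done
  chmod 644 "$dest/$domain.crt"
  chmod 600 "$dest/$domain.key"
}

# Render the tls.certificates section of Traefik's dynamic configuration.
# Usage: write_tls_config <cert_path> <key_path> <output_file>
write_tls_config() {
  mkdir -p "$(dirname "$3")"
  cat > "$3" <<EOF
tls:
  certificates:
    - certFile: $1
      keyFile: $2
EOF
}

# Optional sanity check: the public key inside the certificate must equal the
# public key derived from the private key. Skipped when openssl is not installed.
# Usage: verify_pair <cert_path> <key_path>
verify_pair() {
  command -v openssl >/dev/null 2>&1 || return 0
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
  key_pub="$(openssl pkey -in "$2" -pubout)"
  [ "$cert_pub" = "$key_pub" ]
}

main() {
  if [ -n "$TLS_DOMAIN" ]; then
    fetch_tls_files "$TLS_SECRET_SRC" "$TLS_DOMAIN" "$TLS_DEST_DIR"
    cert="$TLS_DEST_DIR/$TLS_DOMAIN.crt"
    key="$TLS_DEST_DIR/$TLS_DOMAIN.key"
    if ! verify_pair "$cert" "$key"; then
      echo "entrypoint: certificate and key do not match for $TLS_DOMAIN" >&2
      exit 1
    fi
    write_tls_config "$cert" "$key" "$TRAEFIK_DYNAMIC_DIR/tls-configuration.yaml"
  fi
  # Hand over to Traefik as PID 1, pointing its file provider at the rendered config.
  exec traefik --providers.file.directory="$TRAEFIK_DYNAMIC_DIR" "$@"
}

# Act as the entrypoint only when installed under that name, so the functions
# above can be sourced or exercised without starting Traefik.
case "$0" in *entrypoint.sh) main "$@" ;; esac
```

In the Dockerfile, build FROM the official Traefik image, COPY this script as /entrypoint.sh and set it as the ENTRYPOINT; the rendered file is just the tls.certificates section, so any further TLS options still have to be added as described above. Replace the cp in fetch_tls_files with whatever client your secured system needs if the files are not delivered as a mounted directory.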

I hope that the use case and the solution will fix some of your problems and give you some ideas for your projects. Don’t hesitate to comment.

All resources can be found on GitHub.

Frank
