docker-traefik-cloudflare-companion
docker-traefik-cloudflare-companion copied to clipboard
tiredofit
Enchancement: Support for Docker Secrets
I would like to request an update to add in feature support Docker Secrets passing values to the container.
Hi there. I added this in version 5.0.0 and 6.0.0 (pyre python rebuild) and am getting reports it's not working. Will be adding a new development release shortly with some debugging code so I can get some logs to look at. Will be a day or so.
brilliant will this be under the "latest" tag or another one for the dockerhub image
You can try tag 6.0.2 for your secrets of CF_EMAIL and CF_TOKEN - Let me know.
You can try tag
6.0.2for your secrets of CF_EMAIL and CF_TOKEN - Let me know.
I will give it a try but there isn't a 6.0.2 only 6.0.1 ?
Using the email and global api token appears to be working for me. Since I'm using Traefik with secrets, I wound up creating a second secret for both email and API that point to the same folder since the ENV variable names were different. This appears to be working for me. If there is a better way to somehow alias different secrets to the same file without redundant global declarations I'd be interested in that.
Using any name for the secrets with the container here except for cf_email and cf_token did not work, as expected.
cloudflare_email:
file: $SECRETSDIR/cloudflare_email
cf_email:
file: $SECRETSDIR/cloudflare_email
cloudflare_api_key:
file: $SECRETSDIR/cloudflare_api_key
cf_token:
file: $SECRETSDIR/cloudflare_api_key
########################### SERVICES - FRONT ENDS
# Traefik 2 - Reverse Proxy & LetsEncrypt Certs
traefik:
image: traefik:picodon
container_name: traefik
restart: always
networks:
- $TRAEFIK_NETWORK
- $SOCKET_NETWORK
security_opt:
- no-new-privileges
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
volumes:
- $DOCKERDIR/traefik/rules:/rules
- $DOCKERDIR/traefik/acme/acme.json:/acme.json
- $DOCKERDIR/traefik/traefik.log:/traefik.log
- $DOCKERDIR/traefik/traefik.yml:/traefik.yml:ro
environment:
- CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
- CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
secrets:
- cloudflare_email
- cloudflare_api_key
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.traefik-rtr.entrypoints=https"
- "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
## Middlewares
- "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file"
## HTTP Services
- "traefik.http.routers.traefik-rtr.service=api@internal"
# Cloudflare-Companion - Automatic container CNAME DNS Creation
cloudflare-companion:
image: tiredofit/traefik-cloudflare-companion
container_name: cloudflare-companion
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- $SOCKET_NETWORK
depends_on:
- socket-proxy
environment:
- TIMEZONE=$TZ
- TRAEFIK_VERSION=2
- CF_EMAIL_FILE=/run/secrets/cf_email
- CF_TOKEN_FILE=/run/secrets/cf_token
- CONTAINER_LOG_LEVEL=info
- TARGET_DOMAIN=$DOMAINNAME
- DOMAIN1=$DOMAINNAME
- DOMAIN1_ZONE_ID=$CF_API_ZONE_ID
- DOMAIN1_PROXIED=TRUE
- DOCKER_HOST=tcp://socket-proxy:2375
secrets:
- cf_email
- cf_token
If there is a better way to somehow alias different secrets to the same file without redundant global declarations I'd be interested in that.
There is no better way than that. The issue is that the python function used is not processing secrets the "traditional way".
email = get_docker_secret('CF_EMAIL', autocast_name=True, getenv=True)
It basically goes directly to the /run/secrets directory to find a file named "cf_email", and if not found, fallback on an env variable named "CF_EMAIL". It ignores your CF_EMAIL_FILE and CF_TOKEN_FILE env vars.
To avoid duplication, you would have to set CF_API_EMAIL_FILE=/run/secrets/cf_email for traefik.
