
I am running around 20 service stacks on a docker swarm host that all expose their individual https frontends which are protected by basic auth using Traefik (same username and password for all services).

I would love to centrally manage the .htpassword file or username/passwordHash, so that if there is a requirement for a password change, I can do it once and it will affect all services immediately or after redeployment. I am using Swarmpit to orchestrate Docker Swarm.

I looked into Docker Secrets and Docker Configs but both seem to be immutable if actively used by a running service. I also thought about environment variables, but I cannot really find my way through.

How should I go about this?

Jabb

2 Answers


You can potentially do this with a shared volume, placing the file in one volume and having all the containers mount that volume. If the swarm containers are spread across multiple nodes, you would need to either mount a network volume (e.g. NFS), or update the volume on each host individually.

This sort of use case is precisely what a docker secret or docker config are designed to solve. You inject the contents of the file into the secret/config, and docker automatically deploys that to each node where the service is being run.

Yes, these are immutable. And you won't hot swap these in an existing container. When you make the change and it's managed by swarm, you will get a rolling update of the services. What I've done to manage this in my environment is to inject a version number of the secret/config as an environment variable, and update that variable using a script. I've got that script and example usage up here: https://github.com/sudo-bmitch/docker-config-update

BMitch
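The versioned-config rotation this answer describes, written out as an added example (this is not the script from the linked repository). It assumes a config name prefix such as `htpasswd`, a list of services that mount the config, and a target path inside the container; the `run` parameter exists so the docker calls can be swapped for a recorder when testing.

```python
"""Rotate an immutable Swarm config by creating <prefix>-v(N+1) and
re-pointing each service at it, which makes Swarm roll the services.

Added example, not the answer's own script. Prefix, target path and
service names are assumptions supplied by the caller."""
import re
import subprocess
import sys
from typing import Callable, Dict, Iterable, List


def run_docker(args: List[str], stdin: str = "") -> str:
    """Run one docker CLI command and return its stdout; raises on a non-zero exit."""
    proc = subprocess.run(
        ["docker", *args], input=stdin, capture_output=True, text=True, check=True
    )
    return proc.stdout


def latest_version(prefix: str, names: Iterable[str]) -> int:
    """Highest N among config names shaped like <prefix>-vN (0 when none exist)."""
    pattern = re.compile(rf"^{re.escape(prefix)}-v(\d+)$")
    versions = [int(m.group(1)) for n in names if (m := pattern.match(n))]
    return max(versions, default=0)


def rotate_config(
    prefix: str,
    content: str,
    services: List[str],
    target: str,
    run: Callable[..., str] = run_docker,
) -> Dict[str, object]:
    """Create the next config version from `content` and roll it out.

    Swarm configs cannot be changed in place, so a new name is created and
    each service gets `--config-rm old --config-add new`; every
    `docker service update` triggers that service's rolling update.
    Returns what was done so callers (and tests) can check it.
    """
    existing = run(["config", "ls", "--format", "{{.Name}}"]).split()
    current = latest_version(prefix, existing)
    old_name = f"{prefix}-v{current}" if current else None
    new_name = f"{prefix}-v{current + 1}"

    # "-" reads the payload from stdin, so the credentials never touch a temp file
    run(["config", "create", new_name, "-"], stdin=content)

    for svc in services:
        args = ["service", "update"]
        if old_name:
            args += ["--config-rm", old_name]
        args += ["--config-add", f"source={new_name},target={target}", svc]
        run(args)
    return {"old": old_name, "new": new_name, "updated": list(services)}


if __name__ == "__main__":
    # usage: rotate_config.py <prefix> <target-path> <htpasswd-file> <service> [<service> ...]
    prefix, target, path, *svcs = sys.argv[1:]
    with open(path) as fh:
        print(rotate_config(prefix, fh.read(), svcs, target))
```

Old config versions are left in place on purpose: a service that fails its rolling update can be rolled back to the previous name, and removing `<prefix>-vN` while a task still references it would fail anyway. Prune them once every service reports the new version.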

If you don't want to use docker secrets/configs for this then you can do the following (for Traefik 2.1):

First add a dynamic configuration directory to your traefik config

--providers.file.directory=/my/path/to/dynamic/conf
--providers.file.watch=true

Then mount a volume in this location and create your middleware file (middlewares.yml for example)

http:
  middlewares:
    defaultAuth:
      basicAuth:
        users:
          - "admin:$apr1$13r2hvw0$Oljx0V7CwdQJG7WxLWRVt0" # correcthorsebatterystaple

Now you can edit your users array and traefik will pick the changes automatically.

To use the middleware just reference it on your docker labels:

- traefik.http.routers.<my_router_name>.middlewares=defaultAuth@file

For traefik 1.x you could add the following label

- traefik.frontend.auth.basic.usersFile=/path/.htpasswd

Then update the file when needed and restart the affected services. I don't use 1.x anymore so that one isn't tested.

codestation
  • Thanks. Will this work for Traefik 1.7 due to the usage of middlewares? – Jabb Feb 19 '20 at 04:44
  • @Jabb no, the middleware config is exclusive to 2.x version. I updated my answer with a 1.7 workaround but I am not sure if it requires restarting the services after changes on the htpasswd file. You should update anyway since I don't expect that they maintain the 1.7 branch for too long. – codestation Feb 19 '20 at 17:15
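An added example (not codestation's code) that produces the `users:` entries for the watched middleware file in the same `$apr1$` format the answer uses. `apr1_hash` follows Apache's `apr_md5_encode`, so its output is interchangeable with `htpasswd -m`; the middleware name `defaultAuth`, the output path, and the demo user names and passwords are assumptions. The file is written via a temporary name and `os.replace` so the file provider's watcher never reads a half-written document.

```python
"""Render Traefik's basicAuth middleware file with freshly hashed users.

Added example, not from the answer. apr1_hash mirrors Apache's
apr_md5_encode (MD5-crypt with the "$apr1$" magic)."""
import hashlib
import os
import secrets

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Apache's to64(): `count` sextets of `value`, least significant first."""
    return "".join(_ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))


def apr1_hash(password, salt=""):
    """Return "$apr1$<salt>$<22 chars>"; a random 8-char salt is drawn if none is given."""
    if not salt:
        salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    salt = salt[:8]
    pw, sb = password.encode(), salt.encode()

    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:            # mix `alt` in, one slice per 16 password bytes
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                     # the length bit-pattern step of the reference
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):           # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order
    )
    encoded += _to64(final[11], 2)
    return "$apr1$" + salt + "$" + encoded


def verify_apr1(password, entry):
    """Constant-time check of `password` against a "$apr1$salt$hash" string."""
    parts = entry.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return secrets.compare_digest(apr1_hash(password, parts[2]), entry)


def render_middleware(users, name="defaultAuth"):
    """Render http.middlewares.<name>.basicAuth.users; `users` maps name -> plaintext."""
    lines = ["http:", "  middlewares:", f"    {name}:", "      basicAuth:", "        users:"]
    for user, password in users.items():
        if ":" in user:
            raise ValueError("user names may not contain ':'")
        lines.append(f'          - "{user}:{apr1_hash(password)}"')
    return "\n".join(lines) + "\n"


def parse_users(yaml_text):
    """Read user -> hash pairs back out of a rendered file (fixed layout, no YAML lib)."""
    entries = {}
    for line in yaml_text.splitlines():
        line = line.strip()
        if line.startswith('- "') and line.endswith('"'):
            user, _, digest = line[3:-1].partition(":")
            entries[user] = digest
    return entries


def write_middleware_file(path, users, name="defaultAuth"):
    """Write atomically (temp file + rename) so the watcher sees old or new, never partial."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(render_middleware(users, name))
    os.replace(tmp, path)


if __name__ == "__main__":
    # constructed demo credentials; in practice read them from a prompt or a vault
    write_middleware_file("middlewares.yml", {"admin": "correcthorsebatterystaple"})
    print(open("middlewares.yml").read())
```

Because every call to `apr1_hash` draws a new salt, rewriting the file also rotates the salts; Traefik compares hashes per request, so nothing else needs to change. Keep the file's permissions tight (it is the only secret-bearing artifact in this scheme) and prefer the bcrypt variant when your `htpasswd` supports it, since apr1 is an MD5 construction.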