Initial SSL for swarm tutorial #107
Conversation
@@ -0,0 +1,319 @@ | |||
# SSL on Swarm with Traefik | |||
|
|||
To completely secure your OpenFaaS installation, you need SSL. On Swarm, you can do this easily with [Traefik][traefik] and [Let's Encrypt][letsencrypt]. Traefik is is reverse proxy that comes with SSL support via Let's Encrypt. In this tutorial we will show you how to deploy OpenFaaS with Traefik. |
Typo: `Traefik is is`
Are the double square brackets meant to be markdown links?
yes, they are link references where the definition or the link is provided at the bottom of the document: https://daringfireball.net/projects/markdown/syntax#link
A few typos / changes.
I think this guide should work on ARM too since traefik is multi arch:
Manifest List: Yes
Supported platforms:
- linux/amd64
- linux/arm/v6
- linux/arm64
I shall give it a run through on a Pi this afternoon.
|
||
## Create an A record | ||
|
||
If your domain is `.domain.com` then create an A record using your DNS administration panel such as `gateway.domain.com` or `openfaas.domain.com`. The required steps will vary depending on your domain provider and your cluster provider. For example; [on Google Cloud DNS](https://cloud.google.com/kubernetes-engine/docs/tutorials/configuring-domain-name-static-ip) or [with Route53 using AWS](https://kubernetes.io/docs/setup/custom-cloud/kops/#2-5-create-a-route53-domain-for-your-cluster). |
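Review bot: the A record must already resolve to a Swarm node on which Traefik's port 80 is reachable from the public Internet before the stack is deployed, because the HTTP-01 ACME challenge that the Traefik acme-http guide this tutorial follows relies on is answered by Traefik at that hostname; if the name does not resolve yet, the certificate request fails and the gateway comes up without a valid certificate. Suggest adding a check after this paragraph, e.g. `dig +short gateway.domain.com`, and telling the reader to confirm it returns the node's public IP before continuing.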
Query whether we should call out specific CSPs as examples if we aren't mentioning all of them.
This follows the statement in the k8s documentation. I will gladly add more, of course all is not possible
CSP?
Cloud service provider
## Update the Compose configuration | ||
|
||
### Configure Traefik | ||
To use Traefik with OpenFaaS, you need to modify the OpenFaaS deployment manifest to include Traefik and configuring OpenFaaS communicate through Traefik instead of directly exposing its services to the internet. |
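Review bot: "instead of directly exposing its services to the internet" has to become a concrete edit in this section, otherwise the TLS setup is bypassable. The `ports:` entry that publishes the gateway on the host must be removed from the gateway service, so that the only published ports in the stack are Traefik's 80 and 443; a reader who follows the steps as written and keeps the gateway's published port still has the plaintext gateway reachable from outside, with basic-auth credentials crossing the Internet in clear. In the same place, say that port 80 should only redirect to 443 rather than serve the gateway.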
Suggest amending "and configuring OpenFaaS communicate" to "and configure OpenFaaS to communicate".
'the' Internet has a capital, otherwise it's an internet.
- "acme:/etc/traefik/acme" | ||
... | ||
``` | ||
6. Next you must configure the networks the `traefix` service is part of. All OpenFaaS components live on the `functions` networks, which is also defined in the compose file. |
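Review bot: the `acme:/etc/traefik/acme` volume in this hunk holds the Let's Encrypt account key and the private keys of every issued certificate, and the text should say so rather than treat it as just a cache. Two practical consequences worth a sentence each: a named volume is local to the node it was created on, so the Traefik service needs to be pinned to that node or the next reschedule will start with an empty store and request fresh certificates; and the store must not be world-readable, Traefik rejects an `acme.json` whose mode is more permissive than 0600. Also `traefix` → `traefik`.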
typo traefix
|
||
- If you want to tail the Traefik logs, you can use | ||
```sh | ||
$ docker service ls -f traefik |
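Review bot: `docker service ls -f traefik` does not run as written, because `-f` on `service ls` is `--filter` and expects a `key=value` argument; the intended command is `docker service logs -f <stack>_traefik`, where `-f` means follow. The service name carries the stack prefix that `docker stack deploy` adds, so tell the reader to look the exact name up with `docker service ls` first instead of assuming it is `traefik`.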
should this be `logs`, rather than `ls`?
yes
``` | ||
You can see internet traffic logs as well as logs related to the Let's Encrypt certificate process. | ||
|
||
## Profit! |
I haven't seen profit used like this before?
It was something silly that I had added and quietly made it into the ssl for k8s docs, so I duplicated it here. I can remove both
I think this type of thing sounds better in personal blog posts where the reader is connecting with the writer.
I had to play with the quotes to get things working:
It seems that it works with double quotes as well and it's the mixture of the two that causes it problems. Before this I was plagued by:
I will clean up the quotes. That is something I copied and was then cleaning up from how I originally had it in my files, to standardize the mix of quotes that I had copied from other docs/tutorials.
$ git clone https://github.com/openfaas/faas && cd faas | ||
``` | ||
|
||
2. Add the `traefik` service to the `docker-compose.yaml`. |
I can see why you've gone for this approach, but it's going to be difficult for a user to follow all the edits. My gist had a separate version of the file for ease of use, but this would mean some maintenance.
What do you think to defining a new file and referencing the network as external maybe? See the Kafka connector as an example of this
|
||
On your first visit, the HTTP authentication dialogue box will open, you can login with the username `admin` and secure random password that the deploy script created for you when you deployed OpenFaaS. | ||
|
||
## Verify and Debug |
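Review bot: "Verify and Debug" currently only tails logs, which shows that Traefik ran but not that the gateway is actually being served with the Let's Encrypt certificate. Suggest two checks here: `curl -vI https://openfaas.mydomain.com/` and confirm in the handshake output that the certificate issuer is Let's Encrypt rather than Traefik's self-signed default, and `curl -I http://openfaas.mydomain.com/` to confirm plain HTTP answers with a redirect to HTTPS rather than serving the login dialogue; the second check is what distinguishes TLS being configured from TLS being enforced.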
This isn't verifying or debugging. How about "check the logs"?
I wanted to keep some of the structure from the k8s reference. I figured someone might be able to recommend other commands to put here? If not, I can change the title.
``` | ||
Replace `openfaas.mydomain.com` with your domain as well as adding the username `admin` and secure random password that the deploy script created for you when you deployed OpenFaaS. | ||
|
||
### Using the web UI |
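Review bot: the curl example this paragraph describes has the reader put the admin password on the command line, which lands it in shell history and exposes it to anyone on the host who can list processes. Suggest showing `curl -u admin https://openfaas.mydomain.com/...` without the password so curl prompts for it, or `--netrc` with the credentials in a mode-0600 `~/.netrc`, and keeping the literal password out of the snippet.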
Please prefer an active style for headings:
Use vs using
Setup vs setting up
Create a vs creating a
Lucas, it'll be great to provide users with an easy way to get SSL with LE for their OpenFaaS deployments. Thanks for working on this. Do you think there is a way to simplify the number of manual edits or use some scripts to help the user with some of the steps? Overall this looks to be much more involved than the cert-manager version. It may have to be that way, but I thought I'd mention it as my first impression.
Offhand, a script to edit the docker compose file seems like something that would be fragile and people would forget to check/test. We could create a demo project that contains the required edits, but we would need to ensure that it stays in sync with the base compose file. A lot of the content of the tutorial is partial explanations of what is changing. We could simplify the walkthrough by reducing the amount of description and skip right to the "copy this service and change these two other lines", but I think that will make it more opaque.
@alexellis I consolidated the traefik configuration into a single step as well as other streamlining and fixes, can you take another look?
@@ -0,0 +1,180 @@ | |||
# SSL on Swarm with Traefik |
TLS, not SSL.
@@ -0,0 +1,180 @@ | |||
# SSL on Swarm with Traefik | |||
|
|||
To completely secure your OpenFaaS installation, you need SSL. On Swarm, you can do this easily with [Traefik][traefik] and [Let's Encrypt][letsencrypt]. Traefik is a reverse proxy that comes with SSL support via Let's Encrypt. In this tutorial we will show you how to deploy OpenFaaS with Traefik. |
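Review bot: "To completely secure your OpenFaaS installation, you need SSL" overstates what this guide delivers, and the intro should name the specific guarantee instead. Traefik with a Let's Encrypt certificate encrypts and authenticates the hop between clients and the gateway; that matters here because the gateway is protected by HTTP basic auth, so without TLS the admin password crosses the Internet in clear on every request. It does nothing for traffic inside the `functions` overlay network between the gateway and the other OpenFaaS services. Suggest wording the opening paragraph around that, and using "TLS" rather than "SSL" throughout, since the certificates and the protocol being configured are TLS.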
Swarm = Docker Swarm (add a link)
SSL=TLS
"To completely secure your OpenFaaS installation, you need SSL" - I'm worried that this is a bit too optimistic.
How about something more specific / description, i.e. about enabling encryption between the gateway and the outside world? Why is that important?
An explanation of what and why you should use TLS is not included in the k8s document
Looks like it could use a refresh, but happy to merge if it's working.
**What** - Adds a new reference document to guide a user through installing OpenFaaS on Docker Swarm with Traefik as the proxy with ssl certs from Let's Encrypt Signed-off-by: Lucas Roesler <[email protected]>
**What** - Replace duplicate "is" with missing "a" in the opening statement Signed-off-by: Lucas Roesler <[email protected]>
**What** - Add missing "to" - Replace "the internate" with "publicaly" Signed-off-by: Lucas Roesler <[email protected]>
Signed-off-by: Lucas Roesler <[email protected]>
**What** - Replace `ls` with `logs` Signed-off-by: Lucas Roesler <[email protected]>
**What** - Remove the unnecessary single quotes Signed-off-by: Lucas Roesler <[email protected]>
Signed-off-by: Lucas Roesler <[email protected]>
**What** - Reduce the number of steps so that it is easier for people to see the required changes Signed-off-by: Lucas Roesler <[email protected]>
Signed-off-by: Lucas Roesler <[email protected]>
**What** - Remove the "all together" snippet since the modification is so small and it should be clear. This should make it easier for someone to see what is happening instead of a large block of yaml Signed-off-by: Lucas Roesler <[email protected]>
**What** - Update the instructions to use the latest Traefik version and base them on the Traefik user guide https://docs.traefik.io/user-guides/docker-compose/acme-http/ This also makes several other changes to improve the readability Signed-off-by: Lucas Roesler <[email protected]>
Description
Motivation and Context: Resolves #85
How Has This Been Tested? Tested on a DigitalOcean swarm cluster