homelab/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add AWS ECS provider

Browse source 
* add ecs provider

* add ecs docs

* fix test after rebase

* add provider icon

* add missing addProvider call

* Fix for review

* Fix documentation

* Fix for review

* Fix documentation

* fix ctx usage

* autoDiscoverClusters setDefaults false

* Fix for review

* review: doc.

* Fix for review: add ctx in backoff retry

* review: linter.

Co-authored-by: Michael <michael.matur@gmail.com>
Co-authored-by: romain <romain@containo.us>
Co-authored-by: Fernandez Ludovic <ludovic@containo.us>
This commit is contained in:
Alessandro Chitolina 2020-07-15 16:28:04 +02:00 committed by GitHub
parent 6e4f5821dc
commit 285ded6e49
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
19 changed files with 4348 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

194
docs/content/providers/ecs.md Normal file
View file

@ -0,0 +1,194 @@
# Traefik & AWS ECS
A Story of Labels & Elastic Containers
{: .subtitle }
Attach labels to your ECS containers and let Traefik do the rest!
## Configuration Examples
??? example "Configuring ECS provider"
Enabling the ECS provider:
```toml tab="File (TOML)"
[providers.ecs]
clusters = ["default"]
```
```yaml tab="File (YAML)"
providers:
ecs:
clusters:
- default
```
```bash tab="CLI"
--providers.ecs.clusters=default
```
## Policy
Traefik needs the following policy to read ECS information:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TraefikECSReadAccess",
"Effect": "Allow",
"Action": [
"ecs:ListClusters",
"ecs:DescribeClusters",
"ecs:ListTasks",
"ecs:DescribeTasks",
"ecs:DescribeContainerInstances",
"ecs:DescribeTaskDefinition",
"ec2:DescribeInstances"
],
"Resource": [
"*"
]
}
]
}
```
## Provider configuration
### `autoDiscoverClusters`
_Optional, Default=false_
```toml tab="File (TOML)"
[providers.ecs]
autoDiscoverClusters = true
# ...
```
```yaml tab="File (YAML)"
providers:
ecs:
autoDiscoverClusters: true
# ...
```
```bash tab="CLI"
--providers.ecs.autoDiscoverClusters=true
# ...
```
Search for services in all clusters.
If set to true the configured clusters will be ignored and the clusters will be discovered.
If set to false the services will be discovered only in configured clusters.
### `exposedByDefault`
_Optional, Default=true_
```toml tab="File (TOML)"
[providers.ecs]
exposedByDefault = false
# ...
```
```yaml tab="File (YAML)"
providers:
ecs:
exposedByDefault: false
# ...
```
```bash tab="CLI"
--providers.ecs.exposedByDefault=false
# ...
```
Expose ECS services by default in Traefik.
If set to false, services that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
### `defaultRule`
_Optional, Default=```Host(`{{ normalize .Name }}`)```_
```toml tab="File (TOML)"
[providers.ecs]
defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
# ...
```
```yaml tab="File (YAML)"
providers:
ecs:
defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
# ...
```
```bash tab="CLI"
--providers.ecs.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
# ...
```
For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.
It must be a valid [Go template](https://golang.org/pkg/text/template/),
augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
The service name can be accessed as the `Name` identifier,
and the template has access to all the labels defined on this container.
### `refreshSeconds`
_Optional, Default=15_
```toml tab="File (TOML)"
[providers.ecs]
refreshSeconds = 15
# ...
```
```yaml tab="File (YAML)"
providers:
ecs:
refreshSeconds: 15
# ...
```
```bash tab="CLI"
--providers.ecs.refreshSeconds=15
# ...
```
Polling interval (in seconds).
### Credentials
_Optional_
```toml tab="File (TOML)"
[providers.ecs]
region = "us-east-1"
accessKeyID = "abc"
secretAccessKey = "123"
```
```yaml tab="File (YAML)"
providers:
ecs:
region: us-east-1
accessKeyID: "abc"
secretAccessKey: "123"
# ...
```
```bash tab="CLI"
--providers.ecs.region="us-east-1"
--providers.ecs.accessKeyID="abc"
--providers.ecs.secretAccessKey="123"
# ...
```
If `accessKeyID` / `secretAccessKey` is not provided credentials will be resolved in the following order:
- From environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
- Shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to default and `~/.aws/credentials`.
- EC2 instance role or ECS task role

11
docs/content/reference/dynamic-configuration/ecs.md Normal file
View file

@ -0,0 +1,11 @@
# ECS Configuration Reference
Dynamic configuration with ECS provider
{: .subtitle }
The labels are case insensitive.
```yaml
--8<-- "content/reference/dynamic-configuration/ecs.yml"
--8<-- "content/reference/dynamic-configuration/docker-labels.yml"
```

1
docs/content/reference/dynamic-configuration/ecs.yml Normal file
View file

@ -0,0 +1 @@
- "traefik.enable=true"

27
docs/content/reference/static-configuration/cli-ref.md
View file

@ -417,6 +417,33 @@ Use the ip address from the bound port, rather than from the inner network. (Def
`--providers.docker.watch`:
Watch Docker Swarm events. (Default: ```true```)
`--providers.ecs.accesskeyid`:
The AWS credentials access key to use for making requests
`--providers.ecs.autodiscoverclusters`:
Auto discover cluster (Default: ```false```)
`--providers.ecs.clusters`:
ECS Clusters name (Default: ```default```)
`--providers.ecs.constraints`:
Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
`--providers.ecs.defaultrule`:
Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
`--providers.ecs.exposedbydefault`:
Expose services by default (Default: ```true```)
`--providers.ecs.refreshseconds`:
Polling interval (in seconds) (Default: ```15```)
`--providers.ecs.region`:
The AWS region to use for requests
`--providers.ecs.secretaccesskey`:
The AWS credentials access key to use for making requests
`--providers.etcd`:
Enable Etcd backend with default settings. (Default: ```false```)

27
docs/content/reference/static-configuration/env-ref.md
View file

@ -417,6 +417,33 @@ Use the ip address from the bound port, rather than from the inner network. (Def
`TRAEFIK_PROVIDERS_DOCKER_WATCH`:
Watch Docker Swarm events. (Default: ```true```)
`TRAEFIK_PROVIDERS_ECS_ACCESSKEYID`:
The AWS credentials access key to use for making requests
`TRAEFIK_PROVIDERS_ECS_AUTODISCOVERCLUSTERS`:
Auto discover cluster (Default: ```false```)
`TRAEFIK_PROVIDERS_ECS_CLUSTERS`:
ECS Clusters name (Default: ```default```)
`TRAEFIK_PROVIDERS_ECS_CONSTRAINTS`:
Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
`TRAEFIK_PROVIDERS_ECS_DEFAULTRULE`:
Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
`TRAEFIK_PROVIDERS_ECS_EXPOSEDBYDEFAULT`:
Expose services by default (Default: ```true```)
`TRAEFIK_PROVIDERS_ECS_REFRESHSECONDS`:
Polling interval (in seconds) (Default: ```15```)
`TRAEFIK_PROVIDERS_ECS_REGION`:
The AWS region to use for requests
`TRAEFIK_PROVIDERS_ECS_SECRETACCESSKEY`:
The AWS credentials access key to use for making requests
`TRAEFIK_PROVIDERS_ETCD`:
Enable Etcd backend with default settings. (Default: ```false```)

11
docs/content/reference/static-configuration/file.toml
View file

@ -151,6 +151,16 @@
[providers.consulCatalog.endpoint.httpAuth]
username = "foobar"
password = "foobar"
[providers.ecs]
constraints = "foobar"
exposedByDefault = true
refreshSeconds = 42
defaultRule = "foobar"
clusters = ["foobar", "foobar"]
autoDiscoverClusters = true
region = "foobar"
accessKeyID = "foobar"
secretAccessKey = "foobar"
[providers.consul]
rootKey = "foobar"
endpoints = ["foobar", "foobar"]
@ -233,6 +243,7 @@
[ping]
entryPoint = "foobar"
manualRouting = true
terminatingStatusCode = 42
[log]
level = "foobar"

13
docs/content/reference/static-configuration/file.yaml
View file

@ -161,6 +161,18 @@ providers:
httpAuth:
username: foobar
password: foobar
ecs:
constraints: foobar
exposedByDefault: true
refreshSeconds: 42
defaultRule: foobar
clusters:
- foobar
- foobar
autoDiscoverClusters: true
region: foobar
accessKeyID: foobar
secretAccessKey: foobar
consul:
rootKey: foobar
endpoints:
@ -250,6 +262,7 @@ metrics:
ping:
entryPoint: foobar
manualRouting: true
terminatingStatusCode: 42
log:
level: foobar
filePath: foobar

445
docs/content/routing/providers/ecs.md Normal file
View file

@ -0,0 +1,445 @@
# Traefik & ECS
A Story of Labels & Elastic Containers
{: .subtitle }
Attach labels to your containers and let Traefik do the rest!
## Routing Configuration
!!! info "labels"
- labels are case insensitive.
- The complete list of labels can be found [the reference page](../../reference/dynamic-configuration/ecs.md)
### General
Traefik creates, for each elastic service, a corresponding [service](../services/index.md) and [router](../routers/index.md).
The Service automatically gets a server per elastic container, and the router gets a default rule attached to it, based on the service name.
### Routers
To update the configuration of the Router automatically attached to the service, add labels starting with `traefik.routers.{name-of-your-choice}.` and followed by the option you want to change.
For example, to change the rule, you could add the label ```traefik.http.routers.my-service.rule=Host(`example.com`)```.
!!! warning "The character `@` is not authorized in the router name `<router_name>`."
??? info "`traefik.http.routers.<router_name>.rule`"
See [rule](../routers/index.md#rule) for more information.
```yaml
traefik.http.routers.myrouter.rule=Host(`example.com`)
```
??? info "`traefik.http.routers.<router_name>.entrypoints`"
See [entry points](../routers/index.md#entrypoints) for more information.
```yaml
traefik.http.routers.myrouter.entrypoints=web,websecure
```
??? info "`traefik.http.routers.<router_name>.middlewares`"
See [middlewares](../routers/index.md#middlewares) and [middlewares overview](../../middlewares/overview.md) for more information.
```yaml
traefik.http.routers.myrouter.middlewares=auth,prefix,cb
```
??? info "`traefik.http.routers.<router_name>.service`"
See [rule](../routers/index.md#service) for more information.
```yaml
traefik.http.routers.myrouter.service=myservice
```
??? info "`traefik.http.routers.<router_name>.tls`"
See [tls](../routers/index.md#tls) for more information.
```yaml
traefik.http.routers.myrouter>.tls=true
```
??? info "`traefik.http.routers.<router_name>.tls.certresolver`"
See [certResolver](../routers/index.md#certresolver) for more information.
```yaml
traefik.http.routers.myrouter.tls.certresolver=myresolver
```
??? info "`traefik.http.routers.<router_name>.tls.domains[n].main`"
See [domains](../routers/index.md#domains) for more information.
```yaml
traefik.http.routers.myrouter.tls.domains[0].main=example.org
```
??? info "`traefik.http.routers.<router_name>.tls.domains[n].sans`"
See [domains](../routers/index.md#domains) for more information.
```yaml
traefik.http.routers.myrouter.tls.domains[0].sans=test.example.org,dev.example.org
```
??? info "`traefik.http.routers.<router_name>.tls.options`"
See [options](../routers/index.md#options) for more information.
```yaml
traefik.http.routers.myrouter.tls.options=foobar
```
??? info "`traefik.http.routers.<router_name>.priority`"
See [priority](../routers/index.md#priority) for more information.
```yaml
traefik.http.routers.myrouter.priority=42
```
### Services
To update the configuration of the Service automatically attached to the service,
add labels starting with `traefik.http.services.{name-of-your-choice}.`, followed by the option you want to change.
For example, to change the `passHostHeader` behavior,
you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.passhostheader=false`.
!!! warning "The character `@` is not authorized in the service name `<service_name>`."
??? info "`traefik.http.services.<service_name>.loadbalancer.server.port`"
Registers a port.
Useful when the service exposes multiples ports.
```yaml
traefik.http.services.myservice.loadbalancer.server.port=8080
```
??? info "`traefik.http.services.<service_name>.loadbalancer.server.scheme`"
Overrides the default scheme.
```yaml
traefik.http.services.myservice.loadbalancer.server.scheme=http
```
??? info "`traefik.http.services.<service_name>.loadbalancer.passhostheader`"
See [pass Host header](../services/index.md#pass-host-header) for more information.
```yaml
traefik.http.services.myservice.loadbalancer.passhostheader=true
```
??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.headers.<header_name>`"
See [health check](../services/index.md#health-check) for more information.
```yaml
traefik.http.services.myservice.loadbalancer.healthcheck.headers.X-Foo=foobar
```
??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.hostname`"
See [health check](../services/index.md#health-check) for more information.
```yaml
traefik.http.services.myservice.loadbalancer.healthcheck.hostname=example.org
```
??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.interval`"
See [health check](../services/index.md#health-check) for more information.
```yaml
traefik.http.services.myservice.loadbalancer.healthcheck.interval=10
```
??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
See [health check](../services/index.md#health-check) for more information.
```yaml
traefik.http.services.myservice.loadbalancer.healthcheck.path=/foo
```
??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.port`"
See [health check](../services/index.md#health-check) for more information.
```yaml
traefik.http.services.myservice.loadbalancer.healthcheck.port=42
```
??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.scheme`"
See [health check](../services/index.md#health-check) for more information.
```yaml
traefik.http.services.myservice.loadbalancer.healthcheck.scheme=http
```
??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.timeout`"
See [health check](../services/index.md#health-check) for more information.
```yaml
traefik.http.services.myservice.loadbalancer.healthcheck.timeout=10
```
??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.followredirects`"
See [health check](../services/index.md#health-check) for more information.
```yaml
traefik.http.services.myservice.loadbalancer.healthcheck.followredirects=true
```
??? info "`traefik.http.services.<service_name>.loadbalancer.sticky`"
See [sticky sessions](../services/index.md#sticky-sessions) for more information.
```yaml
traefik.http.services.myservice.loadbalancer.sticky=true
```
??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.httponly`"
See [sticky sessions](../services/index.md#sticky-sessions) for more information.
```yaml
traefik.http.services.myservice.loadbalancer.sticky.cookie.httponly=true
```
??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.name`"
See [sticky sessions](../services/index.md#sticky-sessions) for more information.
```yaml
traefik.http.services.myservice.loadbalancer.sticky.cookie.name=foobar
```
??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.secure`"
See [sticky sessions](../services/index.md#sticky-sessions) for more information.
```yaml
traefik.http.services.myservice.loadbalancer.sticky.cookie.secure=true
```
??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.samesite`"
See [sticky sessions](../services/index.md#sticky-sessions) for more information.
```yaml
traefik.http.services.myservice.loadbalancer.sticky.cookie.samesite=none
```
??? info "`traefik.http.services.<service_name>.loadbalancer.responseforwarding.flushinterval`"
See [response forwarding](../services/index.md#response-forwarding) for more information.
FlushInterval specifies the flush interval to flush to the client while copying the response body.
```yaml
traefik.http.services.myservice.loadbalancer.responseforwarding.flushinterval=10
```
### Middleware
You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options.
For example, to declare a middleware [`redirectscheme`](../../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`.
More information about available middlewares in the dedicated [middlewares section](../../middlewares/overview.md).
!!! warning "The character `@` is not authorized in the middleware name."
??? example "Declaring and Referencing a Middleware"
```yaml
# ...
# Declaring a middleware
traefik.http.middlewares.my-redirect.redirectscheme.scheme=https
# Referencing a middleware
traefik.http.routers.my-service.middlewares=my-redirect
```
!!! warning "Conflicts in Declaration"
If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
### TCP
You can declare TCP Routers and/or Services using labels.
??? example "Declaring TCP Routers and Services"
```yaml
traefik.tcp.routers.my-router.rule=HostSNI(`example.com`)
traefik.tcp.routers.my-router.tls=true
traefik.tcp.services.my-service.loadbalancer.server.port=4123
```
!!! warning "TCP and HTTP"
If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no TCP Router/Service is defined).
You can declare both a TCP Router/Service and an HTTP Router/Service for the same elastic service (but you have to do so manually).
#### TCP Routers
??? info "`traefik.tcp.routers.<router_name>.entrypoints`"
See [entry points](../routers/index.md#entrypoints_1) for more information.
```yaml
traefik.tcp.routers.mytcprouter.entrypoints=ep1,ep2
```
??? info "`traefik.tcp.routers.<router_name>.rule`"
See [rule](../routers/index.md#rule_1) for more information.
```yaml
traefik.tcp.routers.mytcprouter.rule=HostSNI(`example.com`)
```
??? info "`traefik.tcp.routers.<router_name>.service`"
See [service](../routers/index.md#services) for more information.
```yaml
traefik.tcp.routers.mytcprouter.service=myservice
```
??? info "`traefik.tcp.routers.<router_name>.tls`"
See [TLS](../routers/index.md#tls_1) for more information.
```yaml
traefik.tcp.routers.mytcprouter.tls=true
```
??? info "`traefik.tcp.routers.<router_name>.tls.certresolver`"
See [certResolver](../routers/index.md#certresolver_1) for more information.
```yaml
traefik.tcp.routers.mytcprouter.tls.certresolver=myresolver
```
??? info "`traefik.tcp.routers.<router_name>.tls.domains[n].main`"
See [domains](../routers/index.md#domains_1) for more information.
```yaml
traefik.tcp.routers.mytcprouter.tls.domains[0].main=example.org
```
??? info "`traefik.tcp.routers.<router_name>.tls.domains[n].sans`"
See [domains](../routers/index.md#domains_1) for more information.
```yaml
traefik.tcp.routers.mytcprouter.tls.domains[0].sans=test.example.org,dev.example.org
```
??? info "`traefik.tcp.routers.<router_name>.tls.options`"
See [options](../routers/index.md#options_1) for more information.
```yaml
traefik.tcp.routers.mytcprouter.tls.options=mysoptions
```
??? info "`traefik.tcp.routers.<router_name>.tls.passthrough`"
See [TLS](../routers/index.md#tls_1) for more information.
```yaml
traefik.tcp.routers.mytcprouter.tls.passthrough=true
```
#### TCP Services
??? info "`traefik.tcp.services.<service_name>.loadbalancer.server.port`"
Registers a port of the application.
```yaml
traefik.tcp.services.mytcpservice.loadbalancer.server.port=423
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.terminationdelay`"
See [termination delay](../services/index.md#termination-delay) for more information.
```yaml
traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay=100
```
### UDP
You can declare UDP Routers and/or Services using tags.
??? example "Declaring UDP Routers and Services"
```yaml
traefik.udp.routers.my-router.entrypoints=udp
traefik.udp.services.my-service.loadbalancer.server.port=4123
```
!!! warning "UDP and HTTP"
If you declare a UDP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no UDP Router/Service is defined).
You can declare both a UDP Router/Service and an HTTP Router/Service for the same elastic service (but you have to do so manually).
#### UDP Routers
??? info "`traefik.udp.routers.<router_name>.entrypoints`"
See [entry points](../routers/index.md#entrypoints_2) for more information.
```yaml
traefik.udp.routers.myudprouter.entrypoints=ep1,ep2
```
??? info "`traefik.udp.routers.<router_name>.service`"
See [service](../routers/index.md#services_1) for more information.
```yaml
traefik.udp.routers.myudprouter.service=myservice
```
#### UDP Services
??? info "`traefik.udp.services.<service_name>.loadbalancer.server.port`"
Registers a port of the application.
```yaml
traefik.udp.services.myudpservice.loadbalancer.server.port=423
```
### Specific Provider Options
#### `traefik.enable`
```yaml
traefik.enable=true
```
You can tell Traefik to consider (or not) the ECS service by setting `traefik.enable` to true or false.
This option overrides the value of `exposedByDefault`.

2
docs/mkdocs.yml
View file

@ -77,6 +77,7 @@ nav:
- 'Kubernetes IngressRoute': 'providers/kubernetes-crd.md'
- 'Kubernetes Ingress': 'providers/kubernetes-ingress.md'
- 'Consul Catalog': 'providers/consul-catalog.md'
- 'ECS': 'providers/ecs.md'
- 'Marathon': 'providers/marathon.md'
- 'Rancher': 'providers/rancher.md'
- 'File': 'providers/file.md'
@ -94,6 +95,7 @@ nav:
- 'Kubernetes IngressRoute': 'routing/providers/kubernetes-crd.md'
- 'Kubernetes Ingress': 'routing/providers/kubernetes-ingress.md'
- 'Consul Catalog': 'routing/providers/consul-catalog.md'
- 'ECS': 'routing/providers/ecs.md'
- 'Marathon': 'routing/providers/marathon.md'
- 'Rancher': 'routing/providers/rancher.md'
- 'KV': 'routing/providers/kv.md'