@drpauldixon
Last active January 24, 2024 15:56
Nomad + Traefik http and https routing

Notes for anyone struggling to get Traefik routing on both http and https with Nomad

By default, Traefik routes on the http interface only. We want to route on both http and https interfaces (front ends).

The trick is to create two services in the Nomad job for the application - one for http and one for https. Both services point at the same port; only the Traefik router tags differ. See the example Traefik/MyApp jobs below.

I also had trouble getting Traefik to use custom TLS certs - the trick was to put those into the dynamic config for Traefik (the file loaded through the file provider) rather than the static config.

Tags: nomad traefik https tls ingress router

# Example application job: a single task published through Traefik by two
# Nomad services that share one port. The first service carries a plain-HTTP
# router, the second a router with TLS enabled, so the same path prefix is
# reachable on both Traefik entry points.
job "myapp" {
  datacenters = ["dc1"]

  group "myapp" {
    # use scaling instead of count, to enable scaling in the UI
    # count = 1
    scaling {
      enabled = true
      min     = 1
      max     = 3

      policy {}
    }

    #constraint {
    #  distinct_hosts = true
    #}

    network {
      # Dynamically allocated port; both services below register it.
      port "http" {}
    }

    task "myapp" {
      # NOTE(review): raw_exec runs the command with no isolation and as the
      # same user as the Nomad client agent. Anything this task can be made to
      # do, it does with the agent's privileges - prefer an isolating driver
      # where the workload allows it.
      driver = "raw_exec"

      config {
        command = "./myapp"
      }

      # Renders the redis_password item of the Nomad variable
      # nomad/jobs/myapp as KEY=value text; env = true loads the rendered
      # text into the task environment, and a change restarts the task.
      # NOTE(review): confirm where the client actually writes the rendered
      # secret for destination "/dev/null" (it may be resolved inside the
      # task directory rather than discarded). The task's secrets/ directory
      # is the documented location for rendered env files.
      template {
        env         = true
        destination = "/dev/null"
        change_mode = "restart"
        data        = <<EOF
{{- with nomadVar "nomad/jobs/myapp" -}}
REDIS_PASSWORD = {{ .redis_password }}
{{- end -}}
EOF
      }

      # NOTE(review): the artifact is downloaded and then executed without an
      # integrity check. Pin a digest so a tampered archive is rejected, e.g.
      #   options { checksum = "sha256:<SHA256_OF_myapp.tgz>" }
      artifact {
        source      = "https://<somehost>/artifacts/myapp.tgz"
        destination = "."
      }

      resources {
        cpu    = 200
        memory = 400
      }

      # For ingress routes for http
      # NOTE(review): this router serves the API path in cleartext. If plain
      # HTTP is not required, drop this service or redirect it to https.
      service {
        name     = "myapp"
        provider = "nomad"
        port     = "http"

        tags = [
          "traefik.enable=true",
          "traefik.http.routers.myapp.rule=PathPrefix(`/api/myapp/v2`)"
        ]

        # TCP connect check only: proves the port accepts connections, not
        # that the application answers requests.
        check {
          type     = "tcp"
          port     = "http"
          interval = "10s"
          timeout  = "2s"
        }
      }

      # For ingress routes using https
      # Same backend port as above; the tls=true tag is the only functional
      # difference between the two routers.
      service {
        name     = "myapp-tls"
        provider = "nomad"
        port     = "http"

        tags = [
          "traefik.enable=true",
          "traefik.http.routers.myapp-tls.rule=PathPrefix(`/api/myapp/v2`)",
          "traefik.http.routers.myapp-tls.tls=true"
        ]

        check {
          type     = "tcp"
          port     = "http"
          interval = "10s"
          timeout  = "2s"
        }
      }
    }
  }
}
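# Traefik ingress as a system job (one instance per client node) with static
# host ports: 8080 (http), 8443 (https) and 8081 (API/dashboard). The TLS
# certificate and key come from the Nomad variable nomad/jobs/traefik and are
# referenced from Traefik's dynamic configuration file.
job "traefik" {
  datacenters = ["dc1"]
  type        = "system"

  group "traefik" {
    network {
      port "http" {
        static = 8080
      }
      port "https" {
        static = 8443
      }
      # Entry point used by the Traefik API/dashboard (see api.insecure below).
      port "api" {
        static = 8081
      }
    }

    service {
      name     = "traefik"
      provider = "nomad"
      port     = "http"

      check {
        name     = "alive"
        type     = "tcp"
        port     = "http"
        interval = "10s"
        timeout  = "2s"
      }
    }

    task "traefik" {
      # NOTE(review): raw_exec gives no isolation and runs Traefik as the
      # Nomad client agent's user; an internet-facing proxy is a workload
      # where an isolating driver is worth the effort.
      driver = "raw_exec"

      config {
        command = "traefik"
        # NOTE(review): Traefik documents file, CLI and environment static
        # configuration as mutually exclusive. The entry-point flags below
        # repeat what local/traefik.yaml already declares - confirm which
        # source is actually in effect, in particular for the
        # entrypoints.https.http.tls flag, which has no counterpart in the file.
        args = [
          "--configfile", "local/traefik.yaml",
          "--entryPoints.http.address=:8080",
          "--entryPoints.https.address=:8443",
          "--entrypoints.https.http.tls=true"
        ]
      }

      # Deploy TLS cert
      template {
        env         = false
        destination = "local/tls_crt.pem"
        change_mode = "restart"
        data        = <<EOC
{{- with nomadVar "nomad/jobs/traefik" -}}
{{ .tls_cert }}
{{- end -}}
EOC
      }

      # Deploy TLS key
      # perms is tightened from the template default (644) so the private key
      # is readable only by the user that runs the task.
      # NOTE(review): the task's secrets/ directory is the more appropriate
      # home for key material; moving it also means updating the keyFile paths
      # in the configuration templates below.
      template {
        env         = false
        destination = "local/tls_key.pem"
        perms       = "600"
        change_mode = "restart"
        data        = <<EOC
{{- with nomadVar "nomad/jobs/traefik" -}}
{{ .tls_key }}
{{- end -}}
EOC
      }

      # Static configuration (local/traefik.yaml).
      # YAML nesting below is reconstructed - the published listing had lost
      # its indentation - so verify it against a working file.
      # NOTE(review):
      #  - api.insecure: true serves the API and dashboard without
      #    authentication on the "traefik" entry point (:8081), which is a
      #    static host port on every client node. Restrict access to that
      #    port, or turn insecure mode off and publish api@internal through a
      #    router protected by an authentication middleware.
      #  - defaultEntryPoints lists "https" twice; "http" was presumably meant
      #    for one entry. It is also a Traefik v1 option - confirm that the
      #    v2.10 binary fetched below honours it at all.
      #  - TLS stores/certificates are dynamic configuration; the tls section
      #    here duplicates local/dynamic.yaml and is presumably a leftover.
      template {
        data        = <<EOF
tls:
  stores:
    default:
      defaultCertificate:
        certFile: local/tls_crt.pem
        keyFile: local/tls_key.pem
  certificates:
    - certFile: local/tls_crt.pem
      keyFile: local/tls_key.pem
      stores:
        - default
accessLog:
  format: "json"
defaultEntryPoints:
  - https
  - https
entryPoints:
  http:
    address: ":8080"
  https:
    address: ":8443"
  traefik:
    address: ":8081"
api:
  dashboard: true
  insecure: true
# Enable Nomad configuration backend.
providers:
  nomad:
    prefix: "traefik"
    exposedByDefault: false
  file:
    filename: local/dynamic.yaml
    watch: false
EOF
        destination = "local/traefik.yaml"
      }

      # Dynamic configuration loaded through the file provider: registers the
      # custom certificate and makes it the default for the default TLS store.
      # This is the copy the accompanying notes credit with making custom
      # certificates work.
      template {
        data        = <<EOD
tls:
  stores:
    default:
      defaultCertificate:
        certFile: local/tls_crt.pem
        keyFile: local/tls_key.pem
  certificates:
    - certFile: local/tls_crt.pem
      keyFile: local/tls_key.pem
      stores:
        - default
EOD
        destination = "local/dynamic.yaml"
      }

      # NOTE(review): the proxy binary is downloaded without an integrity
      # check. Pin the release digest so a tampered archive is rejected, e.g.
      #   options { checksum = "sha256:<SHA256_OF_TRAEFIK_ARCHIVE>" }
      artifact {
        source = "https://<somehost>/artifacts/traefik_v2.10.7_linux_amd64.tar.gz"
      }
    }
  }
}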