Setup TLS(SSL) in Traefik 2.0.x
This is a short guideline that provides information on how to configure ReportPortal to use Let TLS/SSL certificate setup for your existing ReportPortal environment.
Overview
We use Traefik as a layer-7 load balancer with TLS/SSL termination for the set of micro-services used to run ReportPortal web application.
Pre-requisites
- Server with a public IP address, with Docker and docker-compose installed on it
- Installed ReportPortal on this servers
- Your own domain and the DNS configured accordingly so the hostname records
Configuration
Provided below is an example of using Traefik (gateway service) in docker-compose.yaml. If you don't have any custom configurations, you are free to use the example below.
*** Create a directory on the server for Traefik data and storing certificates ***
mkdir data/traefik/ && mkdir -p data/certs/traefik
Check:
data
|-- certs
|-- opensearch
|-- postgres
|-- traefik
*** Create config file for Traefik with certificate and key path.***
cat << EOF | tee -a data/traefik/certs-traefik.yaml
tls:
certificates:
- certFile: /etc/certs/examplecert.crt
keyFile: /etc/certs/examplecert.key
EOF
Place certificate examplecert.crt and key examplecert.key to directory data/certs/traefik/ you created earlier.
*** Edit Traefik service in the docker-compose.yaml***
Add the following volumes to Traefik:
services:
gateway:
volumes:
- "./data/traefik/dynamic/certs-traefik.yaml:/etc/traefik/dynamic/certs-traefik.yaml"
- "./data/certs/traefik:/etc/certs/"
commands:
services:
gateway:
commands:
- "--providers.file.directory=/etc/traefik/dynamic"
- "--entrypoints.websecure.address=:443"
and ports:
services:
gateway:
ports:
- "443:443"
Check the Traefik part:
version: '2.4'
services:
gateway:
image: traefik:v2.0.5
ports:
- "8080:8080" # HTTP exposed
- "8081:8081" # HTTP Administration exposed
- "443:443" # TLS/SSL
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
- "./data/traefik/dynamic/certs-traefik.yaml:/etc/traefik/dynamic/certs-traefik.yaml"
- "./data/certs/traefik:/etc/certs/"
command:
- "--providers.docker=true"
- "--providers.docker.constraints=Label(`traefik.expose`, `true`)"
- "--entrypoints.web.address=:8080"
- "--entrypoints.traefik.address=:8081"
- "--api.dashboard=true"
- "--api.insecure=true"
# TLS/SSL
- "--providers.file.directory=/etc/traefik/dynamic"
- "--entrypoints.websecure.address=:443"
restart: always
*** Add the following labels to existing services api, uat, index, ui, replacing <service> with the corresponding service name ***
labels:
- "traefik.http.routers.<service>.tls=true"
Check the UI and API services as an example:
version: '2.4'
services:
ui:
image: reportportal/service-ui:5.3.4
environment:
- RP_SERVER_PORT=8080
labels:
- "traefik.http.middlewares.ui-strip-prefix.stripprefix.prefixes=/ui"
- "traefik.http.routers.ui.middlewares=ui-strip-prefix@docker"
- "traefik.http.routers.ui.rule=PathPrefix(`/ui`)"
- "traefik.http.routers.ui.service=ui"
- "traefik.http.services.ui.loadbalancer.server.port=8080"
- "traefik.http.services.ui.loadbalancer.server.scheme=http"
- "traefik.expose=true"
- "traefik.http.routers.ui.tls=true" # label is here
restart: always
Make sure that the required ports are opened. Please check your firewall settings.
Helpful links
Issues
*** Unable to find valid certification path to requested target ***
Feb-2 00:00:00.000 [rp-io-1] ERROR Launch - [18] ReportPortal execution error
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Solutions:
- Recomended. Add certificate to Java-machine
- Not recommended. Ignoring SSL certificate