
TLS Injection

The TLS injection overlay is responsible for injecting all the TLS certificates generated by orca into a container. This is useful when an application needs to trust, or serve, those certificates.

Configuration

The configuration is extremely simple: add the orca.pantoptescloud.tls/inject-certs: "/path/" label to any service within the workspace. orca then generates an overlay that adds an extra bind mount from the certificate directory on your host into the container path given by the label's value. See the Traefik use case below for a full example. Your entrypoint or application can then be configured to use the certificates from that path.

Note: the bind mount is currently writable; this needs addressing so that the mount is read-only.
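To make the behaviour concrete, here is an added sketch (not orca's own implementation) of how such an overlay can be derived from a compose document: every service carrying the inject label gets one extra bind mount, and, unlike the current overlay, the example emits it read-only. The host certificate directory and the sample compose document are constructed for the example.

```python
# Added example, not orca's code: derive a TLS injection overlay from a compose
# document. Each service labelled orca.pantoptescloud.tls/inject-certs gets a
# read-only bind mount from the host certificate directory to the label's path.
from typing import Any

INJECT_LABEL = "orca.pantoptescloud.tls/inject-certs"


def service_labels(service: dict[str, Any]) -> dict[str, str]:
    """Normalise compose labels, which may be a mapping or a list of 'k=v' strings."""
    labels = service.get("labels", {})
    if isinstance(labels, dict):
        return {str(k): str(v) for k, v in labels.items()}
    out: dict[str, str] = {}
    for item in labels:
        key, _, value = str(item).partition("=")
        out[key] = value
    return out


def build_tls_overlay(compose: dict[str, Any], host_certs_dir: str) -> dict[str, Any]:
    """Return a compose overlay mounting host_certs_dir into each labelled service.

    The mount is emitted with ":ro" so a compromised container cannot tamper
    with the injected certificates (the real overlay is still writable today).
    """
    overlay: dict[str, Any] = {"services": {}}
    for name, service in compose.get("services", {}).items():
        target = service_labels(service).get(INJECT_LABEL)
        if not target:
            continue  # service did not opt in to certificate injection
        if not target.startswith("/"):
            raise ValueError(f"{name}: {INJECT_LABEL} must be an absolute container path")
        container_path = target.rstrip("/") or "/"
        overlay["services"][name] = {
            "volumes": [f"{host_certs_dir}:{container_path}:ro"]
        }
    return overlay


# Constructed sample compose document mirroring the Traefik use case on this page.
SAMPLE_COMPOSE = {
    "services": {
        "traefik": {"image": "traefik:v2.9.1", "labels": {INJECT_LABEL: "/certs/"}},
        "api": {"image": "myapi:1.0.0", "labels": ["traefik.enable=true"]},
    }
}

if __name__ == "__main__":
    import json
    # "/home/me/.orca/certs" is an assumed host path, not orca's real location.
    print(json.dumps(build_tls_overlay(SAMPLE_COMPOSE, "/home/me/.orca/certs"), indent=2))
```

The returned mapping is what would be written out as the overlay compose file and layered on top of the workspace's compose file.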

Traefik use case

One handy use case for this overlay is running Traefik as an ingress controller with TLS termination. Let's look at an example compose file:

services:
  traefik:
    image: "traefik:v2.9.1"
    ports:
      - "80:80"     # HTTP entrypoint (redirected to HTTPS below)
      - "443:443"   # HTTPS entrypoint
      - "8080:8080" # Traefik dashboard / API
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro" # listen to docker events
      # Sources must start with "./", otherwise compose treats them as named volumes
      - "./traefik.yaml:/etc/traefik/traefik.yaml" # mount static config
      - "./traefik-dynamic-config.yaml:/traefik-dynamic-config.yaml" # mount dynamic config
    labels:
      # Injects the certificates into the container in the `/certs` directory
      orca.pantoptescloud.tls/inject-certs: "/certs/"
  api:
    image: myapi:1.0.0
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`myapp.test`)"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.services.api.loadbalancer.server.port=80"

We'll go through the rest of the Traefik configuration briefly below, but for now just note that we added the orca.pantoptescloud.tls/inject-certs: "/certs/" label to the traefik container. This mounts all the TLS certificates that orca generated on your host into the container. From there we can point the two Traefik config files we mount at those certificates:

traefik.yaml (static configuration):

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: "websecure"
          scheme: "https"
          permanent: true

  websecure:
    address: ":443"

providers:
  docker:
    exposedByDefault: false
  file:
    filename: /traefik-dynamic-config.yaml

traefik-dynamic-config.yaml (dynamic configuration, loaded through the file provider above):

tls:
  certificates:
    - certFile: /certs/myapp.test.cert
      keyFile: /certs/myapp.test.key

The Traefik dynamic config above tells Traefik to use the certificates we mounted at /certs for TLS termination. With a hosts entry such as 127.0.0.1 myapp.test, you should be able to reach the api service in the compose environment at https://myapp.test.

Note that this setup would still work without orca, but you would have to generate the certificates and define the mount yourself.