
Andreas Piening

05/25/2022, 3:43 PM
After exploring fleet with `fleetctl preview` I want to install `fleet` on a public node with `docker-compose`, using `traefik` to provide the HTTPS cert via `letsencrypt`. Is there any example / guide available which I can use as a template?

Benjamin Edwards

05/25/2022, 3:49 PM
Wild. I was just talking about this with @Kathy Satterlee
👍 1
😁 1

Kathy Satterlee

05/25/2022, 3:49 PM
Hi @Andreas Piening, that's actually what I'm working on now! Should be out soon, just working on sorting out the HTTPS portion.

Andreas Piening

05/25/2022, 3:50 PM
That’s great to hear! What is the current issue with the HTTPS portion, if I may ask?
Providing HTTPS for the HTTP service port should be easy I guess, but I found something related to the SSL certificate that needs to be exported so that the clients can use it to check the authentication against the server. Maybe I completely misunderstood this.

Kathy Satterlee

05/25/2022, 3:57 PM
@Andreas Piening Nothing wrong with the process, just the practitioner 🙂. Both Docker and SSL are things that I am relatively unfamiliar with setting up (which made me the obvious choice to put this together because I'm going to hit all of the pain points and learn a ton).

Andreas Piening

05/25/2022, 4:02 PM

Kathy Satterlee

05/25/2022, 4:02 PM
That's exactly what my next step was, thanks! Cleaning up my repo a little and I'll send that over shortly if you'd like to take a look.
👍 1

Andreas Piening

05/25/2022, 4:03 PM
Using this example config I was able to spin up a `traefik` instance with working SSL via `letsencrypt` in under 15 minutes.

Kathy Satterlee

05/25/2022, 4:03 PM
Brilliant.

Andreas Piening

05/25/2022, 4:05 PM
Yes @Kathy Satterlee I would love to take a look at your repo. I could give it a try and provide feedback then.
Regarding `traefik`: I use a `docker-compose` project dedicated to `traefik`. I then can have multiple `docker-compose` projects and expose them with just a few labels. You can use this as an example for an HTTP based service based on a simple `docker` container: https://github.com/cbirkenbeul/docker-homelab/blob/master/compose-files/applications/yourls/docker-compose.yaml
The relevant part for `traefik` is the `labels` section and the `networks` section, because the container that needs to be exposed must be attached to the same network that `traefik` uses. In this case it is called `traefik_proxy`.

Kathy Satterlee

05/25/2022, 4:22 PM
Here's the repo! You're more than welcome to contribute if that's something you'd enjoy. I'd also be happy to answer any questions here or hop on a Zoom meeting.
Your timing genuinely could not have been more perfect on this.

Andreas Piening

05/25/2022, 4:24 PM
Did you paste the url? I can’t see it.

Kathy Satterlee

05/25/2022, 4:24 PM
I did not
I'd tweaked some things when I realized my previous approach wasn't working for SSL, just pushed fixes to the paths I broke.

Andreas Piening

05/25/2022, 4:50 PM
Ok I’ll give it a try.
`docker-compose config` says: ERROR: Service ‘fleet’ depends on service ‘certs’ which is undefined.
There is in fact an entry `certs` under `depends_on` for the `fleet` container, but the service is not defined.

Kathy Satterlee

05/25/2022, 4:55 PM
Odd that it didn't err for me.
Must not have cleaned things up as well as I thought before my last test.

Andreas Piening

05/25/2022, 5:00 PM
I’ve just removed the dependency and now it is starting.
🙌 1
I added traefik to the docker-compose.yml but at the moment I get an error when I access the web interface: Client sent an HTTP request to an HTTPS server.
I think `fleet` needs to be configured to serve HTTP while `traefik` is doing the HTTPS encryption.
I’ll take a look at the docs. Maybe it is enough to remove the `FLEET_SERVER_CERT` from the env.

Benjamin Edwards

05/25/2022, 6:16 PM
yeah you would set `FLEET_SERVER_TLS=false`
💯 1
👍 1
@Andreas Piening what is the lets encrypt default resolver? https://doc.traefik.io/traefik/https/acme/#the-different-acme-challenges personally I have only ever used DNS Challenge

Andreas Piening

05/25/2022, 6:22 PM
It works!
I’m using tlsChallenge at the moment, this works without any additional setup but does not support wild card DNS.

Benjamin Edwards

05/25/2022, 6:25 PM
Ok cool. Where do you keep your acme credentials?

Andreas Piening

05/25/2022, 6:26 PM
I’m using `dnsChallenge` on another system where I need wildcard DNS and it works fine with my DNS provider (hetzner), but many DNS APIs are supported.

Benjamin Edwards

05/25/2022, 6:26 PM
Yeah I've used DigitalOcean successfully too with dnsChallenge

Andreas Piening

05/25/2022, 6:26 PM
I’ve set the `storage` parameter in the `traefik.toml` to an `acme.json` file.

Benjamin Edwards

05/25/2022, 6:27 PM
Ok right on. And that file is mounted into the Traefik container?

Andreas Piening

05/25/2022, 6:27 PM
Exactly.
I’ve mapped a config folder like this:
- ./config:/etc/traefik

Benjamin Edwards

05/25/2022, 6:29 PM
Lol I wish I found this project when I was doing this a few years ago. Figuring it out from scratch was brutal. Traefik is amazing, but it has so many configuration options it's almost overwhelming

Andreas Piening

05/25/2022, 6:29 PM
YES! It can be a nightmare to dive into traefik. Agree.
😅 1
💯 1
But once it works it is super easy 😉

Benjamin Edwards

05/25/2022, 6:30 PM
I remember when Traefik 2 came out and I had to rewrite all the tag stuff…omg. Got through it but damn.

Andreas Piening

05/25/2022, 6:31 PM
LOL same here. Borked my production system and had to go back to Traefik 1 and plan the migration.
😅 1

Benjamin Edwards

05/25/2022, 6:31 PM
Traefik 1 > 2 migration was tough. Loving Traefik 2 though. Now that it's clicked for me.
I'm so glad I'm not the only one. It made me feel stupid haha

Andreas Piening

05/25/2022, 6:32 PM
Doing a clean Traefik config, starting from scratch, turned out to be easier for me than converting everything to the new format and missing important things.
💯 1
Wow, I’ve just created a `.deb` package with the command provided by the `fleet` web UI, installed it on another system, and it worked right away.
I’m surprised how easy the deployment is. I have searched for a `docker-compose` example for hours and now it is working perfectly fine. Thank you very much @Kathy Satterlee

Kathy Satterlee

05/25/2022, 7:59 PM
That's exactly what I was going for. I'm so glad you reached out!
If you'd like to DM me your shipping info, I'd love to send a "thanks for being my guinea pig" your way.

Andreas Piening

05/25/2022, 8:02 PM
I had to change a few minor things, for example I had to remove the quotes from the `default.env` files.
FLEET_MYSQL_ADDRESS="mysql:3306" => FLEET_MYSQL_ADDRESS=mysql:3306

Kathy Satterlee

05/25/2022, 8:03 PM
I feel like docker compose treats .env files with some kind of random selection of rules it'll choose to apply to any given build

Andreas Piening

05/25/2022, 8:08 PM
On my first `docker-compose up` I got an error because the variable FLEET_OSQUERY_LABEL_UPDATE_INTERVAL=\"FLEET_SOMETHING\" was not a valid value. After removing the quotes all was fine.
Can I assist you in getting your setup up and running with traefik?

Kathy Satterlee

05/25/2022, 8:17 PM
That would be amazing, I'll send over a scheduling link so you can have my full attention.