bdeshi/fly-traefik-deploy

Traefik on Fly

this project deploys a traefik reverse proxy as a fly app that can front other services running privately inside fly.io.

init

fly-init.sh script creates the initial app, and saves the config as yaml.

here's how the initialization process works:

FLY_APP_PREFIX="a-random-static-string"
DEPLOY_ENV="prod|stg"

fly app create $FLY_APP_PREFIX-$FLY_APP_BASENAME-$DEPLOY_ENV

fly config save -a $FLY_APP_PREFIX-$FLY_APP_BASENAME-$DEPLOY_ENV -y -c "fly.${DEPLOY_ENV}.yaml"

provision IP addresses

fly can provide certificates and tls termination.

fly ips allocate-v4 --shared
fly ips allocate-v6

to perform tcp termination with traefik, a dedicated public IP is required.

fly ips allocate-v4
fly ips allocate-v6

provision ssl certificate

Regardless of whether a dedicated or shared IP is being used, a certificate is required for fly to direct public traffic to the app based on the certificate's SNI.

# for each domain (can be wildcard)
fly certs create $domain -c fly.$DEPLOY_ENV.yaml

add CNAME or A/AAAA records as directed.

deploy

after initial creation, the deploy process just reads app configs and deploys to existing app targets.

app configs have been refactored into a common base layer as fly.base.yaml, and environment specific overrides as fly.<env>.yaml.

the configs also contain go templates that are processed by gomplate.

FLY_APP_PREFIX="a-random-static-string"
DEPLOY_ENV="prod|stg"

# combine base and env specific config
yq eval-all '. as $item ireduce ({}; . *+ $item)' fly.base.yaml "fly.${DEPLOY_ENV}.yaml" > .fly.yaml
# replace env var templates in config
gomplate -f .fly.yaml -o .fly.yaml

sops -d fly.$DEPLOY_ENV.env | fly secrets import --stage -c .fly.yaml
fly deploy -c .fly.yaml --ha=false
rm .fly.yaml
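
the same deploy steps wrapped so that an unexpected DEPLOY_ENV or a failed sops decrypt stops the run, and the rendered .fly.yaml is removed even when a step fails. this is an added example, not code from the repository; the function names valid_env and deploy are hypothetical.

```shell
#!/bin/sh
# Added example (not the project's own script): hardened form of the deploy steps.

# DEPLOY_ENV is interpolated into file names, so accept only the two
# values the README lists and reject everything else.
valid_env() {
  case "$1" in
    prod|stg) return 0 ;;
    *) return 1 ;;
  esac
}

# The body is a subshell ( ... ) so umask and the EXIT trap stay local to one deploy.
deploy() (
  env_name="$1"
  valid_env "$env_name" || { echo "refusing DEPLOY_ENV='$env_name'" >&2; exit 2; }

  umask 077                      # rendered config is readable by the owner only
  trap 'rm -f .fly.yaml' EXIT    # clean up even when a step below fails
  rm -f .fly.yaml                # drop any stale copy with looser permissions

  # combine base and env specific config
  yq eval-all '. as $item ireduce ({}; . *+ $item)' \
    fly.base.yaml "fly.${env_name}.yaml" > .fly.yaml || exit 1
  # replace env var templates in config
  gomplate -f .fly.yaml -o .fly.yaml || exit 1

  # Decrypt first: in a plain `sops | fly` pipeline the exit status is fly's,
  # so a failed decrypt would go unnoticed and the deploy would continue.
  secrets="$(sops -d "fly.${env_name}.env")" || exit 1
  printf '%s\n' "$secrets" | fly secrets import --stage -c .fly.yaml || exit 1

  fly deploy -c .fly.yaml --ha=false
)
```

call it as `deploy "$DEPLOY_ENV"` from the repository root, where fly.base.yaml and the per-environment files live.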

traefik

routing

the traefik config forwards requests to hostnames like <https://service.env.base_domain> to internal services like <service.env.flycast>:80

endpoints

  • :80,443: proxy to backends
  • :8080: traefik endpoints
  • :80,443/.well-known/_traefik/ping: global public traefik healthcheck
  • :8080/ping: traefik healthcheck
  • :8080/dashboard/: traefik dashboard, requires auth
  • :8080/api: traefik api, requires auth
  • :8080/metrics: traefik metrics

About

fly.io deployment experiments
