Support for wildcard ssl certificates

[knx-am]

Hi @garutilorenzo,

first of all thank you very much for publishing this project. It's simple and effective and worked out of the box. Just like good solutions should be 💪

Is there a chance you could add support for wildcard ssl certificates?

I'm using the ssl-termination mode and would like to dynamically make multiple services in my cluster reachable through https using a single wildcard certificate covering *.my-domain
Ideally, it would be great if I could crate the secrets for cert and key only once and attach them to the ingress service only once initially and make the ingress service use those secrets for all domains (or maybe as a fallback if no secrets are found which exactly match the domain name? or maybe allow the services to specify which existing cert and key they would like to use among existing ones?)

My problem right now is that if I add a new service to my cluster (happens dynamically on a regular basis) and make it register a new domain, I have to create new secrets for it (using the same cert and key I'm already using for other services) and mount those new secrets to the ingress service (making its compose config longer), update the ingress service etc.

Does this make sense?

[knx-am]

My problem is basically these two lines and the fact that crt and key are expected under a specific path bound to the host config of the specific service. It would be enough to make this somehow configurable

docker-swarm-ingress/nginx-ingress/ingress/nginx.tpl

Line 161 in 7543679

ssl_certificate /run/secrets/{{ service['virtual_host'] }}.crt;

[garutilorenzo]

Hi @knx-am,

yes I think we can add a specific label for this. If this label is not present we can fallback to the original value "{{ service['virtual_host'] }}"
I can open a PR with this new feature.

[knx-am]

That would be much appreciated. Thank you 🙏

[knx-am]

Hi @garutilorenzo,
any idea on when you might be able to do the change?
Would you accept a pull request if I implement it myself?

[garutilorenzo]

Hi @knx-am I have just opened this PR #4.
The PR is not tested, you can test this PR with this image:

garutilorenzo/docker-swarm-ingress:dev

[knx-am]

Hi @garutilorenzo,
the dev version is unable to start because of a dependency issue with docker-py and the requests library.
Looks like the issue was fixed 3 days ago and we just missed the fix. Could you trigger a new build? Then I can test again. Thanks!
ansible-collections/community.docker#611

[garutilorenzo]

Hi @knx-am,
just pushed a new container version with docker-py version 1.10.6.

[knx-am]

Thank you but I think it should be 6.1.0 and not 1.10.6. The current dev version is still failing on startup with the same error

[knx-am]

Here is the link to the release notes:
https://github.com/docker/docker-py/releases#:~:text=Support%20for%20requests%202.29.0%2B%20and%20urllib3%202.x

[garutilorenzo]

Hi @knx-am,

this project uses docker-py module, not docker.
The problem here is the requests and urllib modules compatibility, the old unsupported docker-py hasn't been updated.
I will open in the future a new PR to replace docker-py with docker python module.
I have pushed a new dev version on the registry with an old version of requests and urllib, please test it.

[garutilorenzo]

I see now that both docker-py and docker redirects to the same GitHub page...
There is some confusion about this python modules... but they are different.
I will open a new PR to fix the problem

[knx-am]

Ah ok It's indeed very confusing.
The new dev version is running fine now and the wildcard certificate works as expected with the new service label.
Thank you so much for implementing it!
The PR can be merged from my point of view (the new label should probably be documented in the readme though right?)