Implemented segregation by network

[SilverFire]

Hi, @buchdag!

This pull-request implements the discussion we've started in #571

I've introduced a new env variable for LE container MUST_BE_CONNECTED_WITH_NETWORK, that limits the LE scope to containers, included only in the specified network. The tests are included.

Could you review this pull request, please? If it seems acceptable to you, I will add the necessary documentation. Thank you!

[buchdag]

Hi @SilverFire

Just to let you know that I saw this but I'm really, really lacking time those days.

I'll take a look as soon as possible.

[SilverFire]

No worries, take your time 🙌

I have already combined this PR together with #610 and deployed them on my production.

[SilverFire]

@buchdag did you have a chance to check this PR?

[buchdag]

@SilverFire not yet :/

[buchdag]

@SilverFire this will have to be rebased against #647 since it has been merged to master 😃

[SilverFire]

Yepp, definitely a good idea. Rebased and force-pushed)

[buchdag]

Ok sorry for the delay, I just took a look and it's mostly good, here are my remarks:

1. maybe we could have something shorter than MUST_BE_CONNECTED_WITH_NETWORK ? What about RESTRICT_TO_NETWORK, WATCH_NETWORK or NETWORK_SCOPE ?
2. so you choose to be able to specify the target network by name, have you weighted it against the same way nginx-proxy works (only containers on the same network as the nginx-proxy or docker-gen container) ? Any pro and cons to both methods from your point of view ?
3. I'm still deciphering some of that docker-gen template syntax. 😅

As this is a pretty substantial feature, would you mind if I merged it to dev first ?

[SilverFire]

1. I'd stick for NETWORK_SCOPE if it's OK for you.

2. Meh, I don't remember how it went this way. Either there was a problem, or I just overengineered :)

3. It's was my first docker-gen experience and I remember the first time I've touched it I thought I should never do it again :)

As this is a pretty substantial feature, would you mind if I merged it to dev first ?

As you wish

[buchdag]

Ok so about the docker-gen template:

1. we're getting the env from the letsencrypt companion container
2. we're iterating a first time over containers that have a LETSENCRYPT_HOST variable set
3. if the MUST_BE_CONNECTED_WITH_NETWORK (NETWORK_SCOPE) env var is set on the letsencrypt companion container we check that the container we're iterating over is connected to the same network and append its ID to a string if true.
4. if the MUST_BE_CONNECTED_WITH_NETWORK env var isn't set, we append the container ID to the string no matter what.
5. we create a slice from this string
6. we iterate a second time over containers that have a LETSENCRYPT_HOST variable set (the original range loop) and now only process containers whose ID intersect with the slice created at 5.

Got that right ?

Does the feature work as intended if the proxied container is connected to more than one network ?

[SilverFire]

That's absolutely correct!

[SilverFire]

Does the feature work as intended if the proxied container is connected to more than one network ?

Yes, it does:

{{ range $containerNetwork := $container.Networks }}
    {{ if eq $CurrentContainer.Env.MUST_BE_CONNECTED_WITH_NETWORK $containerNetwork.Name }}
[ ... ]

We iterate over all networks of the container

[buchdag]

LGTM for a merge to dev, do you want to change the variable name and add the doc on this PR or later on ?

[SilverFire]

Renamed. Will add docs lated