From e3ced1e052ae4c4889b38da49c840032925bff13 Mon Sep 17 00:00:00 2001
From: Roman Donchenko
Date: Tue, 7 Nov 2023 18:32:17 +0200
Subject: [PATCH] Turn on Traefik access logs

This will be useful for debugging issues and gathering statistics. Use the JSON format, since that allows us to include more information than the traditional HTTP access logs. Switch the other logs to JSON as well, for ease of parsing. Add a cap on the size of the log in Docker compose, since the JSON logs are pretty bulky, and we don't want users to inadvertently run out of space.
---
.../20231107_183551_roman_traefik_logs.md | 5 ++++
docker-compose.https.yml | 22 ++++++---------
docker-compose.yml | 28 ++++++++++++++-----
helm-chart/values.yaml | 21 ++++++++++++++
4 files changed, 55 insertions(+), 21 deletions(-)
create mode 100644 changelog.d/20231107_183551_roman_traefik_logs.md
diff --git a/changelog.d/20231107_183551_roman_traefik_logs.md b/changelog.d/20231107_183551_roman_traefik_logs.md
new file mode 100644
index 000000000000..e55889d1011a
--- /dev/null
+++ b/changelog.d/20231107_183551_roman_traefik_logs.md
@@ -0,0 +1,5 @@
+### Changed
+
+- The Docker Compose file and Helm chart now enable Traefik access logs by
+ default, and change the log format to JSON
+ ()
diff --git a/docker-compose.https.yml b/docker-compose.https.yml
index 2c8ebc22bfad..78bfb79bee22 100644
--- a/docker-compose.https.yml
+++ b/docker-compose.https.yml
@@ -16,20 +16,14 @@ services: traefik: image: traefik:v2.9 container_name: traefik - command: - - "--providers.docker.exposedByDefault=false" - - "--providers.docker.network=cvat" - - '--providers.file.directory=/etc/traefik/rules' - - "--entryPoints.web.address=:80" - - "--entryPoints.web.http.redirections.entryPoint.to=websecure" - - "--entryPoints.web.http.redirections.entryPoint.scheme=https" - - "--entryPoints.websecure.address=:443" - - "--certificatesResolvers.lets-encrypt.acme.email=${ACME_EMAIL:?Please set the ACME_EMAIL env variable}" - - "--certificatesResolvers.lets-encrypt.acme.tlsChallenge=true" - - "--certificatesResolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json" - # Uncomment to get Traefik dashboard - # - "--entryPoints.dashboard.address=:8090" - # - "--api.dashboard=true" + environment: + TRAEFIK_ENTRYPOINTS_web_ADDRESS: :80 + TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure + TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_SCHEME: https + TRAEFIK_ENTRYPOINTS_websecure_ADDRESS: :443 + TRAEFIK_CERTIFICATESRESOLVERS_lets-encrypt_ACME_EMAIL: "${ACME_EMAIL:?Please set the ACME_EMAIL env variable}" + TRAEFIK_CERTIFICATESRESOLVERS_lets-encrypt_ACME_TLSCHALLENGE: "true" + TRAEFIK_CERTIFICATESRESOLVERS_lets-encrypt_ACME_STORAGE: /letsencrypt/acme.json ports: - 80:80 - 443:443 diff --git a/docker-compose.yml b/docker-compose.yml index 85422f5926e6..d185a3e7a51f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -224,13 +224,6 @@ services: container_name: traefik restart: always command: - - '--providers.docker.exposedByDefault=false' - - '--providers.docker.network=cvat' - - '--entryPoints.web.address=:8080' - - '--providers.file.directory=/etc/traefik/rules' - # Uncomment to get Traefik dashboard - # - "--entryPoints.dashboard.address=:8090" - # - "--api.dashboard=true" # labels: # - traefik.enable=true # - traefik.http.routers.dashboard.entrypoints=dashboard 
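Review bot: In docker-compose.https.yml the HTTP-to-HTTPS redirect and the ACME resolver are now set only through `TRAEFIK_*` environment variables, and nothing in the file warns that Traefik reads its static configuration from a single source: per its documentation the configuration file, CLI flags and environment variables are mutually exclusive and are checked in that order. If an override file or a local edit passes even one flag through `command:`, the environment settings would be ignored, including `TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: "false"` from the base file, and the proxy would start with defaults. I would add a comment above `environment:` such as `# Traefik ignores all TRAEFIK_* variables when any CLI flag is set; do not add a command: list.` The first docker-compose.yml hunk also appears to leave a bare `command:` key behind as context, which invites exactly that edit and would be better removed.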
@@ -243,11 +236,32 @@ services: CVAT_HOST: ${CVAT_HOST:-localhost} DJANGO_LOG_VIEWER_HOST: grafana DJANGO_LOG_VIEWER_PORT: 3000 + + TRAEFIK_ACCESSLOG_FORMAT: json + # We ought to restrict which fields get logged, so as to avoid redundant information, + # but it doesn't work when configuring with environment variables: + # . + # And we want to use environment variables to allow individual settings to be + # overridden by other Compose files. + TRAEFIK_LOG_FORMAT: json + TRAEFIK_ENTRYPOINTS_web_ADDRESS: :8080 + TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: "false" + TRAEFIK_PROVIDERS_DOCKER_NETWORK: cvat + TRAEFIK_PROVIDERS_FILE_DIRECTORY: /etc/traefik/rules + + # Uncomment to get Traefik dashboard + # TRAEFIK_API_DASHBOARD: "true" + # TRAEFIK_ENTRYPOINTS_dashboard_ADDRESS: :8090 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - ./components/analytics/grafana_conf.yml:/etc/traefik/rules/grafana_conf.yml:ro networks: - cvat + logging: + driver: "json-file" + options: + max-size: 100m + max-file: "10" cvat_opa: container_name: cvat_opa diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml index 66d72ef8884e..de4804349851 100644 --- a/helm-chart/values.yaml +++ b/helm-chart/values.yaml @@ -392,6 +392,27 @@ ingress: traefik: enabled: false + logs: + general: + format: json + access: + enabled: true + format: json + fields: + general: + defaultmode: drop + names: + ClientHost: keep + DownstreamContentSize: keep + DownstreamStatus: keep + Duration: keep + RequestHost: keep + RequestMethod: keep + RequestPath: keep + RequestPort: keep + RequestProtocol: keep + RouterName: keep + StartUTC: keep smokescreen: opts: ''
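Review bot: The Compose deployment turns access logging on with every default field kept, as the new comment under `TRAEFIK_ACCESSLOG_FORMAT: json` concedes, whereas helm-chart/values.yaml in this same patch uses `defaultmode: drop` with an allow-list. The comment explains the limitation but not its consequence: these logs will hold client addresses and full request URLs (query strings included, as far as I know), and the `logging:` block lets up to roughly 1 GB of them (10 files of 100m) accumulate in Docker's json-file store on the host. I would extend the comment with a line such as `# Until this is fixed, access logs contain client addresses and request URLs; handle them as sensitive data.` As a style point, `max-size: 100m` could be quoted like `max-file: "10"` for consistency.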
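Review bot: The allow-list added under `logs.access.fields.general` in helm-chart/values.yaml says nothing about request headers, so whether `Authorization` or `Cookie` values stay out of the log depends on the Traefik chart's own default for `fields.headers` (drop, as far as I know). Stating it next to `general:` guards against that default changing in a later chart version: a `headers:` mapping with `defaultmode: drop` beneath it. A short comment above `names:` saying that `ClientHost` and `RequestPath` are kept deliberately, and that `RequestPath` may carry query-string parameters, would help whoever later sets retention and access rules for these logs.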