Turn on Traefik access logs

changelog.d/20231107_183551_roman_traefik_logs.md

@@ -0,0 +1,5 @@
+### Changed
+
+- The Docker Compose file and Helm chart now enable Traefik access logs by
+ default, and change the log format to JSON
+ (<https://github.com/opencv/cvat/pull/7109>)

docker-compose.https.yml

@@ -16,20 +16,14 @@ services:
  traefik:
  image: traefik:v2.9
  container_name: traefik
- command:
- - "--providers.docker.exposedByDefault=false"
- - "--providers.docker.network=cvat"
- - '--providers.file.directory=/etc/traefik/rules'
- - "--entryPoints.web.address=:80"
- - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
- - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
- - "--entryPoints.websecure.address=:443"
- - "--certificatesResolvers.lets-encrypt.acme.email=${ACME_EMAIL:?Please set the ACME_EMAIL env variable}"
- - "--certificatesResolvers.lets-encrypt.acme.tlsChallenge=true"
- - "--certificatesResolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json"
- # Uncomment to get Traefik dashboard
- # - "--entryPoints.dashboard.address=:8090"
- # - "--api.dashboard=true"
+ environment:
+ TRAEFIK_ENTRYPOINTS_web_ADDRESS: :80
+ TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
+ TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_SCHEME: https
+ TRAEFIK_ENTRYPOINTS_websecure_ADDRESS: :443
+ TRAEFIK_CERTIFICATESRESOLVERS_lets-encrypt_ACME_EMAIL: "${ACME_EMAIL:?Please set the ACME_EMAIL env variable}"
+ TRAEFIK_CERTIFICATESRESOLVERS_lets-encrypt_ACME_TLSCHALLENGE: "true"
+ TRAEFIK_CERTIFICATESRESOLVERS_lets-encrypt_ACME_STORAGE: /letsencrypt/acme.json
  ports:
  - 80:80
  - 443:443

docker-compose.yml

@@ -224,13 +224,6 @@ services:
  container_name: traefik
  restart: always
  command:
- - '--providers.docker.exposedByDefault=false'
- - '--providers.docker.network=cvat'
- - '--entryPoints.web.address=:8080'
- - '--providers.file.directory=/etc/traefik/rules'
- # Uncomment to get Traefik dashboard
- # - "--entryPoints.dashboard.address=:8090"
- # - "--api.dashboard=true"
  # labels:
  # - traefik.enable=true
  # - traefik.http.routers.dashboard.entrypoints=dashboard
@@ -243,11 +236,32 @@ services:
  CVAT_HOST: ${CVAT_HOST:-localhost}
  DJANGO_LOG_VIEWER_HOST: grafana
  DJANGO_LOG_VIEWER_PORT: 3000
+
+ TRAEFIK_ACCESSLOG_FORMAT: json
+ # We ought to restrict which fields get logged, so as to avoid redundant information,
+ # but it doesn't work when configuring with environment variables:
+ # <https://github.com/traefik/traefik/issues/9755>.
+ # And we want to use environment variables to allow individual settings to be
+ # overridden by other Compose files.
+ TRAEFIK_LOG_FORMAT: json
+ TRAEFIK_ENTRYPOINTS_web_ADDRESS: :8080
+ TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: "false"
+ TRAEFIK_PROVIDERS_DOCKER_NETWORK: cvat
+ TRAEFIK_PROVIDERS_FILE_DIRECTORY: /etc/traefik/rules
+
+ # Uncomment to get Traefik dashboard
+ # TRAEFIK_API_DASHBOARD: "true"
+ # TRAEFIK_ENTRYPOINTS_dashboard_ADDRESS: :8090
  volumes:
  - /var/run/docker.sock:/var/run/docker.sock:ro
  - ./components/analytics/grafana_conf.yml:/etc/traefik/rules/grafana_conf.yml:ro
  networks:
  - cvat
+ logging:
+ driver: "json-file"
+ options:
+ max-size: 100m
+ max-file: "10"
 
  cvat_opa:
  container_name: cvat_opa

helm-chart/values.yaml

@@ -392,6 +392,27 @@ ingress:
 
 traefik:
  enabled: false
+ logs:
+ general:
+ format: json
+ access:
+ enabled: true
+ format: json
+ fields:
+ general:
+ defaultmode: drop
+ names:
+ ClientHost: keep
+ DownstreamContentSize: keep
+ DownstreamStatus: keep
+ Duration: keep
+ RequestHost: keep
+ RequestMethod: keep
+ RequestPath: keep
+ RequestPort: keep
+ RequestProtocol: keep
+ RouterName: keep
+ StartUTC: keep
 
 smokescreen:
  opts: ''