diff --git a/charts/longhorn/README.md b/charts/longhorn/README.md index 1bae02be..fb26f649 100644 --- a/charts/longhorn/README.md +++ b/charts/longhorn/README.md @@ -27,7 +27,15 @@ Source: ### How to configure disks for LH -As of now, we follow the same approach we use for `/docker` folder (via ansible playbook) but we use `/longhorn` folder name +Manual configuration performed (to be moved to ansible) +1. Create partition on the disk + * e.g. via using `fdisk` https://phoenixnap.com/kb/linux-create-partition +2. Format partition as XFS + * `sudo mkfs.xfs -f /dev/sda1` +3. Mount partition `sudo mount -t xfs /dev/sda1 /longhorn` +4. Persist mount in `/etc/fstab` by adding line + * `UUID= /longhorn xfs pquota 0 0` + * UUID can be received from `lsblk -f` Issue asking LH to clearly document requirements: https://github.com/longhorn/longhorn/issues/11125 @@ -54,3 +62,22 @@ Insights into LH's performance: Resource requirements: * https://github.com/longhorn/longhorn/issues/1691 + +### (Kubernetes) Node maintenance + +https://longhorn.io/docs/1.8.1/maintenance/maintenance/ + +Note: you can use Longhorn GUI to perform some operations + +### Zero downtime updating longhorn disks (procedure) +Notes: +* Update one node at a time so that other nodes can still serve data + +1. Go to LH GUI and select a Node + 1. Disable scheduling + 2. Request eviction +1. Remove disk from the node + * If remove icon is disabled, disable eviction on disk to enable the remove button +2. Perform disks updates on the node +3. Make sure LH didn't pick up wrongly configured disk in the meantime and remove the wrong disk if it did so +4. Wait till LH automatically adds the disk to the Node diff --git a/charts/topolvm/README.md b/charts/topolvm/README.md new file mode 100644 index 00000000..849df697 --- /dev/null +++ b/charts/topolvm/README.md 
@@ -0,0 +1,43 @@ +## topolvm components and architecture +See diagram https://github.com/topolvm/topolvm/blob/topolvm-chart-v15.5.5/docs/design.md + +## Preqrequisites +`topolvm` does not automatically creates Volume Groups (specified in device-classes). This needs to be configured additionally (e.g. manually, via ansible, ...) + +Manual example (Ubuntu 22.04): +1. Create partition to use later (`sudo fdisk /dev/sda`) +2. Create PV (`sudo pvcreate /dev/sda2`) + * Prerequisite: `sudo apt install lvm2` +3. Create Volume group (`sudo vgcreate topovg-sdd /dev/sda2`) + * Note: Volume group's name must correspond to the setting of `volume-group` inside `lvmd.deviceClasses` +4. Check volume group (`sudo vgdisplay`) + +Source: https://github.com/topolvm/topolvm/blob/topolvm-chart-v15.5.5/docs/getting-started.md#prerequisites + +## Deleting PV(C)s with `retain` reclaim policy +1. Delete release (e.g. helm uninstall -n test test) +2. Find LogicalVolume CR (`kubectl get logicalvolumes.topolvm.io` +3. Delete LogicalVolume CR (`kubectl delete logicalvolumes.topolvm.io `) +4. Delete PV (`kubectl delete PV `) + +## Backup / Snapshotting +1. Only possible while using thin provisioning +2. We use thick (non-thin provisioned) volumes --> no snapshot support + + Track this feature request for changes https://github.com/topolvm/topolvm/issues/1070 + +Note: there might be alternative not documented ways (e.g. via Velero) + +## Resizing PVs +1. Update storage capacity in configuration +2. Deploy changes + +Note: storage size can only be increased. Otherwise, one gets `Forbidden: field can not be less than previous value` error + +## Node maintenance + +Read https://github.com/topolvm/topolvm/blob/topolvm-chart-v15.5.5/docs/node-maintenance.md + +## Using topolvm. Notes +* `topolvm` may not work with pods that define `spec.nodeName` Use node affinity instead + https://github.com/topolvm/topolvm/blob/main/docs/faq.md#the-pod-does-not-start-when-nodename-is-specified-in-the-pod-spec 
diff --git a/charts/topolvm/values.yaml.gotmpl b/charts/topolvm/values.yaml.gotmpl
new file mode 100644
index 00000000..216d54ef
--- /dev/null
+++ b/charts/topolvm/values.yaml.gotmpl
@@ -0,0 +1,106 @@ +lvmd: + # set up lvmd service with DaemonSet + managed: true + + # device classes (VGs) need to be created outside of topolvm (e.g. manually, via ansible, ...) + deviceClasses: + - name: ssd + volume-group: topovg-sdd + default: true + spare-gb: 5 + +storageClasses: + - name: {{ .Values.topolvmStorageClassName }} + storageClass: + # Want to use non-default device class? + # See configuration example in + # https://github.com/topolvm/topolvm/blob/topolvm-chart-v15.5.5/docs/snapshot-and-restore.md#set-up-a-storage-class + + fsType: xfs + isDefaultClass: false + # volumeBindingMode can be either WaitForFirstConsumer or Immediate. WaitForFirstConsumer is recommended because TopoLVM cannot schedule pods wisely if volumeBindingMode is Immediate. + volumeBindingMode: WaitForFirstConsumer + allowVolumeExpansion: true + # NOTE: On removal requires manual clean up of PVs, LVMs + # and Logical Volumes (CR logicalvolumes.topolvm.io). + # Removal Logical Volume (CR) would clean up the LVM on the node, + # but PV has still to be removed manually. 
+ # Read more: https://github.com/topolvm/topolvm/blob/topolvm-chart-v15.5.5/docs/advanced-setup.md#storageclass + reclaimPolicy: Retain + +resources: + topolvm_node: + requests: + memory: 100Mi + cpu: 100m + limits: + memory: 500Mi + cpu: 500m + + topolvm_controller: + requests: + memory: 50Mi + cpu: 50m + limits: + memory: 200Mi + cpu: 200m + + lvmd: + requests: + memory: 100Mi + cpu: 100m + limits: + memory: 500Mi + cpu: 500m + + csi_registrar: + requests: + cpu: 25m + memory: 10Mi + limits: + cpu: 200m + memory: 200Mi + + csi_provisioner: + requests: + memory: 50Mi + cpu: 50m + limits: + memory: 200Mi + cpu: 200m + + csi_resizer: + requests: + memory: 50Mi + cpu: 50m + limits: + memory: 200Mi + cpu: 200m + + csi_snapshotter: + requests: + memory: 50Mi + cpu: 50m + limits: + memory: 200Mi + cpu: 200m + + liveness_probe: + requests: + cpu: 25m + memory: 10Mi + limits: + cpu: 200m + memory: 200Mi + +# https://github.com/topolvm/topolvm/blob/topolvm-chart-v15.5.5/docs/topolvm-scheduler.md +scheduler: + # start simple + enabled: false + +cert-manager: + # start simple + enabled: false + +snapshot: + enabled: true diff --git a/scripts/deployments/deploy_everything_locally.bash b/scripts/deployments/deploy_everything_locally.bash index a20c02e8..8907150f 100755 --- a/scripts/deployments/deploy_everything_locally.bash +++ b/scripts/deployments/deploy_everything_locally.bash @@ -243,7 +243,7 @@ if [ "$start_opsstack" -eq 0 ]; then call_make "." up-"$stack_target"; popd - # -------------------------------- GRAYLOG ------------------------------- + # -------------------------------- Graylog ------------------------------- log_info "starting graylog..." service_dir="${repo_basedir}"/services/graylog pushd "${service_dir}" diff --git a/services/graylog/GraylogWorkflow.png b/services/graylog/GraylogWorkflow.png deleted file mode 100644 index 0f795fa6..00000000 Binary files a/services/graylog/GraylogWorkflow.png and /dev/null differ 
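Review bot: `name: {{ .Values.topolvmStorageClassName }}` under `storageClasses` is an unquoted templated scalar; if the value renders empty the key becomes null, and a value that looks like a number or boolean is retyped before Helm sees it, so write it as `name: "{{ .Values.topolvmStorageClassName }}"`. Separately, `snapshot: enabled: true` installs the snapshot components while the README added in this same commit states that thick-provisioned volumes get no snapshot support, so either the flag or the README is stale; a comment on `snapshot:` recording why it stays on would settle it. The device class is named `ssd` but its `volume-group` is `topovg-sdd`, which reads like a typo for `ssd`; it does match the README's `vgcreate topovg-sdd`, so if it is intentional a comment saying so would prevent a later "fix" from breaking the binding.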
diff --git a/services/graylog/data/contentpacks/osparc-custom-content-pack-v2.json b/services/graylog/contentpacks/osparc-custom-content-pack-v2.json
similarity index 100%
rename from services/graylog/data/contentpacks/osparc-custom-content-pack-v2.json
rename to services/graylog/contentpacks/osparc-custom-content-pack-v2.json
diff --git a/services/graylog/docker-compose.aws.yml b/services/graylog/docker-compose.aws.yml
index 02c74c29..d32afc1f 100644
--- a/services/graylog/docker-compose.aws.yml
+++ b/services/graylog/docker-compose.aws.yml
@@ -1,4 +1,4 @@
-version: '3.7'
+version: '3.8'
 services:
 mongodb:
 deploy:
diff --git a/services/graylog/docker-compose.dalco.yml b/services/graylog/docker-compose.dalco.yml
index 4429c90b..ad187885 100644
--- a/services/graylog/docker-compose.dalco.yml
+++ b/services/graylog/docker-compose.dalco.yml
@@ -1,4 +1,3 @@
-version: "3.7"
 services:
 mongodb:
 deploy:
diff --git a/services/graylog/docker-compose.letsencrypt.dns.yml b/services/graylog/docker-compose.letsencrypt.dns.yml
index 48222860..f990268d 100644
--- a/services/graylog/docker-compose.letsencrypt.dns.yml
+++ b/services/graylog/docker-compose.letsencrypt.dns.yml
@@ -1,4 +1,4 @@
-version: '3.7'
+version: '3.8'
 services:
 graylog:
 deploy:
diff --git a/services/graylog/docker-compose.letsencrypt.http.yml b/services/graylog/docker-compose.letsencrypt.http.yml
index ccf4a52f..bf180418 100644
--- a/services/graylog/docker-compose.letsencrypt.http.yml
+++ b/services/graylog/docker-compose.letsencrypt.http.yml
@@ -1,4 +1,4 @@
-version: '3.7'
+version: '3.8'
 services:
 graylog:
 deploy:
diff --git a/services/graylog/docker-compose.local.yml b/services/graylog/docker-compose.local.yml
index be320908..036d0dee 100644
--- a/services/graylog/docker-compose.local.yml
+++ b/services/graylog/docker-compose.local.yml
@@ -1,4 +1,3 @@
-version: "3.7"
 services:
 mongodb:
 deploy:
diff --git a/services/graylog/docker-compose.master.yml b/services/graylog/docker-compose.master.yml index 4429c90b..ad187885 100644 --- a/services/graylog/docker-compose.master.yml +++ b/services/graylog/docker-compose.master.yml @@ -1,4 +1,3 @@ -version: "3.7" services: mongodb: deploy: diff --git a/services/graylog/docker-compose.yml.j2 b/services/graylog/docker-compose.yml.j2 index 9e6d4c0e..ca1eb5d6 100644 --- a/services/graylog/docker-compose.yml.j2 +++ b/services/graylog/docker-compose.yml.j2 @@ -1,4 +1,3 @@ -version: "3.7" services: # MongoDB: https://hub.docker.com/_/mongo/ mongodb: @@ -19,7 +18,7 @@ services: memory: 300M cpus: "0.1" networks: - default: + graylog: aliases: - mongo # needed because of graylog configuration @@ -46,6 +45,8 @@ services: reservations: memory: 1G cpus: "0.1" + networks: + graylog: # Graylog: https://hub.docker.com/r/graylog/graylog/ graylog: image: graylog/graylog:6.0.5 @@ -69,8 +70,11 @@ services: - GRAYLOG_HTTP_EXTERNAL_URI=${GRAYLOG_HTTP_EXTERNAL_URI} - GRAYLOG_ELASTICSEARCH_HOSTS=http://elasticsearch:9200, networks: - - public - - default + public: + monitoring: + graylog: + aliases: + - graylog ports: - 12201:12201/udp - 12202:12202/udp @@ -85,10 +89,9 @@ services: reservations: cpus: "0.1" memory: 1G - labels: - traefik.enable=true - - traefik.swarm.network=${PUBLIC_NETWORK} + - traefik.docker.network=${PUBLIC_NETWORK} # direct access through port - traefik.http.services.graylog.loadbalancer.server.port=9000 - traefik.http.routers.graylog.rule=Host(`${MONITORING_DOMAIN}`) && PathPrefix(`/graylog`) 
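Review bot: In the `@@ -85,10 +89,9 @@` hunk the label `traefik.swarm.network=${PUBLIC_NETWORK}` is replaced by `traefik.docker.network=${PUBLIC_NETWORK}`, which is the Traefik v2 / Docker-provider spelling, while the Traefik overlays deleted in this same commit configure `--providers.swarm.*`, i.e. the v3 Swarm provider, whose documented network override is `traefik.swarm.network`. If the deployed Traefik is v3 with the Swarm provider, the renamed label may be ignored and Traefik would pick a network on its own; the graylog service now sits on three networks (`public`, `monitoring`, `graylog`) after the `@@ -69,8 +70,11 @@` hunk, so a wrong pick is more likely than before. Please confirm the provider in use and add a comment on the label naming the Traefik version it targets, e.g. `# Traefik <version placeholder>, Swarm provider: network override label`.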
@@ -97,18 +100,98 @@ services: - traefik.http.middlewares.graylog_replace_regex.replacepathregex.regex=^/graylog/?(.*)$$ - traefik.http.middlewares.graylog_replace_regex.replacepathregex.replacement=/$${1} - traefik.http.routers.graylog.middlewares=ops_whitelist_ips@swarm, ops_gzip@swarm, graylog_replace_regex + fluentd: + image: itisfoundation/fluentd:v1.16.8-1.0 + configs: + - source: fluentd_config + target: /fluentd/etc/fluent.conf + environment: + - GRAYLOG_HOST=graylog + - GRAYLOG_PORT=12201 + - LOKI_URL=http://loki:3100 + - FLUENTD_HOSTNAME={% raw %}{{.Node.Hostname}}{% endraw %} + ports: + - "24224:24224/tcp" + deploy: + #mode: global # Run on all nodes + restart_policy: + condition: on-failure + resources: + limits: + cpus: '1.0' + memory: 1G + reservations: + cpus: '0.5' + memory: 512M + update_config: + parallelism: 1 + delay: 10s + order: start-first + networks: + - monitoring + - graylog + healthcheck: + test: ["CMD", "curl", "-f", "http://0.0.0.0:24220/api/plugins"] + interval: 30s + timeout: 10s + retries: 3 + start_period: 40s + + loki: + image: grafana/loki:3.5.0 + configs: + - source: loki_config + target: /etc/loki/loki.yaml + command: -config.file=/etc/loki/loki.yaml + deploy: + placement: + constraints: [] + replicas: 1 + restart_policy: + condition: any + delay: 5s + resources: + limits: + cpus: '1.0' + memory: 2G + reservations: + cpus: '0.5' + memory: 1G + update_config: + parallelism: 1 + delay: 10s + order: start-first + networks: + - monitoring + healthcheck: + test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://0.0.0.0:3100/ready"] + interval: 30s + timeout: 10s + retries: 3 + start_period: 40s + volumes: + loki-data: mongo_data: elasticsearch_data: graylog_journal: networks: + graylog: public: external: true name: ${PUBLIC_NETWORK} - + monitoring: + external: true + name: ${MONITORED_NETWORK} configs: graylog_config: name: ${STACK_NAME}_graylog_config_{{ "./data/contentpacks/osparc-custom-content-pack-v2.json" | 
sha256file | substring(0,10) }} file: ./data/contentpacks/osparc-custom-content-pack-v2.json + fluentd_config: + name: ${STACK_NAME}_fluentd_config_{{ "./fluentd/fluent.conf" | sha256file | substring(0,10) }} + file: ./fluentd/fluent.conf + loki_config: + name: ${STACK_NAME}_loki_config_{{ "./loki.yaml" | sha256file | substring(0,10) }} + file: ./loki.yaml diff --git a/services/graylog/fluentd/Dockerfile b/services/graylog/fluentd/Dockerfile new file mode 100644 index 00000000..b3b0ef1c --- /dev/null +++ b/services/graylog/fluentd/Dockerfile @@ -0,0 +1,26 @@ +FROM fluent/fluentd:v1.16.8-1.0 + +USER root + +# Install dependencies and plugins +RUN apk add --no-cache --update --virtual .build-deps \ + sudo build-base ruby-dev curl \ + && sudo gem install fluent-plugin-grafana-loki \ + && sudo gem install fluent-plugin-gelf-best \ + && sudo gem install fluent-plugin-prometheus \ + && apk del .build-deps \ + && apk add --no-cache curl jq \ + && rm -rf /var/cache/apk/* \ + && rm -rf /tmp/* /var/tmp/* /usr/lib/ruby/gems/*/cache/*.gem + +# Create directories with appropriate permissions +RUN mkdir -p /fluentd/buffer /fluentd/log \ + && chown -R fluent:fluent /fluentd/buffer /fluentd/log + +# Health check +HEALTHCHECK --interval=30s --timeout=30s --retries=3 \ + CMD curl -s http://localhost:24220/api/plugins | jq -e '.plugins | length > 0' || exit 1 + +USER fluent + +ENTRYPOINT ["fluentd", "-c", "/fluentd/etc/fluent.conf"] diff --git a/services/graylog/fluentd/fluent.conf b/services/graylog/fluentd/fluent.conf new file mode 100644 index 00000000..84ecda6b --- /dev/null +++ b/services/graylog/fluentd/fluent.conf 
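Review bot: The `loki` service declares no `volumes:` entry, yet `loki.yaml` in this commit stores index, chunks and compactor state under `/tmp/loki`, and the hunk adds a top-level `loki-data:` volume that nothing mounts; every Loki restart or reschedule therefore discards all stored logs. Mount it on the service, e.g. `volumes:` / `- loki-data:/tmp/loki`, or point `path_prefix` at a mounted path. The same applies to fluentd's file buffers under `/fluentd/buffer`, which are configured with `retry_forever true` but live in the container filesystem. Also, `ports: - "24224:24224/tcp"` publishes the fluentd forward input on the swarm ingress of every node while `fluent.conf` enables no `<security>` or TLS on that input, so any host able to reach a node on 24224 can inject records into Graylog and Loki; restrict the publish with `mode: host` plus host firewalling, or enable forward-protocol authentication, and add a comment on the `ports:` line stating which one was chosen.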
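Review bot: The three `gem install` calls in the `RUN` layer are unpinned (`fluent-plugin-grafana-loki`, `fluent-plugin-gelf-best`, `fluent-plugin-prometheus`), so a rebuild at a later date pulls whatever the latest gem is, while the image tag `v1.16.8-1.0` used by the compose file only tracks the base image; pin each gem with `-v <version placeholder>` so the tag identifies reproducible contents and a later supply-chain review can tell what shipped. The `sudo` prefixes are unnecessary because the layer already runs as `USER root`, and `curl` is installed into `.build-deps`, removed by `apk del .build-deps` and re-installed on the next line; install `curl jq` once outside the virtual package. `rm -rf /var/cache/apk/*` is redundant with `--no-cache`.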
@@ -0,0 +1,105 @@ +# Monitoring + + @type monitor_agent + bind 0.0.0.0 + port 24220 + + +# Prometheus metrics + + @type prometheus + bind 0.0.0.0 + port 24231 + metrics_path metrics + + +# +# log_level debug +# + + + @type prometheus_output_monitor + interval 10 + + hostname ${hostname} + + + +# Input: Receive logs from Docker containers + + @type forward + port 24224 + bind 0.0.0.0 + + +# Add additional metadata + + @type record_transformer + + hostname "#{Socket.gethostname}" + fluentd_hostname "#{ENV['FLUENTD_HOSTNAME']}" + tag ${tag} + + + +# Output to both Graylog (GELF) and Loki + + @type copy + + # Output to Graylog using GELF + + @type gelf + host graylog + port 12201 + protocol udp + add_msec_time true + flush_interval 5s + + @type file + path /fluentd/buffer/graylog + flush_thread_count 8 + flush_interval 5s + retry_forever true + retry_max_interval 30 + chunk_limit_size 8M + total_limit_size 1G + + + @type file + path /fluentd/log/graylog-error + append true + + @type json + + + + + # Output to Loki + + @type loki + url "#{ENV['LOKI_URL']}" + extra_labels {"job": "docker"} + line_format json + username "" + password "" + flush_interval 5s + + @type file + path /fluentd/buffer/loki + flush_thread_count 8 + flush_interval 5s + retry_forever true + retry_max_interval 30 + chunk_limit_size 8M + total_limit_size 1G + + + @type file + path /fluentd/log/loki-error + append true + + @type json + + + + diff --git a/services/graylog/loki.yaml b/services/graylog/loki.yaml new file mode 100644 index 00000000..eb6fae7d --- /dev/null +++ b/services/graylog/loki.yaml 
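Review bot: The forward input (`@type forward`, `bind 0.0.0.0`, `port 24224`) has no `<security>` section and no `<transport tls>`, and the compose file in this commit publishes that port; in that setup any client reaching the port can inject arbitrary records into Graylog and Loki, including lines matching the queries in `alerts.template.yaml`. Add a `<security>` block with `self_hostname` and a `shared_key` taken from the environment, or document on the input that it is only reachable from trusted hosts. The `record_transformer` sets `hostname "#{Socket.gethostname}"`, which in a swarm service is presumably the container id rather than the node, while `fluentd_hostname` from `FLUENTD_HOSTNAME` already carries the node name; a comment stating which field dashboards should key on would help. The Loki output's `username ""` / `password ""` are empty because Loki runs with `auth_enabled: false`; a one-line comment saying so avoids them being mistaken for missing secrets.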
@@ -0,0 +1,39 @@ +auth_enabled: false + +server: + http_listen_port: 3100 + +common: + path_prefix: /tmp/loki # Required for automatic directory resolution + +ingester: + lifecycler: + address: 0.0.0.0 + ring: + kvstore: + store: inmemory + replication_factor: 1 + +schema_config: + configs: + - from: 2020-10-15 + store: tsdb + object_store: filesystem + schema: v13 + index: + prefix: index_ + period: 24h + +storage_config: + tsdb_shipper: # Correct section name + active_index_directory: /tmp/loki/tsdb-index + cache_location: /tmp/loki/tsdb-cache + filesystem: + directory: /tmp/loki/chunks + +compactor: # Required for TSDB + working_directory: /tmp/loki/compactor + retention_enabled: false + +limits_config: + retention_period: 48h # Must be ≥24h and multiple of index period (24h) diff --git a/services/graylog/scripts/alerts.template.yaml b/services/graylog/scripts/alerts.template.yaml index fcadc6cf..8568215e 100644 --- a/services/graylog/scripts/alerts.template.yaml +++ b/services/graylog/scripts/alerts.template.yaml @@ -3,7 +3,7 @@ priority: 3 config: query: > - container_name: /.*director-v2.*/ AND "could not find an available, non-overlapping IPv4 address pool among the defaults to assign to the network" AND NOT container_name:/.*graylog_graylog.*/ + container_name: /.*director-v2.*/ AND "could not find an available, non-overlapping IPv4 address pool among the defaults to assign to the network" AND NOT container_name:/.*logging_graylog.*/ query_parameters: [] search_within_ms: 600000 event_limit: 1000 @@ -43,7 +43,7 @@ priority: 2 config: query: > - "lock is no longer owned. This is unexpected and requires investigation" AND NOT container_name:/.*graylog_graylog.*/ + "lock is no longer owned. This is unexpected and requires investigation" AND NOT container_name:/.*logging_graylog.*/ query_parameters: [] search_within_ms: 3600000 event_limit: 1000 
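Review bot: `limits_config.retention_period: 48h` has no effect while `compactor.retention_enabled: false`, so the comment on that line describes a constraint that is not enforced and `/tmp/loki` grows without bound; either set `retention_enabled: true` or drop `retention_period` and its comment so the file does not suggest a 48h window exists. `auth_enabled: false` means any client on the `monitoring` network can read and write every tenant; that is defensible for an internal network but deserves a comment on the line stating the assumption. The comments `# Correct section name` and `# Required for TSDB` read as editing notes rather than documentation; replace them with what the setting does, e.g. `# TSDB shipper: location of the local index and its cache`.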
@@ -82,7 +82,7 @@ priority: 2 config: query: > - "LockNotOwnedError" AND NOT container_name:/.*graylog_graylog.*/ + "LockNotOwnedError" AND NOT container_name:/.*logging_graylog.*/ query_parameters: [] search_within_ms: 3600000 event_limit: 1000 diff --git a/services/graylog/template.env b/services/graylog/template.env index 6d8bd056..7ea0096a 100644 --- a/services/graylog/template.env +++ b/services/graylog/template.env @@ -15,3 +15,4 @@ GRAYLOG_WAIT_ONLINE_TIMEOUT_SEC=${GRAYLOG_WAIT_ONLINE_TIMEOUT_SEC} GRAYLOG_LOG_MAX_DAYS_IN_STORAGE=${GRAYLOG_LOG_MAX_DAYS_IN_STORAGE} GRAYLOG_LOG_MIN_DAYS_IN_STORAGE=${GRAYLOG_LOG_MIN_DAYS_IN_STORAGE} PUBLIC_NETWORK=${PUBLIC_NETWORK} +MONITORED_NETWORK=${MONITORED_NETWORK} diff --git a/services/monitoring/Makefile b/services/monitoring/Makefile index e6bf0702..5e01027c 100644 --- a/services/monitoring/Makefile +++ b/services/monitoring/Makefile @@ -63,6 +63,7 @@ docker-compose.yml: docker-compose.yml.j2 \ tempo_config.yaml \ alertmanager/config.yml \ grafana/config.monitoring \ + config.prometheus \ $(COMMON_COMPOSE_DEPENDENCIES) # generating $@ @$(call jinja,$<,.env,$@) diff --git a/services/monitoring/grafana/terraform/datasources.tf b/services/monitoring/grafana/terraform/datasources.tf index a984cca3..9d928f6c 100644 --- a/services/monitoring/grafana/terraform/datasources.tf +++ b/services/monitoring/grafana/terraform/datasources.tf @@ -34,6 +34,13 @@ resource "grafana_data_source" "tempo" { is_default = false } +resource "grafana_data_source" "loki" { + type = "loki" + name = "loki" + url = "http://loki:3100" + basic_auth_enabled = false + is_default = false +} resource "grafana_data_source" "cloudwatch" { # This resource is only created if the AWS Deployments count = var.IS_AWS_DEPLOYMENT ? 1 : 0 diff --git a/services/traefik/Makefile b/services/traefik/Makefile index 7aeb625d..f17f9cf0 100644 --- a/services/traefik/Makefile +++ b/services/traefik/Makefile 
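Review bot: The new `grafana_data_source "loki"` block runs straight into `resource "grafana_data_source" "cloudwatch"` with no blank line, unlike every neighbouring resource; add the separator. The datasource targets `http://loki:3100`, which only resolves if Grafana shares the `${MONITORED_NETWORK}` network the compose change attaches Loki to; that is not visible here, so please confirm it, or add a comment on `url` naming the network dependency. Since Loki runs with `auth_enabled: false`, `basic_auth_enabled = false` is consistent, but a comment tying the two settings together would make a later move to authenticated multi-tenant access a deliberate two-line change.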
@@ -49,38 +49,32 @@ ${TEMP_COMPOSE}-local: docker-compose.yml docker-compose.local.yml .env traefik_ ${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< docker-compose.local.yml > $@ .PHONY: ${TEMP_COMPOSE}-aws -${TEMP_COMPOSE}-aws: docker-compose.yml docker-compose.aws.yml .env +${TEMP_COMPOSE}-aws: docker-compose.yml .env @set -o allexport; \ source .env; \ set +o allexport; \ - ${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< docker-compose.aws.yml > $@ + ${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< > $@ .PHONY: ${TEMP_COMPOSE}-dalco -${TEMP_COMPOSE}-dalco: docker-compose.yml docker-compose.dalco.yml .env +${TEMP_COMPOSE}-dalco: docker-compose.yml .env @set -o allexport; \ source .env; \ set +o allexport; \ - ${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< docker-compose.dalco.yml > $@ + ${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< > $@ .PHONY: ${TEMP_COMPOSE}-public -${TEMP_COMPOSE}-public: docker-compose.yml docker-compose.public.yml .env +${TEMP_COMPOSE}-public: docker-compose.yml .env @set -o allexport; \ source .env; \ set +o allexport; \ - ${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< docker-compose.public.yml > $@ + ${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< > $@ .PHONY: ${TEMP_COMPOSE}-master -${TEMP_COMPOSE}-master: docker-compose.yml docker-compose.master.yml .env +${TEMP_COMPOSE}-master: docker-compose.yml .env @set -o allexport; \ source .env; \ set +o allexport; \ - ${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< docker-compose.master.yml > $@ - -.PHONY: docker-compose.letsencrypt.dns.yml -docker-compose.letsencrypt.dns.yml: .venv .env - @$(call jinja, docker-compose.letsencrypt.dns.yml.j2, .env, docker-compose.letsencrypt.dns.yml.unlinted) && \ - $(_yq) docker-compose.letsencrypt.dns.yml.unlinted > docker-compose.letsencrypt.dns.yml; \ - rm docker-compose.letsencrypt.dns.yml.unlinted >/dev/null 2>&1; + 
${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< > $@ .PHONY: docker-compose.yml docker-compose.yml: traefik_dynamic_config.yml .venv .env diff --git a/services/traefik/docker-compose.aws.yml b/services/traefik/docker-compose.aws.yml deleted file mode 100644 index 325419c5..00000000 --- a/services/traefik/docker-compose.aws.yml +++ /dev/null 
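Review bot: The four `${TEMP_COMPOSE}-aws/-dalco/-public/-master` recipes now have identical bodies (`docker-stack-config.bash -e .env $< > $@` over `docker-compose.yml .env`), which a single pattern rule such as `${TEMP_COMPOSE}-%: docker-compose.yml .env` could replace. More importantly, the deleted per-environment overlays carried deployment-specific settings — the Route53 credentials in `environment:`, the `dns: 8.8.8.8` entries, host-mode `ports` for RabbitMQ/Redis, `node.labels.traefik==true` placement and the `/etc/traefik_certs` volume — and the consolidated `docker-compose.yml.j2` hunk is cut off at the end of this page, so I cannot confirm they were carried over; please verify each one is templated there. The `.PHONY: docker-compose.letsencrypt.dns.yml` target is also removed; check that no other Makefile or script still invokes it.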
@@ -1,54 +0,0 @@ -services: - traefik: - command: - - "--api=true" - - "--ping=true" - - "--entryPoints.ping.address=:9082" - - "--ping.entryPoint=ping" - - "--api.dashboard=true" - - "--log.level=${OPS_TRAEFIK_LOGLEVEL}" - - "--accesslog=false" - - "--metrics.prometheus=true" - - "--metrics.prometheus.addEntryPointsLabels=true" - - "--metrics.prometheus.addServicesLabels=true" - - "--entryPoints.metrics.address=:8082" - - "--metrics.prometheus.entryPoint=metrics" - - "--entryPoints.http.address=:80" - - "--entrypoints.http.http.redirections.entrypoint.to=https" - - "--entrypoints.http.http.redirections.entrypoint.scheme=https" - - "--entrypoints.http.http.redirections.entrypoint.permanent=true" - - "--entryPoints.http.transport.respondingTimeouts.writeTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.http.transport.respondingTimeouts.readTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.https.address=:443" - - "--entryPoints.https.transport.respondingTimeouts.writeTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.https.transport.respondingTimeouts.readTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.smtp.address=:25" - - "--entryPoints.rabbit.address=:5672" - - "--providers.swarm.endpoint=unix:///var/run/docker.sock" - - "--providers.swarm.exposedByDefault=false" - - "--core.defaultRuleSyntax=v2" - - "--tracing=true" - - "--tracing.addinternals" - - "--tracing.otlp=true" - - "--tracing.otlp.http=true" - - "--providers.swarm.constraints=!LabelRegex(`io.simcore.zone`, `.+`)" - - "--entryPoints.https.forwardedHeaders.insecure" - - "--providers.file.directory=/etc/traefik/" - - "--providers.file.watch=true" - ports: - - target: 5672 - published: 5672 - mode: host - environment: - - AWS_ACCESS_KEY_ID=${ROUTE53_DNS_CHALLANGE_ACCESS_KEY} - - AWS_SECRET_ACCESS_KEY=${ROUTE53_DNS_CHALLANGE_SECRET_KEY} - 
deploy: - replicas: ${OPS_TRAEFIK_REPLICAS} - placement: - constraints: - - node.labels.traefik==true - volumes: - - /etc/traefik_certs:/etc/traefik_certs - whoami: - dns: # Add this always for AWS, otherwise we get "No such image: " for docker services - 8.8.8.8 diff --git a/services/traefik/docker-compose.dalco.yml b/services/traefik/docker-compose.dalco.yml deleted file mode 100644 index 81fcc865..00000000 --- a/services/traefik/docker-compose.dalco.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -services: - traefik: - command: - - "--api=true" - - "--ping=true" - - "--entryPoints.ping.address=:9082" - - "--ping.entryPoint=ping" - - "--api.dashboard=true" - - "--log.level=${OPS_TRAEFIK_LOGLEVEL}" - - "--accesslog=false" - - "--metrics.prometheus=true" - - "--metrics.prometheus.addEntryPointsLabels=true" - - "--metrics.prometheus.addServicesLabels=true" - - "--entryPoints.metrics.address=:8082" - - "--metrics.prometheus.entryPoint=metrics" - - "--entryPoints.http.address=:80" - - "--entrypoints.http.http.redirections.entrypoint.to=https" - - "--entrypoints.http.http.redirections.entrypoint.scheme=https" - - "--entrypoints.http.http.redirections.entrypoint.permanent=true" - - "--entryPoints.http.transport.respondingTimeouts.writeTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.http.transport.respondingTimeouts.readTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.https.address=:443" - - "--entryPoints.https.transport.respondingTimeouts.writeTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.https.transport.respondingTimeouts.readTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.smtp.address=:25" - - "--entryPoints.postgres.address=:5432" - - "--providers.swarm.endpoint=unix:///var/run/docker.sock" - - "--providers.swarm.exposedByDefault=false" - - "--core.defaultRuleSyntax=v2" - - "--tracing.serviceName=ops-traefik" - - "--tracing.otlp.http.endpoint=http://otel-collector:4318/v1/traces" - - "--providers.swarm.constraints=!LabelRegex(`io.simcore.zone`, `.+`)" - - "--entryPoints.https.forwardedHeaders.insecure" - - "--providers.file.directory=/etc/traefik/" - - "--providers.file.watch=true" - deploy: - replicas: ${OPS_TRAEFIK_REPLICAS} - placement: - constraints: - - node.labels.traefik==true - volumes: - - /etc/traefik_certs:/etc/traefik_certs 
diff --git a/services/traefik/docker-compose.local.yml b/services/traefik/docker-compose.local.yml
index c15ee2e7..611fc0d5 100644
--- a/services/traefik/docker-compose.local.yml
+++ b/services/traefik/docker-compose.local.yml
@@ -1,48 +1,5 @@ services: traefik: - command: - # Here we subsitute with a custom entrypoint to load self-signed - # certificates. - - "/bin/sh" - - "/customEntrypoint.sh" - - "--api=true" - - "--ping=true" - - "--entryPoints.ping.address=:9082" - - "--ping.entryPoint=ping" - - "--api.dashboard=true" - - "--log.level=${OPS_TRAEFIK_LOGLEVEL}" - - "--accesslog=true" - - "--accesslog.format=json" - - "--accesslog.fields.defaultmode=keep" - - "--accesslog.fields.names.ClientUsername=keep" - - "--accesslog.fields.headers.defaultmode=keep" - - "--accesslog.fields.headers.names.User-Agent=keep" - - "--accesslog.fields.headers.names.Authorization=drop" - - "--accesslog.fields.headers.names.Content-Type=keep" - - "--metrics.prometheus=true" - - "--metrics.prometheus.addEntryPointsLabels=true" - - "--metrics.prometheus.addServicesLabels=true" - - "--entryPoints.metrics.address=:8082" - - "--metrics.prometheus.entryPoint=metrics" - - "--entryPoints.smtp.address=:25" - - "--entryPoints.http.address=:80" - - "--entryPoints.http.transport.respondingTimeouts.writeTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.http.transport.respondingTimeouts.readTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.https.address=:443" - - "--entryPoints.https.transport.respondingTimeouts.writeTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.https.transport.respondingTimeouts.readTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.postgres.address=:5432" - - "--entrypoints.http.http.redirections.entrypoint.to=https" - - "--entrypoints.http.http.redirections.entrypoint.scheme=https" - - "--entrypoints.http.http.redirections.entrypoint.permanent=true" - - "--providers.swarm.endpoint=unix:///var/run/docker.sock" - - "--providers.swarm.exposedByDefault=false" - - "--providers.swarm.constraints=!LabelRegex(`io.simcore.zone`, 
`${TRAEFIK_SIMCORE_ZONE}`)" - - "--core.defaultRuleSyntax=v2" - - "--tracing.serviceName=ops-traefik" - - "--tracing.otlp.http.endpoint=http://otel-collector:4318/v1/traces" - - "--providers.file.directory=/etc/traefik/" - - "--providers.file.watch=true" networks: public: monitored: diff --git a/services/traefik/docker-compose.master.yml b/services/traefik/docker-compose.master.yml deleted file mode 100644 index e676a479..00000000 --- a/services/traefik/docker-compose.master.yml +++ /dev/null 
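Review bot: The local overlay no longer sets `command:`, so the access-log header policy it carried — in particular `--accesslog.fields.headers.defaultmode=keep` paired with `--accesslog.fields.headers.names.Authorization=drop` — and the `/customEntrypoint.sh` wrapper that loads self-signed certificates now have to come from the base `docker-compose.yml.j2`; that hunk is outside this page, so please confirm both survived the consolidation, because keeping headers by default without the Authorization drop would write bearer tokens into Traefik's JSON access log. The overlay that remains is only `networks: public: monitored:`, which would benefit from a one-line comment such as `# command and entrypoint are inherited from docker-compose.yml.j2`.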
@@ -1,50 +0,0 @@ -services: - traefik: - command: - - "--api=true" - - "--ping=true" - - "--entryPoints.ping.address=:9082" - - "--ping.entryPoint=ping" - - "--api.dashboard=true" - - "--log.level=${OPS_TRAEFIK_LOGLEVEL}" - - "--accesslog=false" - - "--metrics.prometheus=true" - - "--metrics.prometheus.addEntryPointsLabels=true" - - "--metrics.prometheus.addServicesLabels=true" - - "--entryPoints.metrics.address=:8082" - - "--metrics.prometheus.entryPoint=metrics" - - "--entryPoints.http.address=:80" - - "--entrypoints.http.http.redirections.entrypoint.to=https" - - "--entrypoints.http.http.redirections.entrypoint.scheme=https" - - "--entrypoints.http.http.redirections.entrypoint.permanent=true" - - "--entryPoints.http.transport.respondingTimeouts.writeTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.http.transport.respondingTimeouts.readTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.https.address=:443" - - "--entryPoints.https.transport.respondingTimeouts.writeTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.https.transport.respondingTimeouts.readTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.postgres.address=:5432" - - "--entryPoints.rabbitmq.address=:${RABBIT_EXTERNAL_PORT}" - - "--entryPoints.redis.address=:${REDIS_EXTERNAL_PORT}" - - "--entryPoints.smtp.address=:25" - - "--providers.swarm.endpoint=unix:///var/run/docker.sock" - - "--providers.swarm.exposedByDefault=false" - - "--core.defaultRuleSyntax=v2" - - "--providers.swarm.constraints=!LabelRegex(`io.simcore.zone`, `.+`)" - - "--entryPoints.https.forwardedHeaders.insecure" - - "--providers.file.directory=/etc/traefik/" - - "--providers.file.watch=true" - ports: - - target: ${RABBIT_EXTERNAL_PORT} - published: ${RABBIT_EXTERNAL_PORT} - mode: host - - target: ${REDIS_EXTERNAL_PORT} - published: ${REDIS_EXTERNAL_PORT} - mode: host - 
env_file: - - .env - deploy: - placement: - constraints: - - node.labels.traefik==true - volumes: - - /etc/traefik_certs:/etc/traefik_certs diff --git a/services/traefik/docker-compose.public.yml b/services/traefik/docker-compose.public.yml deleted file mode 100644 index bee0bc1f..00000000 --- a/services/traefik/docker-compose.public.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -services: - traefik: - dns: 8.8.8.8 # This is critical to make the ACME challange work - command: - - "--api=true" - - "--ping=true" - - "--entryPoints.ping.address=:9082" - - "--ping.entryPoint=ping" - - "--api.dashboard=true" - - "--log.level=${OPS_TRAEFIK_LOGLEVEL}" - - "--accesslog=false" - - "--metrics.prometheus=true" - - "--metrics.prometheus.addEntryPointsLabels=true" - - "--metrics.prometheus.addServicesLabels=true" - - "--entryPoints.metrics.address=:8082" - - "--entryPoints.postgres.address=:5432" - - "--metrics.prometheus.entryPoint=metrics" - - "--entryPoints.http.address=:80" - - "--entrypoints.http.http.redirections.entrypoint.to=https" - - "--entrypoints.http.http.redirections.entrypoint.scheme=https" - - "--entrypoints.http.http.redirections.entrypoint.permanent=true" - - "--entryPoints.http.transport.respondingTimeouts.writeTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.http.transport.respondingTimeouts.readTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.https.address=:443" - - "--entryPoints.https.transport.respondingTimeouts.writeTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.https.transport.respondingTimeouts.readTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.smtp.address=:25" - - "--providers.swarm.endpoint=unix:///var/run/docker.sock" - - "--providers.swarm.exposedByDefault=false" - - "--core.defaultRuleSyntax=v2" - - "--tracing.serviceName=ops-traefik" - - "--tracing.otlp.http.endpoint=http://otel-collector:4318/v1/traces" - - "--providers.swarm.constraints=!LabelRegex(`io.simcore.zone`, `.+`)" - - "--entryPoints.https.forwardedHeaders.insecure" - - "--providers.file.directory=/etc/traefik/" - - "--providers.file.watch=true" - deploy: - replicas: ${OPS_TRAEFIK_REPLICAS} - placement: - constraints: - - node.labels.traefik==true - volumes: - - 
/etc/traefik_certs:/etc/traefik_certs diff --git a/services/traefik/docker-compose.yml.j2 b/services/traefik/docker-compose.yml.j2 index f1dcd143..743490de 100644 --- a/services/traefik/docker-compose.yml.j2 +++ b/services/traefik/docker-compose.yml.j2 
@@ -2,46 +2,7 @@ services: traefik: image: "traefik:v3.4.0" init: true - command: - - "--api=true" - - "--ping=true" - - "--entryPoints.ping.address=:9082" - - "--ping.entryPoint=ping" - - "--api.dashboard=true" - - "--accesslog=true" - - "--accesslog.format=json" - - "--accesslog.fields.defaultmode=keep" - - "--accesslog.fields.names.ClientUsername=keep" - - "--accesslog.fields.headers.defaultmode=keep" - - "--accesslog.fields.headers.names.User-Agent=keep" - - "--accesslog.fields.headers.names.Authorization=drop" - - "--accesslog.fields.headers.names.Content-Type=keep" - - "--log.level=${OPS_TRAEFIK_LOGLEVEL}" - - "--metrics.prometheus=true" - - "--metrics.prometheus.addEntryPointsLabels=true" - - "--metrics.prometheus.addServicesLabels=true" - - "--entryPoints.metrics.address=:8082" - - "--metrics.prometheus.entryPoint=metrics" - - "--entryPoints.http.address=:80" - - "--entryPoints.http.transport.respondingTimeouts.writeTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.http.transport.respondingTimeouts.readTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entrypoints.http.http.redirections.entrypoint.to=https" - - "--entrypoints.http.http.redirections.entrypoint.scheme=https" - - "--entrypoints.http.http.redirections.entrypoint.permanent=true" - - '--entryPoints.postgres.address=:5432' - - '--entryPoints.postgres2.address=:5433' - - "--entryPoints.https.address=:443" - - "--entryPoints.https.transport.respondingTimeouts.writeTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--entryPoints.https.transport.respondingTimeouts.readTimeout=21600s" #6h, for https://github.com/traefik/traefik/issues/10805 - - "--providers.swarm.endpoint=unix:///var/run/docker.sock" - - "--providers.swarm.exposedByDefault=false" - # so that internal services are not picked up - - "--providers.swarm.constraints=!LabelRegex(`io.simcore.zone`, `${TRAEFIK_SIMCORE_ZONE}`)" - - 
"--core.defaultRuleSyntax=v2" - - "--tracing=true" - - "--tracing.addinternals" - - "--tracing.otlp=true" - - "--tracing.otlp.http=true" + dns: 8.8.8.8 healthcheck: # NOTE: this healthcheck to check if traefik is up and running must be run on the ping entrypoint defined in command! test: traefik healthcheck --ping --ping.entryPoint=ping --entryPoints.ping.address=:9082 @@ -57,18 +18,25 @@ services: - target: 443 published: 443 mode: host + {% if OPS_TRAEFIK_EXPOSE_POSTGRES|lower == "true" %} - target: 5432 published: 5432 mode: host - - target: 5433 - published: 5433 + {% endif %} + {% if OPS_TRAEFIK_EXPOSE_RABBITMQ|lower == "true" %} + - target: 5672 + published: 5672 mode: host + {% endif %} configs: - source: traefik_dynamic_config.yml target: /etc/traefik/dynamic_conf.yml + env_file: + - .env volumes: # So that Traefik can listen to the Docker events - /var/run/docker.sock:/var/run/docker.sock + - /etc/traefik_certs:/etc/traefik_certs deploy: # mode: global replicas: ${OPS_TRAEFIK_REPLICAS} @@ -86,6 +54,7 @@ services: cpus: '1.000' placement: constraints: + - node.labels.traefik==true - node.role == manager labels: - traefik.enable=true @@ -161,7 +130,13 @@ services: - traefik.http.middlewares.strip-www.redirectregex.regex=^(https?)://www\.(.+) - traefik.http.middlewares.strip-www.redirectregex.replacement=$${1}://$${2} - traefik.http.middlewares.strip-www.redirectregex.permanent=true - + # + {% if OPS_TRAEFIK_EXPOSE_RABBITMQ|lower == "true" %} + - "--entryPoints.rabbitmq.address=:${RABBIT_EXTERNAL_PORT}" + {% endif %} + {% if OPS_TRAEFIK_EXPOSE_REDIS|lower == "true" %} + - "--entryPoints.redis.address=:${REDIS_EXTERNAL_PORT}" + {% endif %} ### # Domain redirects 
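Review bot: The `# NOTE: this healthcheck ... must be run on the ping entrypoint defined in command!` comment kept as context above `test:` is now stale, because this hunk deletes the whole `command:` list and the ping entrypoint is expected to come from the environment instead (`TRAEFIK_PING` and `TRAEFIK_ENTRYPOINTS_PING_ADDRESS=":9082"` in template.env). Suggest `# NOTE: the ping entrypoint is configured via TRAEFIK_ENTRYPOINTS_PING_ADDRESS in template.env; the --entryPoints.ping.address below must stay in sync with it`. The `# so that internal services are not picked up` rationale is also lost with the removed swarm-constraint flag; carry it over as a comment on the `TRAEFIK_PROVIDERS_SWARM_CONSTRAINTS` line. The new `dns: 8.8.8.8` should get a why-comment like the one on the whoami service, since pinning a public resolver on the edge proxy also bypasses whatever internal resolver policy the hosts have.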
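Review bot: The dynamic configuration is still mounted at `target: /etc/traefik/dynamic_conf.yml` (context in this hunk), while the static config introduced in template.env sets `TRAEFIK_PROVIDERS_FILE_DIRECTORY="/etc/traefik/dynamic"`, so the file provider watches a directory that does not contain that file and whatever it defines (presumably the routers and the TLS certificates mounted from `/etc/traefik_certs`) is never loaded; the deleted compose files pointed the provider at `/etc/traefik/`. Either change the config target to `/etc/traefik/dynamic/dynamic_conf.yml` or set the provider directory back to `/etc/traefik/`. Separately, `env_file: .env` injects every rendered variable into the container, including `TRAEFIK_PASSWORD` and `ROUTE53_DNS_CHALLANGE_SECRET_KEY`, which then appear in `docker service inspect` and the process environment for anyone with node access; consider passing only the `TRAEFIK_*` keys Traefik consumes, or moving the credentials to Docker secrets.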
@@ -190,13 +165,14 @@ services: - traefik.http.routers.{{ from_domain_no_dots }}.tls=true {% endfor %} - networks: public: null monitored: null whoami: image: "containous/whoami" + dns: # Add this always for AWS, otherwise we get "No such image: " for docker services + 8.8.8.8 deploy: placement: constraints: diff --git a/services/traefik/template.env b/services/traefik/template.env index 5fa3ed4c..f8ba9dce 100644 --- a/services/traefik/template.env +++ b/services/traefik/template.env @@ -4,7 +4,6 @@ MACHINE_FQDN=${MACHINE_FQDN} TRAEFIK_USER=${SERVICES_USER} TRAEFIK_SIMCORE_ZONE=${TRAEFIK_SIMCORE_ZONE} TRAEFIK_PASSWORD='${TRAEFIK_PASSWORD}' -TRAEFIK_SIMCORE_ZONE=${TRAEFIK_SIMCORE_ZONE} TRAEFIK_IPWHITELIST_SOURCERANGE='${TRAEFIK_IPWHITELIST_SOURCERANGE}' MONITORING_DOMAIN=${MONITORING_DOMAIN} @@ -23,16 +22,15 @@ RFC2136_POLLING_INTERVAL=${RFC2136_POLLING_INTERVAL} ROUTE53_DNS_CHALLANGE_ACCESS_KEY=${ROUTE53_DNS_CHALLANGE_ACCESS_KEY} ROUTE53_DNS_CHALLANGE_SECRET_KEY=${ROUTE53_DNS_CHALLANGE_SECRET_KEY} +REDIS_EXTERNAL_PORT=${REDIS_EXTERNAL_PORT} +RABBIT_EXTERNAL_PORT=${RABBIT_EXTERNAL_PORT} + + STORAGE_DOMAIN=${STORAGE_DOMAIN} REGISTRY_DOMAIN=${REGISTRY_DOMAIN} S3_ENDPOINT=${S3_ENDPOINT} -OPS_TRAEFIK_REPLICAS=${OPS_TRAEFIK_REPLICAS} OSPARC_DEVOPS_MAIL_ADRESS=${OSPARC_DEVOPS_MAIL_ADRESS} DEPLOYMENT_FQDNS='${DEPLOYMENT_FQDNS}' -CERTIFICATE_GENERATION_FQDNS='${CERTIFICATE_GENERATION_FQDNS}' -CERTIFICATE_RESOLVE_DNS_CHALLANGE_IP=${CERTIFICATE_RESOLVE_DNS_CHALLANGE_IP} -OPS_TRAEFIK_LETSENCRYPT_ACME_CA_SERVER=${OPS_TRAEFIK_LETSENCRYPT_ACME_CA_SERVER} -OPS_TRAEFIK_LOGLEVEL=${OPS_TRAEFIK_LOGLEVEL} DEPLOYMENT_FQDNS_WWW_CAPTURE_TRAEFIK_RULE='${DEPLOYMENT_FQDNS_WWW_CAPTURE_TRAEFIK_RULE}' PUBLIC_NETWORK=${PUBLIC_NETWORK} MONITORED_NETWORK=${MONITORED_NETWORK} 
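Review bot: The `--entryPoints.rabbitmq.address` and `--entryPoints.redis.address` lines added here are inside the service's `labels:` list (the surrounding `traefik.http.middlewares.strip-www.*` entries are labels), so Swarm stores them as plain labels and Traefik never sees them as static configuration; no entrypoint is created for those ports. Since this commit moves static config into template.env, define them there instead, replacing the hardcoded `TRAEFIK_ENTRYPOINTS_RABBIT_ADDRESS=":5672"` with `TRAEFIK_ENTRYPOINTS_RABBIT_ADDRESS=":${RABBIT_EXTERNAL_PORT}"` and adding `TRAEFIK_ENTRYPOINTS_REDIS_ADDRESS=":${REDIS_EXTERNAL_PORT}"`. Note also that the Jinja guards use `OPS_TRAEFIK_EXPOSE_RABBITMQ` and `OPS_TRAEFIK_EXPOSE_REDIS`, while template.env only passes `OPS_TRAEFIK_EXPOSE_RABBIT`, so the rabbit block is never rendered until the names are aligned. The `labels:` list this hunk sits in continues outside the hunk.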
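Review bot: This hunk drops `CERTIFICATE_GENERATION_FQDNS`, `CERTIFICATE_RESOLVE_DNS_CHALLANGE_IP` and `OPS_TRAEFIK_LETSENCRYPT_ACME_CA_SERVER` from the rendered env while keeping the `ROUTE53_DNS_CHALLANGE_ACCESS_KEY`/`SECRET_KEY` lines, and no `TRAEFIK_CERTIFICATESRESOLVERS_*` entry appears in the new static config later in the file. If an ACME resolver is still configured anywhere (the deleted public compose file documented `dns: 8.8.8.8` as needed for the ACME challenge), it now renders with empty values and issuance/renewal fails silently until a certificate expires. Either remove the resolver and the Route53 credentials together, or keep these variables and add the matching `TRAEFIK_CERTIFICATESRESOLVERS_*` keys next to the other Traefik options.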
@@ -44,5 +42,61 @@ TRAEFIK_DOMAINS_REDIRECT_FROM=${TRAEFIK_DOMAINS_REDIRECT_FROM} TRAEFIK_DOMAINS_REDIRECT_TO=${TRAEFIK_DOMAINS_REDIRECT_TO} TRAEFIK_DOMAINS_REDIRECT_IS_PERMANENT=${TRAEFIK_DOMAINS_REDIRECT_IS_PERMANENT} -REDIS_EXTERNAL_PORT=${REDIS_EXTERNAL_PORT} -RABBIT_EXTERNAL_PORT=${RABBIT_EXTERNAL_PORT} +TRACING_OPENTELEMETRY_COLLECTOR_ENDPOINT=${TRACING_OPENTELEMETRY_COLLECTOR_ENDPOINT} +TRACING_OPENTELEMETRY_COLLECTOR_PORT=${TRACING_OPENTELEMETRY_COLLECTOR_PORT} +OPS_TRAEFIK_ACCESSLOG_ENABLED=${OPS_TRAEFIK_ACCESSLOG_ENABLED} +OPS_TRAEFIK_EXPOSE_RABBIT=${OPS_TRAEFIK_EXPOSE_RABBIT} +OPS_TRAEFIK_EXPOSE_POSTGRES=${OPS_TRAEFIK_EXPOSE_POSTGRES} +OPS_TRAEFIK_REPLICAS=${OPS_TRAEFIK_REPLICAS} +OPS_TRAEFIK_LOGLEVEL="${OPS_TRAEFIK_LOGLEVEL}" + +################ TRAEFIK OPTIONS +# Attention: Traefik normalizes the environment variable key-value pairs by lowercasing them. +# Core Configuration +TRAEFIK_API_DASHBOARD=true +TRAEFIK_API_INSECURE=true +TRAEFIK_CORE_DEFAULTRULESYNTAX="v2" + +# Logging +TRAEFIK_LOG_FORMAT="json" +TRAEFIK_ACCESSLOG_FORMAT="json" +TRAEFIK_ACCESSLOG_FIELDS_DEFAULTMODE="keep" +TRAEFIK_ACCESSLOG_FIELDS_NAMES_CLIENTUSERNAME="keep" +TRAEFIK_ACCESSLOG_FIELDS_HEADERS_DEFAULTMODE="keep" +TRAEFIK_ACCESSLOG_FIELDS_HEADERS_NAMES_USERAGENT="keep" +TRAEFIK_ACCESSLOG_FIELDS_HEADERS_NAMES_AUTHORIZATION="drop" +TRAEFIK_ACCESSLOG_FIELDS_HEADERS_NAMES_CONTENTTYPE="keep" +TRAEFIK_ACCESSLOG="${OPS_TRAEFIK_ACCESSLOG_ENABLED}" +# Metrics +TRAEFIK_METRICS_PROMETHEUS_ADDENTRYPOINTSLABELS=true +TRAEFIK_METRICS_PROMETHEUS_ADDSERVICESLABELS=true +TRAEFIK_METRICS_PROMETHEUS_ENTRYPOINT="metrics" + +# EntryPoints +TRAEFIK_ENTRYPOINTS_HTTP_ADDRESS=":80" +TRAEFIK_ENTRYPOINTS_HTTP_HTTP_REDIRECTIONS_ENTRYPOINT_TO="https" +TRAEFIK_ENTRYPOINTS_HTTP_HTTP_REDIRECTIONS_ENTRYPOINT_SCHEME="https" +TRAEFIK_ENTRYPOINTS_HTTP_HTTP_REDIRECTIONS_ENTRYPOINT_PERMANENT=true +TRAEFIK_ENTRYPOINTS_HTTP_TRANSPORT_RESPONDINGTIMEOUTS_WRITETIMEOUT="21600s" 
+TRAEFIK_ENTRYPOINTS_HTTP_TRANSPORT_RESPONDINGTIMEOUTS_READTIMEOUT="21600s" +TRAEFIK_ENTRYPOINTS_RABBIT_ADDRESS=":5672" +TRAEFIK_ENTRYPOINTS_HTTPS_ADDRESS=":443" +TRAEFIK_ENTRYPOINTS_HTTPS_TRANSPORT_RESPONDINGTIMEOUTS_WRITETIMEOUT="21600s" +TRAEFIK_ENTRYPOINTS_HTTPS_TRANSPORT_RESPONDINGTIMEOUTS_READTIMEOUT="21600s" +TRAEFIK_ENTRYPOINTS_PING_ADDRESS=":9082" +TRAEFIK_PING_ENTRYPOINT="ping" +TRAEFIK_PING=true +TRAEFIK_ENTRYPOINTS_METRICS_ADDRESS=":8082" +TRAEFIK_ENTRYPOINTS_POSTGRES_ADDRESS=":5432" + +# Providers +TRAEFIK_PROVIDERS_SWARM_ENDPOINT="unix:///var/run/docker.sock" +TRAEFIK_PROVIDERS_SWARM_EXPOSEDBYDEFAULT=false +TRAEFIK_PROVIDERS_SWARM_CONSTRAINTS="!LabelRegex(`io.simcore.zone`, `${TRAEFIK_SIMCORE_ZONE}`)" +TRAEFIK_PROVIDERS_FILE_DIRECTORY="/etc/traefik/dynamic" +TRAEFIK_PROVIDERS_FILE_WATCH=true + +# Tracing +TRAEFIK_TRACING_ADDINTERNALS=false +TRAEFIK_TRACING_OTLP_HTTP_ENDPOINT="${TRACING_OPENTELEMETRY_COLLECTOR_ENDPOINT}:${TRACING_OPENTELEMETRY_COLLECTOR_PORT}" +TRAEFIK_TRACING_SERVICENAME=ops-traefik
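Review bot: `TRAEFIK_API_INSECURE=true` is new in this migration (the removed `--api=true --api.dashboard=true` flags did not enable insecure mode) and it serves the API and dashboard without authentication on the built-in `traefik` entrypoint (port 8080); that port is not published in the compose file, but it is reachable from every container on the overlay networks traefik joins, so drop the line and keep the dashboard behind the labelled router that presumably uses `TRAEFIK_USER`/`TRAEFIK_PASSWORD`, i.e. `TRAEFIK_API_INSECURE=false`. With `TRAEFIK_ACCESSLOG_FIELDS_HEADERS_DEFAULTMODE="keep"` only `Authorization` is redacted, so session cookies land in the JSON access log; add `TRAEFIK_ACCESSLOG_FIELDS_HEADERS_NAMES_COOKIE="drop"` and the `Set-Cookie` equivalent, and verify that the lowercased, hyphen-less env keys (`USERAGENT`, `CONTENTTYPE`) actually match the hyphenated header names, since Traefik's env parser may not canonicalise them. `TRAEFIK_TRACING_OTLP_HTTP_ENDPOINT` is built as `${ENDPOINT}:${PORT}` and so loses the `/v1/traces` path the earlier `http://otel-collector:4318/v1/traces` value carried; unless the collector accepts posts at `/`, append the path, e.g. `TRAEFIK_TRACING_OTLP_HTTP_ENDPOINT="${TRACING_OPENTELEMETRY_COLLECTOR_ENDPOINT}:${TRACING_OPENTELEMETRY_COLLECTOR_PORT}/v1/traces"`.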