Replace Nginx proxy with Traefik (#3409)

* Replace Nginx with Traefik * Comment Traefik dashboard commands and ports * Fix cvat service port * Simplify traefik dashboard instructions * Add license to docker-compose files * Update all mentions of CVAT_HOST in the docs * Add link to Traefik documentation on router rules * Return base CVAT port to 8080 * Fix spelling in documentation * Fix port indentaion in docker-compose file * Fix Traefik dashboard config * Update changelog * Adapt serverless dockerfile * Update analytics dockerfile * Update analytics docker compose file * Fix linting issues * fixed linter issues Co-authored-by: Andrey Zhavoronkov <andrey.zhavoronkov@intel.com>
cvat-ai · Jul 26, 2021 · 6055be4 · 6055be4
1 parent f4382fe
commit 6055be4
Show file tree

Hide file tree

Showing 10 changed files with 179 additions and 363 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -24,6 +24,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Update to Django 3.1.12 (<https://github.com/openvinotoolkit/cvat/pull/3378>)
 - Updated visibility for removable points in AI tools (<https://github.com/openvinotoolkit/cvat/pull/3417>)
 - Updated UI handling for IOG serverless function (<https://github.com/openvinotoolkit/cvat/pull/3417>)
+- Changed Nginx proxy to Traefik in `docker-compose.yml` (<https://github.com/openvinotoolkit/cvat/pull/3409>)
+- Simplify the process of deploying CVAT with HTTPS (<https://github.com/openvinotoolkit/cvat/pull/3409>)
 
 ### Deprecated
 

diff --git a/components/analytics/docker-compose.analytics.yml b/components/analytics/docker-compose.analytics.yml
@@ -1,12 +1,10 @@
 version: '3.3'
 services:
-  cvat_elasticsearch:
+  elasticsearch:
     container_name: cvat_elasticsearch
     image: cvat_elasticsearch
     networks:
-      default:
-        aliases:
-          - elasticsearch
+      - cvat
     build:
       context: ./components/analytics/elasticsearch
       args:
@@ -15,18 +13,16 @@ services:
       - cvat_events:/usr/share/elasticsearch/data
     restart: always
 
-  cvat_kibana:
+  kibana:
     container_name: cvat_kibana
     image: cvat_kibana
     networks:
-      default:
-        aliases:
-          - kibana
+      - cvat
     build:
       context: ./components/analytics/kibana
       args:
         ELK_VERSION: 6.4.0
-    depends_on: ['cvat_elasticsearch']
+    depends_on: ['elasticsearch']
     restart: always
 
   cvat_kibana_setup:
@@ -35,6 +31,8 @@ services:
     volumes: ['./components/analytics/kibana:/home/django/kibana:ro']
     depends_on: ['cvat']
     working_dir: '/home/django'
+    networks:
+      - cvat
     entrypoint:
       [
         'bash',
@@ -56,13 +54,11 @@ services:
     environment:
       no_proxy: elasticsearch,kibana,${no_proxy}
 
-  cvat_logstash:
+  logstash:
     container_name: cvat_logstash
     image: cvat_logstash
     networks:
-      default:
-        aliases:
-          - logstash
+      - cvat
     build:
       context: ./components/analytics/logstash
       args:
@@ -73,7 +69,7 @@ services:
       LOGSTASH_OUTPUT_HOST: elasticsearch:9200
       LOGSTASH_OUTPUT_USER:
       LOGSTASH_OUTPUT_PASS:
-    depends_on: ['cvat_elasticsearch']
+    depends_on: ['elasticsearch']
     restart: always
 
   cvat:

diff --git a/components/serverless/docker-compose.serverless.yml b/components/serverless/docker-compose.serverless.yml
@@ -1,13 +1,11 @@
 version: '3.3'
 services:
-  serverless:
+  nuclio:
     container_name: nuclio
     image: quay.io/nuclio/dashboard:1.5.16-amd64
     restart: always
     networks:
-      default:
-        aliases:
-          - nuclio
+      - cvat
     volumes:
       - /tmp:/tmp
       - /var/run/docker.sock:/var/run/docker.sock

diff --git a/cvat_proxy/conf.d/cvat.conf.template b/cvat_proxy/conf.d/cvat.conf.template
diff --git a/cvat_proxy/nginx.conf b/cvat_proxy/nginx.conf
diff --git a/docker-compose.https.yml b/docker-compose.https.yml
@@ -0,0 +1,41 @@
+# Copyright (C) 2018-2021 Intel Corporation
+#
+# SPDX-License-Identifier: MIT
+
+version: '3.3'
+
+services:
+  cvat:
+    labels:
+      - traefik.http.routers.cvat.entrypoints=websecure
+      - traefik.http.routers.cvat.tls.certresolver=lets-encrypt
+
+  cvat_ui:
+    labels:
+      - traefik.http.routers.cvat-ui.entrypoints=websecure
+      - traefik.http.routers.cvat-ui.tls.certresolver=lets-encrypt
+
+  traefik:
+    image: traefik:v2.4
+    container_name: traefik
+    command:
+      - "--providers.docker.exposedByDefault=false"
+      - "--providers.docker.network=cvat"
+      - "--entryPoints.web.address=:80"
+      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
+      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
+      - "--entryPoints.websecure.address=:443"
+      - "--certificatesResolvers.lets-encrypt.acme.email=${ACME_EMAIL:?Please set the ACME_EMAIL env variable}"
+      - "--certificatesResolvers.lets-encrypt.acme.tlsChallenge=true"
+      - "--certificatesResolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json"
+      # Uncomment to get Traefik dashboard
+      # - "--entryPoints.dashboard.address=:8090"
+      # - "--api.dashboard=true"
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - cvat_letsencrypt:/letsencrypt
+
+volumes:
+  cvat_letsencrypt:
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,34 +1,29 @@
-#
 # Copyright (C) 2018-2021 Intel Corporation
 #
 # SPDX-License-Identifier: MIT
-#
+
 version: '3.3'
 
 services:
   cvat_db:
     container_name: cvat_db
     image: postgres:10-alpine
-    networks:
-      default:
-        aliases:
-          - db
     restart: always
     environment:
       POSTGRES_USER: root
       POSTGRES_DB: cvat
       POSTGRES_HOST_AUTH_METHOD: trust
     volumes:
       - cvat_db:/var/lib/postgresql/data
+    networks:
+      - cvat
 
   cvat_redis:
     container_name: cvat_redis
     image: redis:4.0-alpine
-    networks:
-      default:
-        aliases:
-          - redis
     restart: always
+    networks:
+      - cvat
 
   cvat:
     container_name: cvat
@@ -43,47 +38,61 @@ services:
       CVAT_REDIS_HOST: 'cvat_redis'
       CVAT_POSTGRES_HOST: 'cvat_db'
       ADAPTIVE_AUTO_ANNOTATION: 'false'
+    labels:
+      - traefik.enable=true
+      - traefik.http.services.cvat.loadbalancer.server.port=8080
+      - traefik.http.routers.cvat.rule=Host(`${CVAT_HOST:-localhost}`) &&
+          PathPrefix(`/api/`, `/git/`, `/opencv/`, `/analytics/`, `/static/`, `/admin`, `/documentation/`, `/django-rq`)
+      - traefik.http.routers.cvat.entrypoints=web
     volumes:
       - cvat_data:/home/django/data
       - cvat_keys:/home/django/keys
       - cvat_logs:/home/django/logs
+    networks:
+      - cvat
 
   cvat_ui:
     container_name: cvat_ui
     image: openvino/cvat_ui
     restart: always
-    networks:
-      default:
-        aliases:
-          - ui
     depends_on:
       - cvat
-
-  cvat_proxy:
-    container_name: cvat_proxy
-    image: nginx:stable-alpine
-    restart: always
-    depends_on:
+    labels:
+      - traefik.enable=true
+      - traefik.http.services.cvat-ui.loadbalancer.server.port=80
+      - traefik.http.routers.cvat-ui.rule=Host(`${CVAT_HOST:-localhost}`)
+      - traefik.http.routers.cvat-ui.entrypoints=web
+    networks:
       - cvat
-      - cvat_ui
-    environment:
-      CVAT_HOST: localhost
+
+  traefik:
+    image: traefik:v2.4
+    container_name: traefik
+    command:
+      - "--providers.docker.exposedByDefault=false"
+      - "--providers.docker.network=cvat"
+      - "--entryPoints.web.address=:8080"
+    # Uncomment to get Traefik dashboard
+    #   - "--entryPoints.dashboard.address=:8090"
+    #   - "--api.dashboard=true"
+    # labels:
+    #   - traefik.enable=true
+    #   - traefik.http.routers.dashboard.entrypoints=dashboard
+    #   - traefik.http.routers.dashboard.service=api@internal
+    #   - traefik.http.routers.dashboard.rule=Host(`${CVAT_HOST:-localhost}`)
     ports:
-      - '8080:80'
+      - 8080:8080
+      - 8090:8090
     volumes:
-      - ./cvat_proxy/nginx.conf:/etc/nginx/nginx.conf:ro
-      - ./cvat_proxy/conf.d/cvat.conf.template:/etc/nginx/conf.d/cvat.conf.template:ro
-    command: /bin/sh -c "envsubst '$$CVAT_HOST' < /etc/nginx/conf.d/cvat.conf.template > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"
-
-networks:
-  default:
-    ipam:
-      driver: default
-      config:
-        - subnet: 172.28.0.0/24
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - cvat
 
 volumes:
   cvat_db:
   cvat_data:
   cvat_keys:
   cvat_logs:
+
+networks:
+  cvat:
diff --git a/site/content/en/docs/administration/basics/AWS-Deployment-Guide.md b/site/content/en/docs/administration/basics/AWS-Deployment-Guide.md
@@ -21,14 +21,11 @@ There are two ways of deploying the CVAT.
    [installation instructions](/docs/administration/basics/installation/).
    The additional step is to add a [security group and rule to allow incoming connections](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html).
 
-For any of above, don't forget to add exposed AWS public IP address or hostname to `docker-compose.override.yml`:
+For any of above, don't forget to set the `CVAT_HOST` environemnt variable to the exposed
+AWS public IP address or hostname:
 
 ```
-version: "2.3"
-services:
-  cvat_proxy:
-    environment:
-      CVAT_HOST: your-instance.amazonaws.com
+export CVAT_HOST=your-instance.amazonaws.com
 ```
 
 In case of problems with using hostname, you can also use the public IPV4 instead of hostname.
@@ -37,5 +34,4 @@ the public IPV4 and hostname changes with every stop and reboot.
 To address this efficiently, avoid using spot instances that cannot be stopped,
 since copying the EBS to an AMI and restarting it throws problems.
 On the other hand, when a regular instance is stopped and restarted,
-the new hostname/IPV4 can be used in the `CVAT_HOST` variable in the `docker-compose.override.yml`
-and the build can happen instantly with CVAT tasks being available through the new IPV4.
+the new hostname/IPV4 can be used to set the  `CVAT_HOST` environment variable.