Replace Nginx proxy with Traefik

CHANGELOG.md

@@ -20,6 +20,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Update of COCO format documentation (<https://github.com/openvinotoolkit/cvat/pull/3197>)
 - Updated Webpack Dev Server config to add proxxy (<https://github.com/openvinotoolkit/cvat/pull/3368>)
 - Update to Django 3.1.12 (<https://github.com/openvinotoolkit/cvat/pull/3378>)
+- Changed Nginx proxy to Traefik in `docker-compose.yml` (https://github.com/openvinotoolkit/cvat/pull/3409)
+- Simplify the process of deploying CVAT with HTTPS (https://github.com/openvinotoolkit/cvat/pull/3409)
 
 ### Deprecated
 

components/serverless/docker-compose.serverless.yml

@@ -1,13 +1,11 @@
 version: '3.3'
 services:
-  serverless:
+  nuclio:
     container_name: nuclio
     image: quay.io/nuclio/dashboard:1.5.16-amd64
     restart: always
     networks:
-      default:
-        aliases:
-          - nuclio
+      - cvat
     volumes:
       - /tmp:/tmp
       - /var/run/docker.sock:/var/run/docker.sock

docker-compose.https.yml

@@ -0,0 +1,41 @@
+# Copyright (C) 2018-2021 Intel Corporation
+#
+# SPDX-License-Identifier: MIT
+
+version: '3.3'
+
+services:
+  cvat:
+    labels:
+      - traefik.http.routers.cvat.entrypoints=websecure
+      - traefik.http.routers.cvat.tls.certresolver=lets-encrypt
+
+  cvat_ui:
+    labels:
+      - traefik.http.routers.cvat-ui.entrypoints=websecure
+      - traefik.http.routers.cvat-ui.tls.certresolver=lets-encrypt
+
+  traefik:
+    image: traefik:v2.4
+    container_name: traefik
+    command:
+      - "--providers.docker.exposedByDefault=false"
+      - "--providers.docker.network=cvat"
+      - "--entryPoints.web.address=:80"
+      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
+      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
+      - "--entryPoints.websecure.address=:443"
+      - "--certificatesResolvers.lets-encrypt.acme.email=${ACME_EMAIL:?Please set the ACME_EMAIL env variable}"
+      - "--certificatesResolvers.lets-encrypt.acme.tlsChallenge=true"
+      - "--certificatesResolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json"
+      # Uncomment to get Traefik dashboard
+      # - "--entryPoints.dashboard.address=:8090"
+      # - "--api.dashboard=true"
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - cvat_letsencrypt:/letsencrypt
+
+volumes:
+  cvat_letsencrypt:

docker-compose.yml

@@ -1,34 +1,29 @@
-#
 # Copyright (C) 2018-2021 Intel Corporation
 #
 # SPDX-License-Identifier: MIT
-#
+
 version: '3.3'
 
 services:
   cvat_db:
     container_name: cvat_db
     image: postgres:10-alpine
-    networks:
-      default:
-        aliases:
-          - db
     restart: always
     environment:
       POSTGRES_USER: root
       POSTGRES_DB: cvat
       POSTGRES_HOST_AUTH_METHOD: trust
     volumes:
       - cvat_db:/var/lib/postgresql/data
+    networks:
+      - cvat
 
   cvat_redis:
     container_name: cvat_redis
     image: redis:4.0-alpine
-    networks:
-      default:
-        aliases:
-          - redis
     restart: always
+    networks:
+      - cvat
 
   cvat:
     container_name: cvat
@@ -43,47 +38,61 @@ services:
       CVAT_REDIS_HOST: 'cvat_redis'
       CVAT_POSTGRES_HOST: 'cvat_db'
       ADAPTIVE_AUTO_ANNOTATION: 'false'
+    labels:
+      - traefik.enable=true
+      - traefik.http.services.cvat.loadbalancer.server.port=8080
+      - traefik.http.routers.cvat.rule=Host(`${CVAT_HOST:-localhost}`) &&
+          PathPrefix(`/api/`, `/git/`, `/opencv/`, `/analytics/`, `/static/`, `/admin`, `/documentation/`, `/django-rq`)
+      - traefik.http.routers.cvat.entrypoints=web
     volumes:
       - cvat_data:/home/django/data
       - cvat_keys:/home/django/keys
       - cvat_logs:/home/django/logs
+    networks:
+      - cvat
 
   cvat_ui:
     container_name: cvat_ui
     image: openvino/cvat_ui
     restart: always
-    networks:
-      default:
-        aliases:
-          - ui
     depends_on:
       - cvat
-
-  cvat_proxy:
-    container_name: cvat_proxy
-    image: nginx:stable-alpine
-    restart: always
-    depends_on:
+    labels:
+      - traefik.enable=true
+      - traefik.http.services.cvat-ui.loadbalancer.server.port=80
+      - traefik.http.routers.cvat-ui.rule=Host(`${CVAT_HOST:-localhost}`)
+      - traefik.http.routers.cvat-ui.entrypoints=web
+    networks:
       - cvat
-      - cvat_ui
-    environment:
-      CVAT_HOST: localhost
+
+  traefik:
+    image: traefik:v2.4
+    container_name: traefik
+    command:
+      - "--providers.docker.exposedByDefault=false"
+      - "--providers.docker.network=cvat"
+      - "--entryPoints.web.address=:8080"
+    # Uncomment to get Traefik dashboard
+    #   - "--entryPoints.dashboard.address=:8090"
+    #   - "--api.dashboard=true"
+    # labels:
+    #   - traefik.enable=true
+    #   - traefik.http.routers.dashboard.entrypoints=dashboard
+    #   - traefik.http.routers.dashboard.service=api@internal
+    #   - traefik.http.routers.dashboard.rule=Host(`${CVAT_HOST:-localhost}`)
     ports:
-      - '8080:80'
+      - 8080:8080
+      - 8090:8090
     volumes:
-      - ./cvat_proxy/nginx.conf:/etc/nginx/nginx.conf:ro
-      - ./cvat_proxy/conf.d/cvat.conf.template:/etc/nginx/conf.d/cvat.conf.template:ro
-    command: /bin/sh -c "envsubst '$$CVAT_HOST' < /etc/nginx/conf.d/cvat.conf.template > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"
-
-networks:
-  default:
-    ipam:
-      driver: default
-      config:
-        - subnet: 172.28.0.0/24
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - cvat
 
 volumes:
   cvat_db:
   cvat_data:
   cvat_keys:
   cvat_logs:
+
+networks:
+  cvat:

site/content/en/docs/administration/basics/AWS-Deployment-Guide.md

@@ -21,14 +21,10 @@ There are two ways of deploying the CVAT.
    [installation instructions](/docs/administration/basics/installation/).
    The additional step is to add a [security group and rule to allow incoming connections](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html).
 
-For any of above, don't forget to add exposed AWS public IP address or hostname to `docker-compose.override.yml`:
+For any of above, don't forget to set the `CVAT_HOST` environemnt variable to the exposed AWS public IP address or hostname:
 
 ```
-version: "2.3"
-services:
-  cvat_proxy:
-    environment:
-      CVAT_HOST: your-instance.amazonaws.com
+export CVAT_HOST=your-instance.amazonaws.com
 ```
 
 In case of problems with using hostname, you can also use the public IPV4 instead of hostname.
@@ -37,5 +33,4 @@ the public IPV4 and hostname changes with every stop and reboot.
 To address this efficiently, avoid using spot instances that cannot be stopped,
 since copying the EBS to an AMI and restarting it throws problems.
 On the other hand, when a regular instance is stopped and restarted,
-the new hostname/IPV4 can be used in the `CVAT_HOST` variable in the `docker-compose.override.yml`
-and the build can happen instantly with CVAT tasks being available through the new IPV4.
+the new hostname/IPV4 can be used to set the  `CVAT_HOST` environment variable.