Skip to content

OpenTelemetry

Traefik Proxy follows official OpenTelemetry semantic conventions v1.26.0.

To enable the OpenTelemetry tracer:

tracing:
  otlp: {}
[tracing]
  [tracing.otlp]
--tracing.otlp=true

Default protocol

The OpenTelemetry trace exporter will export traces to the collector using HTTPS by default to https://localhost:4318/v1/traces, see the gRPC Section to use gRPC.

Trace sampling

By default, the OpenTelemetry trace exporter will sample 100% of traces.
See OpenTelemetry's SDK configuration to customize the sampling strategy.

Propagation

Traefik supports the OTEL_PROPAGATORS env variable to set up the propragators. The supported propagators are:

  • tracecontext (default)
  • baggage (default)
  • b3
  • b3multi
  • jaeger
  • xray
  • ottrace

Example of configuration:

OTEL_PROPAGATORS=b3,jaeger

HTTP configuration

Optional

This instructs the exporter to send spans to the OpenTelemetry Collector using HTTP.

tracing:
  otlp:
    http: {}
[tracing]
  [tracing.otlp.http]
--tracing.otlp.http=true

endpoint

Optional, Default="https://localhost:4318/v1/traces", Format="<scheme>://<host>:<port><path>"

URL of the OpenTelemetry Collector to send spans to.

Insecure mode

To disable TLS, use http:// instead of https:// in the endpoint configuration.

tracing:
  otlp:
    http:
      endpoint: https://collector:4318/v1/traces
[tracing]
  [tracing.otlp.http]
    endpoint = "https://collector:4318/v1/traces"
--tracing.otlp.http.endpoint=https://collector:4318/v1/traces

headers

Optional, Default={}

Additional headers sent with traces by the exporter to the OpenTelemetry Collector.

tracing:
  otlp:
    http:
      headers:
        foo: bar
        baz: buz
[tracing]
  [tracing.otlp.http.headers]
    foo = "bar"
    baz = "buz"
--tracing.otlp.http.headers.foo=bar --tracing.otlp.http.headers.baz=buz

tls

Optional

Defines the Client TLS configuration used by the exporter to send spans to the OpenTelemetry Collector.

ca

Optional

ca is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle.

tracing:
  otlp:
    http:
      tls:
        ca: path/to/ca.crt
[tracing.otlp.http.tls]
  ca = "path/to/ca.crt"
--tracing.otlp.http.tls.ca=path/to/ca.crt
cert

Optional

cert is the path to the public certificate used for the secure connection to the OpenTelemetry Collector. When using this option, setting the key option is required.

tracing:
  otlp:
    http:
      tls:
        cert: path/to/foo.cert
        key: path/to/foo.key
[tracing.otlp.http.tls]
  cert = "path/to/foo.cert"
  key = "path/to/foo.key"
--tracing.otlp.http.tls.cert=path/to/foo.cert
--tracing.otlp.http.tls.key=path/to/foo.key
key

Optional

key is the path to the private key used for the secure connection to the OpenTelemetry Collector. When using this option, setting the cert option is required.

tracing:
  otlp:
    http:
      tls:
        cert: path/to/foo.cert
        key: path/to/foo.key
[tracing.otlp.http.tls]
  cert = "path/to/foo.cert"
  key = "path/to/foo.key"
--tracing.otlp.http.tls.cert=path/to/foo.cert
--tracing.otlp.http.tls.key=path/to/foo.key
insecureSkipVerify

Optional, Default=false

If insecureSkipVerify is true, the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.

tracing:
  otlp:
    http:
      tls:
        insecureSkipVerify: true
[tracing.otlp.http.tls]
  insecureSkipVerify = true
--tracing.otlp.http.tls.insecureSkipVerify=true

gRPC configuration

Optional

This instructs the exporter to send spans to the OpenTelemetry Collector using gRPC.

tracing:
  otlp:
    grpc: {}
[tracing]
  [tracing.otlp.grpc]
--tracing.otlp.grpc=true

endpoint

Required, Default="localhost:4317", Format="<host>:<port>"

Address of the OpenTelemetry Collector to send spans to.

tracing:
  otlp:
    grpc:
      endpoint: localhost:4317
[tracing]
  [tracing.otlp.grpc]
    endpoint = "localhost:4317"
--tracing.otlp.grpc.endpoint=localhost:4317

insecure

Optional, Default=false

Allows exporter to send spans to the OpenTelemetry Collector without using a secured protocol.

tracing:
  otlp:
    grpc:
      insecure: true
[tracing]
  [tracing.otlp.grpc]
    insecure = true
--tracing.otlp.grpc.insecure=true

headers

Optional, Default={}

Additional headers sent with traces by the exporter to the OpenTelemetry Collector.

tracing:
  otlp:
    grpc:
      headers:
        foo: bar
        baz: buz
[tracing]
  [tracing.otlp.grpc.headers]
    foo = "bar"
    baz = "buz"
--tracing.otlp.grpc.headers.foo=bar --tracing.otlp.grpc.headers.baz=buz

tls

Optional

Defines the Client TLS configuration used by the exporter to send spans to the OpenTelemetry Collector.

ca

Optional

ca is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle.

tracing:
  otlp:
    grpc:
      tls:
        ca: path/to/ca.crt
[tracing.otlp.grpc.tls]
  ca = "path/to/ca.crt"
--tracing.otlp.grpc.tls.ca=path/to/ca.crt
cert

Optional

cert is the path to the public certificate used for the secure connection to the OpenTelemetry Collector. When using this option, setting the key option is required.

tracing:
  otlp:
    grpc:
      tls:
        cert: path/to/foo.cert
        key: path/to/foo.key
[tracing.otlp.grpc.tls]
  cert = "path/to/foo.cert"
  key = "path/to/foo.key"
--tracing.otlp.grpc.tls.cert=path/to/foo.cert
--tracing.otlp.grpc.tls.key=path/to/foo.key
key

Optional

key is the path to the private key used for the secure connection to the OpenTelemetry Collector. When using this option, setting the cert option is required.

tracing:
  otlp:
    grpc:
      tls:
        cert: path/to/foo.cert
        key: path/to/foo.key
[tracing.otlp.grpc.tls]
  cert = "path/to/foo.cert"
  key = "path/to/foo.key"
--tracing.otlp.grpc.tls.cert=path/to/foo.cert
--tracing.otlp.grpc.tls.key=path/to/foo.key
insecureSkipVerify

Optional, Default=false

If insecureSkipVerify is true, the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.

tracing:
  otlp:
    grpc:
      tls:
        insecureSkipVerify: true
[tracing.otlp.grpc.tls]
  insecureSkipVerify = true
--tracing.otlp.grpc.tls.insecureSkipVerify=true