traefik/docs/content/observability/tracing/opentelemetry.md

title	description
Traefik OpenTelemetry Documentation	Traefik supports several tracing backends, including OpenTelemetry. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation.

OpenTelemetry

To enable the OpenTelemetry tracer:

tracing:
  otlp: {}

[tracing]
  [tracing.otlp]

--tracing.otlp=true

!!! info "The OpenTelemetry trace reporter will export traces to the collector using HTTP by default (http://localhost:4318/v1/traces), see the gRPC Section to use gRPC."

!!! info "Trace sampling"

By default, the OpenTelemetry trace reporter will sample 100% of traces.  
See [OpenTelemetry's SDK configuration](https://opentelemetry.io/docs/reference/specification/sdk-environment-variables/#general-sdk-configuration) to customize the sampling strategy.

HTTP configuration

Optional

This instructs the reporter to send spans to the OpenTelemetry Collector using HTTP.

tracing:
  otlp:
    http: {}

[tracing]
  [tracing.otlp.http]

--tracing.otlp.http=true

endpoint

Required, Default="http://localhost:4318/v1/traces", Format="<scheme>://<host>:<port><path>"

URL of the OpenTelemetry Collector to send spans to.

tracing:
  otlp:
    http:
      endpoint: http://localhost:4318/v1/traces

[tracing]
  [tracing.otlp.http]
    endpoint = "http://localhost:4318/v1/traces"

--tracing.otlp.http.endpoint=http://localhost:4318/v1/traces

tls

Optional

Defines the Client TLS configuration used by the reporter to send spans to the OpenTelemetry Collector.

ca

Optional

ca is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle.

tracing:
  otlp:
    http:
      tls:
        ca: path/to/ca.crt

[tracing.otlp.http.tls]
  ca = "path/to/ca.crt"

--tracing.otlp.http.tls.ca=path/to/ca.crt

cert

Optional

cert is the path to the public certificate used for the secure connection to the OpenTelemetry Collector. When using this option, setting the key option is required.

tracing:
  otlp:
    http:
      tls:
        cert: path/to/foo.cert
        key: path/to/foo.key

[tracing.otlp.http.tls]
  cert = "path/to/foo.cert"
  key = "path/to/foo.key"

--tracing.otlp.http.tls.cert=path/to/foo.cert
--tracing.otlp.http.tls.key=path/to/foo.key

key

Optional

key is the path to the private key used for the secure connection to the OpenTelemetry Collector. When using this option, setting the cert option is required.

tracing:
  otlp:
    http:
      tls:
        cert: path/to/foo.cert
        key: path/to/foo.key

[tracing.otlp.http.tls]
  cert = "path/to/foo.cert"
  key = "path/to/foo.key"

--tracing.otlp.http.tls.cert=path/to/foo.cert
--tracing.otlp.http.tls.key=path/to/foo.key

insecureSkipVerify

Optional, Default=false

If insecureSkipVerify is true, the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.

tracing:
  otlp:
    http:
      tls:
        insecureSkipVerify: true

[tracing.otlp.http.tls]
  insecureSkipVerify = true

--tracing.otlp.http.tls.insecureSkipVerify=true

gRPC configuration

Optional

This instructs the reporter to send spans to the OpenTelemetry Collector using gRPC.

tracing:
  otlp:
    grpc: {}

[tracing]
  [tracing.otlp.grpc]

--tracing.otlp.grpc=true

endpoint

Required, Default="localhost:4317", Format="<host>:<port>"

Address of the OpenTelemetry Collector to send spans to.

tracing:
  otlp:
    grpc:
      endpoint: localhost:4317

[tracing]
  [tracing.otlp.grpc]
    endpoint = "localhost:4317"

--tracing.otlp.grpc.endpoint=localhost:4317

insecure

Optional, Default=false

Allows reporter to send spans to the OpenTelemetry Collector without using a secured protocol.

tracing:
  otlp:
    grpc:
      insecure: true

[tracing]
  [tracing.otlp.grpc]
    insecure = true

--tracing.otlp.grpc.insecure=true

tls

Optional

Defines the Client TLS configuration used by the reporter to send spans to the OpenTelemetry Collector.

ca

Optional

ca is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle.

tracing:
  otlp:
    grpc:
      tls:
        ca: path/to/ca.crt

[tracing.otlp.grpc.tls]
  ca = "path/to/ca.crt"

--tracing.otlp.grpc.tls.ca=path/to/ca.crt

cert

Optional

cert is the path to the public certificate used for the secure connection to the OpenTelemetry Collector. When using this option, setting the key option is required.

tracing:
  otlp:
    grpc:
      tls:
        cert: path/to/foo.cert
        key: path/to/foo.key

[tracing.otlp.grpc.tls]
  cert = "path/to/foo.cert"
  key = "path/to/foo.key"

--tracing.otlp.grpc.tls.cert=path/to/foo.cert
--tracing.otlp.grpc.tls.key=path/to/foo.key

key

Optional

key is the path to the private key used for the secure connection to the OpenTelemetry Collector. When using this option, setting the cert option is required.

tracing:
  otlp:
    grpc:
      tls:
        cert: path/to/foo.cert
        key: path/to/foo.key

[tracing.otlp.grpc.tls]
  cert = "path/to/foo.cert"
  key = "path/to/foo.key"

--tracing.otlp.grpc.tls.cert=path/to/foo.cert
--tracing.otlp.grpc.tls.key=path/to/foo.key

insecureSkipVerify

Optional, Default=false

If insecureSkipVerify is true, the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.

tracing:
  otlp:
    grpc:
      tls:
        insecureSkipVerify: true

[tracing.otlp.grpc.tls]
  insecureSkipVerify = true

--tracing.otlp.grpc.tls.insecureSkipVerify=true