From c85f6f2f9e52bf6ba4d95e7d9e239f9a59d9752d Mon Sep 17 00:00:00 2001
From: pmc <740076875@qq.com>
Date: Tue, 28 Apr 2026 13:58:31 +0800
Subject: [PATCH] feat: enable Traefik access logs via HelmChartConfig

Adds k8s/traefik-config.yaml to enable JSON-format access logs on
the K3s built-in Traefik for diagnosing whether subv webhooks from
volcengine are dropped between ingress and Django, or simply not
sent. Drops Authorization/Cookie headers to avoid leaking secrets.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .gitea/workflows/deploy.yaml |  1 +
 k8s/traefik-config.yaml      | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 k8s/traefik-config.yaml

diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 4262fa5..835a437 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -141,6 +141,7 @@ jobs:
               kubectl apply -f k8s/backend-deployment-prod.yaml
               kubectl apply -f k8s/admin-deployment-prod.yaml
               kubectl apply -f k8s/ingress.yaml
+              kubectl apply -f k8s/traefik-config.yaml
 
               # Preserve real client IP
               kubectl patch svc traefik -n kube-system -p '{"spec":{"externalTrafficPolicy":"Local"}}' 2>/dev/null || true
diff --git a/k8s/traefik-config.yaml b/k8s/traefik-config.yaml
new file mode 100644
index 0000000..41cbd35
--- /dev/null
+++ b/k8s/traefik-config.yaml
@@ -0,0 +1,17 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+  name: traefik
+  namespace: kube-system
+spec:
+  valuesContent: |-
+    logs:
+      access:
+        enabled: true
+        format: json
+        fields:
+          headers:
+            defaultmode: keep
+            names:
+              Authorization: drop
+              Cookie: drop