commit 5ec7c3afa7f940f2777403f72b040d90fed5ea10d6c497e8461f2c97a946f8d3 Author: Johannes Weberhofer Date: Fri Sep 13 13:00:38 2024 +0000 - Moved /etc/traefik/acme.json to /var/lib/traefik/acme.json to allow traefik running with "ProtectSystem=full" write access to the certificate store. The acme.json file will be automatically moved and the configuration will be updated accordingly. - Added /usr/lib/sysctl.d/90-itraefik.conf to increase UDP Buffer sizes as explained at https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes OBS-URL: https://build.opensuse.org/package/show/devel:kubic/traefik?expand=0&rev=49
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/90-traefik.conf b/90-traefik.conf
new file mode 100644
index 0000000..f1804e5
--- /dev/null
+++ b/90-traefik.conf
@@ -0,0 +1,9 @@
+#
+# Increase the maximum UDP Buffer size to prevent dropping
+# incoming packaets by the kernel
+#
+# https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
+#
+
+net.core.rmem_max=7500000
+net.core.wmem_max=7500000
diff --git a/_service b/_service
new file mode 100644
index 0000000..d1b13da
--- /dev/null
+++ b/_service
@@ -0,0 +1,8 @@
+
+
+
+
+ traefik*.src.tar.gz
+ ./
+
+
diff --git a/traefik-user.conf b/traefik-user.conf
new file mode 100644
index 0000000..ef76ecc
--- /dev/null
+++ b/traefik-user.conf
@@ -0,0 +1,3 @@
+#Type Name ID GECOS Home directory Shell
+u traefik - "HTTP reverse proxy and load balancer" /etc/traefik -
+m traefik traefik
diff --git a/traefik-v3.0.3.src.tar.gz b/traefik-v3.0.3.src.tar.gz
new file mode 100644
index 0000000..21b4081
--- /dev/null
+++ b/traefik-v3.0.3.src.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4c0ac5053256bcd8d71ab311bae8505f65d802e04f59c44867de2898539de6d7
+size 11531116
diff --git a/traefik-v3.0.4.src.tar.gz b/traefik-v3.0.4.src.tar.gz
new file mode 100644
index 0000000..960dc81
--- /dev/null
+++ b/traefik-v3.0.4.src.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6e9fff2f62ea01592e2530f36a7db6bb14cabd5161543d7b01faf48366a0ada8
+size 11531035
diff --git a/traefik-v3.1.0.src.tar.gz b/traefik-v3.1.0.src.tar.gz
new file mode 100644
index 0000000..c595e5a
--- /dev/null
+++ b/traefik-v3.1.0.src.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:266091d5c477afd8814bf0a94e07e79044f8e6092b71930b09cfa3046ef67b4e
+size 11490625
diff --git a/traefik-v3.1.2.src.tar.gz b/traefik-v3.1.2.src.tar.gz
new file mode 100644
index 0000000..0ac3c64
--- /dev/null
+++ b/traefik-v3.1.2.src.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d8cada1d42e2fad4cbe15b75e8db21647b520ffd49dd09814cc1131c3fe02d00
+size 11491439
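Review bot: The header comment in 90-traefik.conf does not say that `net.core.rmem_max` and `net.core.wmem_max` are host-wide ceilings, so installing this package raises the largest buffer any process on the machine may request with SO_RCVBUF/SO_SNDBUF, not only traefik's QUIC sockets. I would add a comment line such as `# System-wide limits: they apply to every socket on the host, not only to traefik.` so that administrators auditing sysctl drop-ins see the scope. The commit message and the changelog entry also call the file `90-itraefik.conf`, while the diff adds `90-traefik.conf`; the description should use the real name.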
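Review bot: The `u traefik` line in traefik-user.conf sets the account's home to `/etc/traefik`, which makes the configuration directory the service user's home and, through `WorkingDirectory=~` in traefik.service, its working directory. Since this commit moves the writable state to /var/lib/traefik, the home could point there instead: `u traefik - "HTTP reverse proxy and load balancer" /var/lib/traefik -`. It is also worth checking whether the `chown -R traefik: %{_sysconfdir}/%{name}` in the spec's %post is still needed, because it leaves the proxy's own configuration writable by the account the proxy runs as; root-owned files that the traefik group can read look like the safer layout if nothing else relies on the current ownership.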
diff --git a/traefik.changes b/traefik.changes
new file mode 100644
index 0000000..79d676c
--- /dev/null
+++ b/traefik.changes
@@ -0,0 +1,564 @@ +------------------------------------------------------------------- +Thu Sep 12 14:50:28 UTC 2024 - Johannes Weberhofer + +- Moved /etc/traefik/acme.json to /var/lib/traefik/acme.json to allow traefik + running with "ProtectSystem=full" write access to the certificate store. + + The acme.json file will be automatically moved and the configuration will be + updated accordingly. + +- Added /usr/lib/sysctl.d/90-itraefik.conf to increase UDP Buffer sizes as explained + at https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes + +------------------------------------------------------------------- +Wed Aug 7 08:03:10 UTC 2024 - Johannes Weberhofer + +- Fixed service-file: set working directory, so that the /etc/traefik/acme.json + file can be written in /etc/traefik/acme.json + +- Update to version 3.1.1 + - Bug fixes: + * grpc: Bump google.golang.org/grpc to v1.64.1 + * k8s/gatewayapi: Do not update route status when nothing changed + * metrics + - Fix grafana dashboard to work with scrape interval greater than 15s + - Update open connections gauge with connections count + - Use ServiceName in traefik_service_server_up metric + * docker: Update to github.com/docker/docker v27.1.1 + * webui: Upgrade webui dependencies - fixes boo#1224308 and CVE-2024-4068 + +------------------------------------------------------------------- +Wed Jul 31 16:47:51 UTC 2024 - Johannes Weberhofer + +- Run traefik as traefik user, fixes boo#1227226 +- Added ACME confiuration template + +- Update to version 3.1.1 + - Bug fixes: + * k8s/gatewayapi + - Do not update route status when nothing changed + * metrics + - Fix grafana dashboard to work with scrape interval greater than 15s + - Update open connections gauge with connections count + - Use ServiceName in traefik_service_server_up metric + - Updates + +- Fix for CVE-2024-6104, boo#1227059 + +------------------------------------------------------------------- +Mon Jul 15 17:22:18 UTC 2024 - Johannes Weberhofer + 
+Important: Please read the migration guide +https://doc.traefik.io/traefik/v3.1/migration/v3/#v30-to-v31 + +- Update to version 3.1.0 + - enhancements: + * k8s/crd,k8s + - Support HealthCheck for ExternalName services + * k8s/ingress,k8s/crd,k8s + - Allow to use internal Node IPs for NodePort services + - Change log level from Warning to Info when ExternalName services + is enabled + * k8s/ingress,k8s/crd,k8s,k8s/gatewayapi + - Migrate to EndpointSlices API + * k8s,k8s/gatewayapi + - Bump Gateway API to v1.1.0 + - Compute HTTPRoute priorities + - Fix route attachments to gateways + - KubernetesGateway provider is no longer experimental + - Set Gateway HTTPRoute status + - Support HTTPRoute method and query param matching + - Support HTTPURLRewrite filter + - Support invalid HTTPRoute status + - Support ReferenceGrant for HTTPRoute backends + - Support RegularExpression for path matching + * middleware + - Add support for Zstandard to the compression middleware + * middleware,k8s,k8s/gatewayapi + - Improve HTTPRoute Redirect Filter with port and scheme + - Support HTTPRoute redirect port and scheme + * middleware + - Support Content-Security-Policy-Report-Only in the headers middleware + * plugins + - Add logs for plugins load + - Enhance wasm plugins + * server + - Support systemd socket-activation + - Bug fixes: + * healthcheck,k8s/crd,k8s + - Fix Healthcheck default value for ExternalName services + * k8s,k8s/gatewayapi + - Do not disable Gateway API provider if not enabled in experimental + - Retry on Gateway API resource status update + * middleware,metrics,tracing + - Upgrade to OpenTelemetry Semantic Conventions v1.26.0 + * otel + - Bump opentelemetry-go to v1.28 + * plugins + - Fix build only linux and darwin support wazergo + +------------------------------------------------------------------- +Thu Jul 4 08:50:50 UTC 2024 - Johannes Weberhofer + +- Update to version 3.0.4 + * Bug fixes: + - Fix for CVE-2024-39321 bsc#1227515 + - [ecs] Fix ECS config for 
OIDC + IRSA (gh#traefik/traefik#10814 by mmatur) + - [http3] Disable QUIC 0-RTT (gh#traefik/traefik#10867 by mmatur) + - [middleware,server] Remove interface names from IPv6 (gh#traefik/traefik#10813 by JeroenED) + +------------------------------------------------------------------- +Wed Jun 19 15:45:49 UTC 2024 - Johannes Weberhofer + +- Update to version 3.0.3 + * Updated libraries + +- Update to version 3.0.2 + * Bug fixes: + [logs] Bump OTel dependencies (#10763 by DrFaust92) + [logs] Append to log file if it exists (#10756 by lbenguigui) + [metrics] Fix service name label_replace in Grafana (#10758 by xdavidwu) + [middleware] Forward the correct status code when compression is disabled within the Brotli handler (#10780 by rtribotte) + [middleware] Support Accept-Encoding header weights with Compress middleware (#10777 by ldez) + + +------------------------------------------------------------------- +Wed May 29 08:20:42 UTC 2024 - Johannes Weberhofer + +- Fix in traefik.yml configuration file + +------------------------------------------------------------------- +Thu May 23 15:02:13 UTC 2024 - Johannes Weberhofer + +- Update to version 3.0.1 + * CVEs: + * CVE-2024-24788 (bsc#1224018): A malformed DNS message in response to a + query can cause the Lookup functions to get stuck in an infinite loop. 
+ * Bug fixes: + * [k8s/ingress] Fix rule syntax version for all internal routers + (gh#traefik/traefik#10689 by HalloTschuess) + * [metrics,tracing] Allow empty configuration for OpenTelemetry metrics + and tracing (gh#traefik/traefik#10729 by rtribotte) + * [provider,tls] Bump tscert dependency to 28a91b69a046 + (gh#traefik/traefik#10668 by kevinpollet) + * [rules,tcp] Fix the rule syntax mechanism for TCP + (gh#traefik/traefik#10680 by lbenguigui) + * [tls,server] Remove deadlines when handling PostgreSQL connections + (gh#traefik/traefik#10675 by rtribotte) + * [webui] Add support for IP White list + (gh#traefik/traefik#10740 by davidbaptista) + +- Packaging: + * Use Traefik's src.tar.gz files containing a pre-built frontend to simplify the packaging process + * Fixes bsc#1224308 and bsc#1224384 + +- Removed allow-node-21.patch and prepare-sources.sh script + +------------------------------------------------------------------- +Mon May 6 12:59:25 UTC 2024 - Johannes Weberhofer + +- Moved configuraton from .toml to .yml config + +- Update to version 3.0.0 + * Announcment: https://traefik.io/blog/announcing-traefik-proxy-v3-rc/ + * added support for popular, emerging technologies—WebAssembly (Wasm), + OpenTelemetry, and Kubernetes Gateway API + * revamped some key parts of the routing rules + * added support for some leading edge technologies like HTTP/3, SPIFFE, and Tailscale + + * Migration guide: https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/ + + * Details: https://github.com/traefik/traefik/releases/tag/v3.0.0 + +------------------------------------------------------------------- +Fri May 3 15:14:17 UTC 2024 - Johannes Weberhofer + +- Added allow-node-21.patch to allow building with nodejs21, too +- Removed traefik-fix-int-overflow-with-go-generate-10452.patch + +- Update to version 2.11.2 + * Important + * Read the migration guide at https://doc.traefik.io/traefik/migration/v2/#v2112 + + * CVEs: + * GHSA-7f4j-64p6-5h5v (related to CVE-2023-45288) + 
* CVE-2024-28869 (bsc#1222825) + + * Bug fixes: + * [server] Revert LingeringTimeout and change default value for ReadTimeout + * [server] Set default ReadTimeout value to 60s + +- Update to version 2.11.1: + * Bug fixes: + * [acme,tls] Enforce handling of ACME-TLS/1 challenges + * [acme] Update go-acme/lego to v4.16.1 + * [acme] Close created file in ACME local store CheckFile func + * [docker,http3] Update to quic-go v0.42.0 and docker/cli v24.0.9 + * [docker,marathon,rancher,ecs,tls,nomad] Allow to configure TLSStore default generated certificate with labels + * [ecs] Adjust ECS network interface detection logi + * [logs,tls] Fix log when default TLSStore and TLSOptions are defined multiple times + * [middleware] Allow empty replacement with ReplacePathRegex middleware + * [plugins] Update Yaegi to v0.16.1 + * [provider,rules] Don't allow routers higher than internal ones + * [rules] Reserve priority range for internal router + * [server,tcp] Introduce Lingering Timeout + * [tcp] Enforce failure for TCP HostSNI with hostname + * [tracing] Bump Elastic APM to v2.4.8 + * [webui] Fix dashboard exposition through a router + * [webui] Display IPAllowlist middleware configuration in dashboard + * [webui] Make text more readable in dark mode + * [webui] Migrate to Quasar 2.x and Vue.js 3.x + * [webui] Add a horizontal scroll for the mobile view + +------------------------------------------------------------------- +Wed Mar 6 11:13:51 UTC 2024 - Johannes Weberhofer + +- Remove node_modules.sums left over by obs-service-node_modules + +------------------------------------------------------------------- +Tue Mar 5 10:54:13 UTC 2024 - Johannes Weberhofer + +- configuration changes: + * Enhanced default configuration file, including configs for http3 support. + * Docker configuration has been disabled per default, file provider has been enabled. 
+ The directory for the file provider has been set to /etc/traefik/conf.d + * Prepared directories for logging in /var/log/traefik + * Enhanced default configuration file, including configs for http3 support. Settings + are disabled per default. + +- packaging general: + * Use standard source-download feature, modified _service file and removed _servicedata + * packagers can invoke `prepare-sources.sh` to doenload sources and prepare go-packages + as well as node_modules for the built process. + +- frontend packaging: + * The frontend will now be packaged on OBS to have reproduceable builds. + +- Go packaging: + * Added upstream patch traefik-fix-int-overflow-with-go-generate-10452.patch to + allow packaging on 32bit architectures gh#traefik/traefik#10451 + * Enabled CGO because there is no cross compilation needed in OSB (we build + packages for every distribution/architecture seperately). PIE can not be used + with CGO enabled for most architectures and is reported as failure sinc go 1.22. 
+ See https://github.com/golang/go/issues/64875 + * Don't use pie-buildmode for ppc64 and s390x architectures + +- Update to version 2.11.0: + * Enhancements: + * [middleware] Deprecate IPWhiteList middleware in favor of IPAllowList + * [redis] Add Redis Sentinel support + * [server] Add KeepAliveMaxTime and KeepAliveMaxRequests features to entrypoints + * [sticky-session] Hash WRR sticky cookies + * Bug fixes: + * [acme] Update go-acme/lego to v4.15.0 + * [authentication] Fix NTLM and Kerberos + * [file] Fix file watcher + * [file] Update github.com/fsnotify/fsnotify to v1.7.0 + * [http3] Update quic-go to v0.40.1 + * [middleware,tcp] Add missing TCP IPAllowList middleware constructor + * [nomad] Update the Nomad API dependency to v1.7.2 + * [server] Fix ReadHeaderTimeout for PROXY protocol + * [webui] Fixes the Header Button + * [webui] Fix URL encode resource's id before calling API endpoints + +------------------------------------------------------------------- +Wed Feb 21 14:21:09 UTC 2024 - Johannes Weberhofer + +- Fixed packaging of UI + +------------------------------------------------------------------- +Fri Dec 08 12:51:12 UTC 2023 - alexandre.vicenzi@suse.com + +- Update to version 2.10.7: + * CVEs: + * CVE-2023-45283 (boo#1216943) + * CVE-2023-45284 (boo#1216944) + * CVE-2023-47124 (boo#1217806) + * CVE-2023-47633 (boo#1217807) + * CVE-2023-47106 (boo#1217804) + * GHSA-7v4p-328v-8v5g, CVE-2023-39325 (boo#1216109) + * Bug fixes: + * [accesslogs] Fix preflight response status in access logs + * [accesslogs] Move origin fields capture to service level + * [acme] Do not check for wildcard domains for non DNS challenge + * [acme] Remove backoff for http challenge (CVE-2023-47124) + * [acme] Update go-acme/lego to v4.14.0 + * [consul,consulcatalog] Update github.com/hashicorp/consul/api + * [http3] Update quic-go to v0.39.1 + * [k8s/crd] Fix multiple subsets endpoint + * [k8s/ingress,k8s/crd,k8s,hub] Clean code related to Hub + * [k8s/ingress,k8s] fix: avoid 
panic on resource backends + * [kv] Ignore ErrKeyNotFound error for the KV provider + * [logs] Fixed datadog logs json format issue + * [metrics] Enable Prometheus provider cleanup when only the router's metrics level is activated + * [middleware,authentication] Adjust forward auth to avoid connection leak + * [middleware,server] Improve CNAME flattening to avoid unnecessary error logging + * [middleware,tracing,plugins] fix: traceability of the middleware plugins + * [middleware] Allow X-Forwarded-For delete operation + * [middleware] Encode query semicolons + * [middleware] Fix stripPrefix middleware is not applied to retried attempts + * [middleware] Missing trailer with custom errors middleware + * [middleware] Support informational headers in middlewares redefining the response writer + * [plugins] Improve error messages related to plugins + * [provider] Refuse recursive requests (CVE-2023-47633) + * [server] Deny request with fragment in URL path (CVE-2023-47106) + * [server] Update x/net and grpc/grpc-go + * [tracing] Remove deprecated code usage for datadog tracer + * [tracing] Update DataDog tracing dependency to v1.50.1 + * [webui] Add missing accessControlAllowOriginListRegex to middleware view + * Fix false positive in url anonymization + * Misc: + * [webui] Updates the Hub tooltip content using a web component and adds an option to disable Hub button +- Update Go version (CVE-2023-45283, CVE-2023-45284, CVE-2023-39325) + +------------------------------------------------------------------- +Mon Jun 12 17:26:46 UTC 2023 - alexandre.vicenzi@suse.com + +- Update to version 2.10.1: + * CVEs + * CVE-2022-41724 (bsc#1208271) + * CVE-2023-24534 (bsc#1210127) + * CVE-2023-29013 (bsc#1210505) + * Enhancements + * [docker] Expose ContainerName in Docker provider + * [hub] Remove hub configuration out of experimental + * [k8s/crd] Introduce traefik.io API Group CRDs + * [k8s/ingress,k8s/crd,k8s] Native Kubernetes service load-balancing + * [middleware,metrics] Add 
prometheus metric requests_total with headers + * [nomad] Support multiple namespaces in the Nomad Provider + * [tracing] Add support to send DataDog traces via Unix Socket + * [webui] Display period setting of the RateLimit middleware in the webui + * [webui] Modify the Hub Button + * Bug fixes + * [docker] Expose ContainerName in Docker provider + * [docker] Only warn about missing docker network when network_mode is not host or container + * [ecs] Prevent panicking when a container has no network interfaces + * [file] Make file provider more resilient wrt first configuration + * [hub] hub: get out of experimental. + * [k8s/crd] Introduce traefik.io API Group CRDs + * [k8s/ingress,k8s/crd,k8s] Native Kubernetes service load-balancing + * [logs] Differentiate UDP stream and TCP connection in logs + * [metrics] Include user-defined default cert for traefik_tls_certs_not_after metric + * [middleware,metrics] Add prometheus metric requests_total with headers + * [middleware] Prevent from no rate limiting when average is zero + * [middleware] Prevents superfluous WriteHeader call in the error middleware + * [middleware] Sanitize X-Forwarded-Proto header in RedirectScheme middleware + * [nomad] Fix default configuration settings for Nomad Provider + * [nomad] Fix Nomad client TLS defaults + * [nomad] Support multiple namespaces in the Nomad Provider + * [plugins] Improve DeepCopy of PluginConf + * [server] Remove User-Agent header removal from ReverseProxy director func + * [tls,tcp] Adds the support for IPv6 in the TCP HostSNI matcher + * [tracing] Add support to send DataDog traces via Unix Socket + * [server] Update golang.org/x/net to v0.7.0 (CVE-2022-41724) +- Update Go version (CVE-2023-24534, CVE-2023-29013) + +------------------------------------------------------------------- +Tue Jan 17 09:48:46 UTC 2023 - alexandre.vicenzi@suse.com + +- Update to version 2.9.6: + * CVEs + * CVE-2022-23469 + * CVE-2022-46153 + * CVE-2022-41717 + * Bug fixes + * [acme] Update 
go-acme/lego to v4.9.1 + * [k8s/crd] Support of allowEmptyServices in TraefikService + * [logs] Remove logs of the request + * [plugins] Increase the timeout on plugin download + * [server] Update golang.org/x/net (CVE-2022-41717, bsc#1207208) + * [tls] Handle broken TLS conf better + * [tracing] Update DataDog tracing dependency to v1.43.1 + * [webui] Add missing serialNumber passTLSClientCert option to middleware panel + +------------------------------------------------------------------- +Mon Nov 28 12:10:58 UTC 2022 - alexandre.vicenzi@suse.com + +- Update to version 2.9.5: + * Enhancements + * [acme,tls] ACME Default Certificate + * [consul,etcd,zk,kv,redis] Update valkeyrie to v1.0.0 + * [consulcatalog,nomad] Support Nomad canary deployment + * [consulcatalog] Move consulcatalog provider to only use health apis + * [docker] Add support for reaching containers using host networking on Podman + * [docker] Use IPv6 address + * [docker] Add allowEmptyServices for Docker provider + * [ecs] Add support for ECS Anywhere + * [healthcheck] Add a method option to the service Health Check + * [http3] Upgrade quic-go to v0.28.0 + * [http] Start polling HTTP provider at the beginning + * [k8s/crd,plugins] Load plugin configuration field value from Kubernetes Secret + * [logs,tcp] Quiet down TCP RST packet error on read operation + * [metrics] Add traffic size metrics + * [middleware,pilot] Remove Pilot support + * [rules,tcp] Support ALPN for TCP + TLS routers + * [tcp,service,udp] Make the loadbalancers servers order random + * [tls] Change default TLS options for more security + * [tracing] Add Datadog GlobalTags support + * Bug fixes + * [logs,middleware] Create a new capture instance for each incoming request + * [acme] Update go-acme/lego to v4.9.0 + * [kv,redis] Fix Redis configuration type + * [logs,middleware,metrics] Handle capture on redefined http.responseWriters + * [middleware,k8s] Remove raw cert escape in PassTLSClientCert middleware + * [plugins] Update 
Yaegi to v0.14.3 + * Remove side effect on default transport tests + * [acme] Fix ACME panic + * [server] Update golang.org/x/net to latest version + * [consulcatalog] Fix UDP loadbalancer tags not being used with Consul Catalog + * [docker,rancher,ecs,provider] Simplify AddServer algorithm + * [plugins] Allow empty plugin configuration + * [rules] Fix query parameter matching with equal + * [server] Optimize websocket headers handling + * [plugins] Update Yaegi to v0.14.2 + * [server] Fix IPv6 addr with square brackets + * [webui,api] Display default TLS options in the dashboard + + +------------------------------------------------------------------- +Wed Sep 07 10:11:41 UTC 2022 - alexandre.vicenzi@suse.com + +- Update to version 2.8.4: + * Enhancements + * [consul,consulcatalog] Support multiple namespaces for Consul and ConsulCatalog providers + * [logs] Add destination address to debug log + * [middleware,provider,tls] Deprecate caOptional option in client TLS configuration + * [middleware] Support URL replacement in errors middleware + * [middleware] Allow config of additional CircuitBreaker params + * [provider] Implement Traefik provider for Nomad orchestrator + * [server] Allow HTTP/2 max concurrent stream configuration + * [tls,k8s/crd] Support certificates configuration in TLSStore CRD + * [webui,pilot,hub] Add Traefik Hub button and deprecate Pilot + * [webui,plugins] Reach the catalog of plugins from the Traefik dashboard + * Bug fixes + * [docker,docker/swarm] Fix Docker provider mem leak on operation retries + * [middleware] Fix retry middleware on panic + * [plugins] Allow Traefik starting even if plugin service is unavailable + * [marathon] Add missing context in backoff for Marathon + * [k8s/ingress,k8s] Place namespace before name in router key for Ingress + * [logs,middleware,tracing] Remove request dump from IPWhitelist debug log and tracing message + * [metrics] Control allocation and copy of labelNamesValues type + * [metrics] Fix service up 
gauge for Prometheus metrics + * [yaml] Add missing inline tag for YAML serialization + * [middleware,metrics] Improve performances when Prometheus metrics are enabled + * [middleware] Support forwarded websocket protocol in RedirectScheme + * [nomad] Use configured token in the Nomad client + * [metrics] Ensure Datadog client is cleanly stopped + * [healthcheck,service] Do not make multiple requests to the same URL for balancer healthcheck + * [healthcheck,service] Add log when missing path in health check + * [k8s/gatewayapi] Allow multiple listeners on same port in Gateway API provider + * [middleware] RedirectScheme redirects based on X-Forwarded-Proto header + * [rules] Fix HostRegexp and Query muxers + * [logs] Fix invalid placeholder in log message + +------------------------------------------------------------------- +Tue Jun 07 08:27:42 UTC 2022 - alexandre.vicenzi@suse.com + +- Update to version 2.7.0: + * Enhancements + * [consulcatalog] Watch for Consul events to rebuild the dynamic configuration + * [healthcheck] Add Failover service + * [http3] Configure advertised port using h3 server option + * [hub] Add Traefik Hub Integration + * [k8s/crd,k8s] Allow empty services in Kubernetes CRD + * [metrics] Support InfluxDB v2 metrics backend + * [plugins] Remove Pilot token setup constraint to use plugins + * [provider] Refactor configuration reload/throttling + * [rules,tcp] Add HostSNIRegexp rule matcher for TCP + * [tcp] Add muxer for TCP Routers + * [webui,pilot] Add Traefik Hub access and remove Pilot access + * [webui] Add a link to service on router detail view + * Bug fixes + * [hub] Skip Provide when TLS is nil + * [tcp] Fix TCP-TLS/HTTPS routing precedence + * [webui,hub] Use dedicated entrypoint for the tunnels + * [logs,k8s/crd] Fix log statement for ExternalName misconfig + * [tcp,service] Fix initial tcp lookup when address is not available + * [tls] Fix panic when getting certificates with non-existing store + * [acme] Fix RenewInterval 
computation in ACME provider + * [ecs,logs] Remove duplicate error logs + * [ecs] Filter out ECS anywhere instance IDs + * [middleware] Re-add missing writeheader call in flush + * [middleware] Fix bug for when custom page is large enough + * [middleware] Fix regexp handling in redirect middleware + * [plugins] Fix slice parsing for plugins + * [tls] Return TLS unrecognized_name error when no certificate is available + * [acme] Add domain to HTTP challenge errors + * [metrics] Fix metrics bucket key high cardinality + * [middleware,tls] Use CNAME for SNI check on host header + * [middleware,tracing] Rename Datadog span tags + * [tls] Apply the same approach as the rules system on the TLS configuration choice + +------------------------------------------------------------------- +Fri Feb 04 13:37:58 UTC 2022 - alexandre.vicenzi@suse.com + +- Update to version 2.6.0: + * Updated Kubernetes Gateway API provider + * Consul Enterprise support + * Consul Connect support + * Inflight request middleware for TCP routers + * HTTP/3 support (experimental) + * Added support for loading plugins directly from the filesystem (Local Plugins) + * Added ability to create Provider Plugins + * Added TCP Middleware + * Kubernetes 1.22 API changes + * Dropped support for Ingress API versions extensions/v1beta1 + * Updated Traefik Proxy CRDs to use API apiextensions.k8s.io/v1 + +------------------------------------------------------------------- +Wed Jul 28 15:46:39 UTC 2021 - alexandre.vicenzi@suse.com + +- Update to version 2.4.12: + * Get Kubernetes server version early + * Don't remove ingress config on API call failure + * Ratelimiter: use correct ttlSeconds value, and always call Set + * Check if defaultcertificate is defined in store + * Disable ExternalName Services by default on Kubernetes providers + * Fix: malformed Kubernetes resource names and references in tests + * Disable Cross-Namespace by default for IngressRoute provider + * Accesslog: support multiple values for a 
given header + * Ignore http 1.0 request host missing errors + * Headers Middleware: support http.CloseNotifier interface + * Detect certificates content modifications + * Update go-acme/lego to v4.4.0 + * Fix: ACME preferred chain. + * Remove error when HTTProutes is empty + * Fix incorrect behaviour with multi-port endpoint subsets + * Kubernetes ingress provider to search via all endpoints + * Fix plugin unzip call on windows + * Update Yaegi to v0.9.17 + * Bump paerser to v0.1.4 + * Create buffered signals channel + * Fix: use defaultEntryPoints when no entryPoint is defined in a TCPRouter + * Use a dynamic buffer to handle client Hello SNI detection + * Error span on 5xx only + +------------------------------------------------------------------- +Wed May 19 09:06:54 UTC 2021 - Bernhard Wiedemann + +- Allow to override build date with SOURCE_DATE_EPOCH + in order to make builds reproducible (boo#1047218) + +------------------------------------------------------------------- +Thu Apr 29 10:07:36 UTC 2021 - alexandre.vicenzi@suse.com + +- Update to version 2.4.8: + * Prepare release v2.4.8 + * Raise errors for non-ASCII domain names in a router's rules + * Adding an option to (de)activate Pilot integration into the Traefik dashboard + * Doc: improve basic auth middleware httpasswd example + * Add missing `traefik.` prefix across sample config + * Fix travis docker image pulling for docs + * updating docs to remove a no longer needed note + * Update to gateway-api v0.2.0 + * server: updating go-proxyproto with security bugfix from upstream + * Update go-acme/lego to v4.3.1 + +------------------------------------------------------------------- +Thu Jan 10 14:50:22 UTC 2019 - pgeorgiadis@suse.com + +- Initial package release to version 1.7.7: + * Check for watched namespace before getting kubernetes objects + * Allow empty path with App-root annotation + * kubernetes: sort and uniq TLS secrets + * Skip TLS section with no secret in Kubernetes ingress 
diff --git a/traefik.service b/traefik.service
new file mode 100644
index 0000000..768ff25
--- /dev/null
+++ b/traefik.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=Traefik
+Documentation=https://doc.traefik.io/traefik/
+After=network.target network-online.target
+Requires=network-online.target
+AssertFileIsExecutable=/usr/bin/traefik
+AssertPathExists=/etc/traefik/traefik.yml
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.yml
+User=traefik
+WorkingDirectory=~
+Restart=always
+WatchdogSec=1s
+PrivateTmp=true
+ProtectSystem=full
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+KillMode=mixed
+
+[Install]
+WantedBy=multi-user.target
diff --git a/traefik.spec b/traefik.spec
new file mode 100644
index 0000000..53f7b35
--- /dev/null
+++ b/traefik.spec
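Review bot: The [Service] section of traefik.service grants `AmbientCapabilities=CAP_NET_BIND_SERVICE` but sets neither a capability bounding set nor NoNewPrivileges, so the sandbox for this network-facing proxy consists only of `PrivateTmp=true` and `ProtectSystem=full`. Adding `NoNewPrivileges=true`, `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and `ProtectHome=true` would keep the process and its children from holding anything beyond the port-binding capability and would hide user home directories from it. Note also that `WorkingDirectory=~` resolves to /etc/traefik (the home set in traefik-user.conf), which `ProtectSystem=full` mounts read-only, so any relative path written at runtime will fail; a short comment in the unit saying that runtime state belongs under /var/lib/traefik would help.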
@@ -0,0 +1,168 @@ +# +# spec file for package traefik +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define project github.com/traefik/traefik +%ifarch ppc64 s390x +%define buildmode default +%else +%define buildmode pie +%endif +Name: traefik +Version: 3.1.2 +Release: 0 +Summary: The Cloud Native Application Proxy +License: MIT +Group: Productivity/Networking/Web/Proxy +URL: https://traefik.io/ +# set the desired version in the spec-file +# download the source files and create the vendor tarball with "osc service mr" +Source0: https://github.com/traefik/traefik/releases/download/v%{version}/%{name}-v%{version}.src.tar.gz +Source1: vendor.tar.gz +Source2: %{name}.service +Source3: %{name}.yml +Source4: %{name}-user.conf +Source5: 90-%{name}.conf +BuildRequires: go-bindata +BuildRequires: golang-packaging +BuildRequires: systemd-rpm-macros +BuildRequires: sysuser-tools +BuildRequires: (golang(API) >= 1.22) +Recommends: podman +Conflicts: traefik2 +Provides: group(%{name}) +Provides: user(%{name}) +%sysusers_requires +%{?systemd_requires} +%{go_provides} + +%description +Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer +that makes deploying microservices easy. 
Traefik integrates with your existing +infrastructure components (Docker, Swarm mode, Kubernetes, Marathon, Consul, +Etcd, Rancher, Amazon ECS) and configures itself automatically and dynamically. + +Pointing Traefik at your orchestrator should be the only configuration step you need. + +%prep +%setup -q -c %{name}-%{version} -b0 -a1 +%autopatch -p1 + +%build +%sysusers_generate_pre %{SOURCE4} %{name} %{name}-user.conf +%{goprep} %{project} +# see script/generate +go generate + +build_date=$(date -u -d @${SOURCE_DATE_EPOCH:-$(date +%%s)} +"%%Y%%m%%d") +# see script/binary +CGO_ENABLED=1 GOGC=off go build \ + -buildmode=%{buildmode} \ + -mod=vendor \ + -ldflags "-X github.com/traefik/traefik/v2/pkg/version.Version=%{version} \ + -X github.com/traefik/traefik/v2/pkg/version.Codename='' \ + -X github.com/traefik/traefik/v2/pkg/version.BuildDate=${build_date}" \ + -installsuffix nocgo \ + -o traefik \ + ./cmd/traefik + +%install +# system user +install -D -m 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/%{name}-user.conf + +install -d %{buildroot}/%{_sbindir} +install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name} + +# service +install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}.service +ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name} + +# configuration +install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}/%{name}.yml +mkdir -p %{buildroot}%{_sysconfdir}/%{name}/conf.d + +# install configuration to increase UDP buffer sizes +install -D -p -m 0644 %{SOURCE5} %{buildroot}%{_prefix}/lib/sysctl.d/90-%{name}.conf + +# acme storage +install -d -m 0700 %{buildroot}%{_localstatedir}/lib/%{name} +touch %{buildroot}%{_localstatedir}/lib/%{name}/acme.json + +# logging +mkdir -p %{buildroot}%{_localstatedir}/log/%{name} + +%pre -f %{name}.pre +%service_add_pre %{name}.service + +%post +%service_add_post %{name}.service +%{fillup_only -n %{name}} +# fix ownership for config and logging directory +chown -R traefik: %{_sysconfdir}/%{name} 
%{_localstatedir}/log/%{name} + +# try to move acme.json file from old directory to new +if [ -e "%{_sysconfdir}/%{name}/acme.json" ] ; then + if [ -s "%{_sysconfdir}/%{name}/acme.json" ] ; then + if [ -s "%{_localstatedir}/lib/%{name}/acme.json" ] ; then + # if not-empty acme.json files exists on old and new location, write warning + echo "A non-empty acme.json file exists in:" 1>&2 + echo "%{_sysconfdir}/%{name} and %{_localstatedir}/lib/%{name}" 1>&2 + echo "Please clean up this situation and place the correct file in %{_localstatedir}/lib/%{name}" 1>&2 + else + # if not-empty acme.json exists on old location and no file or empty file exists on new location + # move it to the new location + mv "%{_sysconfdir}/%{name}/acme.json" "%{_localstatedir}/lib/%{name}/acme.json" + sed -i -e 's|%{_sysconfdir}/traefik/acme.json|%{_localstatedir}/lib/traefik/acme.json|' %{_sysconfdir}/%{name}/%{name}.yml + fi + else + # remove empty acme.json file from old location + rm "%{_sysconfdir}/%{name}/acme.json" + sed -i -e 's|%{_sysconfdir}/traefik/acme.json|%{_localstatedir}/lib/traefik/acme.json|' %{_sysconfdir}/%{name}/%{name}.yml + fi +fi + +# fix ownership for acme file +chown -R traefik: %{_localstatedir}/lib/%{name}/* + +%preun +%service_del_preun %{name}.service + +%postun +%service_del_postun %{name}.service + +%files +%{_sysusersdir}/%{name}-user.conf + +%license LICENSE.md +%doc README.md SECURITY.md CONTRIBUTING.md +%{_bindir}/%{name} + +%{_unitdir}/%{name}.service +%{_sbindir}/rc%{name} +%{_prefix}/lib/sysctl.d/90-%{name}.conf + +%defattr(0600, traefik, traefik, 0700) +%dir %{_sysconfdir}/%{name} +%dir %{_sysconfdir}/%{name}/conf.d + +%dir %{_localstatedir}/lib/%{name} +%config(noreplace) %{_localstatedir}/lib/%{name}/acme.json + +%config(noreplace) %{_sysconfdir}/%{name}/%{name}.yml +%dir %{_localstatedir}/log/%{name} + +%changelog diff --git a/traefik.yml b/traefik.yml new file mode 100644 index 0000000..dc593d7 --- /dev/null +++ b/traefik.yml 
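Review bot: The `-X` linker flags in %build still name `github.com/traefik/traefik/v2/pkg/version.*` although the package builds 3.1.2, whose module path is presumably `github.com/traefik/traefik/v3`. The Go linker ignores `-X` for a symbol that does not exist, so Version and BuildDate would silently keep their defaults, which makes an installed binary hard to match against advisories. Change the three lines to the form `-X github.com/traefik/traefik/v3/pkg/version.Version=%{version}` (likewise Codename and BuildDate) and confirm with `traefik version` after the build. Separately, %post still runs `chown -R traefik:` over %{_sysconfdir}/%{name}; with acme.json now under %{_localstatedir}/lib, the configuration could stay root-owned and readable only by the traefik group, so the service account cannot rewrite its own config.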
@@ -0,0 +1,153 @@ +# ------------------------------------------------------------------------ +# Configuration for Traefik v3 +# ------------------------------------------------------------------------ + +# ------------------------------------------------------------------------ +# Global configuration +# ------------------------------------------------------------------------ +global: + checkNewVersion: false + sendAnonymousUsage: false + +# ------------------------------------------------------------------------ +# TLS specific configuration +# ------------------------------------------------------------------------ +#tls: +# options: +# default: +# sniStrict: true + +# ------------------------------------------------------------------------ +# Entrypoints configuration +# https://doc.traefik.io/traefik/routing/entrypoints/ +# ------------------------------------------------------------------------ +entryPoints: + web: + address: ":80" + # ------------------------------------------------------------------------ + # Redirect all requests incoming from http to https + # websecure/https must be enabled to be use this configuration + # https://doc.traefik.io/traefik/routing/entrypoints/#redirection + # ------------------------------------------------------------------------ + #http: + # redirections: + # entryPoint: + # to: websecure + # scheme: https + + # ------------------------------------------------------------------------ + # Enable the https endpoint at port 443 + # ------------------------------------------------------------------------ + #websecure: + # address: :443 + + # ------------------------------------------------------------------------ + # Enable the http3 and advertize it at UDP port 443 + # ------------------------------------------------------------------------ + #http3: {} + + +# ------------------------------------------------------------------------ +# Traefik logs configuration +# Enabled if uncommented +# 
https://doc.traefik.io/traefik/observability/logs/ +# ------------------------------------------------------------------------ +log: + # Set traefik's log-level + # Default: ERROR + #level: DEBUG + + +# ------------------------------------------------------------------------ +# Traefik access-log destination and format +# uncomment to enable +# https://doc.traefik.io/traefik/observability/logs/ +# ------------------------------------------------------------------------ +#accessLog: + # ------------------------------------------------------------------------ + # Set the filepath for the traefik log-file. + # Default: os.Stdout + #filePath: /var/log/traefik/traefik.log + # ------------------------------------------------------------------------ + # Write logs in the 'common' or 'json' format. + # Default: common + #format: json + + +# ------------------------------------------------------------------------ +# API and dashboard configuration. +# Uncomment to enable +# https://doc.traefik.io/traefik/operations/api/ +# ------------------------------------------------------------------------ +api: + # ------------------------------------------------------------------------ + # Enable the API in insecure mode + # Default: false + insecure: false + # ------------------------------------------------------------------------ + # Enable the dashboard + # Default: true + dashboard: true + + +# ------------------------------------------------------------------------ +# Ping configuration +# https://doc.traefik.io/traefik/operations/ping/ +# -------------------------------------------------------------------------- +ping: +# -------------------------------------------------------------------------- + # Name of the related entry point + # Default: "traefik" + entryPoint: traefik + + +# -------------------------------------------------------------------------- +# Provider configuration +# -------------------------------------------------------------------------- +providers: + # 
------------------------------------------------------------------------ + # Docker configuration provider + # Default: disabled + # https://doc.traefik.io/traefik/providers/docker/ + # ------------------------------------------------------------------------ + #docker: + # ---------------------------------------------------------------------- + # Docker server endpoint. Can be a tcp or a unix socket endpoint. + # Default: "unix:///var/run/docker.sock" + #endpoint: tcp://10.10.10.10:2375 + # ---------------------------------------------------------------------- + # defaultRule: Host(`{{ normalize .Name }}.docker.localhost`) + # ---------------------------------------------------------------------- + # Expose containers by default in traefik + # Default: true + #exposedByDefault: false + + # ------------------------------------------------------------------------ + # File configuration provider + # Default: disabled + # https://doc.traefik.io/traefik/providers/docker/ + # ------------------------------------------------------------------------ + file: + # ---------------------------------------------------------------------- + # Defines the path to the directory that contains the configuration files. + # Default: unset + directory: /etc/traefik/conf.d + # ---------------------------------------------------------------------- + # Set the watch option to true to allow Traefik to automatically + # watch for file changes + # Default: false + watch: true + +# -------------------------------------------------------------------------- +# ACME Certificate Resolvers configuration +# Default: not configured +# https://doc.traefik.io/traefik/https/acme/ +# -------------------------------------------------------------------------- +#certificatesResolvers: +# letsencryptResolver: +# acme: +# email: your@email +# storage: /var/lib/traefik/acme.json +# httpChallenge: +# entryPoint: web + diff --git a/vendor.tar.gz b/vendor.tar.gz new file mode 100644 index 0000000..b3b6c29 
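Review bot: `ping.entryPoint: traefik` refers to an entry point that `entryPoints:` does not define; as far as I know Traefik then creates the internal `traefik` entry point itself on `:8080` on all interfaces, so a default install would open a second listener that nothing in this file shows. If ping is wanted by default, declare the entry point explicitly and bind it locally, e.g. `traefik:` with `address: "127.0.0.1:8080"` under `entryPoints:`; otherwise ship `ping:` commented out like the other optional sections. Two comments nearby mislead: the `api:` block says "Uncomment to enable" although it is active, and the File provider section links to the docker provider page. The commented Docker example `tcp://10.10.10.10:2375` is the unencrypted API port, so a comment next to it saying that a TCP endpoint should be TLS-protected would be worth adding.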
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3e0427bab18e00c659433a0650bb27731acc18f54308005fb8fb2d8181230d41
+size 23188316