Accepting request 1297689 from devel:kubic

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1297689
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/traefik?expand=0&rev=39

90-traefik.conf

@@ -0,0 +1,9 @@
+#
+# Increase the maximum UDP Buffer size to prevent dropping
+# incoming packaets by the kernel
+#
+# https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
+#
+
+net.core.rmem_max=7500000
+net.core.wmem_max=7500000

_service

@@ -1,6 +1,5 @@
 <services>
-  <service name="download_files" mode="manual">
-  </service>
+  <service name="download_files" mode="manual" />
   <service name="go_modules" mode="manual">
     <param name="archive">traefik*.src.tar.gz</param>
     <param name="basename">./</param>

traefik-user.conf

@@ -1,3 +1,3 @@
 #Type Name            ID   GECOS                                       Home directory Shell
-u     traefik         -    "HTTP reverse proxy and load balancer"      /etc/traefik      -
+u     traefik         -    "HTTP reverse proxy and load balancer"      /var/lib/traefik      -
 m     traefik         traefik

traefik-v3.1.2.src.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d8cada1d42e2fad4cbe15b75e8db21647b520ffd49dd09814cc1131c3fe02d00
-size 11491439

traefik-v3.5.0.src.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e5db23a9f9b8bc2c3a334fda83ba8291a8246e9d37f4e332f02fb86c5db6f7ba
+size 15201674

traefik.changes

@@ -1,3 +1,465 @@
+-------------------------------------------------------------------
+Tue Jul 29 10:00:18 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Version 3.5.0
+
+Please read the migration guide:
+https://doc.traefik.io/traefik/migration/v3/#v350
+
+Enhancements:
+  * acme
+    - Add acme.httpChallenge.delay option
+    - Allow configuration of ACME provider http timeout
+    - OCSP stapling
+  * healthcheck
+    - Add unhealthy Interval to the health check configuration
+    - Add url option to healthcheck command
+  * k8s/gatewayapi
+    - Bump sigs.k8s.io/gateway-api to v1.3.0
+  * k8s/ingress
+    - Make the behavior of prefix matching in Ingress consistent with
+    Kubernetes doc
+  * k8s
+    - NGINX Ingress Provider
+  * middleware,authentication
+    - Handle context canceled in ForwardAuth middleware
+  * plugins
+    - Ability to enable unsafe in yaegi through plugin manifest
+  * tls
+    - Introduce X25519MLKEM768 for Post-Quantum-Secure TLS
+  * webui
+    - Improve visualization for StatusRewrites option of errors middleware
+    - Migrate Traefik Proxy dashboard UI to React
+
+Bug fixes:
+  * healthcheck
+    - Revert 11711 adding url param to healthcheck command
+  * logs,metrics,tracing,accesslogs,otel
+    - Add missing resource attributes detectors
+  * logs,tracing,k8s,otel
+    - Add k8s resource attributes automatically
+  * metrics,otel
+    - Add resourceAttributes option to OTel metrics
+  * middleware,tracing
+    - Introduce trace verbosity config and produce less spans by default
+
+- Synchronized changelog with boo tickets and cve entries
+
+-------------------------------------------------------------------
+Fri Jul 25 05:48:31 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Version 3.4.5
+  * logs
+    - Redact logged install configuration (gh#traefik/traefik#11907 by jspdown)
+  * plugins
+    - Fix client arbitrary file access during archive extraction zipslip
+      (gh#traefik/traefik#11911 by odaysec)
+  * server
+    - Disable MPTCP by default (gh#traefik/traefik#11918 by rtribotte)
+  * http3
+    - Bump github.com/quic-go/quic-go to v0.54.0 (gh#traefik/traefik#11919 by GreyXor)
+
+-------------------------------------------------------------------
+Tue Jul 22 13:38:51 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Fixed boo#1246094 bad logrotate configuration allows potential escalation
+  from traefik to root
+
+- Disabled MPTCP which caused issues (see gh#traefik/traefik#11869
+
+- Version 3.4.4
+  - k8s/gatewayapi
+    * Respect service.nativelb=false annotation when nativeLBByDefault is
+      enabled (gh#traefik/traefik#11847 by sdelicata)
+  - service
+    * Fix concurrent access to balancer status map in WRR and P2C 
+      strategies (gh#traefik/traefik#11887 by kevinpollet)
+
+-------------------------------------------------------------------
+Thu Jun 26 15:05:31 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Version 3.4.3
+  - http3
+    * Bump quic-go to v.0.49.0
+  - middleware
+    * Do not log redis sentinel username and password
+
+-------------------------------------------------------------------
+Fri Jun  6 15:50:50 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Improved logging
+- Added logrotate configuration
+- Allow reloading the traefik-service via systemctl
+
+-------------------------------------------------------------------
+Fri Jun  6 13:26:41 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Removed manual download service and manual checksum verification
+
+-------------------------------------------------------------------
+Fri Jun  6 08:48:27 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Version 3.4.1
+
+  - fix for CVE-2025-47952 boo#1243818
+  - docker
+    * Do not warn network missing if connected to a container network
+      (#11698 by holysoles)
+  - k8s/crd
+    * Fix CEL validation for RootCA in ServersTransport (#11775 by rtribotte)
+  - middleware
+    * Scope the rate limit counter key by source and by middleware
+      (#11753 by aromeyer)
+  - server
+    * Use routing path in v3 matchers (#11790 by kevinpollet)
+  - service
+    * Make P2C strategy thread-safe (#11762 by lbenguigui)
+  - webui
+    * Do not display RemoveHeader option when not defined (#11782 by kevinpollet)
+
+-------------------------------------------------------------------
+Tue May 13 04:44:40 UTC 2025 - Eric Torres <eric.torres@its-et.me>
+
+- Important: please read the migration guide in regards to v3.4.0 changes
+
+- Version 3.4.0 changes
+  - acme
+    * Add acme.profile and acme.emailAddresses options (#11597 by ldez)
+  - docker,ecs,docker/swarm,consulcatalog,nomad
+    * Allow configuring server URLs with label providers (#11374 by yelvert)
+  - k8s/crd
+    * Improve CEL validation on Ingress CRD resources (#11311 by mloiseleur)
+    * Remove default load-balancing strategy from CRD (#11701 by kevinpollet)
+    * Restrict regex validation of HTTP status codes for Ingress CRD resources (#11670 by jnoordsij)
+  - k8s/gatewayapi
+    * Set rule priority in Gateway API TLSRoute (#11443 by augustozanellato)
+  - k8s/ingress
+    * Add ingress status for ClusterIP and NodePort Service Type (#11100 by mlec1)
+  - middleware,authentication
+    * Add option to preserve request method in forwardAuth (#11473 by an09mous)
+  - middleware
+    * Support rewriting status codes in error page middleware (#11520 by sevensolutions)
+    * Add Redis rate limiter (#10211 by longquan0104)
+  - service
+    * Add p2c load-balancing strategy for servers load-balancer (#11547 by rtribotte)
+  - sticky-session
+    * Support domain configuration for sticky cookies (#11556 by jleal52)
+  - tls,k8s/crd,service
+    * Allow root CA to be added through config maps (#11475 by Nelwhix)
+  - tls
+    * Add support to disable session ticket (#11609 by avdhoot)
+  - udp
+    * Add support for UDP routing in systemd socket activation (#11022 by tsiid)
+  - webui
+    * Add auto webui theme option and default to it (#11455 by zizzfizzix)
+  - Replace experimental maps and slices with stdlib (#11350 by Juneezee)
+  - Bump github.com/redis/go-redis/v9 to v9.7.3 (#11687 by kevinpollet)
+
+-------------------------------------------------------------------
+Sat Apr 19 22:05:31 UTC 2025 - Eric Torres <eric.torres@its-et.me>
+
+- Important: Please read the migration guide in regards to v3.3.6 changes
+
+- Version 3.3.6 changes
+  * The incoming request path is now cleaned before being used to
+    match the router rules and sent to the backends. Any /../, /./ or duplicate
+    slash segments in the request path is interpreted and/or collapsed.
+  * Bump golang.org/x/net to v0.38.0
+    Fix for boo#1241731 and boo#1241733: CVE-2025-22872
+  - Bump golang.org/x/oauth2 to v0.28.0
+      Fix for boo#1239228 CVE-2025-22868
+
+-------------------------------------------------------------------
+Sat Apr 19 22:04:38 UTC 2025 - Eric Torres <eric.torres@its-et.me>
+
+- Please read the migration guide in regards to v3.3.5 changes
+
+- Version 3.3.5 changes
+  - k8s/gatewayapi
+    * Set scheme to https with BackendTLSPolicy (#11586 by rtribotte)
+  - middleware
+    * Revert compress middleware algorithms priority to v2 behavior (#11641 by rtribotte)
+    * Do not abort request when response content-type is malformed (#11628 by kevinpollet)
+    * Compress data on flush when compression is not started (#11583 by kevinpollet)
+  * Updates
+    - Bump github.com/go-jose/go-jose/v4 to v4.0.5
+      fix boo#1237621 CVE-2025-27144
+    - Bump github.com/golang-jwt/jwt to v4.5.2 and v5.2.2
+      fix boo#1240454 CVE-2025-30204
+    - Bump x/crypto to v0.35.0
+      fix for boo#1239383 CVE-2025-22869, boo#1239363 CVE-2025-22869
+
+-------------------------------------------------------------------
+Mon Mar 31 00:02:54 UTC 2025 - Eric Torres <eric.torres@its-et.me>
+
+- Change traefik user's home directory to /var/lib/traefik. This
+  will allow traefik to store data for plugins from https://plugins.traefik.io/plugins
+  without permission issues
+
+  This change will reflect on existing installations automatically
+
+-------------------------------------------------------------------
+Mon Mar 10 00:27:19 UTC 2025 - Eric Torres <eric.torres@its-et.me>
+
+- Version 3.3.4 changes
+  - fastproxy
+    * Bump github.com/valyala/fasthttp to v1.58.0 (#11526 by kevinpollet)
+    * Add WebSocket headers if they are present in the request (#11522 by kevinpollet)
+    * Chunked responses does not have a Content-Length header (#11514 by kevinpollet)
+  - metrics, otel
+    * Change request duration metric unit from millisecond to second (#11523 by rtribotte)
+  - sticky-session
+    * Fix double hash in sticky cookie (#11518 by juliens)
+  - tracing
+    * Use ResourceAttributes instead of GlobalAttributes (#11515 by bruno-de-queiroz)
+    * Fix panic when calling Tracer (#11479 by basgys)
+
+- Upgrade fixed boo#1235167
+- Package mentioned in boo#1235270 CVE-2024-45338 has been upgraded
+
+-------------------------------------------------------------------
+Mon Mar 10 00:25:30 UTC 2025 - Eric Torres <eric.torres@its-et.me>
+
+- Version 3.3.3 changes
+  - api
+    * Do not create observability model by default (#11476 by rtribotte)
+  - fastproxy
+    * Fix content-length header assertion (#11498 by kevinpollet)
+    * Handle responses without content length header (#11458 by rtribotte)
+  - k8s/crd, k8s
+    * Add missing headerField in Middleware CRD (#11499 by jspdown)
+  - tracing, accesslogs
+    * Bring back TraceID and SpanID fields in access logs (#11450 by rtribotte)
+
+-------------------------------------------------------------------
+Tue Jan 21 13:30:26 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Fix possible privilege escalation when mofing the acme.json file to the new
+  location. Thanks Johannes Segitz (fix for boo#1235408)
+
+- Version 3.3.2
+  - fastproxy
+    * Do not read response body for HEAD requests (gh#traefik/traefik#11442)
+  - metrics,tracing,accesslogs
+    * Fix observability configuration on EntryPoints (gh#traefik/traefik#11446)
+  - webui
+    * Set content-type when serving webui index  (gh#traefik/traefik#11428)
+
+-------------------------------------------------------------------
+Sun Jan 12 16:50:31 UTC 2025 - Eric Torres <eric.torres@its-et.me>
+
+- Version 3.3.1 changes
+  - acme
+    * Add options to control ACME propagation checks (#11241 by ldez)
+  - api
+    * Add support dump API endpoint (#11328 by mmatur)
+  - http
+    * Set Host header in HTTP provider request (#11237 by nikonhub)
+  - k8s/crd, k8s
+    * Make the IngressRoute kind optional (#11177 by skirtan1)
+  - k8s/ingress, sticky-session, k8s/crd,k8s
+    * Support serving endpoints (#11121 by BZValoche)
+    * Fix fenced server status computation (#11361 by kevinpollet)
+  - logs, accesslogs
+    * OpenTelemetry Logs and Access Logs (#11319 by rtribotte)
+    * Add experimental flag for OTLP logs integration (#11335 by kevinpollet)
+  - metrics, tracing, accesslogs
+    * Manage observability at entrypoint and router level (#11308 by rtribotte)
+  - middleware, authentication
+    * Add an option to preserve the ForwardAuth Server Location header (#11318 by Nelwhix)
+    * Only calculate basic auth hashes once for concurrent requests (#11143 by michelheusschen)
+    * Send request body to authorization server for forward auth (#11097 by kyo-ke)
+  - plugins
+    * Add AbortOnPluginFailure option to abort startup on plugin load failure (#11228 by bmagic)
+  - sticky-session
+    * Configurable path for sticky cookies (#11165 by IIpragmaII)
+  - webui, api
+    * Configurable API & Dashboard base path (#11250 by rtribotte)
+
+-------------------------------------------------------------------
+Tue Jan  7 15:47:17 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Version 3.2.5
+  - websocket,server 
+    * Disable http2 connect setting for websocket by default 
+      (gh#traefik/traefik#11412)
+
+-------------------------------------------------------------------
+Mon Jan  6 12:57:27 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Version 3.2.4
+  - acme
+    * Update go-acme/lego to v4.21.0 (gh#traefik/traefik#11368)
+  - k8s/gatewayapi
+    * Support empty value for core Kubernetes API group (gh#traefik/traefik#11386)
+  - middleware
+    * Fix typo in basicauth note (gh#traefik/traefik#11397)
+  - service
+    * Configure ErrorLog in httputil.ReverseProxy (gh#traefik/traefik#11344)
+  - tls
+    * Upgrade github.com/spiffe/go-spiffe/v2 to v2.4.0 (gh#traefik/traefik#11385)
+  - Remove duplicate github.com/coreos/go-systemd dependency (gh#traefik/traefik#11354)
+  - Bump golang.org/x/net to v0.33.0 (gh#traefik/traefik#11365)
+    mentioned in boo#1235256 CVE-2024-45338
+
+-------------------------------------------------------------------
+Mon Dec 16 13:27:07 UTC 2024 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Version 3.2.3 
+  - Fix for boo#1234513 CVE-2024-4533
+  - acme
+    * Update go-acme/lego to v4.20.4 (gh#traefik/traefik#11295)
+  - http3
+    * Update github.com/quic-go/quic-go to v0.48.2 (gh#traefik/traefik#11320)
+  - docker,docker/swarm
+    * Rename traefik.docker.* labels for Docker Swarm to traefik.swarm.* (gh#traefik/traefik#11247)
+  - plugins
+    * Fix WASM settings (gh#traefik/traefik#11321)
+  - rules
+    * Fix models mechanism for default rule syntax (gh#traefik/traefik#11300)
+  - server
+    * Update golang.org/x dependencies (gh#traefik/traefik#11336, CVE-2024-45337, boo#1234502)
+
+-------------------------------------------------------------------
+Thu Nov 21 15:19:14 UTC 2024 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- golang-jwt has been updated to version 4.5.1 to fix CVE-2024-51744 and boo#1232940
+
+- Version 3.2.1 changes
+  - acme
+    * Update go-acme/lego to v4.20.2 (gh#traefik/traefik#11263 by ldez)
+  - logs
+    * Change level of peeking first byte error log to DEBUG for Postgres 
+      (gh#traefik/traefik#11270 by rtribotte)
+  - k8s/ingress,k8s
+    * Fix HostRegexp config for rule syntax v2 (gh#traefik/traefik#11288 by kevinpollet)
+  - logs Change level of peeking first byte error log to DEBUG for Postgres
+    (gh#traefik/traefik#11270 by rtribotte, gh#traefik/traefik#11254 by rtribotte)
+  - service
+    * Fix internal handlers ServiceBuilder composition (gh#traefik/traefik#11281 by juliens)
+  - service,fastproxy Fix case problem for websocket upgrade
+    (gh#traefik/traefik#11246 by juliens)
+  - server
+    * Change level of peeking first byte error log to DEBUG (gh#traefik/traefik#11254 by rtribotte)
+    * Apply keepalive config to h2c entrypoints (gh#traefik/traefik#11276 by davefu113)
+  - middleware,server
+    * Drop untrusted X-Forwarded-Prefix header (gh#traefik/traefik#11253 by rtribotte)
+
+-------------------------------------------------------------------
+Thu Oct 31 01:26:24 UTC 2024 - Eric Torres <eric.torres@its-et.me>
+
+- Update from 3.1.6 to 3.2.0
+
+- Important: please read the migration guide when migrating to version 3.2.0
+
+- Version 3.2.0 changes
+  - acme
+      * Remove same email requirement for certresolvers (#11019 by Emrio)
+      * Add support for custom CA certificates by certificate resolver (#10816 by ldez)
+      * Add 30 day certificatesDuration step (#10970 by luker983)
+  - docker
+      * Support HTTP BasicAuth for docker and swarm endpoint (#10776 by 985492783)
+  - k8s, k8s/gatewayapi
+      * Add supported features to the Gateway API GatewayClass status (#11056 by rtribotte)
+      * Update sigs.k8s.io/gateway-api to v1.2.0-rc1 (#11124 by rtribotte)
+      * Add support for backend protocol selection in HTTP and GRPC routes (#11051 by rtribotte)
+      * Improve Kubernetes GatewayAPI TCPRoute and TLSRoute support (#11042 by rtribotte)
+      * Support HTTPRoute destination port matching (#11134 by kevinpollet)
+      * Bump sigs.k8s.io/gateway-api to v1.2.0-rc2 (#11131 by kevinpollet)
+      * Add support for Gateway API BackendTLSPolicies (#11009 by rtribotte)
+      * Support NativeLB option in GatewayAPI provider (#11147 by rtribotte)
+      * Support ResponseHeaderModifier filter (#10987 by kevinpollet)
+      * Support GRPC routes (#10975 by kevinpollet)
+      * Bump sigs.k8s.io/gateway-api to v1.2.0 (#11167 by rtribotte)
+      * Ensuring Gateway API reflected Traefik resource name unicity (#11222 by rtribotte)
+      * Preserve GRPCRoute filters order (#11199 by kevinpollet)
+      * Support http and https appProtocol for Kubernetes Service (#11176 by WillDaSilva)
+      * Avoid updating Accepted status for routes matching no Gateways (#11170 by rtribotte)
+      * Do not update gateway status when not selected by a gateway class (#11169 by kevinpollet)
+      * Document nativeLBByDefault annotation on Kubernetes Gateway provider (#11209 by mloiseleur)
+  - k8s/crd, k8s
+      * Detail CRD update with v3.2 in the migration guide (#11164 by mloiseleur)
+  - k8s/gatewayapi
+      * Add missing RBAC in the migration guide (#11189 by mloiseleur)
+  - k8s
+      * Fix instructions for downloading CRDs of Gateway API v1.2 (#11191 by mloiseleur)
+  - metrics, otel
+      * Allow setting service.name for OTLP metrics (#10917 by cmartell-at-ocp)
+  - middleware
+      * Record trace id and EntryPoint span id into access log (#10921 by weijiany)
+      * Support LogUserHeader with forwardAuth middleware (#10833 by GaleHuang)
+      * Add encodings option to the compression middleware (#10943 by wollomatic)
+      * Add support for ipv6 subnet in ipStrategy (#9747 by michal-kralik)
+  - nomad
+      * Support for watching instead of polling Nomad (#10997 by deverton-godaddy)
+  - server
+      * Introduce a fast proxy mode to improve HTTP/1.1 performances with backends (#11122 by kevinpollet)
+      * Configurable max request header size (#10995 by lucasrod16)
+  - service
+      * Add mirrorBody option to HTTP mirroring (#11032 by MatteoPaier)
+      * Add an option to preserve server path (#11192 by mmatur)
+      * Detect and drop broken conns in the fastproxy pool (#11212 by kevinpollet)
+  - Merge branch v3.1 into v3.2 (#11219 by kevinpollet)
+  - Merge branch v3.1 into master (#11153 by kevinpollet)
+
+- Version 3.1.7 changes
+  - k8s
+    * Preserve HTTPRoute filters order (#11198 by kevinpollet)
+  - Merge branch v2.11 into v3.1
+
+-------------------------------------------------------------------
+Wed Oct 16 03:46:25 UTC 2024 - Eric Torres <eric.torres@its-et.me>
+
+- Update from 3.1.4 to 3.1.6
+
+- Version 3.1.6 changes
+  - middleware
+    * Reuse compression writers (#11168 by michelheusschen)
+    * Use correct default weight in Accept-Encoding (#11084 by michelheusschen)
+  - plugins
+    * Close wasm middleware to prevent memory leak (#11151 by ttys3)
+
+- Version 3.1.5 changes
+  - k8s, ingress
+    * Disable IngressClass lookup when disableClusterScopeResources is enabled (#11111 by jnoordsij)
+  - server
+    * Rework condition to not log on timeout (#11132 by rtribotte)
+  - Merge branch v2.11 into v3.1
+
+-------------------------------------------------------------------
+Tue Sep 24 00:25:39 UTC 2024 - Eric Torres <eric.torres@its-et.me>
+
+- Update to version 3.1.4
+  - Fixes CVE-2024-45410, boo#1230842
+  - k8s, ingress, rules, crd
+    * Allow configuring rule syntax with Kubernetes Ingress annotation
+    * Re-allow empty configuration for Kubernetes Ingress provider
+    * Remove mentions about APIVersion traefik.io/v1
+    * Update quick-start-with-kubernetes.md to include required permissions
+  - middlewares, metrics
+    * Wrap capture for services used by pieces of middleware
+    * Mention missing metrics removal in the migration guide
+    * Guess Datadog socket type when prefix is unix
+  - plugins
+    * Removes goexport dependency and adds _initialize
+  - tracing
+    * Fix tracing documentation
+    * OTLP doc + potential panic
+
+- Update ldflags to point to correct traefik version (v3 instead of v2)
+
+-------------------------------------------------------------------
+Thu Sep 12 14:50:28 UTC 2024 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Moved /etc/traefik/acme.json to /var/lib/traefik/acme.json to allow traefik
+  running with "ProtectSystem=full" write access to the certificate store.
+
+  The acme.json file will be automatically moved and the configuration will be
+  updated accordingly.
+
+- Added /usr/lib/sysctl.d/90-itraefik.conf to increase UDP Buffer sizes as explained
+   at https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
+
 -------------------------------------------------------------------
 Wed Aug  7 08:03:10 UTC 2024 - Johannes Weberhofer <jweberhofer@weberhofer.at>
 

traefik.logrotate

@@ -0,0 +1,20 @@
+/var/log/traefik/*.log {
+    su traefik traefik
+
+    weekly
+    maxsize 32G
+    notifempty
+    missingok
+
+    rotate 128
+    dateext
+    dateformat -%Y%m%d-%H%M
+    compress
+    compresscmd xz
+
+    create 644 traefik traefik
+    postrotate
+      systemctl reload traefik.service
+    endscript
+}
+

traefik.service

@@ -9,6 +9,7 @@ AssertPathExists=/etc/traefik/traefik.yml
 [Service]
 Type=notify
 ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.yml
+ExecReload=kill -HUP $MAINPID ; kill -USR1 $MAINPID
 User=traefik
 WorkingDirectory=~
 Restart=always

traefik.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package traefik
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,7 +23,7 @@
 %define buildmode pie
 %endif
 Name:           traefik
-Version:        3.1.2
+Version:        3.5.0
 Release:        0
 Summary:        The Cloud Native Application Proxy
 License:        MIT
@@ -36,11 +36,14 @@ Source1:        vendor.tar.gz
 Source2:        %{name}.service
 Source3:        %{name}.yml
 Source4:        %{name}-user.conf
+Source5:        90-%{name}.conf
+Source6:        %{name}.logrotate
 BuildRequires:  go-bindata
 BuildRequires:  golang-packaging
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  sysuser-tools
 BuildRequires:  (golang(API) >= 1.22)
+Requires:       logrotate
 Recommends:     podman
 Conflicts:      traefik2
 Provides:       group(%{name})
@@ -58,8 +61,7 @@ Etcd, Rancher, Amazon ECS) and configures itself automatically and dynamically.
 Pointing Traefik at your orchestrator should be the only configuration step you need.
 
 %prep
-%setup -q -c %{name}-%{version} -b0 -a1
-%autopatch -p1
+%autosetup -c %{name}-%{version} -b0 -a1 -p1
 
 %build
 %sysusers_generate_pre %{SOURCE4} %{name} %{name}-user.conf
@@ -72,9 +74,9 @@ build_date=$(date -u -d @${SOURCE_DATE_EPOCH:-$(date +%%s)} +"%%Y%%m%%d")
 CGO_ENABLED=1 GOGC=off go build \
   -buildmode=%{buildmode} \
   -mod=vendor \
-  -ldflags "-X github.com/traefik/traefik/v2/pkg/version.Version=%{version} \
-            -X github.com/traefik/traefik/v2/pkg/version.Codename='' \
-            -X github.com/traefik/traefik/v2/pkg/version.BuildDate=${build_date}" \
+  -ldflags "-X github.com/traefik/traefik/v3/pkg/version.Version=%{version} \
+            -X github.com/traefik/traefik/v3/pkg/version.Codename='' \
+            -X github.com/traefik/traefik/v3/pkg/version.BuildDate=${build_date}" \
   -installsuffix nocgo \
   -o traefik \
   ./cmd/traefik
@@ -94,17 +96,75 @@ ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
 install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}/%{name}.yml
 mkdir -p %{buildroot}%{_sysconfdir}/%{name}/conf.d
 
+# install configuration to increase UDP buffer sizes
+install -D -p -m 0644 %{SOURCE5} %{buildroot}%{_prefix}/lib/sysctl.d/90-%{name}.conf
+
+# acme storage
+install -d -m 0700 %{buildroot}%{_localstatedir}/lib/%{name}
+touch  %{buildroot}%{_localstatedir}/lib/%{name}/acme.json
+
 # logging
 mkdir -p %{buildroot}%{_localstatedir}/log/%{name}
 
+mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
+install -m 644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/logrotate.d/traefik
+
 %pre -f %{name}.pre
 %service_add_pre %{name}.service
 
 %post
 %service_add_post %{name}.service
 %{fillup_only -n %{name}}
-# fix ownership for config and logging directory
-chown -R traefik: %{_sysconfdir}/%{name} %{_localstatedir}/log/%{name}
+
+# prepare ownership for operations as root user
+chown -R root: %{_sysconfdir}/%{name}
+chown root: %{_localstatedir}/lib/%{name}
+
+if [ -e "%{_sysconfdir}/%{name}/acme.json" ] ; then
+	# try to move acme.json file from old directory to the new location
+	if [ -L "%{_sysconfdir}/%{name}/acme.json" ] ; then
+		echo "Delete the symbolic link %{_sysconfdir}/%{name}/acme.json" 1>&2
+		echo "The ACME file must be placed in %{_localstatedir}/lib/traefik" 1>&2
+		exit 0
+	fi
+	if [ -s "%{_sysconfdir}/%{name}/acme.json" ] ; then
+		if [ -s "%{_localstatedir}/lib/%{name}/acme.json" ] ; then
+			# if not-empty acme.json files exists on old and new location, write warning
+			echo "A non-empty acme.json file exists in:" 1>&2
+			echo "%{_sysconfdir}/%{name} and %{_localstatedir}/lib/%{name}" 1>&2
+			echo "Please clean up this situation and place the correct file in %{_localstatedir}/lib/%{name}" 1>&2
+		else
+			# if not-empty acme.json exists on old location and no file or empty file exists on new location
+			# move it to the new location
+			mv %{_sysconfdir}/%{name}/acme.json %{_localstatedir}/lib/%{name}/acme.json
+			sed -i -e 's|%{_sysconfdir}/traefik/acme.json|%{_localstatedir}/lib/traefik/acme.json|' %{_sysconfdir}/%{name}/%{name}.yml
+		fi
+	else
+		# remove empty acme.json file from old location
+		rm "%{_sysconfdir}/%{name}/acme.json"
+		sed -i -e 's|%{_sysconfdir}/traefik/acme.json|%{_localstatedir}/lib/traefik/acme.json|' %{_sysconfdir}/%{name}/%{name}.yml
+	fi
+fi
+# set correct permissions
+chmod 0750 %{_sysconfdir}/%{name} %{_sysconfdir}/%{name}/conf.d
+find %{_sysconfdir}/%{name} -type d -exec chmod 0750 {} \;
+find %{_sysconfdir}/%{name} -type f -exec chmod 0640 {} \;
+
+chmod 0700 %{_localstatedir}/lib/%{name}
+chmod 0600 %{_localstatedir}/lib/%{name}/*
+
+# set ownership for normal operation
+chown -R root:traefik %{_sysconfdir}/%{name}
+chown -R traefik: %{_localstatedir}/lib/%{name}
+chown -R traefik: %{_localstatedir}/log/%{name}
+
+# update traefik user's home directory
+sysuser_homedir="$(getent passwd traefik | cut -d: -f6)"
+
+if [ "${sysuser_homedir}" != "%{_localstatedir}/lib/%{name}" ]; then
+    usermod --home %{_localstatedir}/lib/%{name} traefik
+    echo "Updated traefik home directory to %{_localstatedir}/lib/%{name}" 1>&2
+fi
 
 %preun
 %service_del_preun %{name}.service
@@ -121,12 +181,20 @@ chown -R traefik: %{_sysconfdir}/%{name} %{_localstatedir}/log/%{name}
 
 %{_unitdir}/%{name}.service
 %{_sbindir}/rc%{name}
+%{_prefix}/lib/sysctl.d/90-%{name}.conf
 
-%defattr(0660, traefik, traefik, 0750)
+# config files are owned by root but can be read by traefik
+%defattr(0640, root, traefik, 0750)
 %dir %{_sysconfdir}/%{name}
 %dir %{_sysconfdir}/%{name}/conf.d
-
 %config(noreplace) %{_sysconfdir}/%{name}/%{name}.yml
+
+# certificates are visible for traefik only
+%defattr(0600, traefik, traefik, 0700)
+%dir %{_localstatedir}/lib/%{name}
+%config(noreplace) %{_localstatedir}/lib/%{name}/acme.json
+
 %dir %{_localstatedir}/log/%{name}
+%config(noreplace) %{_sysconfdir}/logrotate.d/traefik
 
 %changelog

traefik.yml

@@ -56,6 +56,10 @@ log:
   # Set traefik's log-level
   # Default: ERROR
   #level: DEBUG
+  #
+  # Set a filePath if you want to send traefik logs to a file instead of
+  # the systemd journal. Access logs are handled seperately
+  #filePath: /var/log/traefik/traefik.log
 
 
 # ------------------------------------------------------------------------
@@ -65,9 +69,9 @@ log:
 # ------------------------------------------------------------------------
 #accessLog:
   # ------------------------------------------------------------------------
-  # Set the filepath for the traefik log-file.
+  # Set the filepath for the access log file.
   # Default: os.Stdout
-  #filePath: /var/log/traefik/traefik.log
+  #filePath: /var/log/traefik/access.log
   # ------------------------------------------------------------------------
   # Write logs in the 'common' or 'json' format.
   # Default: common
@@ -147,7 +151,13 @@ providers:
 #  letsencryptResolver:
 #    acme:
 #      email: your@email
-#      storage: /etc/traefik/acme.json
+#      storage: /var/lib/traefik/acme.json
 #      httpChallenge:
 #        entryPoint: web
+#  acmeDnsResolver:
+#    acme:
+#      email: your@email
+#      storage: /var/lib/traefik/acme-dns.json
+#      dnsChallenge:
+#        provider: ???????
 

vendor.tar.gz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:3e0427bab18e00c659433a0650bb27731acc18f54308005fb8fb2d8181230d41
-size 23188316
+oid sha256:8ac11193d7a544aad9c5348de9efcf6d02e370251f4220102b1fa18f15edf706
+size 26521318