release: 🚀 publish v23.2.0

traefik/Changelog.md

@@ -1,5 +1,129 @@
 # Change Log
 
+## 23.2.0  ![AppVersion: v2.10.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.4&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm)
+
+**Release date:** 2023-07-13
+
+* release: :rocket: publish v23.2.0
+* feat: ✨ add support for traefik v3.0.0-beta3 and openTelemetry
+* feat: add pod_name as default in values.yaml
+* fix: ingressclass name should be customizable (#864)
+* chore(deps): update traefik docker tag to v2.10.4
+* fix: 🐛 traefik or metrics port can be disabled
+* feat: disable allowPrivilegeEscalation
+* fix: 🐛 update traefik.containo.us CRDs to v2.10
+* chore(tests): 🔧 use more accurate asserts on refactor'd isNull test
+* chore(deps): update docker.io/helmunittest/helm-unittest docker tag to v3.11.3
+* ⬆️ Upgrade traefik Docker tag to v2.10.3
+
+### Default value changes
+
+```diff
+diff --git a/traefik/values.yaml b/traefik/values.yaml
+index 345bbd8..947ba56 100644
+--- a/traefik/values.yaml
++++ b/traefik/values.yaml
+@@ -105,12 +105,14 @@ podDisruptionBudget:
+ ingressClass:
+   enabled: true
+   isDefaultClass: true
++  # name: my-custom-class
+
+ # Traefik experimental features
+ experimental:
+-  v3:
++  #This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3"
++  #v3:
+     # -- Enable traefik version 3
+-    enabled: false
++  #  enabled: false 
+   plugins:
+     # -- Enable traefik experimental plugins
+     enabled: false
+@@ -461,6 +463,10 @@ metrics:
+ ## Tracing
+ # -- https://doc.traefik.io/traefik/observability/tracing/overview/
+ tracing: {}
++  #  openTelemetry: # traefik v3+ only
++  #    grpc: {}
++  #    insecure: true
++  #    address: localhost:4317
+   # instana:
+   #   localAgentHost: 127.0.0.1
+   #   localAgentPort: 42699
+@@ -517,7 +523,15 @@ additionalArguments: []
+ #  - "--log.level=DEBUG"
+
+ # -- Environment variables to be passed to Traefik's binary
+-env: []
++env:
++  - name: POD_NAME
++    valueFrom:
++      fieldRef:
++        fieldPath: metadata.name
++  - name: POD_NAMESPACE
++    valueFrom:
++      fieldRef:
++        fieldPath: metadata.namespace
+ # - name: SOME_VAR
+ #   value: some-var-value
+ # - name: SOME_VAR_FROM_CONFIG_MAP
+@@ -563,7 +577,7 @@ ports:
+     # NodePort.
+     #
+     # -- You SHOULD NOT expose the traefik port on production deployments.
+-    # If you want to access it from outside of your cluster,
++    # If you want to access it from outside your cluster,
+     # use `kubectl port-forward` or create a secure ingress
+     expose: false
+     # -- The exposed port for this service
+@@ -571,7 +585,7 @@ ports:
+     # -- The port protocol (TCP/UDP)
+     protocol: TCP
+   web:
+-    ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint.
++    ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
+     # asDefault: true
+     port: 8000
+     # hostPort: 8000
+@@ -600,7 +614,7 @@ ports:
+     #   trustedIPs: []
+     #   insecure: false
+   websecure:
+-    ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint.
++    ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
+     # asDefault: true
+     port: 8443
+     # hostPort: 8443
+@@ -666,7 +680,7 @@ ports:
+     # NodePort.
+     #
+     # -- You may not want to expose the metrics port on production deployments.
+-    # If you want to access it from outside of your cluster,
++    # If you want to access it from outside your cluster,
+     # use `kubectl port-forward` or create a secure ingress
+     expose: false
+     # -- The exposed port for this service
+@@ -880,14 +894,15 @@ topologySpreadConstraints: []
+ priorityClassName: ""
+
+ # -- Set the container security context
+-# -- To run the container with ports below 1024 this will need to be adjust to run as root
++# -- To run the container with ports below 1024 this will need to be adjusted to run as root
+ securityContext:
+   capabilities:
+     drop: [ALL]
+   readOnlyRootFilesystem: true
++  allowPrivilegeEscalation: false
+
+ podSecurityContext:
+-  # /!\ When setting fsGroup, Kubernetes will recursively changes ownership and
++  # /!\ When setting fsGroup, Kubernetes will recursively change ownership and
+   # permissions for the contents of each volume to match the fsGroup. This can
+   # be an issue when storing sensitive content like TLS Certificates /!\
+   # fsGroup: 65532
+```
+
 ## 23.1.0  ![AppVersion: v2.10.1](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.1&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm)
 
 **Release date:** 2023-06-06

traefik/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: traefik
 description: A Traefik based Kubernetes ingress controller
 type: application
-version: 23.1.0
+version: 23.2.0
 # renovate: image=traefik
 appVersion: v2.10.4
 kubeVersion: ">=1.16.0-0"
@@ -28,13 +28,14 @@ maintainers:
 icon: https://raw.githubusercontent.com/traefik/traefik/v2.3/docs/content/assets/img/traefik.logo.png
 annotations:
   artifacthub.io/changes: |
-    - "release: 🚀 publish v23.1.0"
-    - "feat: ✨ add a warning when labelSelector don't match"
-    - "feat: add optional `appProtocol` field on Service ports"
-    - "feat: ➖ remove Traefik Hub v1 integration"
-    - "feat: allow specifying service loadBalancerClass"
-    - "feat: common labels for all resources"
-    - "fix: 🐛 use k8s version for hpa api version"
-    - "fix: 🐛 http3 support on traefik v3"
-    - "fix: use `targetPort` instead of `port` on ServiceMonitor"
-    - "doc: added values README via helm-docs cli"
+    - "release: :rocket: publish v23.2.0"
+    - "feat: ✨ add support for traefik v3.0.0-beta3 and openTelemetry"
+    - "feat: add pod_name as default in values.yaml"
+    - "fix: ingressclass name should be customizable (#864)"
+    - "chore(deps): update traefik docker tag to v2.10.4"
+    - "fix: 🐛 traefik or metrics port can be disabled"
+    - "feat: disable allowPrivilegeEscalation"
+    - "fix: 🐛 update traefik.containo.us CRDs to v2.10"
+    - "chore(tests): 🔧 use more accurate asserts on refactor'd isNull test"
+    - "chore(deps): update docker.io/helmunittest/helm-unittest docker tag to v3.11.3"
+    - "⬆️ Upgrade traefik Docker tag to v2.10.3"

traefik/VALUES.md

@@ -1,6 +1,6 @@
 # traefik
 
-![Version: 23.1.0](https://img.shields.io/badge/Version-23.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.10.1](https://img.shields.io/badge/AppVersion-v2.10.1-informational?style=flat-square)
+![Version: 23.2.0](https://img.shields.io/badge/Version-23.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.10.4](https://img.shields.io/badge/AppVersion-v2.10.4-informational?style=flat-square)
 
 A Traefik based Kubernetes ingress controller
 
@@ -51,10 +51,11 @@ Kubernetes: `>=1.16.0-0`
 | deployment.replicas | int | `1` | Number of pods of the deployment (only applies when kind == Deployment) |
 | deployment.shareProcessNamespace | bool | `false` | Use process namespace sharing |
 | deployment.terminationGracePeriodSeconds | int | `60` | Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down |
-| env | list | `[]` | Environment variables to be passed to Traefik's binary |
+| env | list | `[{"name":"POD_NAME","valueFrom":{"fieldRef":{"fieldPath":"metadata.name"}}},{"name":"POD_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}}]` | Environment variables to be passed to Traefik's binary |
 | envFrom | list | `[]` | Environment variables to be passed to Traefik's binary from configMaps or secrets |
 | experimental.kubernetesGateway.enabled | bool | `false` | Enable traefik experimental GatewayClass CRD |
 | experimental.kubernetesGateway.gateway.enabled | bool | `true` | Enable traefik regular kubernetes gateway |
+| experimental.plugins | object | `{"enabled":false}` | Enable traefik version 3  enabled: false  |
 | experimental.plugins.enabled | bool | `false` | Enable traefik experimental plugins |
 | extraObjects | list | `[]` | Extra objects to deploy (value evaluated as a template)  In some cases, it can avoid the need for additional, extended or adhoc deployments. See #595 for more details and traefik/tests/values/extra.yaml for example. |
 | globalArguments | list | `["--global.checknewversion","--global.sendanonymoususage"]` | Global command arguments to be passed to all traefik's pods |
@@ -97,11 +98,11 @@ Kubernetes: `>=1.16.0-0`
 | podSecurityContext.runAsNonRoot | bool | `true` | Specifies whether the containers should run as a non-root user. |
 | podSecurityContext.runAsUser | int | `65532` | The ID of the user for all containers in the pod to run as. |
 | podSecurityPolicy | object | `{"enabled":false}` | Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding |
-| ports.metrics.expose | bool | `false` | You may not want to expose the metrics port on production deployments. If you want to access it from outside of your cluster, use `kubectl port-forward` or create a secure ingress |
+| ports.metrics.expose | bool | `false` | You may not want to expose the metrics port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress |
 | ports.metrics.exposedPort | int | `9100` | The exposed port for this service |
 | ports.metrics.port | int | `9100` | When using hostNetwork, use another port to avoid conflict with node exporter: https://github.com/prometheus/prometheus/wiki/Default-port-allocations |
 | ports.metrics.protocol | string | `"TCP"` | The port protocol (TCP/UDP) |
-| ports.traefik.expose | bool | `false` | You SHOULD NOT expose the traefik port on production deployments. If you want to access it from outside of your cluster, use `kubectl port-forward` or create a secure ingress |
+| ports.traefik.expose | bool | `false` | You SHOULD NOT expose the traefik port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress |
 | ports.traefik.exposedPort | int | `9000` | The exposed port for this service |
 | ports.traefik.port | int | `9000` |  |
 | ports.traefik.protocol | string | `"TCP"` | The port protocol (TCP/UDP) |
@@ -137,7 +138,7 @@ Kubernetes: `>=1.16.0-0`
 | readinessProbe.successThreshold | int | `1` | The minimum consecutive successes required to consider the probe successful. |
 | readinessProbe.timeoutSeconds | int | `2` | The number of seconds to wait for a probe response before considering it as failed. |
 | resources | object | `{}` | The resources parameter defines CPU and memory requirements and limits for Traefik's containers. |
-| securityContext | object | `{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | To run the container with ports below 1024 this will need to be adjust to run as root |
+| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | To run the container with ports below 1024 this will need to be adjusted to run as root |
 | service.annotations | object | `{}` | Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) |
 | service.annotationsTCP | object | `{}` | Additional annotations for TCP service only |
 | service.annotationsUDP | object | `{}` | Additional annotations for UDP service only |