From 66a4cfd665f2afbc5897becff620a03837cff5c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20BUISSON?=
Date: Thu, 13 Jul 2023 10:09:29 +0200
Subject: [PATCH] release: rocket publish v23.1.1
---
 traefik/Changelog.md | 124 +++++++++++++++++++++++++++++++++++++++++++
 traefik/Chart.yaml | 23 ++++----
 traefik/VALUES.md | 11 ++--
 3 files changed, 142 insertions(+), 16 deletions(-)
diff --git a/traefik/Changelog.md b/traefik/Changelog.md
index 1b4df61e0..efda5f881 100644
--- a/traefik/Changelog.md
+++ b/traefik/Changelog.md
@@ -1,5 +1,129 @@ # Change Log +## 23.1.1 ![AppVersion: v2.10.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.4&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-07-13 + +* release: rocket publish v23.1.1 +* feat: ✨ add support for traefik v3.0.0-beta3 and openTelemetry +* feat: add pod_name as default in values.yaml +* fix: ingressclass name should be customizable (#864) +* chore(deps): update traefik docker tag to v2.10.4 +* fix: 🐛 traefik or metrics port can be disabled +* feat: disable allowPrivilegeEscalation +* fix: 🐛 update traefik.containo.us CRDs to v2.10 +* chore(tests): 🔧 use more accurate asserts on refactor'd isNull test +* chore(deps): update docker.io/helmunittest/helm-unittest docker tag to v3.11.3 +* ⬆️ Upgrade traefik Docker tag to v2.10.3 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 345bbd8..947ba56 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -105,12 +105,14 @@ podDisruptionBudget: + ingressClass: + enabled: true + isDefaultClass: true ++ # name: my-custom-class + + # Traefik experimental features + experimental: +- v3: ++ #This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. 
"v3.0.0-beta3" ++ #v3: + # -- Enable traefik version 3 +- enabled: false ++ # enabled: false + plugins: + # -- Enable traefik experimental plugins + enabled: false +@@ -461,6 +463,10 @@ metrics: + ## Tracing + # -- https://doc.traefik.io/traefik/observability/tracing/overview/ + tracing: {} ++ # openTelemetry: # traefik v3+ only ++ # grpc: {} ++ # insecure: true ++ # address: localhost:4317 + # instana: + # localAgentHost: 127.0.0.1 + # localAgentPort: 42699 +@@ -517,7 +523,15 @@ additionalArguments: [] + # - "--log.level=DEBUG" + + # -- Environment variables to be passed to Traefik's binary +-env: [] ++env: ++ - name: POD_NAME ++ valueFrom: ++ fieldRef: ++ fieldPath: metadata.name ++ - name: POD_NAMESPACE ++ valueFrom: ++ fieldRef: ++ fieldPath: metadata.namespace + # - name: SOME_VAR + # value: some-var-value + # - name: SOME_VAR_FROM_CONFIG_MAP +@@ -563,7 +577,7 @@ ports: + # NodePort. + # + # -- You SHOULD NOT expose the traefik port on production deployments. +- # If you want to access it from outside of your cluster, ++ # If you want to access it from outside your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false + # -- The exposed port for this service +@@ -571,7 +585,7 @@ ports: + # -- The port protocol (TCP/UDP) + protocol: TCP + web: +- ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. ++ ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8000 + # hostPort: 8000 +@@ -600,7 +614,7 @@ ports: + # trustedIPs: [] + # insecure: false + websecure: +- ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. ++ ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. 
+ # asDefault: true + port: 8443 + # hostPort: 8443 +@@ -666,7 +680,7 @@ ports: + # NodePort. + # + # -- You may not want to expose the metrics port on production deployments. +- # If you want to access it from outside of your cluster, ++ # If you want to access it from outside your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false + # -- The exposed port for this service +@@ -880,14 +894,15 @@ topologySpreadConstraints: [] + priorityClassName: "" + + # -- Set the container security context +-# -- To run the container with ports below 1024 this will need to be adjust to run as root ++# -- To run the container with ports below 1024 this will need to be adjusted to run as root + securityContext: + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true ++ allowPrivilegeEscalation: false + + podSecurityContext: +- # /!\ When setting fsGroup, Kubernetes will recursively changes ownership and ++ # /!\ When setting fsGroup, Kubernetes will recursively change ownership and + # permissions for the contents of each volume to match the fsGroup. This can + # be an issue when storing sensitive content like TLS Certificates /!\ + # fsGroup: 65532 +``` + ## 23.1.0 ![AppVersion: v2.10.1](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.1&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) **Release date:** 2023-06-06 diff --git a/traefik/Chart.yaml b/traefik/Chart.yaml index 6b0af2198..20fda3544 100644 --- a/traefik/Chart.yaml +++ b/traefik/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: traefik description: A Traefik based Kubernetes ingress controller type: application -version: 23.1.0 +version: 23.1.1 # renovate: image=traefik appVersion: v2.10.4 kubeVersion: ">=1.16.0-0" 
@@ -28,13 +28,14 @@ maintainers:
 icon: https://raw.githubusercontent.com/traefik/traefik/v2.3/docs/content/assets/img/traefik.logo.png
 annotations:
 artifacthub.io/changes: |
- - "release: 🚀 publish v23.1.0"
- - "feat: ✨ add a warning when labelSelector don't match"
- - "feat: add optional `appProtocol` field on Service ports"
- - "feat: ➖ remove Traefik Hub v1 integration"
- - "feat: allow specifying service loadBalancerClass"
- - "feat: common labels for all resources"
- - "fix: 🐛 use k8s version for hpa api version"
- - "fix: 🐛 http3 support on traefik v3"
- - "fix: use `targetPort` instead of `port` on ServiceMonitor"
- - "doc: added values README via helm-docs cli"
+ - "release: rocket publish v23.1.1"
+ - "feat: ✨ add support for traefik v3.0.0-beta3 and openTelemetry"
+ - "feat: add pod_name as default in values.yaml"
+ - "fix: ingressclass name should be customizable (#864)"
+ - "chore(deps): update traefik docker tag to v2.10.4"
+ - "fix: 🐛 traefik or metrics port can be disabled"
+ - "feat: disable allowPrivilegeEscalation"
+ - "fix: 🐛 update traefik.containo.us CRDs to v2.10"
+ - "chore(tests): 🔧 use more accurate asserts on refactor'd isNull test"
+ - "chore(deps): update docker.io/helmunittest/helm-unittest docker tag to v3.11.3"
+ - "⬆️ Upgrade traefik Docker tag to v2.10.3"
diff --git a/traefik/VALUES.md b/traefik/VALUES.md
index 242867713..60513e390 100644
--- a/traefik/VALUES.md
+++ b/traefik/VALUES.md
@@ -1,6 +1,6 @@ # traefik -![Version: 23.1.0](https://img.shields.io/badge/Version-23.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.10.1](https://img.shields.io/badge/AppVersion-v2.10.1-informational?style=flat-square) +![Version: 23.1.1](https://img.shields.io/badge/Version-23.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.10.4](https://img.shields.io/badge/AppVersion-v2.10.4-informational?style=flat-square) A Traefik based Kubernetes ingress controller 
@@ -51,10 +51,11 @@ Kubernetes: `>=1.16.0-0` | deployment.replicas | int | `1` | Number of pods of the deployment (only applies when kind == Deployment) | | deployment.shareProcessNamespace | bool | `false` | Use process namespace sharing | | deployment.terminationGracePeriodSeconds | int | `60` | Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down | -| env | list | `[]` | Environment variables to be passed to Traefik's binary | +| env | list | `[{"name":"POD_NAME","valueFrom":{"fieldRef":{"fieldPath":"metadata.name"}}},{"name":"POD_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}}]` | Environment variables to be passed to Traefik's binary | | envFrom | list | `[]` | Environment variables to be passed to Traefik's binary from configMaps or secrets | | experimental.kubernetesGateway.enabled | bool | `false` | Enable traefik experimental GatewayClass CRD | | experimental.kubernetesGateway.gateway.enabled | bool | `true` | Enable traefik regular kubernetes gateway | +| experimental.plugins | object | `{"enabled":false}` | Enable traefik version 3 enabled: false | | experimental.plugins.enabled | bool | `false` | Enable traefik experimental plugins | | extraObjects | list | `[]` | Extra objects to deploy (value evaluated as a template) In some cases, it can avoid the need for additional, extended or adhoc deployments. See #595 for more details and traefik/tests/values/extra.yaml for example. | | globalArguments | list | `["--global.checknewversion","--global.sendanonymoususage"]` | Global command arguments to be passed to all traefik's pods | 
@@ -97,11 +98,11 @@ Kubernetes: `>=1.16.0-0` | podSecurityContext.runAsNonRoot | bool | `true` | Specifies whether the containers should run as a non-root user. | | podSecurityContext.runAsUser | int | `65532` | The ID of the user for all containers in the pod to run as. | | podSecurityPolicy | object | `{"enabled":false}` | Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding | -| ports.metrics.expose | bool | `false` | You may not want to expose the metrics port on production deployments. If you want to access it from outside of your cluster, use `kubectl port-forward` or create a secure ingress | +| ports.metrics.expose | bool | `false` | You may not want to expose the metrics port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress | | ports.metrics.exposedPort | int | `9100` | The exposed port for this service | | ports.metrics.port | int | `9100` | When using hostNetwork, use another port to avoid conflict with node exporter: https://github.com/prometheus/prometheus/wiki/Default-port-allocations | | ports.metrics.protocol | string | `"TCP"` | The port protocol (TCP/UDP) | -| ports.traefik.expose | bool | `false` | You SHOULD NOT expose the traefik port on production deployments. If you want to access it from outside of your cluster, use `kubectl port-forward` or create a secure ingress | +| ports.traefik.expose | bool | `false` | You SHOULD NOT expose the traefik port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress | | ports.traefik.exposedPort | int | `9000` | The exposed port for this service | | ports.traefik.port | int | `9000` | | | ports.traefik.protocol | string | `"TCP"` | The port protocol (TCP/UDP) | 
@@ -137,7 +138,7 @@ Kubernetes: `>=1.16.0-0` | readinessProbe.successThreshold | int | `1` | The minimum consecutive successes required to consider the probe successful. | | readinessProbe.timeoutSeconds | int | `2` | The number of seconds to wait for a probe response before considering it as failed. | | resources | object | `{}` | The resources parameter defines CPU and memory requirements and limits for Traefik's containers. | -| securityContext | object | `{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | To run the container with ports below 1024 this will need to be adjust to run as root | +| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | To run the container with ports below 1024 this will need to be adjusted to run as root | | service.annotations | object | `{}` | Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) | | service.annotationsTCP | object | `{}` | Additional annotations for TCP service only | | service.annotationsUDP | object | `{}` | Additional annotations for UDP service only |