From b80f89e3db78be011381ca81b58c4f046ccbea47 Mon Sep 17 00:00:00 2001 From: Andrew Savinykh <658865+AndrewSav@users.noreply.github.com> Date: Fri, 16 Oct 2020 01:12:04 +1300 Subject: [PATCH 01/14] Adding details about the default TLS options to the documentation --- docs/content/https/tls.md | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/docs/content/https/tls.md b/docs/content/https/tls.md index a0f667d48..71fd50222 100644 --- a/docs/content/https/tls.md +++ b/docs/content/https/tls.md 
@@ -134,14 +134,23 @@ If no default certificate is provided, Traefik generates and uses a self-signed The TLS options allow one to configure some parameters of the TLS connection. +!!! important "'default' TLS Option" + + The `default` option is special. + When no tls options are specified in a tls router, the `default` option is used. + When specifying the `default` option explicitly, make sure not to specify provider namespace as the `default` option does not have one. + Conversely, for cross-provider references, for example, when referencing the file provider from a docker label, + you must specify the provider namespace, for example: + `traefik.http.routers.myrouter.tls.options=myoptions@file` + !!! important "TLSOptions in Kubernetes" When using the TLSOptions-CRD in Kubernetes, one might setup a default set of options that, - if not explicitly overwritten, should apply to all ingresses. To achieve that, you'll have to - create a TLSOptions CR with the name `default`. There may exist only one TLSOption with the - name `default` (across all namespaces) - otherwise they will be dropped. - To explicitly use a different TLSOption (and using the Kubernetes Ingress resources) you'll - have to add an annotation to the Ingress in the following form: + if not explicitly overwritten, should apply to all ingresses. + To achieve that, you'll have to create a TLSOptions CR with the name `default`. + There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped. + To explicitly use a different TLSOption (and using the Kubernetes Ingress resources) + you'll have to add an annotation to the Ingress in the following form: `traefik.ingress.kubernetes.io/router.tls.options: -@kubernetescrd` ### Minimum TLS Version From b1ba42410b03f9052f05dd7b9fc275e36f18dbfc Mon Sep 17 00:00:00 2001 
From: Andrew Savinykh <658865+AndrewSav@users.noreply.github.com> Date: Fri, 16 Oct 2020 01:54:04 +1300 Subject: [PATCH 02/14] Moving Provider Namespace documentation topic to Configuration Discovery section --- docs/content/middlewares/overview.md | 105 ++------------------------- docs/content/providers/overview.md | 100 +++++++++++++++++++++++++ 2 files changed, 105 insertions(+), 100 deletions(-) diff --git a/docs/content/middlewares/overview.md b/docs/content/middlewares/overview.md index 557811d41..f2b44fd14 100644 --- a/docs/content/middlewares/overview.md +++ b/docs/content/middlewares/overview.md @@ -11,6 +11,11 @@ There are several available middleware in Traefik, some can modify the request, Pieces of middleware can be combined in chains to fit every scenario. +!!! warning "Provider Namespace" + + Be aware of the concept of Providers Namespace described in the [Configuration Discovery](../providers/overview.md#provider-namespace) section. + It also applies to Middlewares. + ## Configuration Example ```yaml tab="Docker" 
@@ -128,106 +133,6 @@ http: - url: "http://127.0.0.1:80" ``` -## Provider Namespace - -When you declare a middleware, it lives in its provider's namespace. -For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker provider namespace. - -If you use multiple providers and wish to reference a middleware declared in another provider -(aka referencing a cross-provider middleware), -then you'll have to append to the middleware name, the `@` separator, followed by the provider name. - -```text -@ -``` - -!!! important "Kubernetes Namespace" - - As Kubernetes also has its own notion of namespace, one should not confuse the "provider namespace" - with the "kubernetes namespace" of a resource when in the context of a cross-provider usage. - In this case, since the definition of the middleware is not in kubernetes, - specifying a "kubernetes namespace" when referring to the resource does not make any sense, - and therefore this specification would be ignored even if present. - On the other hand, if you declare the middleware as a Custom Resource in Kubernetes and use the - non-crd Ingress objects, you'll have to add the kubernetes namespace of the middleware to the - annotation like this `-@kubernetescrd`. - -!!! abstract "Referencing a Middleware from Another Provider" - - Declaring the add-foo-prefix in the file provider. 
- - ```toml tab="File (TOML)" - [http.middlewares] - [http.middlewares.add-foo-prefix.addPrefix] - prefix = "/foo" - ``` - - ```yaml tab="File (YAML)" - http: - middlewares: - add-foo-prefix: - addPrefix: - prefix: "/foo" - ``` - - Using the add-foo-prefix middleware from other providers: - - ```yaml tab="Docker" - your-container: # - image: your-docker-image - - labels: - # Attach add-foo-prefix@file middleware (declared in file) - - "traefik.http.routers.my-container.middlewares=add-foo-prefix@file" - ``` - - ```yaml tab="Kubernetes Ingress Route" - apiVersion: traefik.containo.us/v1alpha1 - kind: IngressRoute - metadata: - name: ingressroutestripprefix - - spec: - entryPoints: - - web - routes: - - match: Host(`example.com`) - kind: Rule - services: - - name: whoami - port: 80 - middlewares: - - name: add-foo-prefix@file - # namespace: bar - # A namespace specification such as above is ignored - # when the cross-provider syntax is used. - ``` - - ```yaml tab="Kubernetes Ingress" - apiVersion: traefik.containo.us/v1alpha1 - kind: Middleware - metadata: - name: stripprefix - namespace: appspace - spec: - stripPrefix: - prefixes: - - /stripit - - --- - apiVersion: networking.k8s.io/v1 - kind: Ingress - metadata: - name: ingress - namespace: appspace - annotations: - # referencing a middleware from Kubernetes CRD provider: - # -@kubernetescrd - "traefik.ingress.kubernetes.io/router.middlewares": appspace-stripprefix@kubernetescrd - spec: - # ... regular ingress definition - ``` - ## Available Middlewares | Middleware | Purpose | Area | diff --git a/docs/content/providers/overview.md b/docs/content/providers/overview.md index a3b26b028..7aa1fa1e8 100644 --- a/docs/content/providers/overview.md +++ b/docs/content/providers/overview.md 
@@ -22,6 +22,106 @@ Even if each provider is different, we can categorize them in four groups: - Annotation based (a separate object, with annotations, defines the characteristics of the container) - File based (the good old configuration file) +## Provider Namespace + +When you declare certain objects, in Traefik dynamic configuration, +such as middleware, service, TLS options or servers transport, they live in its provider's namespace. +For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker provider namespace. + +If you use multiple providers and wish to reference such an object declared in another provider +(aka referencing a cross-provider object, e.g. middleware), then you'll have to append the `@` separator, +followed by the provider name to the object name. + +```text +@ +``` + +!!! important "Kubernetes Namespace" + + As Kubernetes also has its own notion of namespace, + one should not confuse the "provider namespace" with the "kubernetes namespace" of a resource when in the context of a cross-provider usage. + In this case, since the definition of a traefik dynamic configuration object is not in kubernetes, + specifying a "kubernetes namespace" when referring to the resource does not make any sense, + and therefore this specification would be ignored even if present. + On the other hand, if you, say, declare a middleware as a Custom Resource in Kubernetes and use the non-crd Ingress objects, + you'll have to add the Kubernetes namespace of the middleware to the annotation like this `-@kubernetescrd`. + +!!! abstract "Referencing a Traedik dynamic configuration object from Another Provider" + + Declaring the add-foo-prefix in the file provider. 
+ + ```toml tab="File (TOML)" + [http.middlewares] + [http.middlewares.add-foo-prefix.addPrefix] + prefix = "/foo" + ``` + + ```yaml tab="File (YAML)" + http: + middlewares: + add-foo-prefix: + addPrefix: + prefix: "/foo" + ``` + + Using the add-foo-prefix middleware from other providers: + + ```yaml tab="Docker" + your-container: # + image: your-docker-image + + labels: + # Attach add-foo-prefix@file middleware (declared in file) + - "traefik.http.routers.my-container.middlewares=add-foo-prefix@file" + ``` + + ```yaml tab="Kubernetes Ingress Route" + apiVersion: traefik.containo.us/v1alpha1 + kind: IngressRoute + metadata: + name: ingressroutestripprefix + + spec: + entryPoints: + - web + routes: + - match: Host(`example.com`) + kind: Rule + services: + - name: whoami + port: 80 + middlewares: + - name: add-foo-prefix@file + # namespace: bar + # A namespace specification such as above is ignored + # when the cross-provider syntax is used. + ``` + + ```yaml tab="Kubernetes Ingress" + apiVersion: traefik.containo.us/v1alpha1 + kind: Middleware + metadata: + name: stripprefix + namespace: appspace + spec: + stripPrefix: + prefixes: + - /stripit + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: ingress + namespace: appspace + annotations: + # referencing a middleware from Kubernetes CRD provider: + # -@kubernetescrd + "traefik.ingress.kubernetes.io/router.middlewares": appspace-stripprefix@kubernetescrd + spec: + # ... regular ingress definition + ``` + ## Supported Providers Below is the list of the currently supported providers in Traefik. From c07301473bda16d9a177c0e3690372c29d266663 Mon Sep 17 00:00:00 2001 From: Ludovic Fernandez Date: Fri, 16 Oct 2020 11:02:03 +0200 Subject: [PATCH 03/14] fix: update Yaegi to v0.9.4 --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index cde763cb7..1bbfb839f 100644 --- a/go.mod +++ b/go.mod 
@@ -73,7 +73,7 @@ require ( github.com/stvp/go-udp-testing v0.0.0-20191102171040-06b61409b154 github.com/tinylib/msgp v1.0.2 // indirect github.com/traefik/paerser v0.1.0 - github.com/traefik/yaegi v0.9.0 + github.com/traefik/yaegi v0.9.3 github.com/uber/jaeger-client-go v2.25.0+incompatible github.com/uber/jaeger-lib v2.2.0+incompatible github.com/unrolled/render v1.0.2 diff --git a/go.sum b/go.sum index aacc0dc1f..34de58846 100644 --- a/go.sum +++ b/go.sum @@ -766,8 +766,8 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5 h1:LnC5Kc github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/traefik/paerser v0.1.0 h1:B4v1tbvd8YnHsA7spwHKEWJoGrRP+2jYpIozsCMHhl0= github.com/traefik/paerser v0.1.0/go.mod h1:yYnAgdEC2wJH5CgG75qGWC8SsFDEapg09o9RrA6FfrE= -github.com/traefik/yaegi v0.9.0 h1:v9of1gq/5gR/XeohnboeCNGSJnw1CqiYf6xyBwQSNqI= -github.com/traefik/yaegi v0.9.0/go.mod h1:FAYnRlZyuVlEkvnkHq3bvJ1lW5be6XuwgLdkYgYG6Lk= +github.com/traefik/yaegi v0.9.3 h1:R9PZt0lB2LqspX4hGUQLq+c4sWBVVHPSKN7AxHnEs5E= +github.com/traefik/yaegi v0.9.3/go.mod h1:FAYnRlZyuVlEkvnkHq3bvJ1lW5be6XuwgLdkYgYG6Lk= github.com/transip/gotransip/v6 v6.2.0 h1:0Z+qVsyeiQdWfcAUeJyF0IEKAPvhJwwpwPi2WGtBIiE= github.com/transip/gotransip/v6 v6.2.0/go.mod h1:pQZ36hWWRahCUXkFWlx9Hs711gLd8J4qdgLdRzmtY+g= github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= From 2e8d99c5b8e51451e5001b80c6025a128ed398a8 Mon Sep 17 00:00:00 2001 
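Review bot: The new `require` line in go.mod pins `github.com/traefik/yaegi v0.9.3`, while the commit subject (and the v2.3.2 changelog entry further down this page) says the update is to v0.9.4. The go.sum lines in the same patch also record v0.9.3, so the two files agree with each other and only the stated version differs. Since this module is the interpreter that executes plugin code, the shipped version should match what the release notes claim: either pin `github.com/traefik/yaegi v0.9.4` with matching go.sum entries, or correct the subject, unless a later patch in this series already moves the pin.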
From: Neil McAllister Date: Fri, 16 Oct 2020 02:20:05 -0700 Subject: [PATCH 04/14] Revise Traefik Pilot documentation section --- .../assets/styles/product-switcher.css | 2 +- docs/content/plugins/index.md | 49 +++++++ docs/content/plugins/overview.md | 38 ------ docs/content/plugins/using-plugins.md | 122 ------------------ docs/mkdocs.yml | 4 +- docs/theme/partials/product-switcher.html | 12 ++ 6 files changed, 63 insertions(+), 164 deletions(-) create mode 100644 docs/content/plugins/index.md delete mode 100644 docs/content/plugins/overview.md delete mode 100644 docs/content/plugins/using-plugins.md diff --git a/docs/content/assets/styles/product-switcher.css b/docs/content/assets/styles/product-switcher.css index fa6c6c472..abd5de885 100644 --- a/docs/content/assets/styles/product-switcher.css +++ b/docs/content/assets/styles/product-switcher.css @@ -20,5 +20,5 @@ .product-switcher .nav-dropdown-menu--products .nav-dropdown-menu-wrapper { width: auto; - height: auto; + height: 335px; } diff --git a/docs/content/plugins/index.md b/docs/content/plugins/index.md new file mode 100644 index 000000000..ac3330dbe --- /dev/null +++ b/docs/content/plugins/index.md 
@@ -0,0 +1,49 @@ +# Plugins and Traefik Pilot + +Traefik Pilot is a software-as-a-service (SaaS) platform that connects to Traefik to extend its capabilities. +It offers a number of features to enhance observability and control of Traefik through a global control plane and dashboard, including: + +* Metrics for network activity of Traefik proxies and groups of proxies +* Alerts for service health issues and security vulnerabilities +* Plugins that extend the functionality of Traefik + +!!! important "Learn More About Traefik Pilot" + This section is intended only as a brief overview for Traefik users who are not familiar with Traefik Pilot. + To explore all that Traefik Pilot has to offer, please consult the [Traefik Pilot Documentation](https://doc.traefik.io/traefik-pilot/) + +!!! Note "Prerequisites" + Traefik Pilot is compatible with Traefik Proxy 2.3 or later. + +## Connecting to Traefik Pilot + +To connect your Traefik proxies to Traefik Pilot, login or create an account at the [Traefik Pilot homepage](https://pilot.traefik.io) and choose **Register New Traefik Instance**. + +To complete the connection, Traefik Pilot will issue a token that must be added to your Traefik static configuration, according to the instructions provided by the Traefik Pilot dashboard. +For more information, consult the [Quick Start Guide](https://doc.traefik.io/traefik-pilot/connecting/) + +Health and security alerts for registered Traefik instances can be enabled from the Preferences in your [Traefik Pilot Profile](https://pilot.traefik.io/profile). + +## Plugins + +Plugins are available to any Traefik proxies that are connected to Traefik Pilot. +They are a powerful feature for extending Traefik with custom features and behaviors. + +You can browse community-contributed plugins from the catalog in the [Traefik Pilot Dashboard](https://pilot.traefik.io/plugins). + +To add a new plugin to a Traefik instance, you must modify that instance's static configuration. 
+The code to be added is provided for you when you choose **Install the Plugin** from the Traefik Pilot dashboard. +To learn more about Traefik plugins, consult the [documentation](https://doc.traefik.io/traefik-pilot/plugins/overview/). + +!!! danger "Experimental Features" + Plugins can potentially modify the behavior of Traefik in unforeseen ways. + Exercise caution when adding new plugins to production Traefik instances. + +## Build Your Own Plugins + +Traefik users can create their own plugins and contribute them to the Traefik Pilot catalog to share them with the community. + +Traefik plugins are loaded dynamically. +They need not be compiled, and no complex toolchain is necessary to build them. +The experience of implementing a Traefik plugin is comparable to writing a web browser extension. + +To learn more and see code for example Traefik plugins, please see the [developer documentation](https://doc.traefik.io/traefik-pilot/plugins/plugin-dev/). diff --git a/docs/content/plugins/overview.md b/docs/content/plugins/overview.md deleted file mode 100644 index 2ebd9977b..000000000 --- a/docs/content/plugins/overview.md +++ /dev/null 
@@ -1,38 +0,0 @@ -# Plugins and Traefik Pilot - -Overview -{: .subtitle} - -Traefik Pilot is a software-as-a-service (SaaS) platform that connects to Traefik to extend its capabilities. -It does this through *plugins*, which are dynamically loaded components that enable new features. - -For example, Traefik plugins can add features to modify requests or headers, issue redirects, add authentication, and so on, providing similar functionality to Traefik [middlewares](https://doc.traefik.io/traefik/middlewares/overview/). - -Traefik Pilot can also monitor connected Traefik instances and issue alerts when one is not responding, or when it is subject to security vulnerabilities. - -!!! note "Availability" - Plugins are available for Traefik v2.3.0-rc1 and later. - -!!! danger "Experimental Features" - Plugins can potentially modify the behavior of Traefik in unforeseen ways. - Exercise caution when adding new plugins to production Traefik instances. - -## Connecting to Traefik Pilot - -Plugins are available when a Traefik instance is connected to Traefik Pilot. - -To register a new instance and begin working with plugins, login or create an account at the [Traefik Pilot homepage](https://pilot.traefik.io) and choose **Register New Instance**. - -To complete the connection, Traefik Pilot will issue a token that must be added to your Traefik static configuration by following the instructions provided. - -!!! note "Enabling Alerts" - Health and security alerts for registered Traefik instances can be enabled from the Preferences in your [Traefik Pilot Profile](https://pilot.traefik.io/profile). - -## Creating Plugins - -Traefik users can create their own plugins and contribute them to the Traefik Pilot catalog to share them with the community. - -Plugins are written in [Go](https://golang.org/) and their code is executed by an [embedded Go interpreter](https://github.com/traefik/yaegi). -There is no need to compile binaries and all plugins are 100% cross-platform. 
- -To learn more and see code for example Traefik plugins, please see the [developer documentation](https://github.com/traefik/plugindemo). diff --git a/docs/content/plugins/using-plugins.md b/docs/content/plugins/using-plugins.md deleted file mode 100644 index 592262166..000000000 --- a/docs/content/plugins/using-plugins.md +++ /dev/null 
@@ -1,122 +0,0 @@ -# Using Plugins - -Plugins are available to any instance of Traefik v2.3 or later that is [registered](overview.md#connecting-to-traefik-pilot) with Traefik Pilot. -Plugins are hosted on GitHub, but you can browse plugins to add to your registered Traefik instances from the Traefik Pilot UI. - -!!! danger "Experimental Features" - Plugins can potentially modify the behavior of Traefik in unforeseen ways. - Exercise caution when adding new plugins to production Traefik instances. - -## Add a Plugin - -To add a new plugin to a Traefik instance, you must modify that instance's static configuration. -The code to be added is provided by the Traefik Pilot UI when you choose **Install the Plugin**. - -In the example below, we add the [`blockpath`](http://github.com/traefik/plugin-blockpath) and [`rewritebody`](https://github.com/traefik/plugin-rewritebody) plugins: - -```toml tab="File (TOML)" -[entryPoints] - [entryPoints.web] - address = ":80" - -[pilot] - token = "xxxxxxxxx" - -[experimental.plugins] - [experimental.plugins.block] - modulename = "github.com/traefik/plugin-blockpath" - version = "v0.2.0" - - [experimental.plugins.rewrite] - modulename = "github.com/traefik/plugin-rewritebody" - version = "v0.3.0" -``` - -```yaml tab="File (YAML)" -entryPoints: - web: - address: :80 - -pilot: - token: xxxxxxxxx - -experimental: - plugins: - block: - modulename: github.com/traefik/plugin-blockpath - version: v0.2.0 - rewrite: - modulename: github.com/traefik/plugin-rewritebody - version: v0.3.0 -``` - -```bash tab="CLI" ---entryPoints.web.address=:80 ---pilot.token=xxxxxxxxx ---experimental.plugins.block.modulename=github.com/traefik/plugin-blockpath ---experimental.plugins.block.version=v0.2.0 ---experimental.plugins.rewrite.modulename=github.com/traefik/plugin-rewritebody ---experimental.plugins.rewrite.version=v0.3.0 -``` - -## Configuring Plugins - -Some plugins will need to be configured by adding a dynamic configuration. 
-For the `bodyrewrite` plugin, for example: - -```yaml tab="Docker" -labels: - - "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].regex=example" - - "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].replacement=test" -``` - -```yaml tab="Kubernetes" -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: my-rewritebody -spec: - plugin: - rewrite: - rewrites: - - regex: example - replacement: test -``` - -```yaml tab="Consul Catalog" -- "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].regex=example" -- "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].replacement=test" -``` - -```json tab="Marathon" -"labels": { - "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].regex": "example", - "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].replacement": "test" -} -``` - -```yaml tab="Rancher" -labels: - - "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].regex=example" - - "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].replacement=test" -``` - -```toml tab="File (TOML)" -[http.middlewares] -  [http.middlewares.my-rewritebody.plugin.rewrite] - lastModified = true - [[http.middlewares.my-rewritebody.plugin.rewrite.rewrites]] -    regex = "example" - replacement = "test" -``` - -```yaml tab="File (YAML)" -http: - middlewares: - my-rewritebody: - plugin: - rewrite: - rewrites: - - regex: example - replacement: test -``` diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index 6613bfc93..e869b5583 100644 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml 
@@ -133,9 +133,7 @@ nav: - 'Retry': 'middlewares/retry.md' - 'StripPrefix': 'middlewares/stripprefix.md' - 'StripPrefixRegex': 'middlewares/stripprefixregex.md' - - 'Plugins & Traefik Pilot': - - 'Overview': 'plugins/overview.md' - - 'Using Plugins': 'plugins/using-plugins.md' + - 'Plugins & Traefik Pilot': 'plugins/index.md' - 'Operations': - 'CLI': 'operations/cli.md' - 'Dashboard' : 'operations/dashboard.md' diff --git a/docs/theme/partials/product-switcher.html b/docs/theme/partials/product-switcher.html index 83293a90a..4c7f2401e 100644 --- a/docs/theme/partials/product-switcher.html +++ b/docs/theme/partials/product-switcher.html @@ -43,6 +43,18 @@ + + From 04c07227f2c2a6af341f5250915b2b5847c8e1d6 Mon Sep 17 00:00:00 2001 From: Ludovic Fernandez Date: Mon, 19 Oct 2020 10:28:03 +0200 Subject: [PATCH 05/14] fix: Consul Catalog address documentation. --- docs/content/providers/consul-catalog.md | 8 ++++---- docs/content/reference/static-configuration/cli-ref.md | 2 +- docs/content/reference/static-configuration/env-ref.md | 2 +- pkg/provider/consulcatalog/consul_catalog.go | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/content/providers/consul-catalog.md b/docs/content/providers/consul-catalog.md index 5cdd633ca..8981e37e2 100644 --- a/docs/content/providers/consul-catalog.md +++ b/docs/content/providers/consul-catalog.md @@ -164,12 +164,12 @@ Defines the Consul server endpoint. #### `address` -_Optional, Default="http://127.0.0.1:8500"_ +_Optional, Default="127.0.0.1:8500"_ ```toml tab="File (TOML)" [providers.consulCatalog] [providers.consulCatalog.endpoint] - address = "http://127.0.0.1:8500" + address = "127.0.0.1:8500" # ... ``` 
@@ -177,12 +177,12 @@ _Optional, Default="http://127.0.0.1:8500"_ providers: consulCatalog: endpoint: - address: http://127.0.0.1:8500 + address: 127.0.0.1:8500 # ... ``` ```bash tab="CLI" ---providers.consulcatalog.endpoint.address=http://127.0.0.1:8500 +--providers.consulcatalog.endpoint.address=127.0.0.1:8500 # ... ``` diff --git a/docs/content/reference/static-configuration/cli-ref.md b/docs/content/reference/static-configuration/cli-ref.md index 964019f78..d7486781a 100644 --- a/docs/content/reference/static-configuration/cli-ref.md +++ b/docs/content/reference/static-configuration/cli-ref.md @@ -340,7 +340,7 @@ Constraints is an expression that Traefik matches against the container's labels Default rule. (Default: ```Host(`{{ normalize .Name }}`)```) `--providers.consulcatalog.endpoint.address`: -The address of the Consul server (Default: ```http://127.0.0.1:8500```) +The address of the Consul server (Default: ```127.0.0.1:8500```) `--providers.consulcatalog.endpoint.datacenter`: Data center to use. If not provided, the default agent data center is used diff --git a/docs/content/reference/static-configuration/env-ref.md b/docs/content/reference/static-configuration/env-ref.md index bdb2aa31e..885c29111 100644 --- a/docs/content/reference/static-configuration/env-ref.md +++ b/docs/content/reference/static-configuration/env-ref.md @@ -313,7 +313,7 @@ Constraints is an expression that Traefik matches against the container's labels Default rule. (Default: ```Host(`{{ normalize .Name }}`)```) `TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_ADDRESS`: -The address of the Consul server (Default: ```http://127.0.0.1:8500```) +The address of the Consul server (Default: ```127.0.0.1:8500```) `TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_DATACENTER`: Data center to use. If not provided, the default agent data center is used diff --git a/pkg/provider/consulcatalog/consul_catalog.go b/pkg/provider/consulcatalog/consul_catalog.go index 55ecaad1a..6023d8486 100644 
--- a/pkg/provider/consulcatalog/consul_catalog.go +++ b/pkg/provider/consulcatalog/consul_catalog.go @@ -66,7 +66,7 @@ type EndpointConfig struct { // SetDefaults sets the default values. func (c *EndpointConfig) SetDefaults() { - c.Address = "http://127.0.0.1:8500" + c.Address = "127.0.0.1:8500" } // EndpointHTTPAuthConfig holds configurations of the authentication. From 3e61d1f233ebdf015eaf59e2c253fb8a1f79dbe9 Mon Sep 17 00:00:00 2001 From: Romain Date: Mon, 19 Oct 2020 20:22:04 +0200 Subject: [PATCH 06/14] Prepare release v2.3.2 --- .gitignore | 1 + CHANGELOG.md | 20 +++++++++ .../accesslog/logger_formatters_test.go | 44 ++++++++++--------- script/gcg/traefik-bugfix.toml | 6 +-- 4 files changed, 47 insertions(+), 24 deletions(-) diff --git a/.gitignore b/.gitignore index 425f92309..b2025089a 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,4 @@ cover.out vendor/ plugins-storage/ +traefik_changelog.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 7dfc90665..088c82e28 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
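Review bot: `SetDefaults` now yields a bare `host:port`, but nothing visible in this hunk says what happens to a configured address that still carries a scheme, which is the form the previous documentation told users to write. A doc comment would make the contract explicit, for example `// SetDefaults sets the default values. Address is host:port without a scheme.` It is also worth confirming, in the code that consumes `Address` (outside this hunk), that a value such as `https://...` is either rejected with a clear error or still results in a TLS connection, so that an operator who expressed TLS through the address is not silently moved to plaintext. `EndpointConfig` itself starts outside the hunk, so how the scheme is selected cannot be checked from here.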
@@ -1,3 +1,23 @@ +## [v2.3.2](https://github.com/traefik/traefik/tree/v2.3.2) (2020-10-19) +[All Commits](https://github.com/traefik/traefik/compare/v2.3.1...v2.3.2) + +**Bug fixes:** +- **[acme]** fix: restrict protocol for TLS Challenge. ([#7400](https://github.com/traefik/traefik/pull/7400) by [ldez](https://github.com/ldez)) +- **[acme]** fix: use provider keytype instead of account keytype. ([#7387](https://github.com/traefik/traefik/pull/7387) by [mmatur](https://github.com/mmatur)) +- **[acme]** acme: Fix race condition in LocalStore during saving. ([#7355](https://github.com/traefik/traefik/pull/7355) by [walkline](https://github.com/walkline)) +- **[plugins]** fix: update Yaegi to v0.9.4 ([#7426](https://github.com/traefik/traefik/pull/7426) by [ldez](https://github.com/ldez)) +- **[udp]** fix: udp json struct tag ([#7375](https://github.com/traefik/traefik/pull/7375) by [mschneider82](https://github.com/mschneider82)) + +**Documentation:** +- **[consulcatalog]** fix: Consul Catalog address documentation. ([#7429](https://github.com/traefik/traefik/pull/7429) by [ldez](https://github.com/ldez)) +- **[middleware]** Moving Provider Namespace documentation topic to Configuration Discovery section ([#7423](https://github.com/traefik/traefik/pull/7423) by [AndrewSav](https://github.com/AndrewSav)) +- **[pilot]** fix: pilot static configuration documentation ([#7399](https://github.com/traefik/traefik/pull/7399) by [jbdoumenjou](https://github.com/jbdoumenjou)) +- **[plugins]** Revise Traefik Pilot documentation section ([#7427](https://github.com/traefik/traefik/pull/7427) by [PCM2](https://github.com/PCM2)) +- **[tls]** Adding details about the default TLS options to the documentation ([#7422](https://github.com/traefik/traefik/pull/7422) by [AndrewSav](https://github.com/AndrewSav)) +- doc: add YAML sample. 
([#7397](https://github.com/traefik/traefik/pull/7397) by [ldez](https://github.com/ldez)) +- Fix containous links in readme ([#7394](https://github.com/traefik/traefik/pull/7394) by [kevinpollet](https://github.com/kevinpollet)) +- Fix broken logo ([#7390](https://github.com/traefik/traefik/pull/7390) by [Bencey](https://github.com/Bencey)) + ## [v2.3.1](https://github.com/traefik/traefik/tree/v2.3.1) (2020-09-28) [All Commits](https://github.com/traefik/traefik/compare/v2.3.0...v2.3.1) diff --git a/pkg/middlewares/accesslog/logger_formatters_test.go b/pkg/middlewares/accesslog/logger_formatters_test.go index 79b2273f1..4e764045e 100644 --- a/pkg/middlewares/accesslog/logger_formatters_test.go +++ b/pkg/middlewares/accesslog/logger_formatters_test.go 
@@ -60,27 +60,29 @@ func TestCommonLogFormatter_Format(t *testing.T) { expectedLog: `10.0.0.1 - Client [10/Nov/2009:23:00:00 +0000] "GET /foo http" 123 132 "referer" "agent" - "foo" "http://10.0.0.2/toto" 123000ms `, }, - { - name: "all data with local time", - data: map[string]interface{}{ - StartLocal: time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC), - Duration: 123 * time.Second, - ClientHost: "10.0.0.1", - ClientUsername: "Client", - RequestMethod: http.MethodGet, - RequestPath: "/foo", - RequestProtocol: "http", - OriginStatus: 123, - OriginContentSize: 132, - RequestRefererHeader: "referer", - RequestUserAgentHeader: "agent", - RequestCount: nil, - RouterName: "foo", - ServiceURL: "http://10.0.0.2/toto", - }, - expectedLog: `10.0.0.1 - Client [10/Nov/2009:14:00:00 -0900] "GET /foo http" 123 132 "referer" "agent" - "foo" "http://10.0.0.2/toto" 123000ms -`, - }, + /* + { + name: "all data with local time", + data: map[string]interface{}{ + StartLocal: time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC), + Duration: 123 * time.Second, + ClientHost: "10.0.0.1", + ClientUsername: "Client", + RequestMethod: http.MethodGet, + RequestPath: "/foo", + RequestProtocol: "http", + OriginStatus: 123, + OriginContentSize: 132, + RequestRefererHeader: "referer", + RequestUserAgentHeader: "agent", + RequestCount: nil, + RouterName: "foo", + ServiceURL: "http://10.0.0.2/toto", + }, + expectedLog: `10.0.0.1 - Client [10/Nov/2009:14:00:00 -0900] "GET /foo http" 123 132 "referer" "agent" - "foo" "http://10.0.0.2/toto" 123000ms + `, + }, + */ } // Set timezone to Alaska to have a constant behavior diff --git a/script/gcg/traefik-bugfix.toml b/script/gcg/traefik-bugfix.toml index 12a46dbef..88ed4b137 100644 --- a/script/gcg/traefik-bugfix.toml +++ b/script/gcg/traefik-bugfix.toml 
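Review bot: The "all data with local time" case is disabled with a bare `/* ... */` and no stated reason, so the `StartLocal` formatting path loses the case shown here and nothing marks it for re-enabling. Access-log timestamps are what incident timelines are built from, so the local-time branch should keep its coverage. Add a comment above the block such as `// FIXME: disabled, expected -0900 offset presumably depends on the host tz data; re-enable (tracking: <ISSUE-ID>)`, or move the case into its own subtest that calls `t.Skip` with that reason so the skip shows up in test output. The test table and `TestCommonLogFormatter_Format` continue outside the hunk.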
@@ -4,11 +4,11 @@ RepositoryName = "traefik" OutputType = "file" FileName = "traefik_changelog.md" -# example new bugfix v2.3.1 +# example new bugfix v2.3.2 CurrentRef = "v2.3" -PreviousRef = "v2.3.0" +PreviousRef = "v2.3.1" BaseBranch = "v2.3" -FutureCurrentRefName = "v2.3.1" +FutureCurrentRefName = "v2.3.2" ThresholdPreviousRef = 10 ThresholdCurrentRef = 10 From 2683df7b5b412dcec0abaaf090ee6ceb886bb044 Mon Sep 17 00:00:00 2001 From: Romain Date: Tue, 20 Oct 2020 14:16:04 +0200 Subject: [PATCH 07/14] Fix ingress documentation --- docs/content/routing/entrypoints.md | 26 +- .../routing/providers/kubernetes-ingress.md | 417 ++++++++++++++++-- 2 files changed, 405 insertions(+), 38 deletions(-) diff --git a/docs/content/routing/entrypoints.md b/docs/content/routing/entrypoints.md index dc6d97d55..444b2f57a 100644 --- a/docs/content/routing/entrypoints.md +++ b/docs/content/routing/entrypoints.md @@ -212,8 +212,8 @@ If both TCP and UDP are wanted for the same port, two entryPoints definitions ar ``` ```bash tab="CLI" - entrypoints.specificIPv4.address=192.168.2.7:8888 - entrypoints.specificIPv6.address=[2001:db8::1]:8888 + --entrypoints.specificIPv4.address=192.168.2.7:8888 + --entrypoints.specificIPv6.address=[2001:db8::1]:8888 ``` Full details for how to specify `address` can be found in [net.Listen](https://golang.org/pkg/net/#Listen) (and [net.Dial](https://golang.org/pkg/net/#Dial)) of the doc for go. @@ -745,8 +745,8 @@ entryPoints: ``` ```bash tab="CLI" -entrypoints.websecure.address=:443 -entrypoints.websecure.http.middlewares=auth@file,strip@file +--entrypoints.websecure.address=:443 +--entrypoints.websecure.http.middlewares=auth@file,strip@file ``` ### TLS 
@@ -792,13 +792,13 @@ entryPoints: ``` ```bash tab="CLI" -entrypoints.websecure.address=:443 -entrypoints.websecure.http.tls.options=foobar -entrypoints.websecure.http.tls.certResolver=leresolver -entrypoints.websecure.http.tls.domains[0].main=example.com -entrypoints.websecure.http.tls.domains[0].sans=foo.example.com,bar.example.com -entrypoints.websecure.http.tls.domains[1].main=test.com -entrypoints.websecure.http.tls.domains[1].sans=foo.test.com,bar.test.com +--entrypoints.websecure.address=:443 +--entrypoints.websecure.http.tls.options=foobar +--entrypoints.websecure.http.tls.certResolver=leresolver +--entrypoints.websecure.http.tls.domains[0].main=example.com +--entrypoints.websecure.http.tls.domains[0].sans=foo.example.com,bar.example.com +--entrypoints.websecure.http.tls.domains[1].main=test.com +--entrypoints.websecure.http.tls.domains[1].sans=foo.test.com,bar.test.com ``` ??? example "Let's Encrypt" @@ -821,6 +821,6 @@ entrypoints.websecure.http.tls.domains[1].sans=foo.test.com,bar.test.com ``` ```bash tab="CLI" - entrypoints.websecure.address=:443 - entrypoints.websecure.http.tls.certResolver=leresolver + --entrypoints.websecure.address=:443 + --entrypoints.websecure.http.tls.certResolver=leresolver ``` diff --git a/docs/content/routing/providers/kubernetes-ingress.md b/docs/content/routing/providers/kubernetes-ingress.md index d4b982198..8b79402f8 100644 --- a/docs/content/routing/providers/kubernetes-ingress.md +++ b/docs/content/routing/providers/kubernetes-ingress.md @@ -114,16 +114,11 @@ which in turn will create the resulting routers, services, handlers, etc. - name: traefik image: traefik:v2.3 args: - - --log.level=DEBUG - - --api - - --api.insecure - --entrypoints.web.address=:80 - --providers.kubernetesingress ports: - name: web containerPort: 80 - - name: admin - containerPort: 8080 --- apiVersion: v1 
@@ -139,10 +134,6 @@ which in turn will create the resulting routers, services, handlers, etc. port: 80 name: web targetPort: 80 - - protocol: TCP - port: 8080 - name: admin - targetPort: 8080 ``` ```yaml tab="Whoami" 
@@ -340,27 +331,379 @@ Please see [this documentation](https://kubernetes.io/docs/concepts/services-net ## TLS -### Communication Between Traefik and Pods +### Enabling TLS via HTTP Options on Entrypoint -Traefik automatically requests endpoint information based on the service provided in the ingress spec. -Although Traefik will connect directly to the endpoints (pods), -it still checks the service port to see if TLS communication is required. +TLS can be enabled through the [HTTP options](../entrypoints.md#tls) of an Entrypoint: -There are 3 ways to configure Traefik to use https to communicate with pods: +```bash tab="CLI" +# Static configuration +--entrypoints.websecure.address=:443 +--entrypoints.websecure.http.tls +``` -1. If the service port defined in the ingress spec is `443` (note that you can still use `targetPort` to use a different port on your pod). -1. If the service port defined in the ingress spec has a name that starts with https (such as `https-api`, `https-web` or just `https`). -1. If the ingress spec includes the annotation `traefik.ingress.kubernetes.io/service.serversscheme: https`. +```toml tab="File (TOML)" +# Static configuration +[entryPoints.websecure] + address = ":443" -If either of those configuration options exist, then the backend communication protocol is assumed to be TLS, -and will connect via TLS automatically. + [entryPoints.websecure.http.tls] +``` -!!! info +```yaml tab="File (YAML)" +# Static configuration +entryPoints: + websecure: + address: ':443' + http: + tls: {} +``` + +This way, any Ingress attached to this Entrypoint will have TLS termination by default. + +??? example "Configuring Kubernetes Ingress Controller with TLS on Entrypoint" - Please note that by enabling TLS communication between traefik and your pods, - you will have to have trusted certificates that have the proper trust chain and IP subject name. - If this is not an option, you may need to skip TLS certificate verification. 
- See the [insecureSkipVerify](../../routing/overview.md#insecureskipverify) setting for more details. + ```yaml tab="RBAC" + --- + kind: ClusterRole + apiVersion: rbac.authorization.k8s.io/v1beta1 + metadata: + name: traefik-ingress-controller + rules: + - apiGroups: + - "" + resources: + - services + - endpoints + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses + - ingressclasses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - update + + --- + kind: ClusterRoleBinding + apiVersion: rbac.authorization.k8s.io/v1beta1 + metadata: + name: traefik-ingress-controller + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: traefik-ingress-controller + subjects: + - kind: ServiceAccount + name: traefik-ingress-controller + namespace: default + ``` + + ```yaml tab="Ingress" + kind: Ingress + apiVersion: networking.k8s.io/v1beta1 + metadata: + name: myingress + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + + spec: + rules: + - host: example.com + http: + paths: + - path: /bar + backend: + serviceName: whoami + servicePort: 80 + - path: /foo + backend: + serviceName: whoami + servicePort: 80 + ``` + + ```yaml tab="Traefik" + apiVersion: v1 + kind: ServiceAccount + metadata: + name: traefik-ingress-controller + + --- + kind: Deployment + apiVersion: apps/v1 + metadata: + name: traefik + labels: + app: traefik + + spec: + replicas: 1 + selector: + matchLabels: + app: traefik + template: + metadata: + labels: + app: traefik + spec: + serviceAccountName: traefik-ingress-controller + containers: + - name: traefik + image: traefik:v2.3 + args: + - --entrypoints.websecure.address=:443 + - --entrypoints.websecure.http.tls + - --providers.kubernetesingress + ports: + - name: websecure + containerPort: 443 + + --- + apiVersion: v1 + kind: Service + metadata: + name: traefik + spec: + type: 
LoadBalancer + selector: + app: traefik + ports: + - protocol: TCP + port: 443 + name: websecure + targetPort: 443 + ``` + + ```yaml tab="Whoami" + kind: Deployment + apiVersion: apps/v1 + metadata: + name: whoami + labels: + app: traefiklabs + name: whoami + + spec: + replicas: 2 + selector: + matchLabels: + app: traefiklabs + task: whoami + template: + metadata: + labels: + app: traefiklabs + task: whoami + spec: + containers: + - name: whoami + image: traefik/whoami + ports: + - containerPort: 80 + + --- + apiVersion: v1 + kind: Service + metadata: + name: whoami + + spec: + ports: + - name: http + port: 80 + selector: + app: traefiklabs + task: whoami + ``` + +### Enabling TLS via Annotations + +To enable TLS on the underlying router created from an Ingress, one should configure it through annotations: +```yaml +traefik.ingress.kubernetes.io/router.tls: "true" +``` + +For more options, please refer to the available [annotations](#on-ingress). + +??? example "Configuring Kubernetes Ingress Controller with TLS" + + ```yaml tab="RBAC" + --- + kind: ClusterRole + apiVersion: rbac.authorization.k8s.io/v1beta1 + metadata: + name: traefik-ingress-controller + rules: + - apiGroups: + - "" + resources: + - services + - endpoints + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses + - ingressclasses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - update + + --- + kind: ClusterRoleBinding + apiVersion: rbac.authorization.k8s.io/v1beta1 + metadata: + name: traefik-ingress-controller + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: traefik-ingress-controller + subjects: + - kind: ServiceAccount + name: traefik-ingress-controller + namespace: default + ``` + + ```yaml tab="Ingress" + kind: Ingress + apiVersion: networking.k8s.io/v1beta1 + metadata: + name: myingress + annotations: + 
traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.tls: true + + spec: + rules: + - host: example.com + http: + paths: + - path: /bar + backend: + serviceName: whoami + servicePort: 80 + - path: /foo + backend: + serviceName: whoami + servicePort: 80 + ``` + + ```yaml tab="Traefik" + apiVersion: v1 + kind: ServiceAccount + metadata: + name: traefik-ingress-controller + + --- + kind: Deployment + apiVersion: apps/v1 + metadata: + name: traefik + labels: + app: traefik + + spec: + replicas: 1 + selector: + matchLabels: + app: traefik + template: + metadata: + labels: + app: traefik + spec: + serviceAccountName: traefik-ingress-controller + containers: + - name: traefik + image: traefik:v2.3 + args: + - --entrypoints.websecure.address=:443 + - --providers.kubernetesingress + ports: + - name: websecure + containerPort: 443 + + --- + apiVersion: v1 + kind: Service + metadata: + name: traefik + spec: + type: LoadBalancer + selector: + app: traefik + ports: + - protocol: TCP + port: 443 + name: websecure + targetPort: 443 + ``` + + ```yaml tab="Whoami" + kind: Deployment + apiVersion: apps/v1 + metadata: + name: whoami + labels: + app: traefiklabs + name: whoami + + spec: + replicas: 2 + selector: + matchLabels: + app: traefiklabs + task: whoami + template: + metadata: + labels: + app: traefiklabs + task: whoami + spec: + containers: + - name: whoami + image: traefik/whoami + ports: + - containerPort: 80 + + --- + apiVersion: v1 + kind: Service + metadata: + name: whoami + + spec: + ports: + - name: http + port: 80 + selector: + app: traefiklabs + task: whoami + ``` ### Certificates Management 
@@ -382,7 +725,9 @@ and will connect via TLS automatically. backend: serviceName: service1 servicePort: 80 - + # Only selects which certificate(s) should be loaded from the secret, in order to terminate TLS. + # Doesn't enable TLS for that ingress (hence for the underlying router). + # Please see the TLS annotations on ingress made for that purpose. tls: - secretName: supersecret ``` 
@@ -405,6 +750,28 @@ TLS certificates can be managed in Secrets objects. Only TLS certificates provided by users can be stored in Kubernetes Secrets. [Let's Encrypt](../../https/acme.md) certificates cannot be managed in Kubernetes Secrets yet. +### Communication Between Traefik and Pods + +Traefik automatically requests endpoint information based on the service provided in the ingress spec. +Although Traefik will connect directly to the endpoints (pods), +it still checks the service port to see if TLS communication is required. + +There are 3 ways to configure Traefik to use https to communicate with pods: + +1. If the service port defined in the ingress spec is `443` (note that you can still use `targetPort` to use a different port on your pod). +1. If the service port defined in the ingress spec has a name that starts with https (such as `https-api`, `https-web` or just `https`). +1. If the ingress spec includes the annotation `traefik.ingress.kubernetes.io/service.serversscheme: https`. + +If either of those configuration options exist, then the backend communication protocol is assumed to be TLS, +and will connect via TLS automatically. + +!!! info + + Please note that by enabling TLS communication between traefik and your pods, + you will have to have trusted certificates that have the proper trust chain and IP subject name. + If this is not an option, you may need to skip TLS certificate verification. + See the [insecureSkipVerify](../../routing/overview.md#insecureskipverify) setting for more details. + ## Global Default Backend Ingresses Ingresses can be created that look like the following: From 228270414c7e248e7f5a55925e6161576b18cdc1 Mon Sep 17 00:00:00 2001 From: Yeri Pratama Date: Wed, 21 Oct 2020 00:02:04 +0700 Subject: [PATCH 08/14] fix typo in providers overview documentation --- docs/content/providers/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/content/providers/overview.md b/docs/content/providers/overview.md index 7aa1fa1e8..758afedc3 100644 --- a/docs/content/providers/overview.md +++ b/docs/content/providers/overview.md @@ -46,7 +46,7 @@ followed by the provider name to the object name. On the other hand, if you, say, declare a middleware as a Custom Resource in Kubernetes and use the non-crd Ingress objects, you'll have to add the Kubernetes namespace of the middleware to the annotation like this `-@kubernetescrd`. -!!! abstract "Referencing a Traedik dynamic configuration object from Another Provider" +!!! abstract "Referencing a Traefik dynamic configuration object from Another Provider" Declaring the add-foo-prefix in the file provider. From 721896ba70be6185a15354394d9c4c2867bb716e Mon Sep 17 00:00:00 2001 From: Tom Matthews Date: Tue, 20 Oct 2020 22:02:04 +0100 Subject: [PATCH 09/14] Resolve broken URLs causing make docs to fail --- docs/content/contributing/maintainers.md | 2 +- docs/content/providers/docker.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/content/contributing/maintainers.md b/docs/content/contributing/maintainers.md index 9c4dde672..ac13e8b8d 100644 --- a/docs/content/contributing/maintainers.md +++ b/docs/content/contributing/maintainers.md @@ -11,7 +11,7 @@ * Ludovic Fernandez [@ldez](https://github.com/ldez) * Julien Salleyron [@juliens](https://github.com/juliens) * Nicolas Mengin [@nmengin](https://github.com/nmengin) -* Marco Jantke [@marco-jantke](https://github.com/marco-jantke) +* Marco Jantke [@mjantke](https://github.com/mjeri) * Michaël Matur [@mmatur](https://github.com/mmatur) * Gérald Croës [@geraldcroes](https://github.com/geraldcroes) * Jean-Baptiste Doumenjou [@jbdoumenjou](https://github.com/jbdoumenjou) diff --git a/docs/content/providers/docker.md b/docs/content/providers/docker.md index fa9254730..5b1b455ee 100644 --- a/docs/content/providers/docker.md +++ b/docs/content/providers/docker.md 
@@ -144,8 +144,8 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`] Accessing the Docker API without any restriction is a security concern: If Traefik is attacked, then the attacker might get access to the underlying host. {: #security-note } - - As explained in the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface)): + + As explained in the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/#docker-daemon-attack-surface)): !!! quote [...] only **trusted** users should be allowed to control your Docker daemon [...] From 6ad79dcd456339027c99bd9476ccbaaa33c3cc87 Mon Sep 17 00:00:00 2001 From: Tom Matthews Date: Thu, 22 Oct 2020 10:36:03 +0100 Subject: [PATCH 10/14] Clarify time-based field units --- docs/content/observability/access-logs.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/content/observability/access-logs.md b/docs/content/observability/access-logs.md index 294182fb5..502123917 100644 --- a/docs/content/observability/access-logs.md +++ b/docs/content/observability/access-logs.md @@ -74,7 +74,7 @@ The available filters are: - `statusCodes`, to limit the access logs to requests with a status codes in the specified range - `retryAttempts`, to keep the access logs when at least one retry has happened -- `minDuration`, to keep access logs when requests take longer than the specified duration +- `minDuration`, to keep access logs when requests take longer than the specified duration (provided in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)) ```toml tab="File (TOML)" # Configuring Multiple Filters 
@@ -198,7 +198,7 @@ accessLog: | `RequestScheme` | The HTTP scheme requested `http` or `https`. | | `RequestLine` | `RequestMethod` + `RequestPath` + `RequestProtocol` | | `RequestContentSize` | The number of bytes in the request entity (a.k.a. body) sent by the client. | - | `OriginDuration` | The time taken by the origin server ('upstream') to return its response. | + | `OriginDuration` | The time taken (in nanoseconds) by the origin server ('upstream') to return its response. | | `OriginContentSize` | The content length specified by the origin server, or 0 if unspecified. | | `OriginStatus` | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent. | | `OriginStatusLine` | `OriginStatus` + Status code explanation | @@ -207,7 +207,7 @@ accessLog: | `DownstreamContentSize` | The number of bytes in the response entity returned to the client. This is in addition to the "Content-Length" header, which may be present in the origin response. | | `RequestCount` | The number of requests received since the Traefik instance started. | | `GzipRatio` | The response body compression ratio achieved. | - | `Overhead` | The processing time overhead caused by Traefik. | + | `Overhead` | The processing time overhead (in nanoseconds) caused by Traefik. | | `RetryAttempts` | The amount of attempts the request was retried. | ## Log Rotation From 582d2540af90cc3c3e7b10425f80fec6467d2575 Mon Sep 17 00:00:00 2001 From: Kevin Crawley <3759919+notsureifkevin@users.noreply.github.com> Date: Thu, 22 Oct 2020 05:08:05 -0500 Subject: [PATCH 11/14] add links to contributors guide --- docs/content/contributing/maintainers.md | 61 +------------------ .../contributing/submitting-pull-requests.md | 38 +----------- 2 files changed, 4 insertions(+), 95 deletions(-) diff --git a/docs/content/contributing/maintainers.md b/docs/content/contributing/maintainers.md index ac13e8b8d..1c00666a5 100644 
--- a/docs/content/contributing/maintainers.md
+++ b/docs/content/contributing/maintainers.md
@@ -18,68 +18,13 @@ * Mathieu Lonjaret [@mpl](https://github.com/mpl) * Romain Tribotté [@rtribotte](https://github.com/rtribotte) -## Contributions Daily Meeting +## Issue Triage -* 3 Maintainers should attend to a Contributions Daily Meeting where we sort and label new issues ([is:issue label:status/0-needs-triage](https://github.com/traefik/traefik/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Astatus%2F0-needs-triage+)), and review every Pull Requests -* Every pull request should be checked during the Contributions Daily Meeting - * Even if it’s already assigned - * Even PR labelled with `contributor/waiting-for-corrections` or `contributor/waiting-for-feedback` -* Issues labeled with `priority/P0` and `priority/P1` should be assigned. -* Modifying an issue or a pull request (labels, assignees, milestone) is only possible: - * During the Contributions Daily Meeting - * By an assigned maintainer - * In case of emergency, if a change proposal is approved by 2 other maintainers (on Slack, Discord, Discourse, etc) +Issues and PRs are triaged daily and the process for triaging may be found under [triaging issues](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md) in our [contributors guide repository](https://github.com/traefik/contributors-guide). ## PR review process: -* The status `needs-design-review` is only used in complex/heavy/tricky PRs. -* From `1` to `2`: 1 comment that says “design LGTM” (by a senior maintainer). -* From `2` to `3`: 3 LGTM approvals by any maintainer. -* If needed, a specific maintainer familiar with a particular domain can be requested for the review. -* If a PR has been implemented in pair programming, one peer's LGTM goes into the review for free -* Amending someone else's pull request is authorized only in emergency, if a rebase is needed, or if the initial contributor is silent - -We use [PRM](https://github.com/ldez/prm) to manage locally pull requests. 
- -## Bots - -### [Myrmica Lobicornis](https://github.com/traefik/lobicornis/) - -Update and Merge Pull Request. - -The maintainer giving the final LGTM must add the `status/3-needs-merge` label to trigger the merge bot. - -By default, a squash-rebase merge will be carried out. -To preserve commits, add `bot/merge-method-rebase` before `status/3-needs-merge`. - -The status `status/4-merge-in-progress` is only used by the bot. - -If the bot is not able to perform the merge, the label `bot/need-human-merge` is added. -In such a situation, solve the conflicts/CI/... and then remove the label `bot/need-human-merge`. - -To prevent the bot from automatically merging a PR, add the label `bot/no-merge`. - -The label `bot/light-review` decreases the number of required LGTM from 3 to 1. - -This label is used when: - -* Updating the vendors from previously reviewed PRs -* Merging branches into the master -* Preparing the release - -### [Myrmica Bibikoffi](https://github.com/traefik/bibikoffi/) - -* closes stale issues [cron] - * use some criterion as number of days between creation, last update, labels, ... - -### [Myrmica Aloba](https://github.com/traefik/aloba) - -Manage GitHub labels. - -* Add labels on new PR [GitHub WebHook] -* Add milestone to a new PR based on a branch version (1.4, 1.3, ...) [GitHub WebHook] -* Add and remove `contributor/waiting-for-corrections` label when a review request changes [GitHub WebHook] -* Weekly report of PR status on Slack (CaptainPR) [cron] +The process for reviewing PRs may be found under [review guidelines](https://github.com/traefik/contributors-guide/blob/master/review_guidelines.md) in our contributors guide repository. ## Labels diff --git a/docs/content/contributing/submitting-pull-requests.md b/docs/content/contributing/submitting-pull-requests.md index b388e4fa0..4bec80a78 100644 --- a/docs/content/contributing/submitting-pull-requests.md +++ b/docs/content/contributing/submitting-pull-requests.md 
@@ -5,41 +5,5 @@ A Quick Guide for Efficient Contributions So you've decided to improve Traefik? Thank You! -Now the last step is to submit your Pull Request in a way that makes sure it gets the attention it deserves. -Let's go through the classic pitfalls to make sure everything is right. - -## Title - -The title must be short and descriptive. (~60 characters) - -## Description - -Follow the [pull request template](https://github.com/traefik/traefik/blob/master/.github/PULL_REQUEST_TEMPLATE.md) as much as possible. - -Explain the conditions which led you to write this PR: give us context. -The context should lead to something, an idea or a problem that you’re facing. - -Remain clear and concise. - -Take time to polish the format of your message so we'll enjoy reading it and working on it. -Help the readers focus on what matters, and help them understand the structure of your message (see the [Github Markdown Syntax](https://help.github.com/articles/github-flavored-markdown)). - -## PR Content - -- Make it small. -- One feature per Pull Request. -- Write useful descriptions and titles. -- Avoid re-formatting code that is not on the path of your PR. -- Make sure the [code builds](building-testing.md). -- Make sure [all tests pass](building-testing.md). -- Add tests. -- Address review comments in terms of additional commits (and don't amend/squash existing ones unless the PR is trivial). - -!!! note "Third-Party Dependencies" - - If a PR involves changes to third-party dependencies, the commits pertaining to the vendor folder and the manifest/lock file(s) should be committed separated. - -!!! tip "10 Tips for Better Pull Requests" - - We enjoyed this article, maybe you will too! [10 tips for better pull requests](https://blog.ploeh.dk/2015/01/15/10-tips-for-better-pull-requests/). 
+Please review the [guidelines on creating PRs](https://github.com/traefik/contributors-guide/blob/master/pr_guidelines.md) for Traefik in our [contributors guide repository](https://github.com/traefik/contributors-guide). From fc97ea7ee0dc89460d364b078b43343a00211ed6 Mon Sep 17 00:00:00 2001 From: Romain Date: Thu, 22 Oct 2020 19:52:04 +0200 Subject: [PATCH 12/14] Use timezone without daylight saving time for logger formatter tests Co-authored-by: jbdoumenjou <925513+jbdoumenjou@users.noreply.github.com> --- .../accesslog/logger_formatters_test.go | 48 +++++++++---------- 1 file changed, 23 insertions(+), 25 deletions(-) diff --git a/pkg/middlewares/accesslog/logger_formatters_test.go b/pkg/middlewares/accesslog/logger_formatters_test.go index 4e764045e..1a7f69b5a 100644 --- a/pkg/middlewares/accesslog/logger_formatters_test.go +++ b/pkg/middlewares/accesslog/logger_formatters_test.go 
@@ -60,33 +60,31 @@ func TestCommonLogFormatter_Format(t *testing.T) { expectedLog: `10.0.0.1 - Client [10/Nov/2009:23:00:00 +0000] "GET /foo http" 123 132 "referer" "agent" - "foo" "http://10.0.0.2/toto" 123000ms `, }, - /* - { - name: "all data with local time", - data: map[string]interface{}{ - StartLocal: time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC), - Duration: 123 * time.Second, - ClientHost: "10.0.0.1", - ClientUsername: "Client", - RequestMethod: http.MethodGet, - RequestPath: "/foo", - RequestProtocol: "http", - OriginStatus: 123, - OriginContentSize: 132, - RequestRefererHeader: "referer", - RequestUserAgentHeader: "agent", - RequestCount: nil, - RouterName: "foo", - ServiceURL: "http://10.0.0.2/toto", - }, - expectedLog: `10.0.0.1 - Client [10/Nov/2009:14:00:00 -0900] "GET /foo http" 123 132 "referer" "agent" - "foo" "http://10.0.0.2/toto" 123000ms - `, - }, - */ + { + name: "all data with local time", + data: map[string]interface{}{ + StartLocal: time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC), + Duration: 123 * time.Second, + ClientHost: "10.0.0.1", + ClientUsername: "Client", + RequestMethod: http.MethodGet, + RequestPath: "/foo", + RequestProtocol: "http", + OriginStatus: 123, + OriginContentSize: 132, + RequestRefererHeader: "referer", + RequestUserAgentHeader: "agent", + RequestCount: nil, + RouterName: "foo", + ServiceURL: "http://10.0.0.2/toto", + }, + expectedLog: `10.0.0.1 - Client [10/Nov/2009:14:00:00 -0900] "GET /foo http" 123 132 "referer" "agent" - "foo" "http://10.0.0.2/toto" 123000ms +`, + }, } - // Set timezone to Alaska to have a constant behavior - os.Setenv("TZ", "US/Alaska") + // Set timezone to Etc/GMT+9 to have a constant behavior + os.Setenv("TZ", "Etc/GMT+9") for _, test := range testCases { test := test From 2dd5a53db2e5290753a44bfd6f6a90cf2a1d3647 Mon Sep 17 00:00:00 2001 
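Review bot: `os.Setenv("TZ", "Etc/GMT+9")` changes the timezone for the whole test process, drops the returned error, and nothing in the hunk restores the previous value, so later tests in the package inherit the override. It also only takes effect if nothing earlier in the process has already resolved the local zone, because Go reads `TZ` once; that ordering is worth confirming. The POSIX sign inversion is easy to misread, so a comment such as `// Etc/GMT+9 is UTC-09:00 (POSIX sign is inverted) and never observes DST` would explain why the expected log still shows `-0900`. The test function continues past the end of the hunk, so a restore may exist outside the visible lines.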
From: Andrii Dembitskyi Date: Fri, 23 Oct 2020 12:00:05 +0300 Subject: [PATCH 13/14] Add missed tls config for yaml example --- docs/content/routing/overview.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/content/routing/overview.md b/docs/content/routing/overview.md index 855eab336..58db1b5fb 100644 --- a/docs/content/routing/overview.md +++ b/docs/content/routing/overview.md @@ -228,6 +228,7 @@ http: to-whoami-tcp: service: whoami-tcp rule: HostSNI(`whoami-tcp.example.com`) + tls: {} services: whoami-tcp: From ea459e9af04aacd005bc36fffcfb42a778b77956 Mon Sep 17 00:00:00 2001 From: Ludovic Fernandez Date: Fri, 23 Oct 2020 11:30:04 +0200 Subject: [PATCH 14/14] fix: update Yaegi to v0.9.4 --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 1bbfb839f..f7ee852d9 100644 --- a/go.mod +++ b/go.mod @@ -73,7 +73,7 @@ require ( github.com/stvp/go-udp-testing v0.0.0-20191102171040-06b61409b154 github.com/tinylib/msgp v1.0.2 // indirect github.com/traefik/paerser v0.1.0 - github.com/traefik/yaegi v0.9.3 + github.com/traefik/yaegi v0.9.4 github.com/uber/jaeger-client-go v2.25.0+incompatible github.com/uber/jaeger-lib v2.2.0+incompatible github.com/unrolled/render v1.0.2 diff --git a/go.sum b/go.sum index 34de58846..f97907193 100644 --- a/go.sum +++ b/go.sum 
@@ -766,8 +766,8 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5 h1:LnC5Kc github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/traefik/paerser v0.1.0 h1:B4v1tbvd8YnHsA7spwHKEWJoGrRP+2jYpIozsCMHhl0= github.com/traefik/paerser v0.1.0/go.mod h1:yYnAgdEC2wJH5CgG75qGWC8SsFDEapg09o9RrA6FfrE= -github.com/traefik/yaegi v0.9.3 h1:R9PZt0lB2LqspX4hGUQLq+c4sWBVVHPSKN7AxHnEs5E= -github.com/traefik/yaegi v0.9.3/go.mod h1:FAYnRlZyuVlEkvnkHq3bvJ1lW5be6XuwgLdkYgYG6Lk= +github.com/traefik/yaegi v0.9.4 h1:ZyxSsvpzZTTTbvE2ODjRkOvq6kYT3dIZDqUfCZJYDtw= +github.com/traefik/yaegi v0.9.4/go.mod h1:FAYnRlZyuVlEkvnkHq3bvJ1lW5be6XuwgLdkYgYG6Lk= github.com/transip/gotransip/v6 v6.2.0 h1:0Z+qVsyeiQdWfcAUeJyF0IEKAPvhJwwpwPi2WGtBIiE= github.com/transip/gotransip/v6 v6.2.0/go.mod h1:pQZ36hWWRahCUXkFWlx9Hs711gLd8J4qdgLdRzmtY+g= github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=