Merge branch v3.3 into master

MaxMood96 · Jan 8, 2025 · b0a7296 · b0a7296
2 parents 6d3a685 + a57e118
commit b0a7296
Show file tree

Hide file tree

Showing 14 changed files with 172 additions and 24 deletions.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -3,11 +3,11 @@ PLEASE READ THIS MESSAGE.
 
 Documentation fixes or enhancements:
 - for Traefik v2: use branch v2.11
-- for Traefik v3: use branch v3.2
+- for Traefik v3: use branch v3.3
 
 Bug fixes:
 - for Traefik v2: use branch v2.11
-- for Traefik v3: use branch v3.2
+- for Traefik v3: use branch v3.3
 
 Enhancements:
 - for Traefik v2: we only accept bug fixes

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -15,11 +15,11 @@ env:
 jobs:
 
   build-webui:
-    if: github.ref_type == 'tag'
+    if: github.ref_type == 'tag' && github.repository == 'traefik/traefik'
     uses: ./.github/workflows/template-webui.yaml
 
   build:
-    if: github.ref_type == 'tag'
+    if: github.ref_type == 'tag' && github.repository == 'traefik/traefik'
     runs-on: ubuntu-latest
 
     strategy:
@@ -80,7 +80,7 @@ jobs:
           retention-days: 1
 
   release:
-    if: github.ref_type == 'tag'
+    if: github.ref_type == 'tag' && github.repository == 'traefik/traefik'
     runs-on: ubuntu-latest
 
     needs:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,89 @@
+## [v3.3.1](/~https://github.com/traefik/traefik/tree/v3.3.1) (2025-01-07)
+[All Commits](/~https://github.com/traefik/traefik/compare/v3.3.0...v3.3.1)
+
+**Bug fixes:**
+- **[websocket,server]** Disable http2 connect setting for websocket by default ([#11408](/~https://github.com/traefik/traefik/pull/11408) by [rtribotte](/~https://github.com/rtribotte))
+
+## [v3.2.5](/~https://github.com/traefik/traefik/tree/v3.2.5) (2025-01-07)
+[All Commits](/~https://github.com/traefik/traefik/compare/v3.2.4...v3.2.5)
+
+**Bug fixes:**
+- **[websocket,server]** Disable http2 connect setting for websocket by default ([#11408](/~https://github.com/traefik/traefik/pull/11408) by [rtribotte](/~https://github.com/rtribotte))
+
+## [v2.11.18](/~https://github.com/traefik/traefik/tree/v2.11.18) (2025-01-07)
+[All Commits](/~https://github.com/traefik/traefik/compare/v2.11.17...v2.11.18)
+
+**Bug fixes:**
+- **[websocket,server]** Disable http2 connect setting for websocket by default ([#11412](/~https://github.com/traefik/traefik/pull/11412) by [rtribotte](/~https://github.com/rtribotte))
+
+## [v3.3.0](/~https://github.com/traefik/traefik/tree/v3.3.0) (2025-01-06)
+[All Commits](/~https://github.com/traefik/traefik/compare/v3.2.0-rc1...v3.3.0)
+
+**Enhancements:**
+- **[acme]** Add options to control ACME propagation checks ([#11241](/~https://github.com/traefik/traefik/pull/11241) by [ldez](/~https://github.com/ldez))
+- **[api]** Add support dump API endpoint ([#11328](/~https://github.com/traefik/traefik/pull/11328) by [mmatur](/~https://github.com/mmatur))
+- **[http]** Set Host header in HTTP provider request ([#11237](/~https://github.com/traefik/traefik/pull/11237) by [nikonhub](/~https://github.com/nikonhub))
+- **[k8s/crd,k8s]** Make the IngressRoute kind optional ([#11177](/~https://github.com/traefik/traefik/pull/11177) by [skirtan1](/~https://github.com/skirtan1))
+- **[k8s/ingress,sticky-session,k8s/crd,k8s]** Support serving endpoints ([#11121](/~https://github.com/traefik/traefik/pull/11121) by [BZValoche](/~https://github.com/BZValoche))
+- **[logs,accesslogs]** OpenTelemetry Logs and Access Logs ([#11319](/~https://github.com/traefik/traefik/pull/11319) by [rtribotte](/~https://github.com/rtribotte))
+- **[logs,accesslogs]** Add experimental flag for OTLP logs integration ([#11335](/~https://github.com/traefik/traefik/pull/11335) by [kevinpollet](/~https://github.com/kevinpollet))
+- **[metrics,tracing,accesslogs]** Manage observability at entrypoint and router level ([#11308](/~https://github.com/traefik/traefik/pull/11308) by [rtribotte](/~https://github.com/rtribotte))
+- **[middleware,authentication]** Add an option to preserve the ForwardAuth Server Location header ([#11318](/~https://github.com/traefik/traefik/pull/11318) by [Nelwhix](/~https://github.com/Nelwhix))
+- **[middleware,authentication]** Only calculate basic auth hashes once for concurrent requests ([#11143](/~https://github.com/traefik/traefik/pull/11143) by [michelheusschen](/~https://github.com/michelheusschen))
+- **[middleware,authentication]** Send request body to authorization server for forward auth ([#11097](/~https://github.com/traefik/traefik/pull/11097) by [kyo-ke](/~https://github.com/kyo-ke))
+- **[plugins]** Add AbortOnPluginFailure option to abort startup on plugin load failure ([#11228](/~https://github.com/traefik/traefik/pull/11228) by [bmagic](/~https://github.com/bmagic))
+- **[sticky-session]** Configurable path for sticky cookies ([#11166](/~https://github.com/traefik/traefik/pull/11166) by [IIpragmaII](/~https://github.com/IIpragmaII))
+- **[webui,api]** Configurable API &amp; Dashboard base path ([#11250](/~https://github.com/traefik/traefik/pull/11250) by [rtribotte](/~https://github.com/rtribotte))
+
+**Bug fixes:**
+- **[k8s/ingress,k8s/crd]** Fix fenced server status computation ([#11361](/~https://github.com/traefik/traefik/pull/11361) by [kevinpollet](/~https://github.com/kevinpollet))
+
+**Documentation:**
+- Prepare release v3.3.0-rc2 ([#11362](/~https://github.com/traefik/traefik/pull/11362) by [rtribotte](/~https://github.com/rtribotte))
+- Prepare Release v3.3.0-rc1 ([#11349](/~https://github.com/traefik/traefik/pull/11349) by [rtribotte](/~https://github.com/rtribotte))
+
+**Misc:**
+- Merge branch v3.2 into v3.3 ([#11402](/~https://github.com/traefik/traefik/pull/11402) by [kevinpollet](/~https://github.com/kevinpollet))
+- Merge branch v3.2 into v3.3 ([#11393](/~https://github.com/traefik/traefik/pull/11393) by [mmatur](/~https://github.com/mmatur))
+- Merge branch v3.2 into v3.3 ([#11389](/~https://github.com/traefik/traefik/pull/11389) by [mmatur](/~https://github.com/mmatur))
+- Merge branch v3.2 into v3.3 ([#11367](/~https://github.com/traefik/traefik/pull/11367) by [kevinpollet](/~https://github.com/kevinpollet))
+- Merge branch v3.2 into master ([#11340](/~https://github.com/traefik/traefik/pull/11340) by [kevinpollet](/~https://github.com/kevinpollet))
+- Merge branch v3.2 into master ([#11293](/~https://github.com/traefik/traefik/pull/11293) by [kevinpollet](/~https://github.com/kevinpollet))
+- Merge branch v3.2 into master ([#11239](/~https://github.com/traefik/traefik/pull/11239) by [kevinpollet](/~https://github.com/kevinpollet))
+- Merge branch v3.2 into master ([#11187](/~https://github.com/traefik/traefik/pull/11187) by [kevinpollet](/~https://github.com/kevinpollet))
+
+## [v3.2.4](/~https://github.com/traefik/traefik/tree/v3.2.4) (2025-01-06)
+[All Commits](/~https://github.com/traefik/traefik/compare/v3.2.3...v3.2.4)
+
+**Bug fixes:**
+- **[k8s/gatewayapi]** Support empty value for core Kubernetes API group ([#11386](/~https://github.com/traefik/traefik/pull/11386) by [rtribotte](/~https://github.com/rtribotte))
+- **[tcp,k8s/crd]** Pass TLS bool from IngressRouteTCP to TCPService ([#11343](/~https://github.com/traefik/traefik/pull/11343) by [lipmem](/~https://github.com/lipmem))
+- **[tls]** Upgrade github.com/spiffe/go-spiffe/v2 to v2.4.0 ([#11385](/~https://github.com/traefik/traefik/pull/11385) by [mmatur](/~https://github.com/mmatur))
+- Remove duplicate github.com/coreos/go-systemd dependency ([#11354](/~https://github.com/traefik/traefik/pull/11354) by [Juneezee](/~https://github.com/Juneezee))
+
+**Documentation:**
+- **[k8s/gatewayapi]** Update Gateway API version support to v1.2.1 ([#11357](/~https://github.com/traefik/traefik/pull/11357) by [kevinpollet](/~https://github.com/kevinpollet))
+- Add @jnoordsij to maintainers ([#11352](/~https://github.com/traefik/traefik/pull/11352) by [emilevauge](/~https://github.com/emilevauge))
+
+**Misc:**
+- Merge branch v2.11 into v3.2 ([#11400](/~https://github.com/traefik/traefik/pull/11400) by [kevinpollet](/~https://github.com/kevinpollet))
+- Merge branch v2.11 into v3.2 ([#11392](/~https://github.com/traefik/traefik/pull/11392) by [rtribotte](/~https://github.com/rtribotte))
+- Merge branch v2.11 into v3.2 ([#11388](/~https://github.com/traefik/traefik/pull/11388) by [mmatur](/~https://github.com/mmatur))
+- Merge branch v2.11 into v3.2 ([#11366](/~https://github.com/traefik/traefik/pull/11366) by [kevinpollet](/~https://github.com/kevinpollet))
+
+## [v2.11.17](/~https://github.com/traefik/traefik/tree/v2.11.17) (2025-01-06)
+[All Commits](/~https://github.com/traefik/traefik/compare/v2.11.16...v2.11.17)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.21.0 ([#11368](/~https://github.com/traefik/traefik/pull/11368) by [ldez](/~https://github.com/ldez))
+- **[middleware]** Fix typo in basicauth note ([#11397](/~https://github.com/traefik/traefik/pull/11397) by [tieje](/~https://github.com/tieje))
+- **[service]** Configure ErrorLog in httputil.ReverseProxy ([#11344](/~https://github.com/traefik/traefik/pull/11344) by [peacewalker122](/~https://github.com/peacewalker122))
+- Bump golang.org/x/net to v0.33.0 ([#11365](/~https://github.com/traefik/traefik/pull/11365) by [kevinpollet](/~https://github.com/kevinpollet))
+
+**Documentation:**
+- **[acme]** Fix allowACMEByPass TOML example ([#11370](/~https://github.com/traefik/traefik/pull/11370) by [hannesbraun](/~https://github.com/hannesbraun))
+- **[k8s/crd]** Update copyright for 2025 ([#11383](/~https://github.com/traefik/traefik/pull/11383) by [kevinpollet](/~https://github.com/kevinpollet))
+
 ## [v3.3.0-rc2](/~https://github.com/traefik/traefik/tree/v3.3.0-rc2) (2024-12-20)
 [All Commits](/~https://github.com/traefik/traefik/compare/v3.3.0-rc1...v3.3.0-rc2)
 

diff --git a/cmd/traefik/traefik.go b/cmd/traefik/traefik.go
@@ -26,6 +26,7 @@ import (
 	"github.com/traefik/traefik/v3/cmd"
 	"github.com/traefik/traefik/v3/cmd/healthcheck"
 	cmdVersion "github.com/traefik/traefik/v3/cmd/version"
+	_ "github.com/traefik/traefik/v3/init"
 	tcli "github.com/traefik/traefik/v3/pkg/cli"
 	"github.com/traefik/traefik/v3/pkg/collector"
 	"github.com/traefik/traefik/v3/pkg/config/dynamic"

diff --git a/docs/content/deprecation/releases.md b/docs/content/deprecation/releases.md
@@ -6,7 +6,8 @@ Below is a non-exhaustive list of versions and their maintenance status:
 
 | Version | Release Date | Community Support  |  
 |---------|--------------|--------------------|
-| 3.2     | Oct 28, 2024 | Yes                |
+| 3.3     | Jan 06, 2025 | Yes                |
+| 3.2     | Oct 28, 2024 | Ended Jan 06, 2025 |
 | 3.1     | Jul 15, 2024 | Ended Oct 28, 2024 |
 | 3.0     | Apr 29, 2024 | Ended Jul 15, 2024 |
 | 2.11    | Feb 12, 2024 | Ends  Apr 29, 2025 |

diff --git a/docs/content/middlewares/http/basicauth.md b/docs/content/middlewares/http/basicauth.md
@@ -21,7 +21,7 @@ The BasicAuth middleware grants access to services to authorized users only.
 # To create user:password pair, it's possible to use this command:
 # echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
 #
-# Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
+# Also note that dollar signs should NOT be doubled when they are not being evaluated (e.g. Ansible docker_container module).
 labels:
   - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```

diff --git a/docs/content/migration/v3.md b/docs/content/migration/v3.md
@@ -173,7 +173,7 @@ please use the `traefik.swarm.network` and `traefik.swarm.lbswarm` labels instea
 ### ACME DNS Certificate Resolver
 
 In `v3.3`, the `acme.dnsChallenge.delaybeforecheck` and `acme.dnsChallenge.disablepropagationcheck` options of the ACME certificate resolver are deprecated, 
-please use respectively `acme.dnsChallenge.propagation.delayBeforeCheck` and `acme.dnsChallenge.propagation.disableAllChecks` options instead.
+please use respectively `acme.dnsChallenge.propagation.delayBeforeChecks` and `acme.dnsChallenge.propagation.disableAllChecks` options instead.
 
 ### Tracing Global Attributes
 

diff --git a/init/init.go b/init/init.go
@@ -0,0 +1,21 @@
+package init
+
+import (
+	"os"
+	"strings"
+)
+
+// This makes use of the GODEBUG flag `http2xconnect` to deactivate the connect setting for HTTP2 by default.
+// This type of upgrade is yet incompatible with `net/http` http1 reverse proxy.
+// Please see /~https://github.com/golang/go/issues/71128#issuecomment-2574193636.
+func init() {
+	goDebug := os.Getenv("GODEBUG")
+	if strings.Contains(goDebug, "http2xconnect") {
+		return
+	}
+
+	if len(goDebug) > 0 {
+		goDebug += ","
+	}
+	os.Setenv("GODEBUG", goDebug+"http2xconnect=0")
+}
diff --git a/integration/websocket_test.go b/integration/websocket_test.go
@@ -16,6 +16,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
 	"github.com/traefik/traefik/v3/integration/try"
+	"golang.org/x/net/http2"
 	"golang.org/x/net/websocket"
 )
 
@@ -451,6 +452,44 @@ func (s *WebsocketSuite) TestSSLhttp2() {
 	assert.Equal(s.T(), "OK", string(msg))
 }
 
+func (s *WebsocketSuite) TestSettingEnableConnectProtocol() {
+	file := s.adaptFile("fixtures/websocket/config_https.toml", struct {
+		WebsocketServer string
+	}{
+		WebsocketServer: "http://127.0.0.1",
+	})
+
+	s.traefikCmd(withConfigFile(file), "--log.level=DEBUG", "--accesslog")
+
+	// Wait for traefik.
+	err := try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.BodyContains("127.0.0.1"))
+	require.NoError(s.T(), err)
+
+	// Add client self-signed cert.
+	roots := x509.NewCertPool()
+	certContent, err := os.ReadFile("./resources/tls/local.cert")
+	require.NoError(s.T(), err)
+
+	roots.AppendCertsFromPEM(certContent)
+
+	// Open a connection to inspect SettingsFrame.
+	conn, err := tls.Dial("tcp", "127.0.0.1:8000", &tls.Config{
+		RootCAs:    roots,
+		NextProtos: []string{"h2"},
+	})
+	require.NoError(s.T(), err)
+
+	framer := http2.NewFramer(nil, conn)
+	frame, err := framer.ReadFrame()
+	require.NoError(s.T(), err)
+
+	fr, ok := frame.(*http2.SettingsFrame)
+	require.True(s.T(), ok)
+
+	_, ok = fr.Value(http2.SettingEnableConnectProtocol)
+	assert.False(s.T(), ok)
+}
+
 func (s *WebsocketSuite) TestHeaderAreForwarded() {
 	upgrader := gorillawebsocket.Upgrader{} // use default options
 

diff --git a/pkg/config/static/static_config.go b/pkg/config/static/static_config.go
@@ -331,7 +331,7 @@ func (c *Configuration) SetEffectiveConfiguration() {
 		}
 
 		if resolver.ACME.DNSChallenge.DelayBeforeCheck > 0 {
-			log.Warn().Msgf("delayBeforeCheck is now deprecated, please use propagation.delayBeforeCheck instead.")
+			log.Warn().Msgf("delayBeforeCheck is now deprecated, please use propagation.delayBeforeChecks instead.")
 
 			if resolver.ACME.DNSChallenge.Propagation == nil {
 				resolver.ACME.DNSChallenge.Propagation = &acmeprovider.Propagation{}

diff --git a/pkg/provider/acme/provider.go b/pkg/provider/acme/provider.go
@@ -89,7 +89,7 @@ type DNSChallenge struct {
 	Resolvers   []string     `description:"Use following DNS servers to resolve the FQDN authority." json:"resolvers,omitempty" toml:"resolvers,omitempty" yaml:"resolvers,omitempty"`
 	Propagation *Propagation `description:"DNS propagation checks configuration" json:"propagation,omitempty" toml:"propagation,omitempty" yaml:"propagation,omitempty"  label:"allowEmpty" file:"allowEmpty" export:"true"`
 
-	// Deprecated: please use Propagation.DelayBeforeCheck instead.
+	// Deprecated: please use Propagation.DelayBeforeChecks instead.
 	DelayBeforeCheck ptypes.Duration `description:"(Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers." json:"delayBeforeCheck,omitempty" toml:"delayBeforeCheck,omitempty" yaml:"delayBeforeCheck,omitempty" export:"true"`
 	// Deprecated: please use Propagation.DisableAllChecks instead.
 	DisablePropagationCheck bool `description:"(Deprecated) Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended]" json:"disablePropagationCheck,omitempty" toml:"disablePropagationCheck,omitempty" yaml:"disablePropagationCheck,omitempty" export:"true"`

diff --git a/script/gcg/traefik-bugfix.toml b/script/gcg/traefik-bugfix.toml
@@ -4,11 +4,11 @@ RepositoryName = "traefik"
 OutputType = "file"
 FileName = "traefik_changelog.md"
 
-# example new bugfix v3.2.3
-CurrentRef = "v3.2"
-PreviousRef = "v3.2.2"
-BaseBranch = "v3.2"
-FutureCurrentRefName = "v3.2.3"
+# example new bugfix v3.3.1
+CurrentRef = "v3.3"
+PreviousRef = "v3.3.0"
+BaseBranch = "v3.3"
+FutureCurrentRefName = "v3.3.1"
 
 ThresholdPreviousRef = 10
 ThresholdCurrentRef = 10

diff --git a/script/gcg/traefik-final-release-part1.toml b/script/gcg/traefik-final-release-part1.toml
@@ -4,11 +4,11 @@ RepositoryName = "traefik"
 OutputType = "file"
 FileName = "traefik_changelog.md"
 
-# example final release of v3.2.0
-CurrentRef = "v3.2"
-PreviousRef = "v3.2.0-rc1"
-BaseBranch = "v3.2"
-FutureCurrentRefName = "v3.2.0"
+# example final release of v3.3.0
+CurrentRef = "v3.3"
+PreviousRef = "v3.3.0-rc1"
+BaseBranch = "v3.3"
+FutureCurrentRefName = "v3.3.0"
 
 ThresholdPreviousRef = 10
 ThresholdCurrentRef = 10

diff --git a/script/gcg/traefik-final-release-part2.toml b/script/gcg/traefik-final-release-part2.toml
@@ -4,11 +4,11 @@ RepositoryName = "traefik"
 OutputType = "file"
 FileName = "traefik_changelog.md"
 
-# example final release of v3.2.0
-CurrentRef = "v3.2.0-rc1"
-PreviousRef = "v3.1.0-rc1"
+# example final release of v3.3.0
+CurrentRef = "v3.3.0-rc1"
+PreviousRef = "v3.2.0-rc1"
 BaseBranch = "master"
-FutureCurrentRefName = "v3.2.0-rc1"
+FutureCurrentRefName = "v3.3.0"
 
 ThresholdPreviousRef = 10
 ThresholdCurrentRef = 10