chore(release): 🚀 publish v27.0.0

traefik/Changelog.md

@@ -1,31 +1,163 @@
 # Change Log
 
-## 27.0.0 (unreleased)
+## 27.0.0  ![AppVersion: v2.11.0](https://img.shields.io/static/v1?label=AppVersion&message=v2.11.0&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm)
+
+**Release date:** 2024-04-02
 
 **Upgrade notes**
 
 Custom services and port exposure have been redesigned, requiring the following changes:
 - if you were overriding port exposure behavior using the `expose` or `exposeInternal` flags, you should replace them with a service name to boolean mapping, i.e. replace this:
+
 ```yaml
 ports:
    web:
       expose: false
       exposeInternal: true
 ```
+
 with this:
+
 ```yaml
 ports:
    web:
       expose:
          default: false
          internal: true
 ```
-- if you were previously using the `service.internal` value,
-you should migrate the values to the `service.additionalServices.internal` value instead; this should yield the same results, but make sure to carefully check for any changes!
+
+- if you were previously using the `service.internal` value, you should migrate the values to the `service.additionalServices.internal` value instead; this should yield the same results, but make sure to carefully check for any changes!
+
+**Changes**
+
+* fix: remove null annotations on dashboard `IngressRoute`
+* fix(rbac): do not create clusterrole for namespace deployment on Traefik v3
+* feat: restrict access to secrets
+* feat!: :boom: refactor custom services and port exposure
+* chore(release): 🚀 publish v27.0.0
+
+### Default value changes
+
+```diff
+diff --git a/traefik/values.yaml b/traefik/values.yaml
+index dbd078f..363871d 100644
+--- a/traefik/values.yaml
++++ b/traefik/values.yaml
+@@ -250,6 +250,9 @@ providers:
+     # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces.
+     namespaces: []
+     # - "default"
++    # Disable cluster IngressClass Lookup - Requires Traefik V3.
++    # When combined with rbac.namespaced: true, ClusterRole will not be created and ingresses must use kubernetes.io/ingress.class annotation instead of spec.ingressClassName.
++    disableIngressClassLookup: false
+     # IP used for Kubernetes Ingress endpoints
+     publishedService:
+       enabled: false
+@@ -626,22 +629,20 @@ ports:
+     # -- You SHOULD NOT expose the traefik port on production deployments.
+     # If you want to access it from outside your cluster,
+     # use `kubectl port-forward` or create a secure ingress
+-    expose: false
++    expose:
++      default: false
+     # -- The exposed port for this service
+     exposedPort: 9000
+     # -- The port protocol (TCP/UDP)
+     protocol: TCP
+-    # -- Defines whether the port is exposed on the internal service;
+-    # note that ports exposed on the default service are exposed on the internal
+-    # service by default as well.
+-    exposeInternal: false
+   web:
+     ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
+     # asDefault: true
+     port: 8000
+     # hostPort: 8000
+     # containerPort: 8000
+-    expose: true
++    expose:
++      default: true
+     exposedPort: 80
+     ## -- Different target traefik port on the cluster, useful for IP type LB
+     # targetPort: 80
+@@ -650,10 +651,6 @@ ports:
+     # -- Use nodeport if set. This is useful if you have configured Traefik in a
+     # LoadBalancer.
+     # nodePort: 32080
+-    # -- Defines whether the port is exposed on the internal service;
+-    # note that ports exposed on the default service are exposed on the internal
+-    # service by default as well.
+-    exposeInternal: false
+     # Port Redirections
+     # Added in 2.2, you can make permanent redirects via entrypoints.
+     # https://docs.traefik.io/routing/entrypoints/#redirection
+@@ -677,17 +674,14 @@ ports:
+     port: 8443
+     # hostPort: 8443
+     # containerPort: 8443
+-    expose: true
++    expose:
++      default: true
+     exposedPort: 443
+     ## -- Different target traefik port on the cluster, useful for IP type LB
+     # targetPort: 80
+     ## -- The port protocol (TCP/UDP)
+     protocol: TCP
+     # nodePort: 32443
+-    # -- Defines whether the port is exposed on the internal service;
+-    # note that ports exposed on the default service are exposed on the internal
+-    # service by default as well.
+-    exposeInternal: false
+     ## -- Specify an application protocol. This may be used as a hint for a Layer 7 load balancer.
+     # appProtocol: https
+     #
+@@ -744,15 +738,12 @@ ports:
+     # -- You may not want to expose the metrics port on production deployments.
+     # If you want to access it from outside your cluster,
+     # use `kubectl port-forward` or create a secure ingress
+-    expose: false
++    expose:
++      default: false
+     # -- The exposed port for this service
+     exposedPort: 9100
+     # -- The port protocol (TCP/UDP)
+     protocol: TCP
+-    # -- Defines whether the port is exposed on the internal service;
+-    # note that ports exposed on the default service are exposed on the internal
+-    # service by default as well.
+-    exposeInternal: false
+
+ # -- TLS Options are created as TLSOption CRDs
+ # https://doc.traefik.io/traefik/https/tls/#tls-options
+@@ -814,6 +805,7 @@ service:
+   #   - IPv4
+   #   - IPv6
+   ##
++  additionalServices: {}
+   ## -- An additional and optional internal Service.
+   ## Same parameters as external Service
+   # internal:
+@@ -899,11 +891,14 @@ hostNetwork: false
+ rbac:
+   enabled: true
+   # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces.
+-  # If set to true, installs Role and RoleBinding. Providers will only watch target namespace.
++  # If set to true, installs Role and RoleBinding instead of ClusterRole/ClusterRoleBinding. Providers will only watch target namespace.
++  # When combined with providers.kubernetesIngress.disableIngressClassLookup: true and Traefik V3, ClusterRole to watch IngressClass is also disabled.
+   namespaced: false
+   # Enable user-facing roles
+   # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+   # aggregateTo: [ "admin" ]
++  # List of Kubernetes secrets that are accessible for Traefik. If empty, then access is granted to every secret.
++  secretResourceNames: []
+
+ # -- Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding
+ podSecurityPolicy:
+```
 
 ## 26.1.0  ![AppVersion: v2.11.0](https://img.shields.io/static/v1?label=AppVersion&message=v2.11.0&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm)
 
-**Release date:** 2024-02-16
+**Release date:** 2024-02-19
 
 * fix: 🐛 set runtimeClassName at pod level
 * fix: 🐛 missing quote on experimental plugin args
@@ -36,7 +168,7 @@ you should migrate the values to the `service.additionalServices.internal` value
 * doc: fix invalid suggestion on TLSOption (#996)
 * chore: 🔧 update maintainers
 * chore: 🔧 promote jnoordsij to Traefik Helm Chart maintainer
-* chore(release): publish v26.1.0
+* chore(release): 🚀 publish v26.1.0
 * chore(deps): update traefik docker tag to v2.11.0
 * chore(deps): update traefik docker tag to v2.10.7
 * chore(crds): update definitions for traefik v2.11

traefik/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: traefik
 description: A Traefik based Kubernetes ingress controller
 type: application
-version: 26.1.0
+version: 27.0.0
 # renovate: image=traefik
 appVersion: v2.11.0
 kubeVersion: ">=1.16.0-0"
@@ -25,15 +25,8 @@ maintainers:
 icon: https://raw.githubusercontent.com/traefik/traefik/v2.3/docs/content/assets/img/traefik.logo.png
 annotations:
   artifacthub.io/changes: |
-    - "fix: 🐛 missing quote on experimental plugin args"
-    - "fix: update traefik v3 serverstransporttcps CRD"
-    - "feat: set runtimeClassName on pod spec"
-    - "feat: create v1 Gateway and GatewayClass Version for Traefik v3"
-    - "feat: allow exposure of ports on internal service only"
-    - "doc: fix invalid suggestion on TLSOption (#996)"
-    - "chore: 🔧 update maintainers"
-    - "chore: 🔧 promote jnoordsij to Traefik Helm Chart maintainer"
-    - "chore(release): publish v26.1.0"
-    - "chore(deps): update traefik docker tag to v2.11.0"
-    - "chore(deps): update traefik docker tag to v2.10.7"
-    - "chore(crds): update definitions for traefik v2.11"
+    - "fix: remove null annotations on dashboard `IngressRoute`"
+    - "fix(rbac): do not create clusterrole for namespace deployment on Traefik v3"
+    - "feat: restrict access to secrets"
+    - "feat!: :boom: refactor custom services and port exposure"
+    - "chore(release): 🚀 publish v27.0.0"

traefik/VALUES.md

@@ -1,6 +1,6 @@
 # traefik
 
-![Version: 26.1.0](https://img.shields.io/badge/Version-26.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.11.0](https://img.shields.io/badge/AppVersion-v2.11.0-informational?style=flat-square)
+![Version: 27.0.0](https://img.shields.io/badge/Version-27.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.11.0](https://img.shields.io/badge/AppVersion-v2.11.0-informational?style=flat-square)
 
 A Traefik based Kubernetes ingress controller
 
@@ -103,23 +103,19 @@ Kubernetes: `>=1.16.0-0`
 | podSecurityContext.runAsNonRoot | bool | `true` | Specifies whether the containers should run as a non-root user. |
 | podSecurityContext.runAsUser | int | `65532` | The ID of the user for all containers in the pod to run as. |
 | podSecurityPolicy | object | `{"enabled":false}` | Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding |
-| ports.metrics.expose | bool | `false` | You may not want to expose the metrics port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress |
-| ports.metrics.exposeInternal | bool | `false` | Defines whether the port is exposed on the internal service; note that ports exposed on the default service are exposed on the internal service by default as well. |
+| ports.metrics.expose | object | `{"default":false}` | You may not want to expose the metrics port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress |
 | ports.metrics.exposedPort | int | `9100` | The exposed port for this service |
 | ports.metrics.port | int | `9100` | When using hostNetwork, use another port to avoid conflict with node exporter: https://github.com/prometheus/prometheus/wiki/Default-port-allocations |
 | ports.metrics.protocol | string | `"TCP"` | The port protocol (TCP/UDP) |
-| ports.traefik.expose | bool | `false` | You SHOULD NOT expose the traefik port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress |
-| ports.traefik.exposeInternal | bool | `false` | Defines whether the port is exposed on the internal service; note that ports exposed on the default service are exposed on the internal service by default as well. |
+| ports.traefik.expose | object | `{"default":false}` | You SHOULD NOT expose the traefik port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress |
 | ports.traefik.exposedPort | int | `9000` | The exposed port for this service |
 | ports.traefik.port | int | `9000` |  |
 | ports.traefik.protocol | string | `"TCP"` | The port protocol (TCP/UDP) |
-| ports.web.expose | bool | `true` |  |
-| ports.web.exposeInternal | bool | `false` | Defines whether the port is exposed on the internal service; note that ports exposed on the default service are exposed on the internal service by default as well. |
+| ports.web.expose.default | bool | `true` |  |
 | ports.web.exposedPort | int | `80` |  |
 | ports.web.port | int | `8000` |  |
 | ports.web.protocol | string | `"TCP"` |  |
-| ports.websecure.expose | bool | `true` |  |
-| ports.websecure.exposeInternal | bool | `false` | Defines whether the port is exposed on the internal service; note that ports exposed on the default service are exposed on the internal service by default as well. |
+| ports.websecure.expose.default | bool | `true` |  |
 | ports.websecure.exposedPort | int | `443` |  |
 | ports.websecure.http3.enabled | bool | `false` |  |
 | ports.websecure.middlewares | list | `[]` | /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace middlewares:   - namespace-name1@kubernetescrd   - namespace-name2@kubernetescrd |
@@ -140,6 +136,7 @@ Kubernetes: `>=1.16.0-0`
 | providers.kubernetesCRD.namespaces | list | `[]` | Array of namespaces to watch. If left empty, Traefik watches all namespaces. |
 | providers.kubernetesIngress.allowEmptyServices | bool | `false` | Allows to return 503 when there is no endpoints available |
 | providers.kubernetesIngress.allowExternalNameServices | bool | `false` | Allows to reference ExternalName services in Ingress |
+| providers.kubernetesIngress.disableIngressClassLookup | bool | `false` |  |
 | providers.kubernetesIngress.enabled | bool | `true` | Load Kubernetes Ingress provider |
 | providers.kubernetesIngress.namespaces | list | `[]` | Array of namespaces to watch. If left empty, Traefik watches all namespaces. |
 | providers.kubernetesIngress.publishedService.enabled | bool | `false` |  |
@@ -151,6 +148,7 @@ Kubernetes: `>=1.16.0-0`
 | readinessProbe.timeoutSeconds | int | `2` | The number of seconds to wait for a probe response before considering it as failed. |
 | resources | object | `{}` | The resources parameter defines CPU and memory requirements and limits for Traefik's containers. |
 | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | To run the container with ports below 1024 this will need to be adjusted to run as root |
+| service.additionalServices | object | `{}` |  |
 | service.annotations | object | `{}` | Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) |
 | service.annotationsTCP | object | `{}` | Additional annotations for TCP service only |
 | service.annotationsUDP | object | `{}` | Additional annotations for UDP service only |
@@ -175,4 +173,4 @@ Kubernetes: `>=1.16.0-0`
 | volumes | list | `[]` | Add volumes to the traefik pod. The volume name will be passed to tpl. This can be used to mount a cert pair or a configmap that holds a config.toml file. After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: `additionalArguments: - "--providers.file.filename=/config/dynamic.toml" - "--ping" - "--ping.entrypoint=web"` |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)
+Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)