From b4016783d5713d4260c0d5f089bf8d5202b34b19 Mon Sep 17 00:00:00 2001
From: Diogo Guerra
Date: Fri, 26 Mar 2021 16:55:00 +0100
Subject: [PATCH] Update traefik options

* Traefik version updated from v1.7.19 to v1.7.28
* Force secure connections to use TLSv1.2 or greater

Change-Id: I65561358113952e3f60dc488b35ee8fa8f8da740
Signed-off-by: Diogo Guerra
---
 doc/source/user/index.rst | 2 +-
 .../kubernetes/fragments/enable-ingress-traefik.sh | 5 +++--
 .../k8s_fedora_atomic_v1/templates/kubecluster.yaml | 2 +-
 .../k8s_fedora_coreos_v1/templates/kubecluster.yaml | 2 +-
 .../update-traefik-min-tls-protocol-de7e36de90c1a2f3.yaml | 7 +++++++
 5 files changed, 13 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/update-traefik-min-tls-protocol-de7e36de90c1a2f3.yaml

diff --git a/doc/source/user/index.rst b/doc/source/user/index.rst
index 6169724408..4e248295bf 100644
--- a/doc/source/user/index.rst
+++ b/doc/source/user/index.rst
@@ -1247,7 +1247,7 @@ _`container_infra_prefix`
 * docker.io/grafana/grafana:5.1.5
 * docker.io/prom/node-exporter:latest
 * docker.io/prom/prometheus:latest
- * docker.io/traefik:v1.7.10
+ * docker.io/traefik:v1.7.28
 * gcr.io/google_containers/kubernetes-dashboard-amd64:v1.5.1
 * gcr.io/google_containers/metrics-server-amd64:v0.3.6
 * k8s.gcr.io/node-problem-detector:v0.6.2
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/enable-ingress-traefik.sh b/magnum/drivers/common/templates/kubernetes/fragments/enable-ingress-traefik.sh
index fba7ce9de5..517e40cd6c 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/enable-ingress-traefik.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/enable-ingress-traefik.sh
@@ -22,9 +22,8 @@ data:
 address = ":80"
 [entryPoints.https]
 address = ":443"
- [entryPoints.metrics]
- address = ":8082"
 [entryPoints.https.tls]
+ minVersion = "VersionTLS12"
 cipherSuites = [
 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
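Review bot: In `enable-ingress-traefik.sh`, the new `minVersion = "VersionTLS12"` under `[entryPoints.https.tls]` does not remove the weakest negotiable suites: the `cipherSuites` list still ends with `"TLS_RSA_WITH_AES_256_CBC_SHA"` and `"TLS_RSA_WITH_AES_128_CBC_SHA"` (shown as context in the file's next hunk). Both use static RSA key exchange, so they give no forward secrecy, and both use CBC with SHA-1 MACs. If no supported client depends on them, drop those two entries so the list ends at the last ECDHE suite; otherwise add a TOML comment above them naming the clients that still need them. The middle of the list lies between the two hunks and is not visible here, so it may hold further entries worth the same check.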
@@ -44,6 +43,8 @@ data:
 "TLS_RSA_WITH_AES_256_CBC_SHA",
 "TLS_RSA_WITH_AES_128_CBC_SHA"
 ]
+ [entryPoints.metrics]
+ address = ":8082"
 ---
 kind: DaemonSet
 apiVersion: apps/v1
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
index ef9acf6a4a..a9def4754a 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -281,7 +281,7 @@ parameters:
 traefik_ingress_controller_tag:
 type: string
 description: tag of the traefik containers to be used.
- default: v1.7.19
+ default: v1.7.28
 
 wait_condition_timeout:
 type: number
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
index 6b6876f495..b114e1d2a2 100644
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
@@ -283,7 +283,7 @@ parameters:
 traefik_ingress_controller_tag:
 type: string
 description: tag of the traefik containers to be used.
- default: v1.7.19
+ default: v1.7.28
 
 wait_condition_timeout:
 type: number
diff --git a/releasenotes/notes/update-traefik-min-tls-protocol-de7e36de90c1a2f3.yaml b/releasenotes/notes/update-traefik-min-tls-protocol-de7e36de90c1a2f3.yaml
new file mode 100644
index 0000000000..f7050fa4a5
--- /dev/null
+++ b/releasenotes/notes/update-traefik-min-tls-protocol-de7e36de90c1a2f3.yaml
@@ -0,0 +1,7 @@
+---
+upgrade:
+ - |
+ Upgrade traefik version to v1.7.28
+security:
+ - |
+ Force traefik https port connections to use TLSv1.2 or greater
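Review bot: In the second hunk of `enable-ingress-traefik.sh`, the relocated `[entryPoints.metrics]` block keeps `address = ":8082"`, which binds the metrics listener on every interface, and nothing in the hunk documents who is expected to reach it. Whether the port is reachable from outside the cluster depends on the DaemonSet's port and host-network settings, which begin at the end of this hunk and continue outside it. If the listener is meant only for in-cluster scraping, say so with a TOML comment above the block, for example `# metrics listener for in-cluster scraping; not meant to be published outside the cluster`, so a later change to the DaemonSet ports is reviewed against that intent.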