From b058c459733309d2476c27b94209712e006bd24f Mon Sep 17 00:00:00 2001
From: Jeremy Daer
Date: Sat, 28 Sep 2024 11:28:48 -0400
Subject: [PATCH] Traefik 2.11 default to address CVE-2024-45410
Fixes #968
---
 lib/kamal/configuration/docs/traefik.yml | 4 ++--
 lib/kamal/configuration/traefik.rb | 2 +-
 test/cli/traefik_test.rb | 2 +-
 test/integration/docker/deployer/app/config/deploy.yml | 2 +-
 .../docker/deployer/app_with_roles/config/deploy.yml | 2 +-
 test/integration/docker/deployer/setup.sh | 2 +-
 test/integration/main_test.rb | 2 +-
 test/integration/traefik_test.rb | 4 ++--
 8 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/lib/kamal/configuration/docs/traefik.yml b/lib/kamal/configuration/docs/traefik.yml
index 756afa9e..2dba5678 100644
--- a/lib/kamal/configuration/docs/traefik.yml
+++ b/lib/kamal/configuration/docs/traefik.yml
@@ -17,8 +17,8 @@ traefik:
 # Image
 #
- # The Traefik image to use, defaults to `traefik:v2.10`
- image: traefik:v2.9
+ # The Traefik image to use, defaults to `traefik:v2.11`
+ image: traefik:v2.11
 # Host port
 #
diff --git a/lib/kamal/configuration/traefik.rb b/lib/kamal/configuration/traefik.rb
index c958afdf..0abdcb08 100644
--- a/lib/kamal/configuration/traefik.rb
+++ b/lib/kamal/configuration/traefik.rb
@@ -1,5 +1,5 @@
 class Kamal::Configuration::Traefik
- DEFAULT_IMAGE = "traefik:v2.10"
+ DEFAULT_IMAGE = "traefik:v2.11"
 CONTAINER_PORT = 80
 DEFAULT_ARGS = {
 "log.level" => "DEBUG"
diff --git a/test/cli/traefik_test.rb b/test/cli/traefik_test.rb
index c01c9bb5..d1df46d8 100644
--- a/test/cli/traefik_test.rb
+++ b/test/cli/traefik_test.rb
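Review bot: `DEFAULT_IMAGE = "traefik:v2.11"` in lib/kamal/configuration/traefik.rb is a minor-level tag, so the patch release a host runs depends on what that tag resolved to when the host pulled it. The CVE-2024-45410 fix named in the subject is only in place if that was a patched release. The CLI test later in this patch expects `docker container start traefik || docker run …`, which suggests an existing traefik container is started as-is rather than re-created, so already-deployed hosts would presumably keep their old image until Traefik is recreated. I would add a comment above the constant, e.g. `# Minor tag: follows 2.11.x patch releases; existing hosts must re-pull and recreate traefik to pick them up`, or pin to a patch tag or digest (`traefik:<patched-release>`). The class body continues past the end of this hunk.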
@@ -139,7 +139,7 @@ class CliTraefikTest < CliTestCase
 assert_match "docker image prune --all --force --filter label=org.opencontainers.image.title=Traefik", output
 assert_match "/usr/bin/env mkdir -p .kamal", output
 assert_match "docker login -u [REDACTED] -p [REDACTED]", output
- assert_match "docker container start traefik || docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --env-file .kamal/env/traefik/traefik.env --log-opt max-size=\"10m\" --label traefik.http.routers.catchall.entryPoints=\"http\" --label traefik.http.routers.catchall.rule=\"PathPrefix(\\`/\\`)\" --label traefik.http.routers.catchall.service=\"unavailable\" --label traefik.http.routers.catchall.priority=\"1\" --label traefik.http.services.unavailable.loadbalancer.server.port=\"0\" traefik:v2.10 --providers.docker --log.level=\"DEBUG\"", output
+ assert_match "docker container start traefik || docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --env-file .kamal/env/traefik/traefik.env --log-opt max-size=\"10m\" --label traefik.http.routers.catchall.entryPoints=\"http\" --label traefik.http.routers.catchall.rule=\"PathPrefix(\\`/\\`)\" --label traefik.http.routers.catchall.service=\"unavailable\" --label traefik.http.routers.catchall.priority=\"1\" --label traefik.http.services.unavailable.loadbalancer.server.port=\"0\" traefik:v2.11 --providers.docker --log.level=\"DEBUG\"", output
 assert_match "/usr/bin/env mkdir -p .kamal", output
 assert_match %r{docker rename app-web-latest app-web-latest_replaced_.*}, output
 assert_match %r{docker run --detach --restart unless-stopped --name app-web-latest --hostname 1.1.1.1-.* -e KAMAL_CONTAINER_NAME="app-web-latest" -e KAMAL_VERSION="latest" --env-file .kamal/env/roles/app-web.env --health-cmd}, output
diff --git a/test/integration/docker/deployer/app/config/deploy.yml b/test/integration/docker/deployer/app/config/deploy.yml
index 397a49ca..889bd021 100644
--- a/test/integration/docker/deployer/app/config/deploy.yml
+++ b/test/integration/docker/deployer/app/config/deploy.yml
@@ -33,7 +33,7 @@ traefik:
 args:
 accesslog: true
 accesslog.format: json
- image: registry:4443/traefik:v2.10
+ image: registry:4443/traefik:v2.11
 accessories:
 busybox:
 service: custom-busybox
diff --git a/test/integration/docker/deployer/app_with_roles/config/deploy.yml b/test/integration/docker/deployer/app_with_roles/config/deploy.yml
index 2cf362c6..da9bb2b7 100644
--- a/test/integration/docker/deployer/app_with_roles/config/deploy.yml
+++ b/test/integration/docker/deployer/app_with_roles/config/deploy.yml
@@ -27,7 +27,7 @@ traefik:
 args:
 accesslog: true
 accesslog.format: json
- image: registry:4443/traefik:v2.10
+ image: registry:4443/traefik:v2.11
 accessories:
 busybox:
 service: custom-busybox
diff --git a/test/integration/docker/deployer/setup.sh b/test/integration/docker/deployer/setup.sh
index 0cd511d9..e2153900 100755
--- a/test/integration/docker/deployer/setup.sh
+++ b/test/integration/docker/deployer/setup.sh
@@ -19,7 +19,7 @@ push_image_to_registry_4443() {
 install_kamal
 push_image_to_registry_4443 nginx 1-alpine-slim
-push_image_to_registry_4443 traefik v2.10
+push_image_to_registry_4443 traefik v2.11
 push_image_to_registry_4443 busybox 1.36.0
 # .ssh is on a shared volume that persists between runs. Clean it up as the
diff --git a/test/integration/main_test.rb b/test/integration/main_test.rb
index c4558c1d..6a5d444c 100644
--- a/test/integration/main_test.rb
+++ b/test/integration/main_test.rb
@@ -32,7 +32,7 @@ class MainTest < IntegrationTest
 assert_match /Traefik Host: vm2/, details
 assert_match /App Host: vm1/, details
 assert_match /App Host: vm2/, details
- assert_match /traefik:v2.10/, details
+ assert_match /traefik:v2.11/, details
 assert_match /registry:4443\/app:#{first_version}/, details
 audit = kamal :audit, capture: true
diff --git a/test/integration/traefik_test.rb b/test/integration/traefik_test.rb
index d2aa2a97..2f176a53 100644
--- a/test/integration/traefik_test.rb
+++ b/test/integration/traefik_test.rb
@@ -52,11 +52,11 @@ class TraefikTest < IntegrationTest
 private
 def assert_traefik_running
- assert_match /traefik:v2.10 "\/entrypoint.sh/, traefik_details
+ assert_match /traefik:v2.11 "\/entrypoint.sh/, traefik_details
 end
 def assert_traefik_not_running
- assert_no_match /traefik:v2.10 "\/entrypoint.sh/, traefik_details
+ assert_no_match /traefik:v2.11 "\/entrypoint.sh/, traefik_details
 end
 def traefik_details
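Review bot: The version patterns on the new lines leave the dots unescaped: `/traefik:v2.11/` in main_test.rb, and `/traefik:v2.11 "\/entrypoint.sh/` in both `assert_traefik_running` and `assert_traefik_not_running` in traefik_test.rb. An unescaped `.` matches any character, so these assertions do not pin the literal tag they are meant to confirm is deployed. Escaping it makes the check exact, e.g. `assert_match /traefik:v2\.11/, details` and `assert_match /traefik:v2\.11 "\/entrypoint\.sh/, traefik_details`. `traefik_details` and the enclosing test classes continue outside these hunks.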