chore(security): update traefik to 2.10.7

Addresses two CVE fixes from 2.10.6
feat: add distinct version for wildcard key secret
2024-01-11 21:47:59 -05:00 · 2024-01-11 21:47:50 -05:00 · 2024-01-11 21:47:04 -05:00 · 2024-01-11 21:47:04 -05:00 · 2024-01-11 21:45:32 -05:00 · 2024-01-11 21:45:05 -05:00
6 changed files with 38 additions and 5 deletions
--- a/.env.sample
+++ b/.env.sample
@ -46,6 +46,19 @@ COMPOSE_FILE="compose.yml"
 #GANDI_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1

+#####################################################################
+# Manual wildcard certificate insertion                             #
+#####################################################################
+
+# Set wildcards = 1, and uncomment compose_file to enable.
+# Create your certs elsewhere and add them like:
+# abra app secrets insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
+# abra app secrets insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
+#WILDCARDS_ENABLED=1
+#SECRET_WILDCARD_CERT_VERSION=v1
+#SECRET_WILDCARD_KEY_VERSION=v1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
+
 #####################################################################
 # Keycloak log-in                                                   #
 #####################################################################
--- a/abra.sh
+++ b/abra.sh
@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v17
-export FILE_PROVIDER_YML_VERSION=v8
+export TRAEFIK_YML_VERSION=v18
+export FILE_PROVIDER_YML_VERSION=v9
 export ENTRYPOINT_VERSION=v2
--- a/compose.wildcard.yml
+++ b/compose.wildcard.yml
@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - ssl_cert
+      - ssl_key
+
+secrets:
+  ssl_cert:
+    name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
+    external: true
+  ssl_key:
+    name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
+    external: true
--- a/compose.yml
+++ b/compose.yml
@ -3,7 +3,7 @@ version: "3.8"

 services:
  app:
-    image: "traefik:v2.10.5"
+    image: "traefik:v2.10.7"
    # Note(decentral1se): *please do not* add any additional ports here.
    # Doing so could break new installs with port conflicts. Please use
    # the usual `compose.$app.yml` approach for any additional ports
--- a/file-provider.yml.tmpl
+++ b/file-provider.yml.tmpl
@ -25,7 +25,6 @@ http:
    security:
      headers:
        frameDeny: true
-        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
        stsIncludeSubdomains: true
@ -45,3 +44,8 @@ tls:
        - CurveP521
        - CurveP384
      sniStrict: true
+  {{ if eq (env "WILDCARDS_ENABLED") "1" }}
+  certificates:
+    - certFile: /run/secrets/ssl_cert
+      keyFile: /run/secrets/ssl_key
+  {{ end }}
--- a/traefik.yml.tmpl
+++ b/traefik.yml.tmpl
@ -114,4 +114,4 @@ certificatesResolvers:
        resolvers:
          - "1.1.1.1:53"
          - "9.9.9.9:53"
-      {{ end }}
+      {{ end }}
Author	SHA1	Message	Date
Chris (wolcen) Thompson	e3c1df83fa	chore(security): update traefik to 2.10.7 Addresses two CVE fixes from 2.10.6	2024-01-11 21:47:59 -05:00
Chris (wolcen) Thompson	998190f684	feat: add distinct version for wildcard key secret	2024-01-11 21:47:50 -05:00
Chris (wolcen) Thompson	cd92c909ba	docs: correct secret insertion examples	2024-01-11 21:47:04 -05:00
Chris (wolcen) Thompson	64351c27d1	fix: deprecation warning - handled by redirect under web already	2024-01-11 21:47:04 -05:00
Chris (wolcen) Thompson	f4b05fd87f	Bump file revisions for wildcard support	2024-01-11 21:45:32 -05:00
Chris (wolcen) Thompson	3c5333ba71	feat: add support for wildcard certs via secrets	2024-01-11 21:45:05 -05:00