chore(security): update traefik to 2.10.7

Addresses two CVE fixes from 2.10.6
feat: add distinct version for wildcard key secret
2024-01-11 21:47:59 -05:00 · 2024-01-11 21:47:50 -05:00 · 2024-01-11 21:47:04 -05:00 · 2024-01-11 21:47:04 -05:00 · 2024-01-11 21:45:32 -05:00 · 2024-01-11 21:45:05 -05:00
6 changed files with 38 additions and 5 deletions
--- a/.env.sample
+++ b/.env.sample
@ -46,6 +46,19 @@ COMPOSE_FILE="compose.yml"
 #GANDI_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1
 #####################################################################
 # Manual wildcard certificate insertion                             #
 #####################################################################
 # Set wildcards = 1, and uncomment compose_file to enable.
 # Create your certs elsewhere and add them like:
 # abra app secrets insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
 # abra app secrets insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
 #WILDCARDS_ENABLED=1
 #SECRET_WILDCARD_CERT_VERSION=v1
 #SECRET_WILDCARD_KEY_VERSION=v1
 #COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
 #####################################################################
 # Keycloak log-in                                                   #
 #####################################################################
--- a/abra.sh
+++ b/abra.sh
@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v17
+export TRAEFIK_YML_VERSION=v18
-export FILE_PROVIDER_YML_VERSION=v8
+export FILE_PROVIDER_YML_VERSION=v9
 export ENTRYPOINT_VERSION=v2
--- a/compose.wildcard.yml
+++ b/compose.wildcard.yml
@ -0,0 +1,16 @@
 ---
 version: "3.8"
 services:
  app:
    secrets:
      - ssl_cert
      - ssl_key
 secrets:
  ssl_cert:
    name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
    external: true
  ssl_key:
    name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
    external: true
--- a/compose.yml
+++ b/compose.yml
@ -3,7 +3,7 @@ version: "3.8"
 services:
  app:
-    image: "traefik:v2.10.5"
+    image: "traefik:v2.10.7"
    # Note(decentral1se): *please do not* add any additional ports here.
    # Doing so could break new installs with port conflicts. Please use
    # the usual `compose.$app.yml` approach for any additional ports
--- a/file-provider.yml.tmpl
+++ b/file-provider.yml.tmpl
@ -25,7 +25,6 @@ http:
    security:
      headers:
        frameDeny: true
        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
        stsIncludeSubdomains: true
@ -45,3 +44,8 @@ tls:
        - CurveP521
        - CurveP384
      sniStrict: true
  {{ if eq (env "WILDCARDS_ENABLED") "1" }}
  certificates:
    - certFile: /run/secrets/ssl_cert
      keyFile: /run/secrets/ssl_key
  {{ end }}
Author	SHA1	Message	Date
Chris (wolcen) Thompson	e3c1df83fa	chore(security): update traefik to 2.10.7 Addresses two CVE fixes from 2.10.6	2024-01-11 21:47:59 -05:00
Chris (wolcen) Thompson	998190f684	feat: add distinct version for wildcard key secret	2024-01-11 21:47:50 -05:00
Chris (wolcen) Thompson	cd92c909ba	docs: correct secret insertion examples	2024-01-11 21:47:04 -05:00
Chris (wolcen) Thompson	64351c27d1	fix: deprecation warning - handled by redirect under web already	2024-01-11 21:47:04 -05:00
Chris (wolcen) Thompson	f4b05fd87f	Bump file revisions for wildcard support	2024-01-11 21:45:32 -05:00
Chris (wolcen) Thompson	3c5333ba71	feat: add support for wildcard certs via secrets	2024-01-11 21:45:05 -05:00