fix: doc requirements

Co-authored-by: Jared Rodriguez <jared@blacknode.net>

CHANGELOG.md

@@ -1,5 +1,17 @@
 # Change Log
 
+## [v1.7.34](https://github.com/traefik/traefik/tree/v1.7.34) (2021-12-10)
+[All Commits](https://github.com/traefik/traefik/compare/v1.7.33...v1.7.34)
+
+**Bug fixes:**
+- **[k8s]** require that secret is a valid PEM ([#8624](https://github.com/traefik/traefik/pull/8624) by [jr0d](https://github.com/jr0d))
+
+## [v1.7.33](https://github.com/traefik/traefik/tree/v1.7.33) (2021-10-07)
+[All Commits](https://github.com/traefik/traefik/compare/v1.7.32...v1.7.33)
+
+**Bug fixes:**
+- **[acme]** acme: fix non-cluster mode ([#8501](https://github.com/traefik/traefik/pull/8501) by [ldez](https://github.com/ldez))
+
 ## [v1.7.32](https://github.com/traefik/traefik/tree/v1.7.32) (2021-10-06)
 [All Commits](https://github.com/traefik/traefik/compare/v1.7.31...v1.7.32)
 

LICENSE.md

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2016-2018 Containous SAS; 2020-2021 Traefik Labs
+Copyright (c) 2016-2018 Containous SAS; 2020-2022 Traefik Labs
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

acme/acme.go

@@ -69,7 +69,7 @@ type ACME struct {
 	challengeTLSProvider  *challengeTLSProvider
 	checkOnDemandDomain   func(domain string) bool
 	jobs                  *channels.InfiniteChannel
-	TLSConfig             *tls.Config `description:"TLS config in case wildcard certs are used"`
+	TLSConfig             *tls.Config `description:"TLS config in case wildcard certs are used" hash:"-"`
 	dynamicCerts          *safe.Safe
 	resolvingDomains      map[string]struct{}
 	resolvingDomainsMutex sync.RWMutex

api/handler.go

@@ -21,9 +21,9 @@ type Handler struct {
 	Debug                 bool   `export:"true"`
 	CurrentConfigurations *safe.Safe
 	Statistics            *types.Statistics          `description:"Enable more detailed statistics" export:"true"`
-	Stats                 *thoas_stats.Stats         `json:"-"`
-	StatsRecorder         *middlewares.StatsRecorder `json:"-"`
-	DashboardAssets       *assetfs.AssetFS           `json:"-"`
+	Stats                 *thoas_stats.Stats         `json:"-" hash:"-"`
+	StatsRecorder         *middlewares.StatsRecorder `json:"-" hash:"-"`
+	DashboardAssets       *assetfs.AssetFS           `json:"-" hash:"-"`
 }
 
 var (

configuration/configuration.go

@@ -452,18 +452,19 @@ func (gc *GlobalConfiguration) InitACMEProvider() (*acmeprovider.Provider, error
 		if gc.Cluster == nil {
 			provider := &acmeprovider.Provider{}
 			provider.Configuration = &acmeprovider.Configuration{
-				KeyType:       gc.ACME.KeyType,
-				OnHostRule:    gc.ACME.OnHostRule,
-				OnDemand:      gc.ACME.OnDemand,
-				Email:         gc.ACME.Email,
-				Storage:       gc.ACME.Storage,
-				HTTPChallenge: gc.ACME.HTTPChallenge,
-				DNSChallenge:  gc.ACME.DNSChallenge,
-				TLSChallenge:  gc.ACME.TLSChallenge,
-				Domains:       gc.ACME.Domains,
-				ACMELogging:   gc.ACME.ACMELogging,
-				CAServer:      gc.ACME.CAServer,
-				EntryPoint:    gc.ACME.EntryPoint,
+				KeyType:        gc.ACME.KeyType,
+				OnHostRule:     gc.ACME.OnHostRule,
+				OnDemand:       gc.ACME.OnDemand,
+				Email:          gc.ACME.Email,
+				PreferredChain: gc.ACME.PreferredChain,
+				Storage:        gc.ACME.Storage,
+				HTTPChallenge:  gc.ACME.HTTPChallenge,
+				DNSChallenge:   gc.ACME.DNSChallenge,
+				TLSChallenge:   gc.ACME.TLSChallenge,
+				Domains:        gc.ACME.Domains,
+				ACMELogging:    gc.ACME.ACMELogging,
+				CAServer:       gc.ACME.CAServer,
+				EntryPoint:     gc.ACME.EntryPoint,
 			}
 
 			store := acmeprovider.NewLocalStore(provider.Storage)

mkdocs.yml

@@ -26,7 +26,7 @@ theme:
     prev: 'Previous'
     next: 'Next'
 
-copyright: "Copyright © 2016-2019 Containous; 2020-2021 Traefik Labs"
+copyright: "Copyright © 2016-2019 Containous; 2020-2022 Traefik Labs"
 
 # only to force the use of the analytics partials
 google_analytics:

provider/kubernetes/fixtures/tLSSecretLoad_ingresses.yml

@@ -38,3 +38,22 @@ spec:
           servicePort: 80
   tls:
   - secretName: myUndefinedSecret
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    ingress.kubernetes.io/frontend-entry-points: ep3
+  name: badSecretIng
+  namespace: testing
+spec:
+  rules:
+    - host: example.fail
+      http:
+        paths:
+          - backend:
+              serviceName: example-fail
+              servicePort: 80
+  tls:
+    - secretName: badSecret

provider/kubernetes/fixtures/tLSSecretLoad_secrets.yml

@@ -6,3 +6,13 @@ kind: Secret
 metadata:
   name: myTlsSecret
   namespace: testing
+
+---
+apiVersion: v1
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5ceDAwXHgwMFx4MDAtLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tXG4=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+kind: Secret
+metadata:
+  name: badSecret
+  namespace: testing

provider/kubernetes/kubernetes.go

@@ -3,6 +3,7 @@ package kubernetes
 import (
 	"bufio"
 	"bytes"
+	"encoding/pem"
 	"errors"
 	"flag"
 	"fmt"
@@ -835,6 +836,19 @@ func getCertificateBlocks(secret *corev1.Secret, namespace, secretName string) (
 			namespace, secretName, strings.Join(missingEntries, ", "))
 	}
 
+	if !isPem(tlsCrtData) {
+		missingEntries = append(missingEntries, "tls.crt")
+	}
+
+	if !isPem(tlsKeyData) {
+		missingEntries = append(missingEntries, "tls.key")
+	}
+
+	if len(missingEntries) > 0 {
+		return "", "", fmt.Errorf("secret %s/%s does not contain PEM formatted TLS data entries: %s",
+			namespace, secretName, strings.Join(missingEntries, ","))
+	}
+
 	return cert, key, nil
 }
 
@@ -1269,3 +1283,17 @@ func templateSafeString(value string) error {
 	_, err := strconv.Unquote(`"` + value + `"`)
 	return err
 }
+
+func isPem(data []byte) bool {
+	for {
+		block, rest := pem.Decode(data)
+		if block == nil {
+			return false
+		}
+		if len(rest) == 0 {
+			break
+		}
+		data = rest
+	}
+	return true
+}

provider/kubernetes/kubernetes_test.go

@@ -1915,8 +1915,8 @@ func TestGetTLS(t *testing.T) {
 							Namespace: "testing",
 						},
 						Data: map[string][]byte{
-							"tls.crt": []byte("tls-crt"),
-							"tls.key": []byte("tls-key"),
+							"tls.crt": []byte("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n"),
+							"tls.key": []byte("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----\n"),
 						},
 					},
 					{
@@ -1925,8 +1925,8 @@ func TestGetTLS(t *testing.T) {
 							Namespace: "testing",
 						},
 						Data: map[string][]byte{
-							"tls.crt": []byte("tls-crt"),
-							"tls.key": []byte("tls-key"),
+							"tls.crt": []byte("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n"),
+							"tls.key": []byte("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----\n"),
 						},
 					},
 				},
@@ -1934,14 +1934,14 @@ func TestGetTLS(t *testing.T) {
 			result: map[string]*tls.Configuration{
 				"testing/test-secret": {
 					Certificate: &tls.Certificate{
-						CertFile: tls.FileOrContent("tls-crt"),
-						KeyFile:  tls.FileOrContent("tls-key"),
+						CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n"),
+						KeyFile:  tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----\n"),
 					},
 				},
 				"testing/test-secret2": {
 					Certificate: &tls.Certificate{
-						CertFile: tls.FileOrContent("tls-crt"),
-						KeyFile:  tls.FileOrContent("tls-key"),
+						CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n"),
+						KeyFile:  tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----\n"),
 					},
 				},
 			},
@@ -1968,8 +1968,8 @@ func TestGetTLS(t *testing.T) {
 							Namespace: "testing",
 						},
 						Data: map[string][]byte{
-							"tls.crt": []byte("tls-crt"),
-							"tls.key": []byte("tls-key"),
+							"tls.crt": []byte("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n"),
+							"tls.key": []byte("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----\n"),
 						},
 					},
 				},
@@ -1978,12 +1978,60 @@ func TestGetTLS(t *testing.T) {
 				"testing/test-secret": {
 					EntryPoints: []string{"api-secure", "https"},
 					Certificate: &tls.Certificate{
-						CertFile: tls.FileOrContent("tls-crt"),
-						KeyFile:  tls.FileOrContent("tls-key"),
+						CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n"),
+						KeyFile:  tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----\n"),
 					},
 				},
 			},
 		},
+		{
+			desc: "load bad certificate",
+			ingress: buildIngress(
+				iNamespace("testing"),
+				iAnnotation(annotationKubernetesFrontendEntryPoints, "https,api-secure"),
+				iRules(iRule(iHost("example.com"))),
+				iTLSes(iTLS("test-secret")),
+			),
+			client: clientMock{
+				secrets: []*corev1.Secret{
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "test-secret",
+							Namespace: "testing",
+						},
+						Data: map[string][]byte{
+							"tls.crt": []byte("invalid"),
+							"tls.key": []byte("invalid"),
+						},
+					},
+				},
+			},
+			errResult: "secret testing/test-secret does not contain PEM formatted TLS data entries: tls.crt,tls.key",
+		},
+		{
+			desc: "load nested bad certificate",
+			ingress: buildIngress(
+				iNamespace("testing"),
+				iAnnotation(annotationKubernetesFrontendEntryPoints, "https,api-secure"),
+				iRules(iRule(iHost("example.com"))),
+				iTLSes(iTLS("test-secret")),
+			),
+			client: clientMock{
+				secrets: []*corev1.Secret{
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "test-secret",
+							Namespace: "testing",
+						},
+						Data: map[string][]byte{
+							"tls.crt": []byte("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n\x00\x00\x00-----END CERTIFICATE-----\n"),
+							"tls.key": []byte("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
+						},
+					},
+				},
+			},
+			errResult: "secret testing/test-secret does not contain PEM formatted TLS data entries: tls.crt",
+		},
 	}
 
 	for _, test := range testCases {

requirements.txt

@@ -2,3 +2,38 @@ mkdocs==0.17.5
 pymdown-extensions==4.12
 mkdocs-bootswatch==0.5.0
 mkdocs-material==2.9.4
+
+appdirs==1.4.4
+CacheControl==0.12.6
+certifi==2020.12.5
+chardet==4.0.0
+click==8.1.3
+colorama==0.4.4
+contextlib2==0.6.0
+distlib==0.3.1
+distro==1.5.0
+html5lib==1.1
+idna==3.2
+importlib-metadata==4.12.0
+Jinja2==3.1.2
+livereload==2.6.3
+lockfile==0.12.2
+Markdown==3.3.7
+MarkupSafe==2.1.1
+msgpack==1.0.2
+ordered-set==4.0.2
+packaging==20.9
+pep517==0.10.0
+progress==1.5
+Pygments==2.12.0
+pymdown-extensions==4.12
+pyparsing==2.4.7
+PyYAML==6.0
+requests==2.25.1
+retrying==1.3.3
+six==1.15.0
+toml==0.10.2
+tornado==4.5.3
+urllib3==1.26.5
+webencodings==0.5.1
+zipp==3.8.1

script/gcg/traefik-bugfix.toml

@@ -4,11 +4,11 @@ RepositoryName = "traefik"
 OutputType = "file"
 FileName = "traefik_changelog.md"
 
-# example new bugfix v1.7.32
+# example new bugfix v1.7.34
 CurrentRef = "v1.7"
-PreviousRef = "v1.7.31"
+PreviousRef = "v1.7.33"
 BaseBranch = "v1.7"
-FutureCurrentRefName = "v1.7.32"
+FutureCurrentRefName = "v1.7.34"
 
 ThresholdPreviousRef = 10
 ThresholdCurrentRef = 10