Merge 'v2.3' into master.

.github/PULL_REQUEST_TEMPLATE.md

@@ -3,11 +3,11 @@ PLEASE READ THIS MESSAGE.
 
 Documentation fixes or enhancements:
 - for Traefik v1: use branch v1.7
-- for Traefik v2: use branch v2.2
+- for Traefik v2: use branch v2.3
 
 Bug fixes:
 - for Traefik v1: use branch v1.7
-- for Traefik v2: use branch v2.2
+- for Traefik v2: use branch v2.3
 
 Enhancements:
 - for Traefik v1: we only accept bug fixes

CHANGELOG.md

@@ -1,3 +1,14 @@
+## [v2.3.1](https://github.com/traefik/traefik/tree/v2.3.1) (2020-09-28)
+[All Commits](https://github.com/traefik/traefik/compare/v2.3.0...v2.3.1)
+
+**Bug fixes:**
+- **[webui]** Fix blank webui on some browsers ([#7364](https://github.com/traefik/traefik/pull/7364) by [matthieuh](https://github.com/matthieuh))
+
+**Documentation:**
+- **[k8s/helm]** Update of the helm repo localisation ([#7352](https://github.com/traefik/traefik/pull/7352) by [dgoujard](https://github.com/dgoujard))
+- restore traefik logo ([#7344](https://github.com/traefik/traefik/pull/7344) by [notsureifkevin](https://github.com/notsureifkevin))
+- Removes invalid items in the changelog. ([#7339](https://github.com/traefik/traefik/pull/7339) by [ldez](https://github.com/ldez))
+
 ## [v2.3.0](https://github.com/traefik/traefik/tree/v2.3.0) (2020-09-23)
 [All Commits](https://github.com/traefik/traefik/compare/v2.2.0-rc1...v2.3.0)
 

CODE_OF_CONDUCT.md

@@ -36,7 +36,7 @@ Representation of a project may be further defined and clarified by project main
 
 ## Enforcement
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@containo.us
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@traefik.io
 All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. 
 The project team is obligated to maintain confidentiality with regard to the reporter of an incident. 
 Further details of specific enforcement policies may be posted separately.
@@ -48,4 +48,4 @@ Project maintainers who do not follow or enforce the Code of Conduct in good fai
 This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
 
 [homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
+[version]: http://contributor-covenant.org/version/1/4/

README.md

@@ -8,7 +8,7 @@
 [![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
 [![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
-[![Join the community support forum at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
+[![Join the community support forum at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)
 
 
@@ -96,9 +96,9 @@ A collection of contributions around Traefik can be found at [https://awesome.tr
 ## Support
 
 To get community support, you can:
-- join the Traefik community forum: [![Join the chat at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
+- join the Traefik community forum: [![Join the chat at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
 
-If you need commercial support, please contact [Containo.us](https://containo.us) by mail: <mailto:support@containo.us>.
+If you need commercial support, please contact [Traefik.io](https://traefik.io) by mail: <mailto:support@traefik.io>.
 
 ## Download
 
@@ -122,7 +122,7 @@ git clone https://github.com/traefik/traefik
 
 ## Introductory Videos
 
-You can find high level and deep dive videos on [videos.containo.us](https://videos.containo.us).
+You can find high level and deep dive videos on [videos.traefik.io](https://videos.traefik.io).
 
 ## Maintainers
 
@@ -152,9 +152,9 @@ We use [Semantic Versioning](https://semver.org/).
 
 ## Credits
 
-Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on the logo ![logo](docs/content/assets/img/traefik.icon.png).
+Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on the gopher's logo!.
 
-Traefik's logo is licensed under the Creative Commons 3.0 Attributions license.
+The gopher's logo of Traefik is licensed under the Creative Commons 3.0 Attributions license.
 
-Traefik's logo was inspired by the gopher stickers made by [Takuya Ueda](https://twitter.com/tenntenn).
+The gopher's logo of Traefik was inspired by the gopher stickers made by [Takuya Ueda](https://twitter.com/tenntenn).
 The original Go gopher was designed by [Renee French](https://reneefrench.blogspot.com/).

docs/content/getting-started/install-traefik.md

@@ -9,7 +9,10 @@ You can install Traefik with the following flavors:
 
 ## Use the Official Docker Image
 
-Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with the [sample configuration file](https://raw.githubusercontent.com/traefik/traefik/v2.3/traefik.sample.toml):
+Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
+
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.3/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.3/traefik.sample.yml)
 
 ```bash
 docker run -d -p 8080:8080 -p 80:80 \
@@ -42,7 +45,7 @@ Ensure that the following requirements are met:
 Add Traefik's chart repository to Helm:
 
 ```bash
-helm repo add traefik https://traefik.github.io/traefik-helm-chart
+helm repo add traefik https://helm.traefik.io/traefik
 ```
 
 You can update the chart repository by running:

docs/content/https/acme.md

@@ -516,6 +516,34 @@ certificatesResolvers:
 # ...
 ```
 
+### `keyType`
+
+_Optional, Default="RSA4096"_
+
+KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'.
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  keyType = "RSA4096"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      keyType: 'RSA4096'
+      # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.keyType="RSA4096"
+# ...
+```
+
 ## Fallback
 
 If Let's Encrypt is not reachable, the following certificates will apply:

docs/content/reference/static-configuration/file.toml

@@ -251,6 +251,9 @@
     addEntryPointsLabels = true
     addServicesLabels = true
 
+[pilot]
+  token = "foobar"
+
 [ping]
   entryPoint = "foobar"
   manualRouting = true
@@ -365,8 +368,6 @@
       [certificatesResolvers.CertificateResolver1.acme.tlsChallenge]
 
 [experimental]
-  [experimental.pilot]
-    token = "foobar"
   [experimental.plugins]
     [experimental.plugins.Descriptor0]
       moduleName = "foobar"

docs/content/reference/static-configuration/file.yaml

@@ -270,6 +270,8 @@ metrics:
     password: foobar
     addEntryPointsLabels: true
     addServicesLabels: true
+pilot:
+  token: foobar
 ping:
   entryPoint: foobar
   manualRouting: true
@@ -384,8 +386,6 @@ certificatesResolvers:
         entryPoint: foobar
       tlsChallenge: {}
 experimental:
-  pilot:
-    token: foobar
   plugins:
     Descriptor0:
       moduleName: foobar

pkg/config/runtime/runtime.go

@@ -23,7 +23,7 @@ type Configuration struct {
 	TCPRouters  map[string]*TCPRouterInfo  `json:"tcpRouters,omitempty"`
 	TCPServices map[string]*TCPServiceInfo `json:"tcpServices,omitempty"`
 	UDPRouters  map[string]*UDPRouterInfo  `json:"udpRouters,omitempty"`
-	UDPServices map[string]*UDPServiceInfo `json:"updServices,omitempty"`
+	UDPServices map[string]*UDPServiceInfo `json:"udpServices,omitempty"`
 }
 
 // NewConfig returns a Configuration initialized with the given conf. It never returns nil.

pkg/provider/acme/local_store.go

@@ -34,7 +34,10 @@ func (s *LocalStore) save(resolverName string, storedData *StoredData) {
 	defer s.lock.Unlock()
 
 	s.storedData[resolverName] = storedData
-	s.saveDataChan <- s.storedData
+
+	// we cannot pass s.storedData directly, map is reference type and as result
+	// we can face with race condition, so we need to work with objects copy
+	s.saveDataChan <- s.unSafeCopyOfStoredData()
 }
 
 func (s *LocalStore) get(resolverName string) (*StoredData, error) {
@@ -81,7 +84,10 @@ func (s *LocalStore) get(resolverName string) (*StoredData, error) {
 				}
 				if len(certificates) < len(storedData.Certificates) {
 					storedData.Certificates = certificates
-					s.saveDataChan <- s.storedData
+
+					// we cannot pass s.storedData directly, map is reference type and as result
+					// we can face with race condition, so we need to work with objects copy
+					s.saveDataChan <- s.unSafeCopyOfStoredData()
 				}
 			}
 		}
@@ -111,6 +117,15 @@ func (s *LocalStore) listenSaveAction() {
 	})
 }
 
+// unSafeCopyOfStoredData creates maps copy of storedData. Is not thread safe, you should use `s.lock`.
+func (s *LocalStore) unSafeCopyOfStoredData() map[string]*StoredData {
+	result := map[string]*StoredData{}
+	for k, v := range s.storedData {
+		result[k] = v
+	}
+	return result
+}
+
 // GetAccount returns ACME Account.
 func (s *LocalStore) GetAccount(resolverName string) (*Account, error) {
 	storedData, err := s.get(resolverName)

pkg/provider/acme/local_store_test.go

@@ -0,0 +1,87 @@
+package acme
+
+import (
+	"fmt"
+	"io/ioutil"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestLocalStore_GetAccount(t *testing.T) {
+	acmeFile := filepath.Join(t.TempDir(), "acme.json")
+
+	email := "some42@email.com"
+	filePayload := fmt.Sprintf(`{
+  "test": {
+    "Account": {
+      "Email": "%s"
+    }
+  }
+}`, email)
+
+	err := ioutil.WriteFile(acmeFile, []byte(filePayload), 0o600)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		desc     string
+		filename string
+		expected *Account
+	}{
+		{
+			desc:     "empty file",
+			filename: filepath.Join(t.TempDir(), "acme-empty.json"),
+			expected: nil,
+		},
+		{
+			desc:     "file with data",
+			filename: acmeFile,
+			expected: &Account{Email: "some42@email.com"},
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			s := NewLocalStore(test.filename)
+
+			account, err := s.GetAccount("test")
+			require.NoError(t, err)
+
+			assert.Equal(t, test.expected, account)
+		})
+	}
+}
+
+func TestLocalStore_SaveAccount(t *testing.T) {
+	acmeFile := filepath.Join(t.TempDir(), "acme.json")
+
+	s := NewLocalStore(acmeFile)
+
+	email := "some@email.com"
+
+	err := s.SaveAccount("test", &Account{Email: email})
+	require.NoError(t, err)
+
+	time.Sleep(100 * time.Millisecond)
+
+	file, err := ioutil.ReadFile(acmeFile)
+	require.NoError(t, err)
+
+	expected := `{
+  "test": {
+    "Account": {
+      "Email": "some@email.com",
+      "Registration": null,
+      "PrivateKey": null,
+      "KeyType": ""
+    },
+    "Certificates": null
+  }
+}`
+
+	assert.Equal(t, expected, string(file))
+}

pkg/provider/acme/provider.go

@@ -220,7 +220,7 @@ func (p *Provider) getClient() (*lego.Client, error) {
 
 	config := lego.NewConfig(account)
 	config.CADirURL = caServer
-	config.Certificate.KeyType = account.KeyType
+	config.Certificate.KeyType = GetKeyType(ctx, p.KeyType)
 	config.UserAgent = fmt.Sprintf("containous-traefik/%s", version.Version)
 
 	client, err := lego.NewClient(config)

pkg/tls/tlsmanager.go

@@ -106,7 +106,7 @@ func (m *Manager) Get(storeName, configName string) (*tls.Config, error) {
 	tlsConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
 		domainToCheck := types.CanonicalDomain(clientHello.ServerName)
 
-		if m.TLSAlpnGetter != nil {
+		if m.TLSAlpnGetter != nil && isACMETLS(clientHello) {
 			cert, err := m.TLSAlpnGetter(domainToCheck)
 			if err != nil {
 				return nil, err
@@ -282,3 +282,13 @@ func buildDefaultCertificate(defaultCertificate *Certificate) (*tls.Certificate,
 	}
 	return &cert, nil
 }
+
+func isACMETLS(clientHello *tls.ClientHelloInfo) bool {
+	for _, proto := range clientHello.SupportedProtos {
+		if proto == tlsalpn01.ACMETLS1Protocol {
+			return true
+		}
+	}
+
+	return false
+}