Commit 34b9121

Merge v3.6 into master
2 parents 8bdcd72 + b9c2e75 commit 34b9121

59 files changed

Lines changed: 1399 additions & 460 deletions

.github/workflows/template-webui.yaml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,8 @@
11
name: Build Web UI
22
on:
33
workflow_call: {}
4+
env:
5+
SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: 360 # 15 days
46
jobs:
57

68
build-webui:
@@ -22,6 +24,12 @@ jobs:
2224
cache: yarn
2325
cache-dependency-path: webui/yarn.lock
2426

27+
- name: Setup safe-chain
28+
working-directory: ./webui
29+
run: |
30+
npm i -g @aikidosec/safe-chain
31+
safe-chain setup-ci
32+
2533
- name: Build webui
2634
working-directory: ./webui
2735
run: |
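
Review bot: The `Setup safe-chain` step installs the guard itself with an unpinned `npm i -g @aikidosec/safe-chain`, so the tool meant to vet dependencies is fetched at whatever version is latest at run time, before any safe-chain protection is active. Pin it to an exact version (`npm i -g @aikidosec/safe-chain@<version>`) and bump it deliberately. The `working-directory: ./webui` on this step also looks unnecessary for a global install; the same step in test-unit.yaml omits it.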

.github/workflows/test-gateway-api-conformance.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@ on:
99
- 'pkg/provider/kubernetes/gateway/**'
1010
- 'integration/fixtures/gateway-api-conformance/**'
1111
- 'integration/gateway_api_conformance_test.go'
12+
- 'integration/integration_test.go'
1213

1314
env:
1415
GO_VERSION: '1.24'

.github/workflows/test-knative-conformance.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@ on:
99
- 'pkg/provider/kubernetes/knative/**'
1010
- 'integration/fixtures/knative/**'
1111
- 'integration/knative_conformance_test.go'
12+
- 'integration/integration_test.go'
1213

1314
env:
1415
GO_VERSION: '1.24'

.github/workflows/test-unit.yaml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -79,6 +79,11 @@ jobs:
7979
cache: 'yarn'
8080
cache-dependency-path: webui/yarn.lock
8181

82+
- name: Setup safe-chain
83+
run: |
84+
npm i -g @aikidosec/safe-chain
85+
safe-chain setup-ci
86+
8287
- name: UI unit tests
8388
working-directory: ./webui
8489
env:
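
Review bot: This file's diff adds only the `Setup safe-chain` step, without the `SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: 360` env entry that template-webui.yaml gets in the same commit. Unless that variable is already set elsewhere in this workflow, the UI unit-test job runs safe-chain with whatever default the tool applies rather than the 15-day minimum age used by the build job; add the same `env:` entry here so both workflows apply one policy. As in template-webui.yaml, the `npm i -g @aikidosec/safe-chain` install is unpinned.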

.golangci.yml

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -239,6 +239,8 @@ linters:
239239
text: ' always receives '
240240
linters:
241241
- unparam
242+
- path: pkg/server/service/bufferpool.go
243+
text: 'SA6002: argument should be pointer-like to avoid allocations'
242244
- path: pkg/server/middleware/middlewares.go
243245
text: Function 'buildConstructor' has too many statements
244246
linters:
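
Review bot: The SA6002 exclusion for `pkg/server/service/bufferpool.go` is re-added here, between the `unparam` rule and the `middlewares.go` rule, while the identical-text exclusion for `pkg/proxy/httputil/bufferpool.go` stays further down in the file. Keeping the two `bufferpool.go` SA6002 entries adjacent would make it easier to see which files are exempt from that check and to remove them together.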
@@ -314,12 +316,8 @@ linters:
314316
text: 'the methods of "wasmMiddlewareBuilder" use pointer receiver and non-pointer receiver.'
315317
linters:
316318
- recvcheck
317-
- path: pkg/server/service/bufferpool.go
318-
text: 'SA6002: argument should be pointer-like to avoid allocations'
319319
- path: pkg/proxy/httputil/bufferpool.go
320320
text: 'SA6002: argument should be pointer-like to avoid allocations'
321-
- path: pkg/udp/conn.go
322-
text: 'SA6002: argument should be pointer-like to avoid allocations'
323321
- path: integration/integration_test.go
324322
text: 'var (gatewayAPIConformanceRunTest|traefikVersion) is unused'
325323
- path: pkg/server/router/router.go

CHANGELOG.md

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,29 @@
1+
## [v3.6.2](https://github.com/traefik/traefik/tree/v3.6.2) (2025-11-18)
2+
[All Commits](https://github.com/traefik/traefik/compare/v3.6.1...v3.6.2)
3+
4+
**Bug fixes:**
5+
- **[k8s/ingress-nginx]** Deprecate Kubernetes Ingress NGINX provider experimental flag ([#12286](https://github.com/traefik/traefik/pull/12286) by [rtribotte](https://github.com/rtribotte))
6+
7+
## [v3.6.1](https://github.com/traefik/traefik/tree/v3.6.1) (2025-11-13)
8+
[All Commits](https://github.com/traefik/traefik/compare/v3.6.0...v3.6.1)
9+
10+
**Bug fixes:**
11+
- **[docker]** Auto-negotiate Docker API Version ([#12256](https://github.com/traefik/traefik/pull/12256) by [felixbuenemann](https://github.com/felixbuenemann))
12+
- **[server]** Fix multi-layer routing with models ([#12258](https://github.com/traefik/traefik/pull/12258) by [juliens](https://github.com/juliens))
13+
- **[udp]** Revert "Avoid allocations in readLoop by using sync.Pool" ([#12267](https://github.com/traefik/traefik/pull/12267) by [kevinpollet](https://github.com/kevinpollet))
14+
- **[webui]** Fix blocked navigation on Safari ([#12231](https://github.com/traefik/traefik/pull/12231) by [gndz07](https://github.com/gndz07))
15+
- **[webui]** Restore remote Upgrade to Hub button web component ([#12219](https://github.com/traefik/traefik/pull/12219) by [gndz07](https://github.com/gndz07))
16+
17+
**Documentation:**
18+
- **[k8s]** Fix Nginx provider documentation ([#12266](https://github.com/traefik/traefik/pull/12266) by [nmengin](https://github.com/nmengin))
19+
- **[k8s]** Fix Gateway API version and the list of features supported ([#12254](https://github.com/traefik/traefik/pull/12254) by [nmengin](https://github.com/nmengin))
20+
21+
## [v2.11.31](https://github.com/traefik/traefik/tree/v2.11.31) (2025-11-13)
22+
[All Commits](https://github.com/traefik/traefik/compare/v2.11.30...v2.11.31)
23+
24+
**Bug fixes:**
25+
- **[docker,docker/swarm]** Auto-negotiate Docker API version ([#12262](https://github.com/traefik/traefik/pull/12262) by [kevinpollet](https://github.com/kevinpollet))
26+
127
## [v3.6.0](https://github.com/traefik/traefik/tree/v3.6.0) (2025-11-07)
228
[All Commits](https://github.com/traefik/traefik/compare/v3.5.0-rc1...v3.6.0)
329

SECURITY.md

Lines changed: 6 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,5 @@
11
# Security Policy
22

3-
You can join our security mailing list to be aware of the latest announcements from our security team.
4-
You can subscribe by sending an email to [email protected] or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
5-
6-
Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
7-
83
## Supported Versions
94

105
- We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year.
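
Review bot: Removing the security mailing list paragraph at the top leaves the policy without any channel for following security announcements. If the list is retired, say where users should watch instead, for example the repository's security advisories page that the reporting section already links to.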
@@ -17,14 +12,16 @@ We use [Semantic Versioning](https://semver.org/).
1712

1813
| Version | Supported |
1914
|-----------|--------------------|
20-
| `2.2.x` | :white_check_mark: |
21-
| `< 2.2.x` | :x: |
22-
| `1.7.x` | :white_check_mark: |
23-
| `< 1.7.x` | :x: |
15+
| `3.6.x` | :white_check_mark: |
16+
| `< 3.6.x` | :x: |
17+
| `2.11.x` | :white_check_mark: |
18+
| `< 2.11.x` | :x: |
2419

2520
## Reporting a Vulnerability
2621

2722
We want to keep Traefik safe for everyone.
2823
If you've discovered a security vulnerability in Traefik,
2924
we appreciate your help in disclosing it to us in a responsible manner,
3025
by creating a [security advisory](https://github.com/traefik/traefik/security/advisories).
26+
27+
Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
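
Review bot: In the updated support table, the row `< 3.6.x` marked unsupported is followed by `2.11.x` marked supported, and 2.11.x is itself lower than 3.6.x, so the two rows read as contradictory. Scope the rows by major line (for example `3.x < 3.6` and `2.x < 2.11`) so operators on older 3.x releases can tell unambiguously that they no longer receive fixes. The cve.mitre.org sentence now sits under "Reporting a Vulnerability" although it is about published vulnerabilities; a separate short heading would fit it better.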

cmd/traefik/traefik.go

Lines changed: 23 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -114,9 +114,7 @@ func runCmd(staticConfiguration *static.Configuration) error {
114114
log.Debug().RawJSON("staticConfiguration", []byte(redactedStaticConfiguration)).Msg("Static configuration loaded [json]")
115115
}
116116

117-
if staticConfiguration.Global.CheckNewVersion {
118-
checkNewVersion()
119-
}
117+
checkNewVersion(staticConfiguration)
120118

121119
stats(staticConfiguration)
122120

@@ -614,13 +612,28 @@ func setupTracing(ctx context.Context, conf *static.Tracing) (*tracing.Tracer, i
614612
return tracer, closer
615613
}
616614

617-
func checkNewVersion() {
618-
ticker := time.Tick(24 * time.Hour)
619-
safe.Go(func() {
620-
for time.Sleep(10 * time.Minute); ; <-ticker {
621-
version.CheckNewVersion()
622-
}
623-
})
615+
func checkNewVersion(staticConfiguration *static.Configuration) {
616+
logger := log.With().Logger()
617+
618+
if staticConfiguration.Global.CheckNewVersion {
619+
logger.Info().Msg(`Version check is enabled.`)
620+
logger.Info().Msg(`Traefik checks for new releases to notify you if your version is out of date.`)
621+
logger.Info().Msg(`It also collects usage data during this process.`)
622+
logger.Info().Msg(`Check the documentation to get more info: https://doc.traefik.io/traefik/contributing/data-collection/`)
623+
624+
ticker := time.Tick(24 * time.Hour)
625+
safe.Go(func() {
626+
for time.Sleep(10 * time.Minute); ; <-ticker {
627+
version.CheckNewVersion()
628+
}
629+
})
630+
} else {
631+
logger.Info().Msg(`
632+
Version check is disabled.
633+
You will not be notified if a new version is available.
634+
More details: https://doc.traefik.io/traefik/contributing/data-collection/
635+
`)
636+
}
624637
}
625638

626639
func stats(staticConfiguration *static.Configuration) {
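
Review bot: In the `else` branch of `checkNewVersion`, the disabled notice is logged as a single raw-string message that starts and ends with a newline and spans three lines, whereas the enabled branch logs one short message per call. With structured output this becomes one entry with embedded line breaks, which is harder to grep and alert on; log it as separate single-line `logger.Info().Msg(...)` calls like the enabled branch. `logger := log.With().Logger()` adds no fields, so calling `log.Info()` directly would do, and since the function is now called unconditionally, a short doc comment saying that it only logs when the option is off would help.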

docs/content/contributing/data-collection.md

Lines changed: 64 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -1,17 +1,72 @@
11
---
22
title: "Traefik Data Collection Documentation"
3-
description: "To learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances. Read the technical documentation."
3+
description: "Learn what data Traefik shares, how it is used, and how you can control it. This documentation explains both version check and anonymous usage statistics data. Read the technical documentation."
44
---
55

66
# Data Collection
77

8-
Understanding How Traefik is Being Used
8+
Understanding the data Traefik shares and how it is used
99
{: .subtitle }
1010

11-
## Configuration Example
11+
## Introduction
1212

13-
Understanding how you use Traefik is very important to us: it helps us improve the solution in many different ways.
14-
For this very reason, the sendAnonymousUsage option is mandatory: we want you to take time to consider whether or not you wish to share anonymous data with us, so we can benefit from your experience and use cases.
13+
Protecting user privacy is essential to Traefik Labs, and we design every data-sharing mechanism with transparency and minimalism in mind.
14+
This page describes the two types of data exchanged by Traefik and how to configure them.
15+
16+
For more details on how your data is handled, please refer to our [Privacy and Cookie Policy](https://traefik.io/legal/privacy-and-cookie-policy).
17+
18+
## Configuration Overview
19+
20+
Traefik provides two independent mechanisms:
21+
22+
- `checkNewVersion`, enabled by default. You may disable it at any time.
23+
- `sendAnonymousUsage`, which requires explicit opt‑in.
24+
25+
Examples below show how to activate or deactivate both of them.
26+
27+
```yaml tab="YAML"
28+
global:
29+
checkNewVersion: true # set to false to disable
30+
sendAnonymousUsage: false # set to true to enable
31+
```
32+
33+
```toml tab="TOML"
34+
[global]
35+
checkNewVersion = true # set to false to disable
36+
sendAnonymousUsage = false # set to true to enable
37+
```
38+
39+
```bash tab="CLI"
40+
--global.checkNewVersion=true # set to false to disable
41+
--global.sendAnonymousUsage=false # set to true to enable
42+
```
43+
44+
A log message at startup clearly indicates whether each of those options are enabled or disabled.
45+
46+
## Version Check (`checkNewVersion`) – Opt-out
47+
48+
Traefik periodically contacts `update.traefik.io` to determine whether a newer version is available.
49+
When this request is made, Traefik shares the **running version** and the **public IP** of the instance.
50+
The IP is used to build global usage statistics and does not influence the version comparison.
51+
52+
This mechanism helps you stay informed about updates and provides TraefikLabs with a broad view of which versions are deployed in the wild.
53+
54+
The collected IP addresses are also used for marketing purposes, specifically to detect companies running Traefik and offer them adapted support contracts, enterprise features, and tailored services.
55+
56+
If you want to explore the implementation, you can read the version check source code: [version.go](https://github.com/traefik/traefik/blob/master/pkg/version/version.go)
57+
58+
## Anonymous Usage Data (`sendAnonymousUsage`) – Opt‑in
59+
60+
Traefik can also collect anonymous usage statistics once per day, starting 10 minutes after it starts running.
61+
These statistics include:
62+
63+
- the Traefik version,
64+
- a hash of the configuration,
65+
- an anonymized version of the static configuration (all sensitive fields removed: tokens, passwords, URLs, IP addresses, domains, emails, etc.).
66+
67+
This feature comes from this [public proposal](https://github.com/traefik/traefik/issues/2369).
68+
69+
This information helps TraefikLabs understand how Traefik is used in general and prioritize features and provider support accordingly. Dynamic configuration (routers and services) is never collected.
1570

1671
!!! example "Enabling Data Collection"
1772
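
Review bot: The Configuration Overview bullet for `checkNewVersion` says only "enabled by default", while the fact that each check shares the instance's public IP, used for usage statistics and marketing, appears only in the later "Version Check" section. State what is sent in that bullet so readers deciding whether to keep the default see it immediately. Smaller points: the company is spelled both "Traefik Labs" and "TraefikLabs", the headings mix a plain hyphen in "Opt-out" with a non-breaking hyphen in "Opt‑in" (which may change the generated anchors), and "whether each of those options are enabled" should read "is enabled".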

@@ -32,21 +87,6 @@ For this very reason, the sendAnonymousUsage option is mandatory: we want you to
3287
--global.sendAnonymousUsage
3388
```
3489

35-
## Collected Data
36-
37-
This feature comes from this [public proposal](https://github.com/traefik/traefik/issues/2369).
38-
39-
In order to help us learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances.
40-
Those data help us prioritize our developments and focus on what's important for our users (for example, which provider is popular, and which is not).
41-
42-
### What's collected / when ?
43-
44-
Once a day (the first call begins 10 minutes after the start of Traefik), we collect:
45-
46-
- the Traefik version number
47-
- a hash of the configuration
48-
- an **anonymized version** of the static configuration (token, username, password, URL, IP, domain, email, etc., are removed).
49-
5090
!!! info
5191

5292
- We do not collect the dynamic configuration information (routers & services).
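
Review bot: With the "Collected Data" section removed, the retained `!!! info` bullet "We do not collect the dynamic configuration information (routers & services)" repeats the sentence added earlier in this file ("Dynamic configuration (routers and services) is never collected"). Keep one of the two.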
@@ -93,8 +133,9 @@ providers:
93133
insecureSkipVerify: true
94134
```
95135
96-
## The Code for Data Collection
136+
### The Code for Anonymous Usage Collection
97137
98-
If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/traefik/traefik/blob/master/pkg/collector/collector.go)
138+
If you want to explore the implementation, you can read the collector source code:
139+
[collector.go](https://github.com/traefik/traefik/blob/master/pkg/collector/collector.go)
99140
100-
By default, we anonymize all configuration fields, except fields tagged with `export=true`.
141+
Traefik anonymizes all configuration fields by default, except those explicitly marked with `export=true`.

docs/content/migrate/v3.md

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -525,3 +525,32 @@ To use the new `leasttime` load-balancer algorithm with the Kubernetes CRD provi
525525
```shell
526526
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
527527
```
528+
529+
## v3.6.2
530+
531+
### Ingress NGINX Provider
532+
533+
The KubernetesIngressNGINX Provider is no longer experimental in v3.6.2 and can be enabled without the `experimental.kubernetesIngressNGINX` option.
534+
535+
**Deprecated Configuration:**
536+
537+
??? example "Experimental kubernetesIngressNGINX option (deprecated)"
538+
539+
```yaml tab="File (YAML)"
540+
experimental:
541+
kubernetesIngressNGINX: true
542+
```
543+
544+
```toml tab="File (TOML)"
545+
[experimental]
546+
kubernetesIngressNGINX=true
547+
```
548+
549+
```bash tab="CLI"
550+
--experimental.kubernetesIngressNGINX=true
551+
```
552+
553+
**Migration Steps:**
554+
555+
1. Remove the `kubernetesIngressNGINX` option from the experimental section
556+
2. Configure the provider using the [kubernetesIngressNGINX Provider documentation](../reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md)
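
Review bot: The migration steps say to remove `experimental.kubernetesIngressNGINX`, but the section does not say what happens when the option is left in place after upgrading to v3.6.2: whether it is ignored, logged as deprecated, or rejected at startup. Add one sentence on that behaviour so operators know whether the upgrade can be done before the configuration cleanup.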
