Merge current v2.7 into master

pkg/provider/acme/provider.go

@@ -538,7 +538,7 @@ func (p *Provider) addCertificateForDomain(domain types.Domain, certificate, key
 // The second (RenewInterval) is the interval between renew attempts.
 func getCertificateRenewDurations(certificatesDuration int) (time.Duration, time.Duration) {
 	switch {
-	case certificatesDuration >= 265*24: // >= 1 year
+	case certificatesDuration >= 365*24: // >= 1 year
 		return 4 * 30 * 24 * time.Hour, 7 * 24 * time.Hour // 4 month, 1 week
 	case certificatesDuration >= 3*30*24: // >= 90 days
 		return 30 * 24 * time.Hour, 24 * time.Hour // 30 days, 1 day

pkg/provider/acme/provider_test.go

@@ -608,11 +608,17 @@ func Test_getCertificateRenewDurations(t *testing.T) {
 			expectRenewInterval:   time.Minute,
 		},
 		{
-			desc:                  "1 Year certificates: 2 months renew period, 1 week renew interval",
+			desc:                  "1 Year certificates: 4 months renew period, 1 week renew interval",
 			certificatesDurations: 24 * 365,
 			expectRenewPeriod:     time.Hour * 24 * 30 * 4,
 			expectRenewInterval:   time.Hour * 24 * 7,
 		},
+		{
+			desc:                  "265 Days certificates: 30 days renew period, 1 day renew interval",
+			certificatesDurations: 24 * 265,
+			expectRenewPeriod:     time.Hour * 24 * 30,
+			expectRenewInterval:   time.Hour * 24,
+		},
 		{
 			desc:                  "90 Days certificates: 30 days renew period, 1 day renew interval",
 			certificatesDurations: 24 * 90,

pkg/provider/ecs/ecs.go

@@ -392,6 +392,13 @@ func (p *Provider) lookupEc2Instances(ctx context.Context, client *awsClient, cl
 
 		for _, container := range resp.ContainerInstances {
 			instanceIds[aws.StringValue(container.Ec2InstanceId)] = aws.StringValue(container.ContainerInstanceArn)
+			// Disallow Instance IDs of the form mi-*
+			// This prevents considering external instances in ECS Anywhere setups
+			// and getting InvalidInstanceID.Malformed error when calling the describe-instances endpoint.
+			if strings.HasPrefix(aws.StringValue(container.Ec2InstanceId), "mi-") {
+				continue
+			}
+
 			instanceArns = append(instanceArns, container.Ec2InstanceId)
 		}
 	}

pkg/provider/hub/handler.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"sync/atomic"
@@ -101,7 +102,7 @@ func (h *handler) handleDiscoverIP(rw http.ResponseWriter, req *http.Request) {
 }
 
 func (h *handler) doDiscoveryReq(ctx context.Context, ip, port, nonce string) error {
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, fmt.Sprintf("https://%s:%s", ip, port), http.NoBody)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, fmt.Sprintf("https://%s", net.JoinHostPort(ip, port)), http.NoBody)
 	if err != nil {
 		return fmt.Errorf("creating request: %w", err)
 	}

pkg/provider/hub/hub.go

@@ -17,13 +17,15 @@ import (
 
 var _ provider.Provider = (*Provider)(nil)
 
-// DefaultEntryPointName is the name of the default internal entry point.
-const DefaultEntryPointName = "traefik-hub"
+// Entrypoints created for Hub.
+const (
+	APIEntrypoint    = "traefikhub-api"
+	TunnelEntrypoint = "traefikhub-tunl"
+)
 
 // Provider holds configurations of the provider.
 type Provider struct {
-	EntryPoint string `description:"Entrypoint that exposes data for Traefik Hub. It should be a dedicated one, and not used by any router." json:"entryPoint,omitempty" toml:"entryPoint,omitempty" yaml:"entryPoint,omitempty" export:"true"`
-	TLS        *TLS   `description:"TLS configuration for mTLS communication between Traefik and Hub Agent." json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" export:"true"`
+	TLS *TLS `description:"TLS configuration for mTLS communication between Traefik and Hub Agent." json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" export:"true"`
 
 	server *http.Server
 }
@@ -36,11 +38,6 @@ type TLS struct {
 	Key      ttls.FileOrContent `description:"The TLS key for Traefik Proxy as a TLS client." json:"key,omitempty" toml:"key,omitempty" yaml:"key,omitempty" loggable:"false"`
 }
 
-// SetDefaults sets the default values.
-func (p *Provider) SetDefaults() {
-	p.EntryPoint = DefaultEntryPointName
-}
-
 // Init the provider.
 func (p *Provider) Init() error {
 	return nil
@@ -48,10 +45,15 @@ func (p *Provider) Init() error {
 
 // Provide allows the hub provider to provide configurations to traefik using the given configuration channel.
 func (p *Provider) Provide(configurationChan chan<- dynamic.Message, _ *safe.Pool) error {
+	if p.TLS == nil {
+		return nil
+	}
+
 	listener, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
 		return fmt.Errorf("listener: %w", err)
 	}
+
 	port := listener.Addr().(*net.TCPAddr).Port
 
 	client, err := createAgentClient(p.TLS)
@@ -59,7 +61,7 @@ func (p *Provider) Provide(configurationChan chan<- dynamic.Message, _ *safe.Poo
 		return fmt.Errorf("creating Hub Agent HTTP client: %w", err)
 	}
 
-	p.server = &http.Server{Handler: newHandler(p.EntryPoint, port, configurationChan, p.TLS, client)}
+	p.server = &http.Server{Handler: newHandler(APIEntrypoint, port, configurationChan, p.TLS, client)}
 
 	// TODO: this is going to be leaky (because no context to make it terminate)
 	// if/when Provide lifecycle differs with Traefik lifecycle.
@@ -70,7 +72,7 @@ func (p *Provider) Provide(configurationChan chan<- dynamic.Message, _ *safe.Poo
 		}
 	}()
 
-	exposeAPIAndMetrics(configurationChan, p.EntryPoint, port, p.TLS)
+	exposeAPIAndMetrics(configurationChan, APIEntrypoint, port, p.TLS)
 
 	return nil
 }

pkg/provider/kubernetes/crd/kubernetes.go

@@ -413,7 +413,7 @@ func getServicePort(svc *corev1.Service, port intstr.IntOrString) (*corev1.Servi
 
 	if hasValidPort {
 		log.WithoutContext().
-			Warning("The port %d from IngressRoute doesn't match with ports defined in the ExternalName service %s/%s.", port, svc.Namespace, svc.Name)
+			Warnf("The port %s from IngressRoute doesn't match with ports defined in the ExternalName service %s/%s.", port, svc.Namespace, svc.Name)
 	}
 
 	return &corev1.ServicePort{Port: port.IntVal}, nil