Merge branch v3.1 into master

2024-09-20 09:51:54 +02:00 · 2024-09-20 09:51:54 +02:00 · a398536688
commit a398536688
parent 42e1f2c9b1 0be01cc067
76 changed files with 1073 additions and 220 deletions
--- a/pkg/provider/acme/provider.go
+++ b/pkg/provider/acme/provider.go
@ -801,7 +801,7 @@ func deleteUnnecessaryDomains(ctx context.Context, domains []types.Domain) []typ
 			}

 			// Check if CN or SANS to check already exists
-			// or can not be checked by a wildcard
+			// or cannot be checked by a wildcard
 			var newDomainsToCheck []string
 			for _, domainProcessed := range domainToCheck.ToStrArray() {
 				if idxDomain < idxDomainToCheck && isDomainAlreadyChecked(domainProcessed, domain.ToStrArray()) {
--- a/pkg/provider/docker/builder_test.go
+++ b/pkg/provider/docker/builder_test.go
@ -205,7 +205,7 @@ func withEndpointSpec(ops ...func(*swarm.EndpointSpec)) func(*swarm.Service) {
 	}
 }

-func modeDNSSR(spec *swarm.EndpointSpec) {
+func modeDNSRR(spec *swarm.EndpointSpec) {
 	spec.Mode = swarm.ResolutionModeDNSRR
 }

--- a/pkg/provider/docker/config_test.go
+++ b/pkg/provider/docker/config_test.go
@ -3976,7 +3976,7 @@ func TestDynConfBuilder_getIPAddress_swarm(t *testing.T) {
 		networks map[string]*network.Summary
 	}{
 		{
-			service:  swarmService(withEndpointSpec(modeDNSSR)),
+			service:  swarmService(withEndpointSpec(modeDNSRR)),
 			expected: "",
 			networks: map[string]*network.Summary{},
 		},
--- a/pkg/provider/docker/pswarm_test.go
+++ b/pkg/provider/docker/pswarm_test.go
@ -114,7 +114,7 @@ func TestSwarmProvider_listServices(t *testing.T) {
 						"traefik.docker.network": "barnet",
 						"traefik.docker.LBSwarm": "true",
 					}),
-					withEndpointSpec(modeDNSSR)),
+					withEndpointSpec(modeDNSRR)),
 			},
 			dockerVersion:    "1.30",
 			networks:         []network.Summary{},
@ -140,7 +140,7 @@ func TestSwarmProvider_listServices(t *testing.T) {
 						"traefik.docker.network": "barnet",
 						"traefik.docker.LBSwarm": "true",
 					}),
-					withEndpointSpec(modeDNSSR)),
+					withEndpointSpec(modeDNSRR)),
 			},
 			dockerVersion: "1.30",
 			networks: []network.Summary{
@ -185,7 +185,7 @@ func TestSwarmProvider_listServices(t *testing.T) {
 					serviceLabels(map[string]string{
 						"traefik.docker.network": "barnet",
 					}),
-					withEndpointSpec(modeDNSSR)),
+					withEndpointSpec(modeDNSRR)),
 			},
 			tasks: []swarm.Task{
 				swarmTask("id1",
--- a/pkg/provider/docker/shared_test.go
+++ b/pkg/provider/docker/shared_test.go
@ -86,7 +86,7 @@ func Test_getPort_swarm(t *testing.T) {
 	}{
 		{
 			service: swarmService(
-				withEndpointSpec(modeDNSSR),
+				withEndpointSpec(modeDNSRR),
 			),
 			networks:   map[string]*docker.NetworkResource{},
 			serverPort: "8080",
--- a/pkg/provider/traefik/internal.go
+++ b/pkg/provider/traefik/internal.go
@ -91,15 +91,27 @@ func (i *Provider) createConfiguration(ctx context.Context) *dynamic.Configurati
 }

 func (i *Provider) acme(cfg *dynamic.Configuration) {
-	var eps []string
+	allowACMEByPass := map[string]bool{}
+	for name, ep := range i.staticCfg.EntryPoints {
+		allowACMEByPass[name] = ep.AllowACMEByPass
+	}

+	var eps []string
+	var epsByPass []string
 	uniq := map[string]struct{}{}
 	for _, resolver := range i.staticCfg.CertificatesResolvers {
 		if resolver.ACME != nil && resolver.ACME.HTTPChallenge != nil && resolver.ACME.HTTPChallenge.EntryPoint != "" {
-			if _, ok := uniq[resolver.ACME.HTTPChallenge.EntryPoint]; !ok {
-				eps = append(eps, resolver.ACME.HTTPChallenge.EntryPoint)
-				uniq[resolver.ACME.HTTPChallenge.EntryPoint] = struct{}{}
+			if _, ok := uniq[resolver.ACME.HTTPChallenge.EntryPoint]; ok {
+				continue
 			}
+			uniq[resolver.ACME.HTTPChallenge.EntryPoint] = struct{}{}
+
+			if allowByPass, ok := allowACMEByPass[resolver.ACME.HTTPChallenge.EntryPoint]; ok && allowByPass {
+				epsByPass = append(epsByPass, resolver.ACME.HTTPChallenge.EntryPoint)
+				continue
+			}
+
+			eps = append(eps, resolver.ACME.HTTPChallenge.EntryPoint)
 		}
 	}

@ -115,6 +127,17 @@ func (i *Provider) acme(cfg *dynamic.Configuration) {
 		cfg.HTTP.Routers["acme-http"] = rt
 		cfg.HTTP.Services["acme-http"] = &dynamic.Service{}
 	}
+
+	if len(epsByPass) > 0 {
+		rt := &dynamic.Router{
+			Rule:        "PathPrefix(`/.well-known/acme-challenge/`)",
+			EntryPoints: epsByPass,
+			Service:     "acme-http@internal",
+		}
+
+		cfg.HTTP.Routers["acme-http-bypass"] = rt
+		cfg.HTTP.Services["acme-http"] = &dynamic.Service{}
+	}
 }

 func (i *Provider) redirection(ctx context.Context, cfg *dynamic.Configuration) {