feat(helm)!: Update traefik ( 32.1.1 → 33.0.0 )

[renovate]

This PR contains the following updates:

Package	Update	Change
traefik (source)	major	32.1.1 -> 33.0.0

---

Release Notes

traefik/traefik-helm-chart (traefik)

v33.0.0

Compare Source

Upgrade Notes

There are multiple breaking changes in this release:

1. The default port of traefik entrypoint has changed from 9000 to 8080, just like the Traefik Proxy default port
   • You may have to update probes accordingly (or set this port back to 9000)
2. publishedService is enabled by default on Ingress provider
   • You can disable it, if needed
3. The POD_NAME and POD_NAMESPACE environment variables are now set by default, without values.
   • It is no longer necessary to add them in values and so, it can be removed from user values.
4. In values, certResolvers specific syntax has been reworked to align with Traefik Proxy syntax.
   • PR #​1214 contains a complete before / after example on how to update values
5. Traefik Proxy 3.2 supports Gateway API v1.2 (standard channel)
   • It is recommended to check that other software using Gateway API on your cluster are compatible
   • The Gateway API CRD upgrade may fail even with Flux, Argo or other CD tool
   • See release notes of gateway API v1.2 on how to upgrade their CRDs and avoid issues about invalid values on v1alpha2 version

The CRDs needs to be updated, as documented in the README.

ℹ️ A separate helm chart, just for CRDs, is being considered for a future release. See PR #​1123

⚠ BREAKING CHANGES

• Env Variables: allow extending env without overwrite
• certificateResolvers: 💥 🐛 use same syntax in Chart and in Traefik
• Kubernetes Ingress: 💥 ✨ enable publishedService by default
• Traefik: 💥 set 8080 as default port for traefik entrypoint

Features

• Gateway API: ✨ add infrastructure in the values (2b28f7b)
• Gateway API: ✨ standard install CRD v1.2.0 (4432f3c)
• Traefik Proxy: update traefik docker tag to v3.2.0 (323e139)
• Traefik Proxy: ✨ support Gateway API statusAddress (e7dcac1)
• Traefik Proxy: CRDs for v3.2+ (d3c6d4c)

Bug Fixes

• certificateResolvers: 💥 🐛 use same syntax in Chart and in Traefik (016822d)
• Env Variables: allow extending env without overwrite (20f54b6)
• Gateway API: 🐛 add missing required RBAC for v3.2 with experimental Channel (b872549)
• schema: 🐛 targetPort can also be a string (12fee7e)
• use correct children indentation for logs.access.filters (59073ef)
• Kubernetes Ingress: 💥 ✨ enable publishedService by default (f7a96da)
• Traefik: 💥 set 8080 as default port for traefik entrypoint (2b32ce7)
• Traefik Hub: RBAC for distributedAcme (74abfee)
• 🐛 http3 with internal service (7558e63)

New Contributors

• @​jonathanbeber made their first contribution in https://github.com/traefik/traefik-helm-chart/pull/1210
• @​logica0419 made their first contribution in https://github.com/traefik/traefik-helm-chart/pull/1237

---

Configuration

📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

--- kubernetes/apps/network/traefik/app Kustomization: flux-system/traefik HelmRelease: network/traefik

+++ kubernetes/apps/network/traefik/app Kustomization: flux-system/traefik HelmRelease: network/traefik

@@ -13,13 +13,13 @@

     spec:
       chart: traefik
       sourceRef:
         kind: HelmRepository
         name: traefik
         namespace: flux-system
-      version: 32.1.1
+      version: 33.0.0
   driftDetection:
     mode: enabled
   install:
     crds: CreateReplace
     remediation:
       retries: 3

[github-actions]

--- HelmRelease: network/traefik ClusterRole: network/traefik-network

+++ HelmRelease: network/traefik ClusterRole: network/traefik-network

@@ -76,12 +76,13 @@

 - apiGroups:
   - ''
   resources:
   - namespaces
   - secrets
   - services
+  - configmaps
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - discovery.k8s.io
@@ -90,27 +91,31 @@

   verbs:
   - list
   - watch
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
+  - backendtlspolicies
   - gatewayclasses
   - gateways
+  - grpcroutes
   - httproutes
   - referencegrants
   - tcproutes
   - tlsroutes
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
+  - backendtlspolicies/status
   - gatewayclasses/status
   - gateways/status
+  - grpcroutes/status
   - httproutes/status
   - tcproutes/status
   - tlsroutes/status
   verbs:
   - update
 
--- HelmRelease: network/traefik Deployment: network/traefik

+++ HelmRelease: network/traefik Deployment: network/traefik

@@ -30,43 +30,43 @@

     spec:
       serviceAccountName: traefik
       automountServiceAccountToken: true
       terminationGracePeriodSeconds: 60
       hostNetwork: false
       containers:
-      - image: docker.io/traefik:v3.1.6
+      - image: docker.io/traefik:v3.2.0
         imagePullPolicy: IfNotPresent
         name: traefik
         resources: null
         readinessProbe:
           httpGet:
             path: /ping
-            port: 9000
+            port: 8080
             scheme: HTTP
           failureThreshold: 1
           initialDelaySeconds: 2
           periodSeconds: 10
           successThreshold: 1
           timeoutSeconds: 2
         livenessProbe:
           httpGet:
             path: /ping
-            port: 9000
+            port: 8080
             scheme: HTTP
           failureThreshold: 3
           initialDelaySeconds: 2
           periodSeconds: 10
           successThreshold: 1
           timeoutSeconds: 2
         lifecycle: null
         ports:
         - name: metrics
           containerPort: 9100
           protocol: TCP
         - name: traefik
-          containerPort: 9000
+          containerPort: 8080
           protocol: TCP
         - name: websecure
           containerPort: 8443
           protocol: TCP
         - name: websecure-http3
           containerPort: 8443
@@ -81,24 +81,27 @@

         - name: data
           mountPath: /data
         - name: tmp
           mountPath: /tmp
         args:
         - --entryPoints.metrics.address=:9100/tcp
-        - --entryPoints.traefik.address=:9000/tcp
+        - --entryPoints.traefik.address=:8080/tcp
         - --entryPoints.websecure.address=:8443/tcp
         - --entryPoints.websecure.asDefault=true
         - --api.dashboard=true
         - --ping=true
         - --metrics.prometheus=true
         - --metrics.prometheus.entrypoint=metrics
         - --providers.kubernetescrd
         - --providers.kubernetescrd.allowEmptyServices=true
         - --providers.kubernetesingress
         - --providers.kubernetesingress.allowEmptyServices=true
+        - --providers.kubernetesingress.ingressendpoint.publishedservice=network/traefik
         - --providers.kubernetesgateway
+        - --providers.kubernetesgateway.statusaddress.service.name=traefik
+        - --providers.kubernetesgateway.statusaddress.service.namespace=network
         - --providers.kubernetesgateway.experimentalchannel=true
         - --entryPoints.websecure.http.tls=true
         - --entryPoints.websecure.http3
         - --log.format=json
         - --log.level=INFO
         - --accesslog=true