chore(deps): update base infrastructure (major)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
devsec.hardening	galaxy-collection	major	9.0.0 -> 10.1.0
topolvm		major	14.1.0 -> 15.5.0
traefik (source)		major	28.0.0 -> 33.0.0
traefik (source)		major	32.0.0 -> 33.0.0

---

Release Notes

dev-sec/ansible-collection-hardening (devsec.hardening)

v10.1.0

Compare Source

Full Changelog

Implemented enhancements:

• Ubuntu 24.04 support #​764
• Add variable to set name_format for auditd #​810 [os_hardening] (schurzi)
• feat(ssh): add alpine support #​809 [ssh_hardening] (rndmh3ro)
• Provide granular noop for ssh configuration #​789 [ssh_hardening] (seven-beep)

Fixed bugs:

• molecule scenario ssh_hardening if failing due to missing docker image #​790
• getent_shadow empty #​787
• Error: Missing privilege separation directory: /run/sshd #​752
• fix(ssh_hardening): test setting kex to false, remove wrong default #​808 [ssh_hardening] (rndmh3ro)

Merged pull requests:

• Pin python dependencies and optimize GitHub Actions #​811 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
• fix(cicd): test idempotence on ssh custom tests #​807 [ssh_hardening] (rndmh3ro)
• Document correct quotes for ssh_permit_tunnel parameter #​806 [ssh_hardening] (vmpr)
• fix(docs): add 'become: true' to example playbooks. fix #​787 #​804 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• chore(deps): update dependency ansible-core to v2.17.5 #​802 (renovate[bot])
• Don't run tests if the environment is not correct #​801 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
• chore(deps): update actions/checkout digest to eef6144 #​800 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
• feat: Corrected package name #​799 [ssh_hardening] (PapaPeskwo)
• Use Python venv for VM tests #​798 (schurzi)
• Remove unused files and variables #​797 [os_hardening] (schurzi)
• chore(deps): update ansible/ansible-lint digest to 3b5bee1 #​795 (renovate[bot])
• chore(deps): update ansible/ansible-lint digest to 25f783c #​792 (renovate[bot])
• chore(deps): update dependency ansible-core to v2.17.4 #​791 (renovate[bot])
• chore(deps): update actions/setup-python digest to f677139 #​788 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
• chore(deps): update dependency ansible-core to v2.17.3 #​786 (renovate[bot])
• chore(deps): update dependency ansible-core to v2.17.2 #​756 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])

v10.0.0

Compare Source

Full Changelog

Implemented enhancements:

• option to disable regeneration of ssh private key #​772
• Support systemd socket activation for sshd #​763 [ssh_hardening]
• Release 9.0.2 #​758
• Make Publickey authentication configurable #​750
• Ansible Linting #​747
• Make value of kernel.unprivileged_userns_clone depending on kernel version #​727
• Ensure that ssh is installed (cf #​771) #​774 [ssh_hardening] (Byh0ki)
• ssh: explicitly enable or disable the service at boot #​771 [ssh_hardening] (Byh0ki)
• disable systemd socket activation #​769 [ssh_hardening] (rndmh3ro)
• Add ssh_pubkey_authentication variable to ssh hardening #​749 [ssh_hardening] (debbabi)

Fixed bugs:

• ssh hardening role fails when ssh_permit_root_login var is set on ubuntu 24.04 #​768
• os_hardening fails when setting vm.mmap_rnd_bits #​757
• ssh_gateway_ports is documented to accept 'clientspecified' string, but only accepts bools #​755
• harden permissions for directory mount /var/log fails for minimized Ubuntu 22.04 #​741
• Update Debian compatibility #​784 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
• do not force type of ssh_gateway_ports #​765 [mysql_hardening] [os_hardening] [ssh_hardening] (rndmh3ro)

Merged pull requests:

• Update to current Fedora releases #​783 [os_hardening] [ssh_hardening] (schurzi)
• Remove deprecated rebuild of initrd #​782 [os_hardening] (schurzi)
• chore(deps): update patrickjahns/version-drafter-action digest to 2076fa4 #​781 (renovate[bot])
• chore(deps): update ansible/ansible-lint digest to 95382d3 #​779 (renovate[bot])
• chore(deps): update actions/setup-python digest to 39cd149 #​778 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
• remove tests for FreeBSD12 since it's out of support #​777 [ssh_hardening] (schurzi)
• chore(deps): pin dependencies #​776 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
• Use best-practice preset for renovate #​775 (schurzi)
• Deprecate Centos Stream 8 #​770 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• centos7 is eol, remove it #​767 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• fix spelling #​766 [os_hardening] [ssh_hardening] (rndmh3ro)
• ci: define permissions for enforce-labels workflow #​760 (fgreinacher)
• Update dependency ansible-core to v2.16.5 #​754 (renovate[bot])
• Update dependency ansible-core to v2.16.4 #​751 (renovate[bot])
• Update ansible/ansible-lint action to v24 #​745 (renovate[bot])
• Always update Vagrant Boxes before using #​744 (schurzi)
• Remove Docker containers on self-hosted runner after tests #​743 (schurzi)
• Update dependency ansible-core to v2.16.3 #​742 (renovate[bot])

v9.0.1

Compare Source

Full Changelog

Implemented enhancements:

• Extend ansible-lint testing to cover our test cases #​731
• Complete tests for OS hardening #​660
• support restarts of audit service on Arch linux #​722 [os_hardening] (schurzi)

Fixed bugs:

• Fails to install #​735
• Amazon Linux gpg check fails #​734
• ssh_hardening ipv6 #​719
• boolean variable inconsistency? #​330
• Restore idempotency for disabling unused filesystems with Ansible 2.16.0 #​718 [os_hardening] (akikanellis)

Closed issues:

• 9.0.0 version number in galaxy.yml file is wrong #​740

Merged pull requests:

• restructure readme to move known limitations up top #​739 [os_hardening] [ssh_hardening] (rndmh3ro)
• release only on releases, not pre-releases #​738 (rndmh3ro)
• Update dependency ansible-core to v2.16.2 #​737 (renovate[bot])
• fix linting for github config #​736 (rndmh3ro)
• Update actions/setup-python action to v5 #​733 (renovate[bot])
• Update ansible-lint action and revise configuration to scan all Ansible code #​732 (schurzi)
• update labeler to new config format #​730 [ssh_hardening] (schurzi)
• Update dependency ansible-core to v2.16.1 #​728 [os_hardening] (renovate[bot])
• pin Ansible to always let Renovate update to the most current version in our tests #​721 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)

traefik/traefik-helm-chart (traefik)

v33.0.0

Compare Source

Upgrade Notes

There are multiple breaking changes in this release:

1. The default port of traefik entrypoint has changed from 9000 to 8080, just like the Traefik Proxy default port
   • You may have to update probes accordingly (or set this port back to 9000)
2. publishedService is enabled by default on Ingress provider
   • You can disable it, if needed
3. The POD_NAME and POD_NAMESPACE environment variables are now set by default, without values.
   • It is no longer necessary to add them in values and so, it can be removed from user values.
4. In values, certResolvers specific syntax has been reworked to align with Traefik Proxy syntax.
   • PR #​1214 contains a complete before / after example on how to update values
5. Traefik Proxy 3.2 supports Gateway API v1.2 (standard channel)
   • It is recommended to check that other software using Gateway API on your cluster are compatible
   • The Gateway API CRD upgrade may fail even with Flux, Argo or other CD tool
   • See release notes of gateway API v1.2 on how to upgrade their CRDs and avoid issues about invalid values on v1alpha2 version

The CRDs needs to be updated, as documented in the README.

ℹ️ A separate helm chart, just for CRDs, is being considered for a future release. See PR #​1123

⚠ BREAKING CHANGES

• Env Variables: allow extending env without overwrite
• certificateResolvers: 💥 🐛 use same syntax in Chart and in Traefik
• Kubernetes Ingress: 💥 ✨ enable publishedService by default
• Traefik: 💥 set 8080 as default port for traefik entrypoint

Features

• Gateway API: ✨ add infrastructure in the values (2b28f7b)
• Gateway API: ✨ standard install CRD v1.2.0 (4432f3c)
• Traefik Proxy: update traefik docker tag to v3.2.0 (323e139)
• Traefik Proxy: ✨ support Gateway API statusAddress (e7dcac1)
• Traefik Proxy: CRDs for v3.2+ (d3c6d4c)

Bug Fixes

• certificateResolvers: 💥 🐛 use same syntax in Chart and in Traefik (016822d)
• Env Variables: allow extending env without overwrite (20f54b6)
• Gateway API: 🐛 add missing required RBAC for v3.2 with experimental Channel (b872549)
• schema: 🐛 targetPort can also be a string (12fee7e)
• use correct children indentation for logs.access.filters (59073ef)
• Kubernetes Ingress: 💥 ✨ enable publishedService by default (f7a96da)
• Traefik: 💥 set 8080 as default port for traefik entrypoint (2b32ce7)
• Traefik Hub: RBAC for distributedAcme (74abfee)
• 🐛 http3 with internal service (7558e63)

New Contributors

• @​jonathanbeber made their first contribution in https://github.com/traefik/traefik-helm-chart/pull/1210
• @​logica0419 made their first contribution in https://github.com/traefik/traefik-helm-chart/pull/1237

v32.1.1

Compare Source

32.1.1 (2024-10-11)

Features

• deps: update traefik docker tag to v3.1.6 (37f9f12)

Bug Fixes

• schema: 🐛 targetPort can also be a string (c64c50a)

v32.1.0

Compare Source

Features

• deps: update traefik docker tag to v3.1.5 (3b1860c)
• Traefik Proxy: update rbac following v3.2 migration guide (cae906e)

Bug Fixes

• 🐛 set disableIngressClassLookup until 3.1.4 (7c81ff5)

v32.0.0

Compare Source

⚠ BREAKING CHANGES

• Traefik Hub. See release notes for more details.
  • CRD has to be updated before upgrading the Chart
  • There is a breaking change on how Redis is configured

Fixes

• Replace CLF with common in values.yaml by @​WillDaSilva in https://github.com/traefik/traefik-helm-chart/pull/1199
• Change apiVersion to updated group in EXAMPLES.md by @​NeuronButter in https://github.com/traefik/traefik-helm-chart/pull/1200

Features

• Traefik Hub: add APIPlans and APIBundles CRDs (87d206e)

New Contributors

• @​WillDaSilva made their first contribution in https://github.com/traefik/traefik-helm-chart/pull/1199
• @​NeuronButter made their first contribution in https://github.com/traefik/traefik-helm-chart/pull/1200

Full Changelog: traefik/traefik-helm-chart@v31.1.1...v32.0.0

v31.1.1

Compare Source

31.1.1 (2024-09-20)

Features

• deps: update traefik docker tag to v3.1.4 (51b46ba)

Bug Fixes

• 🐛 updateStrategy behavior (6c1c8c3)

v31.1.0

Compare Source

Features

• ✨ input validation using schema (cf703c7)
• ✨ add AllowACMEByPass and improve schema/doc on ports values (458cab9)
• Traefik Hub: add new webhooks and removes unnecessary ones (d7c3622)
• deps: update traefik docker tag to v3.1.3 (1ecf803)

Bug Fixes

• 🐛 update CRD to v3.1 (2dc2253)

v31.0.0

Compare Source

⚠ BREAKING CHANGES

• 🐛 set allowEmptyServices to true by default
• CRDs needs to be upgraded for Traefik Hub users
  • kubectl apply --server-side --force-conflicts -k https://github.com/traefik/traefik-helm-chart/traefik/crds/

Features

• Traefik Hub: update CRDs to v1.7.0 (aa18d47)

Bug Fixes

• HTTP3: split udp and tcp Service when service.single is false (24acadf)
• 🐛 set allowEmptyServices to true by default (2324766)
• Traefik Hub: update CRDs to v1.5.0 (ee3537a)

v30.1.0

Compare Source

Features

• ✨ rework namespaced RBAC with disableClusterScopeResources (5b54cf7)
• deps: update traefik docker tag to v3.1.2
• deps: update traefik docker tag to v3.1.1

Bug Fixes

• disable default HTTPS listener for gateway (f90f16e)
• Gateway API: use Standard channel by default (ccdb66b)
• Gateway API: wildcard support in hostname (93d1717)

v30.0.2

Compare Source

30.0.2 (2024-07-30)

Features

• Traefik Hub: 🍻 add E2E tests on RBACs change (dd3bee0)

Bug Fixes

• Traefik Hub: missing RBACs for Traefik Hub (ed80c4c)

v30.0.1

Compare Source

30.0.1 (2024-07-29)

Bug Fixes

• Traefik Hub: RBACs missing with API Gateway (747f833)
• Traefik Hub: support new RBACs for upcoming traefik hub release (0e81ea2)

v30.0.0

Compare Source

Upgrade notes

This release comes with a breaking change ⚠️ on how to configure Gateway with values (#​1133).
This release supports Traefik Proxy v3.0, v3.1 and Traefik Hub v3.3

Features

• ✨ display release name and image full path in installation notes (b77d53d)
• handle log filePath and noColor (51fc564)
• use single ingressRoute template (9240475)
• deps: update traefik docker tag to v3.1.0

Bug Fixes

• 🐛 ingressroute default name (a494617)
• can't set gateway name (13d302d)
• namespaced RBACs hub api gateway (50c24e5)
• remove version in OCI documentation (d613258)
• Gateway API: provide expected roles when using namespaced RBAC (abc6310)
• Gateway API: revamp Gateway implementation (5f2705d)

Documentation

• EXAMPLES: 📚️ improve wording on dashboard access without exposing it (2b03ee8)

v29.0.1

Compare Source

29.0.1 (2024-07-09)

Features

• ✨ publish chart on OCI registry (deaddf5)

Bug Fixes

• RBACs for hub and disabled namespaced RBACs (0827106)
• semverCompare failing on some legitimate tags (143b96f)

v29.0.0

Compare Source

Upgrade Notes

This is a major breaking upgrade. Migration guide from v3.0 to v3.1rc has been applied on this chart.

This release supports both Traefik Proxy v3.0.x and v3.1rc.

It comes with those ⚠️ breaking changes ⚠️ :

• Far better support on Gateway API v1.1: Gateway, GatewayClass, CRDs & RBAC (#​1107)
• Many changes on CRDs & RBAC (#​1072 & #​1108)
• Refactor on Prometheus Operator support. Values has changed (#​1114)
• Dashboard IngressRoute is now disabled by default (#​1111)

CRDs needs to be upgraded: kubectl apply --server-side --force-conflicts -k https://github.com/traefik/traefik-helm-chart/traefik/crds/

Features

• ✨ migrate to endpointslices rbac (0449b0b)
• ✨ update CRDs & RBAC for Traefik Proxy (228c4e4)
• allow to set hostAliases for traefik pod (42e5745)
• dashboard: dashboard IngressRoute should be disabled by default (d9b856a)
• providers: add nativeLBByDefault support (e75a85c)
• providers: improve kubernetesGateway and Gateway API support (2eb640a)
• workflow: add oci push (aa3022a)
• deps: update traefik docker tag to v3.0.4
• deps: update traefik docker tag to v3.0.3

Bug Fixes

• dashboard: Only set ingressClass annotation when kubernetesCRD provider is listening for it (f142f6c)
• rbac: nodes API permissions for Traefik v3.1+ (647439d)
• allow multiples values in the secretResourceNames slice (24978e8)
• 🐛 improve error message on additional service without ports (d4cab24)
• prometheus operator settings (7d3a90d)

Documentation

• fix typos and broken link (e43afd4)

New Contributors

• @​justinrush made their first contribution in https://github.com/traefik/traefik-helm-chart/pull/1093
• @​x0ddf made their first contribution in https://github.com/traefik/traefik-helm-chart/pull/1094
• @​traefiker made their first contribution in https://github.com/traefik/traefik-helm-chart/pull/1101
• @​mmetc made their first contribution in https://github.com/traefik/traefik-helm-chart/pull/1102

v28.3.0

Compare Source

Features

• allow setting permanent on redirectTo (1b454e9)

Bug Fixes

• Security: 🐛 🔒️ mount service account token on pod level ([db4f43f](https://github.com/traefik/traefik-helm-chart/commit/
• Traefik Hub: remove namespace in mutating webhook (f8f2da2)
• Traefik Hub: remove obsolete CRD (4fcec62)
• 🐛 namespaced rbac when kubernetesIngress provider is disabled (3bb41f7)
  db4f43f))
• 🐛 add divisor: '1' to GOMAXPROCS and GOMEMLIMIT (9ccbee2)

New Contributors

• @​hawkesn made their first contribution in https://github.com/traefik/traefik-helm-chart/pull/1085
• @​berlincount made their first contribution in https://github.com/traefik/traefik-helm-chart/pull/1082

Full Changelog: traefik/traefik-helm-chart@v28.2.0...v28.3.0

v28.2.0

Compare Source

⚠️ This release align to Kubernetes default (Always) for podSecurityContext.fsGroupChangePolicy. It was OnRootMismatch in previous release of this chart. It can easily be set (back) to OnRootMismatch if needed, see EXAMPLES.

Features

• ✨ simplify values and provide more examples (4eb71eb)
• add deletecollection right on secrets (fb69807)
• update traefik docker tag to v3.0.1 by @​renovate in https://github.com/traefik/traefik-helm-chart/pull/1075

Bug Fixes

• IngressClass: provides annotation on IngressRoutes when it's enabled (f5de0c3)

New Contributors

• @​jspdown made their first contribution in https://github.com/traefik/traefik-helm-chart/pull/1077

Full Changelog: traefik/traefik-helm-chart@v28.1.0...v28.2.0

v28.1.0

Compare Source

Features

• Traefik Hub: add initial support for API Gateway (dc5c68d)
• Traefik Hub: use Traefik Proxy otlp config (a910db4)

Bug Fixes

• Traefik Hub: refine support (60d210d)
• Traefik Hub: do not deploy mutating webhook when enabling only API Gateway (cb2a98d)

Documentation

• example: Update Digital Ocean PROXY Protocol (9850319)
• 📚️ improve UPGRADING section (54ec665)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

This pull request was validated by pint.

✔️ No problems found

Stats

Stat	Value
Version	0.63.0
Number of rules parsed	372
Number of rules checked	0
Number of problems found	0
Number of offline checks	0
Number of online checks	0
Checks duration	0

Problems

No problems reported