Update Traefik to 2.9.6 version

[framar89]

Summary

Currently the default image version used for traefik is quay.io/eclipse/che--traefik:v2.8.1-4e52a5e2495484f5e19a49edfd2f652b0bce7b3603fa0df545ed90168ffae1c3 which has a critical vulnerability as showed in https://quay.io/repository/eclipse/che--traefik?tab=tags I ran a security scan using Trivy (https://trivy.dev/results/?image=traefik:v2.8.2) for the Dockerhub image traefik:v2.8.2 and it tells that there are no vulnerabilities.

So my questions are:

• Can traefik be updated to at least 2.8.2? It's a build update, so I don't expect any breaking changes.
• I saw that the image can be customized in Eclipse Che CRD so that I can temporarily use the one provided by Dockerhub (traefik:v2.8.2). Is it compatible? Do I need to change anything else?
• Are there any differences from the images in https://quay.io/repository/eclipse/che--traefik and the corresponding traefik in Dockerhub?

Thanks

Relevant information

No response

[tolusha]

@framar89

1. Yes, it can be updated.
2. You can try traefik:v2.8.2 image without any changes and it must be compatible. If it works for you, I will create a PR. Use the following command to set a new image in CheCluster CR

   kubectl patch checluster/eclipse-che --patch '{"spec": {"networking": {"auth": {"gateway": {"deployment": {"containers": [{"name": "gateway", "image": "traefik:v2.8.2"}]}}}}}}' --type=merge -n eclipse-che

3. There can't be any differences, quay.io contains a copy of docker.io image.

[framar89]

Unfortunately traefik:v2.8.2 does not work but I tried traefik:v2.9.5 (released 20 days ago) and it worked.

So, I think you can update to v2.9.5.

[tolusha]

traefik:v2.8.2 does not work for me either. The latest greatest traefik:v2.9.6 works fine for me. I will open a PR to switch to the new image.

[nickboldt]

Upstream steps (for 7.59):

• configure https://github.com/eclipse-che/che-release/blob/main/utils/copyImagesToQuay.txt, run https://github.com/eclipse-che/che-release/blob/main/utils/copyImagesToQuay.sh
  • Done: https://quay.io/repository/eclipse/che--traefik?tab=tags&tag=v2.9.6-bb7be8d50edf73d8d3a812ac8873ef354a0fe9b40d7f3880747b43a3525855d2
• update refs to traefik in operator csv, docs, etc.
• trigger builds of che-operator and any other impacted projects

Downstream steps (for 3.5 - https://issues.redhat.com/browse/CRW-3606):

• update https://github.com/redhat-developer/devspaces-images/blob/devspaces-3-rhel-8/devspaces-traefik/container.yaml
• update https://github.com/redhat-developer/devspaces-images/blob/devspaces-3-rhel-8/devspaces-traefik/build/rhel.Dockerfile if needed
• update https://github.com/redhat-developer/devspaces-images/blob/devspaces-3-rhel-8/devspaces-traefik/build/scripts/sync.sh (which is using 2.8.1 right now)
• update https://github.com/redhat-developer/devspaces/blob/devspaces-3-rhel-8/dependencies/job-config.json#L553-L563 and re-run job-configurator job to pull in changes Building:
• see if it builds in https://main-jenkins-csb-crwqe.apps.ocp-c1.prod.psi.redhat.com/job/DS_CI/job/traefik_3.x/
• iterate as needed Testing:
• get an SME in what traefik actually does (@tolusha ?) to verify the resulting 3.4 build does what it's expected to do with respect to what Traefik did before/after the change.