Merge pull request #4047 from bgruszka/release/v2

fix: compose intercept ignores httpFilters due to missing http mechanism

Author: thallgren

.github/actions/install-dependencies/action.yaml

@@ -40,15 +40,24 @@ runs:
           brew install jq
         fi
     - if: runner.os == 'Windows'
-      name: setup make and zip
+      name: setup make
       shell: pwsh
       run: |
         # Use make from Git for Windows (pre-installed on runners)
         echo "C:\Program Files\Git\usr\bin" | Out-File -FilePath $env:GITHUB_PATH -Append
-        # Download Info-ZIP (Git for Windows only has unzip, not zip)
-        Invoke-WebRequest -Uri "https://www.willus.com/archive/zip64/infozip_binaries_win32.zip" -OutFile infozip.zip
-        Expand-Archive -Path infozip.zip -DestinationPath C:\infozip
-        echo "C:\infozip" | Out-File -FilePath $env:GITHUB_PATH -Append
+    - if: runner.os == 'Windows'
+      name: download Info-ZIP
+      uses: nick-fields/retry/@v3
+      with:
+        max_attempts: 3
+        timeout_minutes: 1
+        shell: pwsh
+        command: |
+          $ErrorActionPreference = 'Stop'
+          # Download Info-ZIP (Git for Windows only has unzip, not zip)
+          Invoke-WebRequest -Uri "https://www.willus.com/archive/zip64/infozip_binaries_win32.zip" -OutFile infozip.zip
+          Expand-Archive -Path infozip.zip -DestinationPath C:\infozip
+          echo "C:\infozip" | Out-File -FilePath $env:GITHUB_PATH -Append
     - if: runner.os == 'Windows'
       name: download winfsp
       uses: nick-fields/retry/@v3

.github/workflows/dev.yaml

@@ -4,16 +4,26 @@ on:
     types:
       - labeled
 
+permissions:
+  contents: read
+  pull-requests: write
+
 env:
-  TELEPRESENCE_REGISTRY: ghcr.io/telepresenceio
+  TELEPRESENCE_REGISTRY: local
 
 jobs:
-  build_images:
+  build_and_test:
     if: ${{ github.event.label.name == 'ok to test' || github.event.label.name == 'compatibility test' }}
-    runs-on: ubuntu-latest
-    outputs:
-      telepresenceVersion: ${{ steps.version.outputs.version }}
-      telepresenceSemver: ${{ steps.version.outputs.semver }}
+    strategy:
+      fail-fast: false
+      matrix:
+        runners:
+          - ubuntu-latest
+          # Re-enable when we can run a proper cluster. Colima almost works on macOS but the very limited
+          # resources available make the test fail very often. On windows, we'll need WSL2
+          # - macos-latest
+          # - windows-latest
+    runs-on: ${{ matrix.runners }}
     steps:
       - name: Remove ok to test label
         if: github.event.label.name == 'ok to test'
@@ -33,62 +43,27 @@ jobs:
         with:
           fetch-depth: 0
           ref: "${{ github.event.pull_request.head.sha }}"
+      - name: install dependencies
+        uses: ./.github/actions/install-dependencies
       - name: Get Telepresence Version
         id: version
         run: |
           v=$(go run build-aux/genversion/main.go ${{github.run_id}})
           echo "TELEPRESENCE_VERSION=$v" >> "$GITHUB_ENV"
           echo "TELEPRESENCE_SEMVER=${v#v}" >> "$GITHUB_ENV"
-          echo "version=$v" >> $GITHUB_OUTPUT
-          echo "semver=${v#v}" >> $GITHUB_OUTPUT
-      - name: Setup docker buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          platforms: linux/amd64,linux/arm64
-      - name: Build image dependencies
-        run: make images-deps
-      - name: Log in to registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-      - name: Push client image
-        run: |
-          docker buildx build --platform=linux/amd64,linux/arm64 --build-arg TELEPRESENCE_VERSION=${{env.TELEPRESENCE_SEMVER}} \
-          --push --tag ${{env.TELEPRESENCE_REGISTRY}}/telepresence:${{env.TELEPRESENCE_SEMVER}} -f build-aux/docker/images/Dockerfile.client .
-      - name: Push tel2 image
-        run: |
-          docker buildx build --platform=linux/amd64,linux/arm64 --build-arg TELEPRESENCE_VERSION=${{env.TELEPRESENCE_SEMVER}} \
-          --push --tag ${{env.TELEPRESENCE_REGISTRY}}/tel2:${{env.TELEPRESENCE_SEMVER}} -f build-aux/docker/images/Dockerfile.traffic .
-      - name: Log out from registry
-        if: always()
-        run: docker logout
-
-  run_tests:
-    if: ${{ github.event.label.name == 'ok to test' || github.event.label.name == 'compatibility test' }}
-    strategy:
-      fail-fast: false
-      matrix:
-        runners:
-          - ubuntu-latest
-          # Re-enable when we can run a proper cluster. Colima almost works on macOS but the very limited
-          # resources available make the test fail very often. On windows, we'll need WSL2
-          # - macos-latest
-          # - windows-latest
-    runs-on: ${{ matrix.runners }}
-    needs: build_images
-    env:
-      TELEPRESENCE_VERSION: ${{ needs.build_images.outputs.telepresenceVersion }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: "${{ github.event.pull_request.head.sha }}"
-      - name: install dependencies
-        uses: ./.github/actions/install-dependencies
       - name: Start minikube
         if: runner.os == 'Linux'
         uses: medyagh/setup-minikube@latest
         with:
           kubernetes-version: v1.33.5
       - name: Build client
         run: make build
+      - name: Build images
+        run: make client-image tel2-image
+      - name: Load images into minikube
+        run: |
+          minikube image load ${{env.TELEPRESENCE_REGISTRY}}/telepresence:${{env.TELEPRESENCE_SEMVER}}
+          minikube image load ${{env.TELEPRESENCE_REGISTRY}}/tel2:${{env.TELEPRESENCE_SEMVER}}
       - name: Run integration tests
         if: github.event.label.name == 'ok to test'
         uses: nick-fields/retry/@v3
@@ -106,6 +81,7 @@ jobs:
         if:  ${{ github.event.label.name == 'compatibility test' }}
         env:
           DEV_MANAGER_VERSION: "2.24.1"
+          DEV_MANAGER_REGISTRY: ghcr.io/telepresenceio
         uses: nick-fields/retry/@v3
         with:
           max_attempts: 3
@@ -121,6 +97,7 @@ jobs:
         if:  ${{ github.event.label.name == 'compatibility test' }}
         env:
           DEV_CLIENT_VERSION: "2.24.1"
+          DEV_CLIENT_REGISTRY: ghcr.io/telepresenceio
         uses: nick-fields/retry/@v3
         with:
           max_attempts: 3
@@ -136,30 +113,3 @@ jobs:
         env:
           LOG_SUFFIX: "${{ runner.os }}-${{ runner.arch }}-${{ matrix.clusters.distribution }}-${{ matrix.clusters.version }}"
         if: ${{ always() }}
-  purge_images:
-    if: ${{ always() }}
-    runs-on: ubuntu-latest
-    permissions:
-      packages: write
-    needs:
-      - build_images
-      - run_tests
-    steps:
-      - name: Delete tel2 and telepresence image
-        uses: dataaxiom/ghcr-cleanup-action@v1
-        continue-on-error: true
-        with:
-          owner: telepresenceio
-          packages: tel2,telepresence
-          token: ${{ secrets.GITHUB_TOKEN }}
-          delete-tags: ${{ needs.build_images.outputs.telepresenceSemver }}
-      - name: Prune tel2 and telepresence
-        uses: dataaxiom/ghcr-cleanup-action@v1
-        with:
-          owner: telepresenceio
-          packages: tel2,telepresence
-          token: ${{ secrets.GITHUB_TOKEN }}
-          delete-untagged: true
-          delete-ghost-images: true
-          delete-partial-images: true
-          delete-orphaned-images: true

.github/workflows/release.yaml

@@ -215,6 +215,25 @@ jobs:
           v=${{ github.ref_name }}
           packaging/homebrew-package.sh "${v#v}" "${{ vars.GH_BOT_USER }}" "${{ vars.GH_BOT_EMAIL }}" "${{ secrets.HOMEBREW_TAP_TOKEN }}"
 
+  prune-images:
+    if: ${{ always() }}
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    needs:
+      - push-images
+    steps:
+      - name: Prune tel2 and telepresence
+        uses: dataaxiom/ghcr-cleanup-action@v1
+        with:
+          owner: telepresenceio
+          packages: tel2,telepresence
+          token: ${{ secrets.GITHUB_TOKEN }}
+          delete-untagged: true
+          delete-ghost-images: true
+          delete-partial-images: true
+          delete-orphaned-images: true
+
   test-release:
     needs:
       - push-images

CHANGELOG.yml

@@ -52,6 +52,16 @@ items:
           the need for elevated privileges when using Telepresence. Currently available for amd64 architecture only
           due to dependency constraints.
         docs: install/client
+  - version: 2.26.2
+    date: 2026-02-05
+    notes:
+      - type: bugfix
+        title: Fix HTTP intercepts via telepresence compose failing when httpFilters or httpPaths are set
+        body: >-
+          The compose extension set HeaderFilters and PathFilters on the intercept spec but left the mechanism as "tcp".
+          This caused the traffic manager to reject the intercept with "global TCP/UDP intercepts are disabled".
+          The mechanism is now correctly switched to "http" when any HTTP filters are specified, matching the behavior
+          of the CLI intercept command.
   - version: 2.26.1
     date: 2026-01-26
     notes:

docs/release-notes.md

@@ -20,6 +20,13 @@ New Linux package installers (.deb for Debian/Ubuntu and .rpm for Fedora/RHEL) a
 A new Windows installer (.exe) is now available that installs Telepresence with the root daemon configured as a Windows service. The installer bundles WinFSP and SSHFS-Win dependencies for volume mount support, adds Telepresence to the system PATH, and optionally installs the TelepresenceDaemon service. This eliminates the need for elevated privileges when using Telepresence. Currently available for amd64 architecture only due to dependency constraints.
 </div>
 
+## Version 2.26.2 <span style="font-size: 16px;">(February  5)</span>
+## <div style="display:flex;"><img src="images/bugfix.png" alt="bugfix" style="width:30px;height:fit-content;"/><div style="display:flex;margin-left:7px;">Fix HTTP intercepts via telepresence compose failing when httpFilters or httpPaths are set</div></div>
+<div style="margin-left: 15px">
+
+The compose extension set HeaderFilters and PathFilters on the intercept spec but left the mechanism as "tcp". This caused the traffic manager to reject the intercept with "global TCP/UDP intercepts are disabled". The mechanism is now correctly switched to "http" when any HTTP filters are specified, matching the behavior of the CLI intercept command.
+</div>
+
 ## Version 2.26.1 <span style="font-size: 16px;">(January 26)</span>
 ## <div style="display:flex;"><img src="images/bugfix.png" alt="bugfix" style="width:30px;height:fit-content;"/><div style="display:flex;margin-left:7px;">[Add support for "warning" as an alias for "warn" in log levels](https://github.com/telepresenceio/telepresence/issues/4043)</div></div>
 <div style="margin-left: 15px">

docs/release-notes.mdx

@@ -26,6 +26,13 @@ New Linux package installers (.deb for Debian/Ubuntu and .rpm for Fedora/RHEL) a
 A new Windows installer (.exe) is now available that installs Telepresence with the root daemon configured as a Windows service. The installer bundles WinFSP and SSHFS-Win dependencies for volume mount support, adds Telepresence to the system PATH, and optionally installs the TelepresenceDaemon service. This eliminates the need for elevated privileges when using Telepresence. Currently available for amd64 architecture only due to dependency constraints.
   </Body>
 </Note>
+## Version 2.26.2 <span style={{fontSize:'16px'}}>(February  5)</span>
+<Note>
+	<Title type="bugfix">Fix HTTP intercepts via telepresence compose failing when httpFilters or httpPaths are set</Title>
+	<Body>
+The compose extension set HeaderFilters and PathFilters on the intercept spec but left the mechanism as "tcp". This caused the traffic manager to reject the intercept with "global TCP/UDP intercepts are disabled". The mechanism is now correctly switched to "http" when any HTTP filters are specified, matching the behavior of the CLI intercept command.
+  </Body>
+</Note>
 ## Version 2.26.1 <span style={{fontSize:'16px'}}>(January 26)</span>
 <Note>
 	<Title type="bugfix" docs="https://github.com/telepresenceio/telepresence/issues/4043">Add support for "warning" as an alias for "warn" in log levels</Title>

docs/variables.yml

@@ -1,2 +1,2 @@
 version: "2.27.0"
-dlVersion: "v2.27.0"
+dlVersion: "v2.27.0"

integration_test/itest/helm.go

@@ -260,15 +260,16 @@ func (s *cluster) TelepresenceHelmInstall(ctx context.Context, upgrade bool, set
 	}
 
 	vx.Image = GetImage(ctx)
-	if !s.isCI && s.ManagerVersion().EQ(s.ClientVersion()) {
-		pp := "Always"
+	if s.ManagerVersion().EQ(s.ClientVersion()) {
 		if s.ManagerRegistry() == "local" {
 			// Using minikube with local images.
 			// They are automatically present and must not be pulled.
-			pp = "Never"
+			vx.Image.PullPolicy = "Never"
+			vx.Agent.Image.PullPolicy = "Never"
+		} else if !s.isCI {
+			vx.Image.PullPolicy = "Always"
+			vx.Agent.Image.PullPolicy = "Always"
 		}
-		vx.Image.PullPolicy = pp
-		vx.Agent.Image.PullPolicy = pp
 	}
 
 	ss, err := yaml.Marshal(&vx)

pkg/client/cli/docker/compose/extension.go

@@ -273,6 +273,9 @@ func (e *httpFilterExtension) amendInterceptSpec(spec *manager.InterceptSpec) er
 	}
 	spec.HeaderFilters = e.HttpFilters
 	spec.PathFilters = intercept.BuildPathFilters(e.Paths, e.PathPrefixes, e.PathRegexps)
+	if len(spec.HeaderFilters) > 0 || len(spec.PathFilters) > 0 {
+		spec.Mechanism = "http"
+	}
 	spec.Metadata = e.Metadata
 	return nil
 }

pkg/client/cli/docker/compose/extension_test.go

@@ -0,0 +1,99 @@
+package compose
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/telepresenceio/telepresence/rpc/v2/manager"
+	"github.com/telepresenceio/telepresence/v2/pkg/types"
+)
+
+func TestAmendInterceptSpec_MechanismSetToHTTP(t *testing.T) {
+	tests := []struct {
+		name              string
+		httpFilters       map[string]string
+		httpPaths         []string
+		httpPathPrefixes  []string
+		httpPathRegexps   []string
+		expectedMechanism string
+	}{
+		{
+			name:              "no filters leaves mechanism as tcp",
+			expectedMechanism: "tcp",
+		},
+		{
+			name:              "header filter switches mechanism to http",
+			httpFilters:       map[string]string{"x-dev-id": "jdoe"},
+			expectedMechanism: "http",
+		},
+		{
+			name:              "multiple header filters switch mechanism to http",
+			httpFilters:       map[string]string{"x-dev-id": "jdoe", "x-env": "staging"},
+			expectedMechanism: "http",
+		},
+		{
+			name:              "exact path filter switches mechanism to http",
+			httpPaths:         []string{"/api/v1/users"},
+			expectedMechanism: "http",
+		},
+		{
+			name:              "path prefix filter switches mechanism to http",
+			httpPathPrefixes:  []string{"/api/"},
+			expectedMechanism: "http",
+		},
+		{
+			name:              "path regex filter switches mechanism to http",
+			httpPathRegexps:   []string{`/api/v[0-9]+/.*`},
+			expectedMechanism: "http",
+		},
+		{
+			name:              "headers and paths together switch mechanism to http",
+			httpFilters:       map[string]string{"x-dev-id": "jdoe"},
+			httpPathPrefixes:  []string{"/api/"},
+			expectedMechanism: "http",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ext := &httpFilterExtension{
+				HttpFilters:  tt.httpFilters,
+				Paths:        tt.httpPaths,
+				PathPrefixes: tt.httpPathPrefixes,
+				PathRegexps:  tt.httpPathRegexps,
+				Ports:        []types.PortMapping{"3005:3005"},
+			}
+
+			spec := &manager.InterceptSpec{Mechanism: "tcp"}
+			err := ext.amendInterceptSpec(spec)
+			require.NoError(t, err)
+			assert.Equal(t, tt.expectedMechanism, spec.Mechanism)
+		})
+	}
+}
+
+func TestAmendInterceptSpec_HeaderFiltersPopulated(t *testing.T) {
+	filters := map[string]string{"x-dev-id": "jdoe", "x-env": "staging"}
+	ext := &httpFilterExtension{
+		HttpFilters: filters,
+		Ports:       []types.PortMapping{"3005:3005"},
+	}
+
+	spec := &manager.InterceptSpec{Mechanism: "tcp"}
+	err := ext.amendInterceptSpec(spec)
+	require.NoError(t, err)
+	assert.Equal(t, filters, spec.HeaderFilters)
+}
+
+func TestAmendInterceptSpec_NoPorts_ReturnsError(t *testing.T) {
+	ext := &httpFilterExtension{
+		HttpFilters: map[string]string{"x-dev-id": "jdoe"},
+	}
+
+	spec := &manager.InterceptSpec{Mechanism: "tcp"}
+	err := ext.amendInterceptSpec(spec)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "requires at least one port")
+}