From 24d977621bbd0d1dbbc10676f0522e62bd100e1e Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Sat, 28 Sep 2024 18:55:56 +0200
Subject: [PATCH] Add forgotten file
---
 templates/traefik-ondemand-plugin.yml.j2 | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/templates/traefik-ondemand-plugin.yml.j2 b/templates/traefik-ondemand-plugin.yml.j2
index 59c28ad..0a0aba5 100644
--- a/templates/traefik-ondemand-plugin.yml.j2
+++ b/templates/traefik-ondemand-plugin.yml.j2
@@ -19,9 +19,21 @@ spec:
 containers:
 - name: sablier
 image: acouvreur/sablier:1.7.0
- args: ["start", "--provider.name=kubernetes"]
+ args: ["start", "--provider.name=kubernetes", "--storage.file=/dev/shm/state.json"]
 ports:
- - containerPort: 10000
+ - containerPort: 10000
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ALL]
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ securityContext:
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+# --configFile=path/to/myconfigfile.yml
 ---
 apiVersion: v1
 kind: Service
@@ -39,7 +51,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: sablier
- namespace: {{ traefik_namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -87,7 +98,7 @@ subjects:
 name: sablier
 namespace: {{ traefik_namespace }}
 #---
-#apiVersion: traefik.containo.us/v1alpha1
+#apiVersion: traefik.io/v1alpha1
 #kind: Middleware
 #metadata:
 # name: ondemand
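Review bot: The new `--storage.file=/dev/shm/state.json` argument in the first hunk depends on `/dev/shm` staying writable under `readOnlyRootFilesystem: true`, which holds only because the container runtime mounts a tmpfs there by default; the manifest itself never declares that writable path or bounds its size. Mounting a memory-backed `emptyDir` with a `sizeLimit` and pointing `--storage.file` at it would make the one writable location explicit and capped, so the read-only root setting does not rest on a runtime default. Either way the state file presumably does not survive pod re-creation, which deserves a short comment beside the argument. The Deployment begins above the hunk and indentation is lost on this page, so the placement in the sketch below is assumed and the size is a constructed example value.

```yaml
          args: ["start", "--provider.name=kubernetes", "--storage.file=/state/state.json"]
          # … unchanged: ports, container securityContext …
          volumeMounts:
            - name: sablier-state
              mountPath: /state
      # … unchanged: pod securityContext …
      volumes:
        - name: sablier-state
          emptyDir:
            medium: Memory
            sizeLimit: 16Mi  # constructed example value
```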