Add forgotten file

defaults/main.yml

@@ -1,6 +1,6 @@
 my_context: kubernetes
-traefik_version: "3.0.4"
-traefik_helm_chart_version: "28.0.0"
+traefik_version: "3.1.4"
+traefik_helm_chart_version: "31.1.1"
 cluster_domain: "local"
 traefik_namespace: "traefik"
 traefik_service_type: LoadBalancer

tasks/main.yml

@@ -106,6 +106,9 @@
       kubernetes.core.helm_repository:
         name: traefik
         repo_url: "https://helm.traefik.io/traefik"
+#    - name: show templating results
+#      ansible.builtin.debug:
+#        msg: "{{ lookup('ansible.builtin.template', 'traefik-helm-value.yaml.j2') }}"
     - name: Deploy latest version of Traefik
       kubernetes.core.helm:
         context: "{{ my_context }}"
@@ -113,6 +116,7 @@
         chart_ref: traefik/traefik
         chart_version: "{{ traefik_helm_chart_version }}"
         release_namespace: "{{ traefik_namespace }}"
+        create_namespace: true
         values: "{{ lookup('template', 'traefik-helm-value.yaml.j2') | from_yaml }}"
 
     - name: Install traefik configuration
@@ -122,8 +126,9 @@
         namespace: '{{ traefik_namespace }}'
 #        merge_type: merge
         apply: true
-        resource_definition: "{{ lookup('template', item) | from_yaml }}"
+        resource_definition: "{{ lookup('template', item) | from_yaml_all }}"
       with_items:
+        - default-network-dns-policy.yaml.j2
 #        - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}"
         - traefik-certificate.yml.j2
         - traefik-cm.yml.j2

templates/default-network-dns-policy.yaml.j2

@@ -0,0 +1,46 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: intra-namespace
+spec:
+  podSelector: {}
+  ingress:
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            name: {{ traefik_namespace }}
+
+#---
+#apiVersion: networking.k8s.io/v1
+#kind: NetworkPolicy
+#metadata:
+#  name: allow-dns-access
+#spec:
+#  podSelector:
+#    matchLabels: {}
+#  policyTypes:
+#  - Egress
+#  egress:
+#  - to:
+#    - namespaceSelector:
+#        matchLabels:
+#          kubernetes.io/metadata.name: kube-system
+#      podSelector:
+#        matchLabels:
+#          k8s-app: kube-dns
+#    ports:
+#    - protocol: UDP
+#      port: 53
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-traefik-v121-ingress
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: traefik
+  ingress:
+  - {}
+  policyTypes:
+  - Ingress

templates/traefik-helm-value.yaml.j2

@@ -140,11 +140,10 @@ metrics:
 #             severity: warning
 #           annotations:
 #             summary: "Traefik Down"
-#             description: "{{ $labels.pod }} on {{ $labels.nodename }} is down"
+#             description: "{% raw %}{{ $labels.pod }} on {{ $labels.nodename }} is down{% endraw %}"
 experimental:
-  plugins:
-    enabled: true
 {% if traefik_ondemand is defined %}
+  plugins:
     sablier:
       moduleName: "github.com/acouvreur/sablier"
       version: "v1.7.0"
@@ -155,3 +154,10 @@ experimental:
   hub:
     enabled: true
 {% endif %}
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop: [ALL]
+  readOnlyRootFilesystem: true
+  seccompProfile: 
+    type: RuntimeDefault

templates/traefik-ingressroute.yml.j2

@@ -1,4 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: traefik

templates/traefik-ondemand-plugin.yml.j2

@@ -19,9 +19,21 @@ spec:
       containers:
       - name: sablier
         image: acouvreur/sablier:1.7.0
-        args: ["start", "--provider.name=kubernetes"]
+        args: ["start", "--provider.name=kubernetes", "--storage.file=/dev/shm/state.json"]
         ports:
           - containerPort: 10000
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: [ALL]
+          readOnlyRootFilesystem: true
+          seccompProfile:
+            type: RuntimeDefault
+      securityContext:
+        runAsGroup: 65532
+        runAsNonRoot: true
+        runAsUser: 65532
+# --configFile=path/to/myconfigfile.yml 
 ---
 apiVersion: v1
 kind: Service
@@ -39,7 +51,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: sablier
-  namespace: {{ traefik_namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -87,7 +98,7 @@ subjects:
     name: sablier
     namespace: {{ traefik_namespace }}
 #---
-#apiVersion: traefik.containo.us/v1alpha1
+#apiVersion: traefik.io/v1alpha1
 #kind: Middleware
 #metadata:
 #  name: ondemand