refactor: migrate from ingress-nginx to Traefik v3

Replace ingress-nginx 4.15.1 with Traefik v3 (Helm chart 39.0.7)
as the ingress controller for the local kind cluster.

- Replace k8s/nginx/ with k8s/traefik/ (Helm chart, values, namespace)
- Update setup script selectors and namespace references
- Convert nginx upstream-vhost annotations to Traefik Middleware CRDs
- Update ingressClassName from nginx to traefik

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

k8s/app/local-proxy.yaml

@@ -24,9 +24,9 @@ kind: Ingress
 metadata:
   name: frontend
   annotations:
-    nginx.ingress.kubernetes.io/upstream-vhost: "localhost:3300"
+    traefik.ingress.kubernetes.io/router.middlewares: default-frontend-host@kubernetescrd
 spec:
-  ingressClassName: nginx
+  ingressClassName: traefik
   tls:
     - hosts:
         - staging-shiny.unbound.se
@@ -59,9 +59,9 @@ kind: Ingress
 metadata:
   name: api
   annotations:
-    nginx.ingress.kubernetes.io/upstream-vhost: "localhost:4444"
+    traefik.ingress.kubernetes.io/router.middlewares: default-api-host@kubernetescrd
 spec:
-  ingressClassName: nginx
+  ingressClassName: traefik
   tls:
     - hosts:
         - staging-shiny-api.unbound.se
@@ -77,3 +77,21 @@ spec:
                 name: api-external
                 port:
                   number: 4444
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: frontend-host
+spec:
+  headers:
+    customRequestHeaders:
+      Host: "localhost:3300"
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: api-host
+spec:
+  headers:
+    customRequestHeaders:
+      Host: "localhost:4444"

k8s/nginx/kustomization.yaml

@@ -1,12 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- namespaces.yaml
-helmCharts:
-- name: ingress-nginx
-  namespace: ingress-nginx
-  includeCRDs: true
-  releaseName: ingress-nginx
-  repo: https://kubernetes.github.io/ingress-nginx
-  version: 4.15.1
-  valuesFile: https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/manifest-templates/provider/kind/values.yaml

k8s/traefik/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- namespaces.yaml
+helmCharts:
+- name: traefik
+  namespace: traefik
+  includeCRDs: true
+  releaseName: traefik
+  repo: https://traefik.github.io/charts
+  version: 39.0.7
+  valuesFile: values.yaml

k8s/traefik/namespaces.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik

setup

@@ -12,20 +12,20 @@ kubectl create secret docker-registry gitlab \
 
 kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "gitlab"}]}'
 
-kustomized="$(mktemp -t unboundnginx.yaml.XXXXXX)"
+kustomized="$(mktemp -t unboundtraefik.yaml.XXXXXX)"
 
-kubectl kustomize --enable-helm "k8s/nginx" >> "${kustomized}"
+kubectl kustomize --enable-helm "k8s/traefik" >> "${kustomized}"
 kubectl apply -f "${kustomized}" --server-side || true
 
-printf "\nWait for pod app.kubernetes.io/component=controller to be created."
+printf "\nWait for pod app.kubernetes.io/name=traefik to be created."
 while :; do
   sleep 2
-  [ -n "$(kubectl -n ingress-nginx get pod --selector=app.kubernetes.io/component=controller 2>/dev/null)" ] && printf "\n\n" && break
+  [ -n "$(kubectl -n traefik get pod --selector=app.kubernetes.io/name=traefik 2>/dev/null)" ] && printf "\n\n" && break
   printf "."
 done
 
-echo "Wait for nginx to be available."
-until [[ $(kubectl -n ingress-nginx get endpointslices -l 'kubernetes.io/service-name=ingress-nginx-controller' -o=jsonpath='{.items[*].endpoints[*].addresses[*]}') ]]; do sleep 5; done
+echo "Wait for traefik to be available."
+until [[ $(kubectl -n traefik get endpointslices -l 'kubernetes.io/service-name=traefik' -o=jsonpath='{.items[*].endpoints[*].addresses[*]}') ]]; do sleep 5; done
 
 kustomized="$(mktemp -t unboundinfra.yaml.XXXXXX)"