chore(deps): update postgres:18.3-alpine docker digest to 5209801 (#257)

## Summary

- Replace ingress-nginx 4.15.1 with Traefik v3 (Helm chart 39.0.7) as ingress controller
- Convert nginx-specific annotations to Traefik Middleware CRDs
- Update setup script selectors, namespaces, and readiness checks
- Add `.claude/settings.local.json` to `.gitignore`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #254

.gitignore

@@ -1,2 +1,3 @@
 data
 charts
+.claude/settings.local.json

k8s/app/local-proxy.yaml

@@ -24,9 +24,9 @@ kind: Ingress
 metadata:
   name: frontend
   annotations:
-    nginx.ingress.kubernetes.io/upstream-vhost: "localhost:3300"
+    traefik.ingress.kubernetes.io/router.middlewares: default-frontend-host@kubernetescrd
 spec:
-  ingressClassName: nginx
+  ingressClassName: traefik
   tls:
     - hosts:
         - staging-shiny.unbound.se
@@ -59,9 +59,9 @@ kind: Ingress
 metadata:
   name: api
   annotations:
-    nginx.ingress.kubernetes.io/upstream-vhost: "localhost:4444"
+    traefik.ingress.kubernetes.io/router.middlewares: default-api-host@kubernetescrd
 spec:
-  ingressClassName: nginx
+  ingressClassName: traefik
   tls:
     - hosts:
         - staging-shiny-api.unbound.se
@@ -77,3 +77,21 @@ spec:
                 name: api-external
                 port:
                   number: 4444
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: frontend-host
+spec:
+  headers:
+    customRequestHeaders:
+      Host: "localhost:3300"
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: api-host
+spec:
+  headers:
+    customRequestHeaders:
+      Host: "localhost:4444"

k8s/infra/kustomization.yaml

@@ -10,13 +10,13 @@ helmCharts:
   includeCRDs: true
   releaseName: external-secrets
   repo: https://charts.external-secrets.io
-  version: 2.0.1
+  version: 2.3.0
 - name: cert-manager
   namespace: cert-manager
   includeCRDs: true
   releaseName: cert-manager
   repo: https://charts.jetstack.io
-  version: v1.19.4
+  version: v1.20.2
   valuesInline:
     crds:
       enabled: true

k8s/infra/lavinmq.yaml

@@ -28,7 +28,7 @@ spec:
         app.kubernetes.io/name: lavinmq
     spec:
       containers:
-      - image: cloudamqp/lavinmq:2.6.8
+      - image: cloudamqp/lavinmq:2.6.10@sha256:e52866d61141b3bb61a3ae99acd7fac1c750ba86af50037864f9498c27fbd89a
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:

k8s/infra/postgres.yaml

@@ -52,7 +52,7 @@ spec:
     spec:
       containers:
       - name: postgres
-        image: postgres:18.3-alpine@sha256:97e0c20847f5fe90be7e002ce2619be71f037e898f6c7364ad59e3826d60fee5
+        image: postgres:18.3-alpine@sha256:52098013b4b64a746626437d38afc03cabff6cdeb4d3d92e2342aa95f0ce56ea
         args:
         - -c
         - shared_buffers=384MB

k8s/nginx/kustomization.yaml

@@ -1,12 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- namespaces.yaml
-helmCharts:
-- name: ingress-nginx
-  namespace: ingress-nginx
-  includeCRDs: true
-  releaseName: ingress-nginx
-  repo: https://kubernetes.github.io/ingress-nginx
-  version: 4.14.3
-  valuesFile: https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/manifest-templates/provider/kind/values.yaml

k8s/traefik/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- namespaces.yaml
+helmCharts:
+- name: traefik
+  namespace: traefik
+  includeCRDs: true
+  releaseName: traefik
+  repo: https://traefik.github.io/charts
+  version: 39.0.7
+  valuesFile: values.yaml

k8s/traefik/namespaces.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik

k8s/traefik/values.yaml

@@ -0,0 +1,31 @@
+deployment:
+  kind: DaemonSet
+
+ports:
+  web:
+    hostPort: 80
+  websecure:
+    hostPort: 443
+
+tolerations:
+  - key: "node-role.kubernetes.io/master"
+    operator: "Equal"
+    effect: "NoSchedule"
+  - key: "node-role.kubernetes.io/control-plane"
+    operator: "Equal"
+    effect: "NoSchedule"
+
+nodeSelector:
+  ingress-ready: "true"
+
+providers:
+  kubernetesIngress:
+    publishedService:
+      enabled: false
+
+service:
+  type: ClusterIP
+
+ingressClass:
+  enabled: true
+  isDefaultClass: true

setup

@@ -12,20 +12,20 @@ kubectl create secret docker-registry gitlab \
 
 kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "gitlab"}]}'
 
-kustomized="$(mktemp -t unboundnginx.yaml.XXXXXX)"
+kustomized="$(mktemp -t unboundtraefik.yaml.XXXXXX)"
 
-kubectl kustomize --enable-helm "k8s/nginx" >> "${kustomized}"
+kubectl kustomize --enable-helm "k8s/traefik" >> "${kustomized}"
 kubectl apply -f "${kustomized}" --server-side || true
 
-printf "\nWait for pod app.kubernetes.io/component=controller to be created."
+printf "\nWait for pod app.kubernetes.io/name=traefik to be created."
 while :; do
   sleep 2
-  [ -n "$(kubectl -n ingress-nginx get pod --selector=app.kubernetes.io/component=controller 2>/dev/null)" ] && printf "\n\n" && break
+  [ -n "$(kubectl -n traefik get pod --selector=app.kubernetes.io/name=traefik 2>/dev/null)" ] && printf "\n\n" && break
   printf "."
 done
 
-echo "Wait for nginx to be available."
+echo "Wait for traefik to be available."
-until [[ $(kubectl -n ingress-nginx get endpointslices -l 'kubernetes.io/service-name=ingress-nginx-controller' -o=jsonpath='{.items[*].endpoints[*].addresses[*]}') ]]; do sleep 5; done
+until [[ $(kubectl -n traefik get endpointslices -l 'kubernetes.io/service-name=traefik' -o=jsonpath='{.items[*].endpoints[*].addresses[*]}') ]]; do sleep 5; done
 
 kustomized="$(mktemp -t unboundinfra.yaml.XXXXXX)"