iac/roles/traefik_gateway/tasks/main.yml

---
- name: Install Gateway API CRDs
  shell: |
    microk8s kubectl apply --server-side -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.1/experimental-install.yaml
  register: install_crds
  changed_when: "'configured' in install_crds.stdout or 'created' in install_crds.stdout"

- name: Install Traefik CRDs
  shell: |
    microk8s kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
  register: install_traefik_crds
  changed_when: "'configured' in install_traefik_crds.stdout or 'created' in install_traefik_crds.stdout"

- name: Add Traefik Helm Repo
  kubernetes.core.helm_repository:
    name: traefik
    repo_url: https://traefik.github.io/charts

- name: Install Traefik with Gateway API support
  kubernetes.core.helm:
    name: traefik
    chart_ref: traefik/traefik
    release_namespace: traefik
    create_namespace: true
    values:
      providers:
        kubernetesGateway:
          enabled: true
          experimentalChannel: true
      ports:
        web:
          port: 80
        websecure:
          port: 443
        ssh:
          port: 2222
          expose:
            default: true
          exposedPort: 2222
          protocol: TCP
      service:
        type: LoadBalancer
      gateway:
        enabled: false
      gatewayClass:
        enabled: false
      securityContext:
        capabilities:
          drop: [ALL]
          add: [NET_BIND_SERVICE]
        runAsNonRoot: true
        runAsUser: 65532
        runAsGroup: 65532
    skip_crds: true
    wait: true

- name: Create Gateway Class
  kubernetes.core.k8s:
    definition:
      apiVersion: gateway.networking.k8s.io/v1
      kind: GatewayClass
      metadata:
        name: traefik
      spec:
        controllerName: traefik.io/gateway-controller

- name: Create Gateway
  kubernetes.core.k8s:
    definition:
      apiVersion: gateway.networking.k8s.io/v1
      kind: Gateway
      metadata:
        name: main-gateway
        namespace: traefik
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt-prod
      spec:
        gatewayClassName: traefik
        listeners:
        - name: web
          port: 80
          protocol: HTTP
          allowedRoutes:
            namespaces:
              from: All
        - name: websecure
          port: 443
          protocol: HTTPS
          hostname: git.svc.pguia.com
          tls:
            mode: Terminate
            certificateRefs:
            - name: git-svc-pguia-com-tls
          allowedRoutes:
            namespaces:
              from: All
        - name: ssh
          port: 2222
          protocol: TCP
          allowedRoutes:
            namespaces:
              from: All
        - name: argocd-https
          port: 443
          protocol: HTTPS
          hostname: argocd.svc.pguia.com
          tls:
            mode: Terminate
            certificateRefs:
            - name: argocd-svc-pguia-com-tls
          allowedRoutes:
            namespaces:
              from: All