From dae8741e68970bab6425229bdccb2d6a52337e19 Mon Sep 17 00:00:00 2001 From: John Downs Date: Wed, 17 Jul 2024 08:49:10 +1200 Subject: [PATCH 1/4] Update AKS version to 1.30 --- README.md | 4 ++-- cluster-stamp.bicep | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 4b5275e2..b3f7b567 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ Finally, this implementation uses the [ASP.NET Core Docker sample web app](https #### Azure platform -- AKS v1.29 +- AKS v1.30 - System and User [node pool separation](https://learn.microsoft.com/azure/aks/use-system-pools) - [AKS-managed Microsoft Entra ID integration](https://learn.microsoft.com/azure/aks/managed-aad) - Microsoft Entra ID-backed Kubernetes RBAC (*local user accounts disabled*) @@ -43,7 +43,7 @@ Finally, this implementation uses the [ASP.NET Core Docker sample web app](https - [ImageCleaner (Eraser)](https://learn.microsoft.com/azure/aks/image-cleaner) *[AKS-managed add-on]* - [Kubernetes Reboot Daemon](https://learn.microsoft.com/azure/aks/node-updates-kured) - [Secrets Store CSI Driver for Kubernetes](https://learn.microsoft.com/azure/aks/csi-secrets-store-driver) *[AKS-managed add-on]* -- [Traefik Ingress Controller](https://doc.traefik.io/traefik/v2.11/routing/providers/kubernetes-ingress/) +- [Traefik Ingress Controller](https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-ingress/) ![Network diagram depicting a hub-spoke network with two peered VNets and main Azure resources used in the architecture.](https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/images/secure-baseline-architecture.svg) diff --git a/cluster-stamp.bicep b/cluster-stamp.bicep index 668fa8c3..bcb06d86 100644 --- a/cluster-stamp.bicep +++ b/cluster-stamp.bicep 
@@ -28,7 +28,7 @@ param clusterAuthorizedIPRanges array = [] @description('AKS Service, Node Pool, and supporting services (KeyVault, App Gateway, etc) region. This needs to be the same region as the vnet provided in these parameters. This defaults to the resource group\'s location for higher reliability.') param location string = resourceGroup().location -param kubernetesVersion string = '1.29' +param kubernetesVersion string = '1.30' @description('Domain name to use for App Gateway and AKS ingress.') param domainName string = 'contoso.com' From c6febe0fe0a8b1a06ab8c239868eefed9f1c272d Mon Sep 17 00:00:00 2001 From: John Downs Date: Wed, 17 Jul 2024 08:52:05 +1200 Subject: [PATCH 2/4] Update Traefik version to 3.0 --- .../09-secret-management-and-ingress-controller.md | 2 +- workload/traefik.yaml | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/deploy/09-secret-management-and-ingress-controller.md b/docs/deploy/09-secret-management-and-ingress-controller.md index 542f7082..a8cf0a25 100644 --- a/docs/deploy/09-secret-management-and-ingress-controller.md +++ b/docs/deploy/09-secret-management-and-ingress-controller.md @@ -58,7 +58,7 @@ Previously you have configured [workload prerequisites](./08-workload-prerequisi ```bash # Import ingress controller image hosted in public container registries - az acr import --source docker.io/library/traefik:v2.11 -n $ACR_NAME_AKS_BASELINE + az acr import --source docker.io/library/traefik:v3.0 -n $ACR_NAME_AKS_BASELINE ``` 1. Install the Traefik Ingress Controller. diff --git a/workload/traefik.yaml b/workload/traefik.yaml index ce445393..4721004a 100644 --- a/workload/traefik.yaml +++ b/workload/traefik.yaml 
@@ -7,7 +7,7 @@ metadata: app.kubernetes.io/name: traefik-ingress-ilb app.kubernetes.io/instance: traefik-ingress-ilb --- -#https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml +#https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: @@ -46,7 +46,6 @@ rules: - update - apiGroups: - traefik.io - - traefik.containo.us resources: - middlewares - middlewaretcps @@ -57,6 +56,7 @@ rules: - tlsoptions - tlsstores - serverstransports + - serverstransporttcps verbs: - get - list @@ -65,7 +65,7 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: traefik-watch-workloads + name: traefik-ingress-controller namespace: a0008 labels: app.kubernetes.io/name: traefik-ingress-ilb @@ -230,10 +230,10 @@ spec: # PRODUCTION READINESS CHANGE REQUIRED # This image should be sourced from a non-public container registry, such as the # one deployed along side of this reference implementation. - # az acr import --source docker.io/library/traefik:v2.11 -n + # az acr import --source docker.io/library/traefik:v3.0 -n # and then set this to - # image: .azurecr.io/library/traefik:v2.11 - - image: docker.io/library/traefik:v2.11 + # image: .azurecr.io/library/traefik:v3.0 + - image: docker.io/library/traefik:v3.0 imagePullPolicy: IfNotPresent name: traefik-ingress-controller resources: @@ -310,4 +310,4 @@ spec: securityContext: fsGroup: 65532 nodeSelector: - agentpool: npuser01 \ No newline at end of file + agentpool: npuser01 From cb1dcd13dc032009a370af9660e91d1b35d1cf45 Mon Sep 17 00:00:00 2001 From: John Downs Date: Wed, 17 Jul 2024 11:27:54 +1200 Subject: [PATCH 3/4] Update version number in doc --- docs/deploy/07-bootstrap-validation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
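Review bot: The ClusterRole change in `@@ -46,7 +46,6 @@` (dropping `traefik.containo.us`) together with the new `serverstransporttcps` resource in `@@ -57,6 +56,7 @@` assumes the cluster's Traefik CRDs have been replaced with the v3.0 set, but no CRD manifest is touched anywhere in this patch series. If the CRDs are still the v2.11 ones, the new rule names a resource kind that does not exist, and any objects still declared under `apiVersion: traefik.containo.us/v1alpha1` in `a0008` are presumably no longer readable by the controller, with nothing in the manifest to flag it. Worth confirming where the CRDs come from before this lands, and documenting the coupling with a comment above the `apiGroups` entry such as `# Traefik v3 serves only the traefik.io API group; requires the v3.0 CRD set`. The ClusterRole's rules list continues outside both hunks.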
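Review bot: The old ClusterRoleBinding `traefik-watch-workloads` is not removed by renaming it to `traefik-ingress-controller` in `@@ -65,7 +65,7 @@`; a ClusterRoleBinding is cluster-scoped, so applying this manifest with `kubectl apply` or a GitOps reconciler without pruning creates the new binding and leaves the old one still granting the ClusterRole to the same subject. Either keep the previous name or add the cleanup step to the deploy docs, e.g. `kubectl delete clusterrolebinding traefik-watch-workloads`, so the stale grant does not linger. The `namespace: a0008` line below the new name is ignored on a cluster-scoped object (pre-existing, but worth a comment now that the name changes). The binding's `roleRef` and `subjects` are outside the hunk.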
diff --git a/docs/deploy/07-bootstrap-validation.md b/docs/deploy/07-bootstrap-validation.md index 5d01aa87..309d6e52 100644 --- a/docs/deploy/07-bootstrap-validation.md +++ b/docs/deploy/07-bootstrap-validation.md @@ -10,7 +10,7 @@ GitOps allows a team to author Kubernetes manifest files, persist them in their - Cluster-wide configuration of Azure Monitor for Containers - The workload's namespace named `a0008` -1. Install `kubectl` 1.28 or newer. (`kubectl` supports ±1 Kubernetes version.) +1. Install `kubectl` 1.29 or newer. (`kubectl` supports ±1 Kubernetes version.) ```bash sudo az aks install-cli From 6a67614980382b37ef8144694cf79fb56e52a0c6 Mon Sep 17 00:00:00 2001 From: John Downs Date: Thu, 18 Jul 2024 16:04:16 +1200 Subject: [PATCH 4/4] Fix typo in Bicep file --- cluster-stamp.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster-stamp.bicep b/cluster-stamp.bicep index bcb06d86..268741e6 100644 --- a/cluster-stamp.bicep +++ b/cluster-stamp.bicep @@ -1138,7 +1138,7 @@ resource paEnforceImageSource 'Microsoft.Authorization/policyAssignments@2024-04 policyDefinitionId: pdEnforceImageSource.id parameters: { allowedContainerImagesRegex: { - // If all images are pull into your ARC instance as described in these instructions you can remove the docker.io & ghcr.io entries. + // If all images are pull into your ACR instance as described in these instructions you can remove the docker.io & ghcr.io entries. value: '${acr.name}\\.azurecr\\.io/.+$|mcr\\.microsoft\\.com/.+$|docker\\.io/library/.+$' } excludedNamespaces: {
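Review bot: The corrected comment in `@@ -1138,7 +1138,7 @@` still tells the reader they can remove the `docker.io & ghcr.io entries`, but the regex on the following `value:` line has no `ghcr.io` alternative, only the ACR, `mcr.microsoft.com` and `docker.io/library` ones; suggest `// If all images are pulled into your ACR instance as described in these instructions you can remove the docker.io entry.` (also fixing `pull` to `pulled`). Separately, each alternative ends in `$` but none starts with `^`; if `pdEnforceImageSource` evaluates this as an unanchored regex (Rego's `regex.match`, used by Gatekeeper-based policies, is unanchored), an image reference whose registry path merely contains one of these patterns would also be accepted, so anchoring each alternative as `'^${acr.name}\\.azurecr\\.io/.+$|^mcr\\.microsoft\\.com/.+$|^docker\\.io/library/.+$'` is the safer form. The `paEnforceImageSource` resource continues outside the hunk, so the policy definition's matching semantics cannot be confirmed from here.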