Version updates (#417)

* Update AKS version to 1.30

* Update Traefik version to 3.0

* Update version number in doc

* Fix typo in Bicep file

README.md

@@ -24,7 +24,7 @@ Finally, this implementation uses the [ASP.NET Core Docker sample web app](https
 
 #### Azure platform
 
-- AKS v1.29
+- AKS v1.30
   - System and user [node pool separation](https://learn.microsoft.com/azure/aks/use-system-pools)
   - [AKS-managed Microsoft Entra ID integration](https://learn.microsoft.com/azure/aks/managed-aad)
   - Microsoft Entra ID-backed Kubernetes RBAC (*local user accounts disabled*)
@@ -43,7 +43,7 @@ Finally, this implementation uses the [ASP.NET Core Docker sample web app](https
 - [ImageCleaner (Eraser)](https://learn.microsoft.com/azure/aks/image-cleaner) *[AKS-managed add-on]*
 - [Kubernetes Reboot Daemon](https://learn.microsoft.com/azure/aks/node-updates-kured)
 - [Secrets Store CSI Driver for Kubernetes](https://learn.microsoft.com/azure/aks/csi-secrets-store-driver) *[AKS-managed add-on]*
-- [Traefik Ingress Controller](https://doc.traefik.io/traefik/v2.11/routing/providers/kubernetes-ingress/)
+- [Traefik Ingress Controller](https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-ingress/)
 
 ![Network diagram depicting a hub-spoke network with two peered VNets and main Azure resources used in the architecture.](https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/images/secure-baseline-architecture.svg)
 

cluster-stamp.bicep

@@ -28,7 +28,7 @@ param clusterAuthorizedIPRanges array = []
 @description('AKS Service, Node Pool, and supporting services (KeyVault, App Gateway, etc) region. This needs to be the same region as the vnet provided in these parameters. This defaults to the resource group\'s location for higher reliability.')
 param location string = resourceGroup().location
 
-param kubernetesVersion string = '1.29'
+param kubernetesVersion string = '1.30'
 
 @description('Domain name to use for App Gateway and AKS ingress.')
 param domainName string = 'contoso.com'
@@ -1137,7 +1137,7 @@ resource paEnforceImageSource 'Microsoft.Authorization/policyAssignments@2024-04
     policyDefinitionId: pdEnforceImageSource.id
     parameters: {
       allowedContainerImagesRegex: {
-        // If all images are pull into your ARC instance as described in these instructions you can remove the docker.io & ghcr.io entries.
+        // If all images are pull into your ACR instance as described in these instructions you can remove the docker.io & ghcr.io entries.
         value: '${acr.name}\\.azurecr\\.io/.+$|mcr\\.microsoft\\.com/.+$|docker\\.io/library/.+$'
       }
       excludedNamespaces: {

docs/deploy/07-bootstrap-validation.md

@@ -10,7 +10,7 @@ GitOps allows a team to author Kubernetes manifest files, persist them in their
 - Cluster-wide configuration of Azure Monitor for Containers
 - The workload's namespace named `a0008`
 
-1. Install `kubectl` 1.28 or newer. (`kubectl` supports ±1 Kubernetes version.)
+1. Install `kubectl` 1.29 or newer. (`kubectl` supports ±1 Kubernetes version.)
 
    ```bash
    sudo az aks install-cli

docs/deploy/09-secret-management-and-ingress-controller.md

@@ -73,7 +73,7 @@ Previously you have configured [workload prerequisites](./08-workload-prerequisi
 
    ```bash
    # Import ingress controller image hosted in public container registries
-   az acr import --source docker.io/library/traefik:v2.11 -n $ACR_NAME_AKS_BASELINE
+   az acr import --source docker.io/library/traefik:v3.0 -n $ACR_NAME_AKS_BASELINE
    ```
 
 1. Install the Traefik Ingress Controller.

workload/traefik.yaml

@@ -7,7 +7,7 @@ metadata:
     app.kubernetes.io/name: traefik-ingress-ilb
     app.kubernetes.io/instance: traefik-ingress-ilb
 ---
-#https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+#https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -46,7 +46,6 @@ rules:
       - update
   - apiGroups:
       - traefik.io
-      - traefik.containo.us
     resources:
       - middlewares
       - middlewaretcps
@@ -57,6 +56,7 @@ rules:
       - tlsoptions
       - tlsstores
       - serverstransports
+      - serverstransporttcps
     verbs:
       - get
       - list
@@ -65,7 +65,7 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: traefik-watch-workloads
+  name: traefik-ingress-controller
   namespace: a0008
   labels:
     app.kubernetes.io/name: traefik-ingress-ilb
@@ -230,10 +230,10 @@ spec:
         # PRODUCTION READINESS CHANGE REQUIRED
         # This image should be sourced from a non-public container registry, such as the
         # one deployed along side of this reference implementation.
-        # az acr import --source docker.io/library/traefik:v2.11 -n <your-acr-instance-name>
+        # az acr import --source docker.io/library/traefik:v3.0 -n <your-acr-instance-name>
         # and then set this to
-        # image: <your-acr-instance-name>.azurecr.io/library/traefik:v2.11
-      - image: docker.io/library/traefik:v2.11
+        # image: <your-acr-instance-name>.azurecr.io/library/traefik:v3.0
+      - image: docker.io/library/traefik:v3.0
         imagePullPolicy: IfNotPresent
         name: traefik-ingress-controller
         resources:
@@ -310,4 +310,4 @@ spec:
       securityContext:
         fsGroup: 65532
       nodeSelector:
-       agentpool: npuser01
+       agentpool: npuser01