build: pin gluetun to v3.41.1

Fixes VPN restart loop after :latest pulled a build with the Alpine 3.22
iptables parsing regression and the healthcheck race (#3123). v3.41.1
includes the k8s cluster-DNS auto-detection so DNS lookups in the
startup healthcheck no longer time out behind the killswitch.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

cluster_setup/traefik-config.yaml

@@ -0,0 +1,37 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+  name: traefik
+  namespace: kube-system
+spec:
+  valuesContent: |-
+    logs:
+      access:
+        enabled: true
+        format: common
+    # opcional: para logs de Traefik (no sólo access logs)
+    log:
+      level: INFO
+      format: json
+    # esto ya estaba, pero si querés mantenerlo:
+    deployment:
+      podAnnotations:
+        prometheus.io/port: "8082"
+        prometheus.io/scrape: "true"
+    providers:
+      kubernetesIngress:
+        publishedService:
+          enabled: true
+    priorityClassName: "system-cluster-critical"
+    tolerations:
+    - key: "CriticalAddonsOnly"
+      operator: "Exists"
+    - key: "node-role.kubernetes.io/control-plane"
+      operator: "Exists"
+      effect: "NoSchedule"
+    - key: "node-role.kubernetes.io/master"
+      operator: "Exists"
+      effect: "NoSchedule"
+    service:
+      ipFamilyPolicy: "PreferDualStack"
+

helm-values/qbittorrent_values.yaml

@@ -55,7 +55,7 @@ qbittorrent:
 gluetun:
   image:
     repository: qmcgaw/gluetun
-    tag: latest
+    tag: v3.41.1
     pullPolicy: IfNotPresent
   env:
     - name: VPN_SERVICE_PROVIDER

non_argo_values/gitea_values.yaml

@@ -21,8 +21,8 @@ ingress:
   className: traefik
   pathType: Prefix
   annotations:
-    # Restrict to LAN access (matching your existing pattern)
-    traefik.ingress.kubernetes.io/whitelist.sourcerange: "192.168.0.0/16,10.0.0.0/8,172.16.0.0/12"
+    # Restrict to LAN access via Traefik v3 Middleware (resources/gitea-middleware.yaml)
+    traefik.ingress.kubernetes.io/router.middlewares: "gitea-lan-only@kubernetescrd"
     cert-manager.io/cluster-issuer: "letsencrypt-production"
   hosts:
     - host: gitea.gilgamezh.me

resources/gitea-middleware.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: lan-only
+  namespace: gitea
+spec:
+  ipAllowList:
+    sourceRange:
+      - 192.168.0.0/16
+      - 10.0.0.0/8
+      - 172.16.0.0/12

resources/ingress.yaml

@@ -4,12 +4,12 @@ kind: Ingress
 metadata:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
-    kubernetes.io/ingress.class: traefik
   labels:
     app: kube-plex
   name: kube-plex
   namespace: default
 spec:
+  ingressClassName: traefik
   rules:
     - host: tp2.gilgamezh.me
       http:
@@ -31,12 +31,12 @@ kind: Ingress
 metadata:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
-    kubernetes.io/ingress.class: traefik
   labels:
     app: radarr
   name: radarr
   namespace: default
 spec:
+  ingressClassName: traefik
   rules:
     - host: radarr.gilgamezh.me
       http:
@@ -58,12 +58,12 @@ kind: Ingress
 metadata:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
-    kubernetes.io/ingress.class: traefik
   labels:
     app: sonarr
   name: sonarr
   namespace: default
 spec:
+  ingressClassName: traefik
   rules:
     - host: sonarr.gilgamezh.me
       http:
@@ -85,12 +85,12 @@ kind: Ingress
 metadata:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
-    kubernetes.io/ingress.class: traefik
   labels:
     app: lidarr
   name: lidarr
   namespace: default
 spec:
+  ingressClassName: traefik
   rules:
     - host: lidarr.gilgamezh.me
       http: