feat(plugins): support ConfigMap inline local plugins alongside hostPath

EXAMPLES.md

@@ -623,20 +623,135 @@ extraObjects:
 
 To develop or test plugins without pushing them to a public registry, you can load plugin source code directly from your local filesystem.
 
->[!NOTE]
-> The ``hostPath`` must point to a directory containing the plugin source code and a valid ``go.mod`` file. The ``moduleName`` must match the module name specified in the ``go.mod`` file.
+>[!WARNING]
+> The legacy `hostPath` configuration at the `experimental.localPlugins` level is deprecated. Please use the new structured `experimental.localPlugins.<yourplugin>.type` configuration for better organization and future features.
+
+### Legacy Configuration (Backward Compatibility)
+
+>[!WARNING]
+> This legacy `hostPath` configuration is deprecated and will be removed in the next major version. Please migrate to the structured `type` configuration below.
+
+```yaml
+experimental:
+  localPlugins:
+    legacy-demo:
+      moduleName: github.com/traefik/legacydemo
+      mountPath: /plugins-local/src/github.com/traefik/legacydemo
+      hostPath: /path/to/plugin-source  # ⚠️ Deprecated - use type: hostPath instead
+```
+
+## Structured Local Plugins (Current Approach)
+
+The `localPlugins` configuration supports a structured `experimental.localPlugins.<yourplugin>.type` approach that provides better organization, security, and flexibility:
+
+### Using Inline Plugin (Recommended for small/medium plugins)
+
+For testing or general use, embed plugin source directly in values.yaml using the secure `inlinePlugin` type:
+
+```yaml
+experimental:
+  localPlugins:
+    helloworld-plugin:
+      moduleName: github.com/example/helloworldplugin
+      mountPath: /plugins-local/src/github.com/example/helloworldplugin
+      type: inlinePlugin
+      source:
+        go.mod: |
+          module github.com/example/helloworldplugin
+
+          go 1.23
+        .traefik.yml: |
+          displayName: Hello World Plugin
+          type: middleware
+
+          import: github.com/example/helloworldplugin
+
+          summary: |
+            This is a simple plugin that prints "Hello, World!" to the response.
+
+          testData:
+            message: "Hello, World!"
+        main.go: |
+          package helloworldplugin
+
+          import (
+            "context"
+            "net/http"
+          )
+
+          type Config struct{}
+
+          func CreateConfig() *Config {
+            return &Config{}
+          }
+
+          type HelloWorld struct {
+            next http.Handler
+          }
+
+          func New(ctx context.Context, next http.Handler, config *Config, name string) (http.Handler, error) {
+            return &HelloWorld{next: next}, nil
+          }
+
+          func (h *HelloWorld) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+            rw.Write([]byte("Hello, World!"))
+            h.next.ServeHTTP(rw, req)
+          }
+```
+
+> **Advantages**: Secure (no host filesystem access), portable, version controlled with Helm values, supports up to 1MB of plugin code.
+
+### Using Host Path Plugin (Use with Caution)
+
+>[!WARNING]
+> The `hostPath` type should be avoided for security reasons and requires additional work to pull plugins from repositories or blob storage. Consider using `inlinePlugin` or `localPath` instead.
 
 ```yaml
 experimental:
   localPlugins:
     local-demo:
       moduleName: github.com/traefik/localplugindemo
       mountPath: /plugins-local/src/github.com/traefik/localplugindemo
+      type: hostPath
       hostPath: /path/to/plugin-source
 ```
 
->[!IMPORTANT]
-> When using ``hostPath`` volumes, the plugin source code must be available on every node where Traefik pods might be scheduled.
+### Using Local Path Plugin (Advanced)
+
+>[!NOTE]
+> The `localPath` type leverages the existing `additionalVolumes` mechanism for maximum flexibility. This supports PVC, CSI drivers (s3-csi-driver, FUSE), and other volume types.
+
+```yaml
+# Define the volume in additionalVolumes first
+deployment:
+  additionalVolumes:
+    - name: plugin-storage
+      persistentVolumeClaim:
+        claimName: plugin-storage-pvc
+    # Or use CSI driver for S3/blob storage:
+    # - name: s3-plugin-storage
+    #   csi:
+    #     driver: s3.csi.aws.com
+    #     volumeAttributes:
+    #       bucketName: my-plugin-bucket
+
+# Then reference it in localPlugins
+experimental:
+  localPlugins:
+    s3-plugin:
+      moduleName: github.com/example/s3plugin
+      mountPath: /plugins-local/src/github.com/example/s3plugin
+      type: localPath
+      volumeName: plugin-storage  # Must match additionalVolumes name
+      subPath: plugins/s3plugin   # Optional subpath within volume
+```
+
+> **Advantages**:
+>
+> - **Flexible**: Supports any Kubernetes volume type (PVC, CSI, NFS, etc.)
+> - **Secure**: Works with CSI drivers for cloud storage (S3, Azure Blob, GCS)
+> - **Scalable**: Centralized plugin storage, no per-node requirements
+> - **Consistent**: Uses existing Helm chart patterns (`additionalVolumes`)
 
 ## Using Traefik-Hub with private plugin registries
 
@@ -778,8 +893,8 @@ podSecurityContext:
 
 Setup:
 
-* cert-manager installed in `cert-manager` namespace
-* A cloudflare account on a DNS Zone
+- cert-manager installed in `cert-manager` namespace
+- A cloudflare account on a DNS Zone
 
 **Step 1**: Create `Secret` and `Issuer` needed by `cert-manager` with your API Token.
 See [cert-manager documentation](https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/)

traefik-crds/README.md

@@ -0,0 +1,39 @@
+# traefik-crds
+
+![Version: 1.10.0](https://img.shields.io/badge/Version-1.10.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+
+A Traefik based Kubernetes ingress controller
+
+**Homepage:** <https://traefik.io/>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| mloiseleur | <[email protected]> |  |
+| darkweaver87 | <[email protected]> |  |
+| jnoordsij |  |  |
+
+## Source Code
+
+* <https://github.com/traefik/traefik-helm-chart>
+* <https://github.com/traefik/traefik>
+
+## Requirements
+
+Kubernetes: `>=1.22.0-0`
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| deleteOnUninstall | bool | `false` | Set it to true if you want to uninstall CRDs when uninstalling this chart. By default, CRDs will be kept so your custom resources will not be deleted accidentally. |
+| enabled | bool | `true` | Field that can be used as a condition when this chart is a dependency. This definition is only here as a placeholder such that it is included in the json schema. See https://helm.sh/docs/chart_best_practices/dependencies/#conditions-and-tags for more info. |
+| gatewayAPI | bool | `false` | Set it to true to install GatewayAPI CRDs. Needed if you set providers.kubernetesGateway.enabled to true in main chart Cannot be used together with gatewayAPIExperimental |
+| gatewayAPIExperimental | bool | `false` | Set it to true to install experimental GatewayAPI CRDs. This includes additional experimental features beyond the standard Gateway API Cannot be used together with gatewayAPI |
+| global | object | `{}` | Global values This definition is only here as a placeholder such that it is included in the json schema. |
+| hub | bool | `false` | Set it to true to install Traefik Hub CRDs. Needed if you set hub.enabled to true in main chart |
+| traefik | bool | `true` | Install Traefik CRDs by default |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)