kubernetes: added additional ingress controller for internal access

- added additional traefik ingress controller for accessing internal
  services via ingress.

kubernetes/README.md

@@ -1,6 +1,6 @@
 # Setup K3s Kubernetes Cluster
 
-# Configure Traefik with extra values
+# Configure Traefik Ingress Controller
 
 The Traefik ingress controller is deployed along with K3s. To modify the
 default values,
@@ -12,6 +12,26 @@ helm upgrade traefik traefik/traefik \
   --version 22.1.0
 ```
 
+## Additional Ingress Controller for Internal Access
+
+An additional ingress controller is deployed for internal access to services.
+This ingress controller is used to access services that are not exposed to the
+internet. It is deployed in the `internal-ingress` namespace and uses the
+Traefik ingress controller.
+
+To utilize the internal ingress controller, add the following
+`ingressClassName: traefik-internal` under ingress spec.
+
+```bash
+helm upgrade --install \
+  --create-namespace traefik-internal traefik/traefik \
+  --namespace traefik-internal \
+  -f traefik/traefik-internal/values.yaml
+```
+
+The LoadBalancer service IP for the internal ingress controller is added to
+the adGuard DNS server to resolve the internal services.
+
 # Configure Cert Manager for automating SSL certificate handling
 
 Cert manager handles SSL certificate creation and renewal from Let's Encrypt.
@@ -50,11 +70,11 @@ export KUBE_EDITOR=nvim
 kubectl -n kube-system edit configmap coredns
 ```
 
-Next, deploy the ClusterIssuer, WildcardCert, and secrets using helm
+Next, deploy the ClusterIssuer, WildcardCert, and secrets using helm chart.
 
 ```bash
 source .env
-helm install cert-handler cert-manager-helm-chart \
+helm install cert-handler cert-manager-config-helm-chart \
   --atomic --set secret.apiToken=$CLOUDFLARE_TOKEN \
   --set clusterIssuer.email=$EMAIL \
   --set wildcardCert.dnsNames[0]=$DNSNAME

kubernetes/docker-registry-helm-chart/values.yaml

@@ -14,7 +14,7 @@ ingress:
   enabled: true
   annotations:
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    cert-manager.io/issuer: "letsencrypt-prod"
+    cert-manager.io/cluster-issuer: "acme-issuer"
   tls:
     enabled: true
     host: "*.example.com"

kubernetes/immich/values.yaml

@@ -63,7 +63,7 @@ server:
       enabled: true
       annotations:
         traefik.ingress.kubernetes.io/router.entrypoints: websecure
-        cert-manager.io/issuer: "letsencrypt-prod"
+        cert-manager.io/cluster-issuer: "acme-issuer"
       hosts:
         - host: placeholder.immich.app
           paths:

kubernetes/minio/values-tenant.yaml

@@ -494,11 +494,11 @@ ingress:
     pathType: Prefix
   console:
     enabled: true
-    ingressClassName: "traefik"
+    ingressClassName: "traefik-internal"
     labels: {}
     annotations:
       traefik.ingress.kubernetes.io/router.entrypoints: websecure
-      cert-manager.io/issuer: "letsencrypt-prod"
+      cert-manager.io/cluster-issuer: "acme-issuer"
       traefik.ingress.kubernetes.io/service.serversTransport: insecure-transport
       traefik.ingress.kubernetes.io/router.middlewares: kube-system-ip-whitelist@kubernetescrd
     tls:

kubernetes/my-portfolio/portfolioManifest.yaml

@@ -44,7 +44,7 @@ metadata:
   name: portfolio
   annotations:
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    cert-manager.io/issuer: "letsencrypt-prod"
+    cert-manager.io/cluster-issuer: "acme-issuer"
 spec:
   tls:
     - hosts:

kubernetes/traefik/traefik-internal/values.yaml

@@ -0,0 +1,6 @@
+ingressClass:
+  enabled: true
+  isDefaultClass: false
+  name: traefik-internal
+additionalArguments:
+  - "--providers.kubernetesingress.ingressclass=traefik-internal"

kubernetes/traefik/traefik-middleware/ip-whitelist.yaml

@@ -2,9 +2,10 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
   name: ip-whitelist
-  namespace: minio
+  namespace: kube-system
 spec:
   ipWhiteList:
     sourceRange:
-      - 192.168.1.0/24
+      - 10.0.0.0/8
-      - 87.92.7.212/32
+      - 172.16.0.0/12
+      - 192.168.0.0/16