taqi/homeserver
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

kubernetes: added additional ingress controller for internal access

Browse Source 
- added additional traefik ingress controller for accessing internal
  services via ingress.
This commit is contained in:
Taqi Tahmid
2025-06-26 21:01:12 +03:00
parent 4fa8058a44
commit 2a294eb273
12 changed files with 72 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
kubernetes/README.md
View File

@ -1,6 +1,6 @@
# Setup K3s Kubernetes Cluster
# Configure Traefik with extra values
# Configure Traefik Ingress Controller
The Traefik ingress controller is deployed along with K3s. To modify the
default values,
@ -12,6 +12,26 @@ helm upgrade traefik traefik/traefik \
--version 22.1.0
```
## Additional Ingress Controller for Internal Access
An additional ingress controller is deployed for internal access to services.
This ingress controller is used to access services that are not exposed to the
internet. It is deployed in the `internal-ingress` namespace and uses the
Traefik ingress controller.
To utilize the internal ingress controller, add the following
`ingressClassName: traefik-internal` under ingress spec.
```bash
helm upgrade --install \
--create-namespace traefik-internal traefik/traefik \
--namespace traefik-internal \
-f traefik/traefik-internal/values.yaml
```
The LoadBalancer service IP for the internal ingress controller is added to
the adGuard DNS server to resolve the internal services.
# Configure Cert Manager for automating SSL certificate handling
Cert manager handles SSL certificate creation and renewal from Let's Encrypt.
@ -50,11 +70,11 @@ export KUBE_EDITOR=nvim
kubectl -n kube-system edit configmap coredns
```
Next, deploy the ClusterIssuer, WildcardCert, and secrets using helm
Next, deploy the ClusterIssuer, WildcardCert, and secrets using helm chart.
```bash
source .env
helm install cert-handler cert-manager-helm-chart \
helm install cert-handler cert-manager-config-helm-chart \
--atomic --set secret.apiToken=$CLOUDFLARE_TOKEN \
--set clusterIssuer.email=$EMAIL \
--set wildcardCert.dnsNames[0]=$DNSNAME

0
kubernetes/cert-manager-helm-chart/Chart.yaml → kubernetes/cert-manager-config-helm-chart/Chart.yaml
View File

0
kubernetes/cert-manager-helm-chart/templates/clusterIssuers.yaml → kubernetes/cert-manager-config-helm-chart/templates/clusterIssuers.yaml
View File

0
kubernetes/cert-manager-helm-chart/templates/secret-cloudflare.yaml → kubernetes/cert-manager-config-helm-chart/templates/secret-cloudflare.yaml
View File

0
kubernetes/cert-manager-helm-chart/templates/wildcardCert.yaml → kubernetes/cert-manager-config-helm-chart/templates/wildcardCert.yaml
View File

0
kubernetes/cert-manager-helm-chart/values.yaml → kubernetes/cert-manager-config-helm-chart/values.yaml
View File

2
kubernetes/docker-registry-helm-chart/values.yaml
View File

@ -14,7 +14,7 @@ ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
cert-manager.io/issuer: "letsencrypt-prod"
cert-manager.io/cluster-issuer: "acme-issuer"
tls:
enabled: true
host: "*.example.com"

2
kubernetes/immich/values.yaml
View File

@ -63,7 +63,7 @@ server:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
cert-manager.io/issuer: "letsencrypt-prod"
cert-manager.io/cluster-issuer: "acme-issuer"
hosts:
- host: placeholder.immich.app
paths:

4
kubernetes/minio/values-tenant.yaml
View File

@ -494,11 +494,11 @@ ingress:
pathType: Prefix
console:
enabled: true
ingressClassName: "traefik"
ingressClassName: "traefik-internal"
labels: {}
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
cert-manager.io/issuer: "letsencrypt-prod"
cert-manager.io/cluster-issuer: "acme-issuer"
traefik.ingress.kubernetes.io/service.serversTransport: insecure-transport
traefik.ingress.kubernetes.io/router.middlewares: kube-system-ip-whitelist@kubernetescrd
tls:

2
kubernetes/my-portfolio/portfolioManifest.yaml
View File

@ -44,7 +44,7 @@ metadata:
name: portfolio
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
cert-manager.io/issuer: "letsencrypt-prod"
cert-manager.io/cluster-issuer: "acme-issuer"
spec:
tls:
- hosts:

6
kubernetes/traefik/traefik-internal/values.yaml Normal file
View File

@ -0,0 +1,6 @@
ingressClass:
enabled: true
isDefaultClass: false
name: traefik-internal
additionalArguments:
- "--providers.kubernetesingress.ingressclass=traefik-internal"

7
kubernetes/traefik/traefik-middleware/ip-whitelist.yaml
View File

@ -2,9 +2,10 @@ apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: ip-whitelist
namespace: minio
namespace: kube-system
spec:
ipWhiteList:
sourceRange:
- 192.168.1.0/24
- 87.92.7.212/32
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16