From 523c190c7af4688be7d883d363850a84b5450110 Mon Sep 17 00:00:00 2001
From: Taqi Tahmid
Date: Wed, 2 Jul 2025 18:40:54 +0300
Subject: [PATCH] kubernetes: move jellyfin to private ingress
---
 infra/terraform/kubernetes/backend.tf | 2 +-
 kubernetes/media/jellyfin-deploy.yaml | 76 ++++++++++++++++++---------
 2 files changed, 53 insertions(+), 25 deletions(-)
diff --git a/infra/terraform/kubernetes/backend.tf b/infra/terraform/kubernetes/backend.tf
index dbe613a..c579f9b 100644
--- a/infra/terraform/kubernetes/backend.tf
+++ b/infra/terraform/kubernetes/backend.tf
@@ -1,7 +1,7 @@
 terraform {
 backend "s3" {
 bucket = "terraform-state" # Name of the MinIO bucket
- key = "proxmox/terraform.tfstate" # Path to the state file in the bucket
+ key = "kubernetes/terraform.tfstate" # Path to the state file in the bucket
 endpoint = var.minio_endpoint # MinIO API endpoint
 access_key = var.minio_access_key # MinIO access key
 secret_key = var.minio_secret_key # MinIO secret key
diff --git a/kubernetes/media/jellyfin-deploy.yaml b/kubernetes/media/jellyfin-deploy.yaml
index 171fce1..707f50c 100644
--- a/kubernetes/media/jellyfin-deploy.yaml
+++ b/kubernetes/media/jellyfin-deploy.yaml
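Review bot: The new `key = "kubernetes/terraform.tfstate"` in infra/terraform/kubernetes/backend.tf repoints this stack at a different state object, and nothing in the commit shows the existing state being moved with it. If the old `proxmox/terraform.tfstate` object was in use here, the next `terraform init` needs `-migrate-state`; otherwise Terraform starts from an empty state and will plan to recreate resources it already manages. The old key also suggests this directory may have shared a state object with a Proxmox stack, which is worth confirming before the old object is deleted or reused. I would add a comment above the line such as `# state object for the kubernetes stack only; never share a key between stacks`. The `backend "s3"` block continues outside the hunk.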
@@ -71,36 +71,64 @@ spec:
 targetPort: 8096
 type: ClusterIP

+# ---
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+# name: jellyfin-ingress
+# annotations:
+# traefik.ingress.kubernetes.io/router.middlewares: jellyfin-headers@kubernetescrd
+# spec:
+# entryPoints:
+# - websecure
+# routes:
+# - match: Host(`${JELLYFIN_HOST}`)
+# kind: Rule
+# services:
+# - name: jellyfin-service
+# port: 8096
+# tls:
+# secretName: jellyfin-tls-secret
+
+# ---
+# apiVersion: traefik.io/v1alpha1
+# kind: Middleware
+# metadata:
+# name: jellyfin-headers
+# spec:
+# headers:
+# customRequestHeaders:
+# X-Forwarded-Proto: "https"
+# customResponseHeaders:
+# X-Frame-Options: "SAMEORIGIN"
+
 ---
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
+apiVersion: networking.k8s.io/v1
+kind: Ingress
 metadata:
 name: jellyfin-ingress
 annotations:
- traefik.ingress.kubernetes.io/router.middlewares: jellyfin-headers@kubernetescrd
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
+ nginx.ingress.kubernetes.io/server-header: "X-Frame-Options SAMEORIGIN"
+ nginx.ingress.kubernetes.io/proxy-set-header: "X-Forwarded-Proto https"
 spec:
- entryPoints:
- - websecure
- routes:
- - match: Host(`${JELLYFIN_HOST}`)
- kind: Rule
- services:
- - name: jellyfin-service
- port: 8096
+ ingressClassName: nginx
+ rules:
+ - host: ${JELLYFIN_HOST}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: jellyfin-service
+ port:
+ number: 8096
 tls:
- secretName: jellyfin-tls-secret
-
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: jellyfin-headers
-spec:
- headers:
- customRequestHeaders:
- X-Forwarded-Proto: "https"
- customResponseHeaders:
- X-Frame-Options: "SAMEORIGIN"
+ - hosts:
+ - ${JELLYFIN_HOST}
+ secretName: jellyfin-tls-secret

 ---
 apiVersion: cert-manager.io/v1
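Review bot: The two header annotations on the new Ingress, `nginx.ingress.kubernetes.io/server-header` and `nginx.ingress.kubernetes.io/proxy-set-header`, are not annotations that ingress-nginx recognises as far as I know, and unknown annotations are ignored without an error. The effect would be that the `X-Frame-Options: SAMEORIGIN` response header set by the removed Traefik Middleware is no longer sent, so the framing protection is lost silently. I would drop both lines and, on a controller version that supports it, use `nginx.ingress.kubernetes.io/custom-headers: "<namespace>/<headers-configmap>"` (placeholder names) pointing at a ConfigMap that carries `X-Frame-Options: SAMEORIGIN`; the controller-wide `add-headers` ConfigMap key is the alternative. `X-Forwarded-Proto` is normally set by the controller itself, so it needs no replacement. The commit title says "private ingress", but `ingressClassName: nginx` does not show that by itself, so confirm this class is served only by the internal controller, and verify the header after deploy with a `curl -I` against the host.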