fix nas ingress

2026-06-26 19:01:08 +02:00
parent 3cdd40153f
commit 2eab82b430
1 changed files with 21 additions and 27 deletions
--- a/nas/ingress.yaml
+++ b/nas/ingress.yaml
@@ -24,8 +24,7 @@ spec:
    - key encipherment
 ---
 # Selector-less Service + manual Endpoints pointing at the NAS.
-# Requires the argocd-cm `resource.exclusions` to NOT exclude Endpoints
-# (the default K3s/ArgoCD exclusion strips all Endpoints objects).
+# (Endpoints is no longer excluded in argocd-cm, so ArgoCD manages it.)
 apiVersion: v1
 kind: Service
 metadata:
@@ -51,33 +50,28 @@ subsets:
      - port: 5001
        protocol: TCP
 ---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
+# Traefik IngressRoute (CRD provider) where scheme: https is a first-class
+# field. The standard kubernetes Ingress `service.serversscheme` annotation is
+# ignored for selector-less/Endpoints-backed services in Traefik v3, which
+# caused Traefik to dial the NAS with plain HTTP -> 400 from DSM's nginx.
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
 metadata:
  name: nas
  namespace: nas-proxy
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    # Tell Traefik the backend is HTTPS (DSM uses HTTPS on 5001)
-    traefik.ingress.kubernetes.io/router.tls: "true"
-    # Skip backend TLS verification since DSM uses a self-signed cert
-    traefik.ingress.kubernetes.io/service.serversscheme: https
-    traefik.ingress.kubernetes.io/service.serverstransport: skip-verify@file
-    traefik.ingress.kubernetes.io/max-request-body-bytes: "5368709120"
 spec:
-  ingressClassName: traefik
-  tls:
-    - hosts:
-        - nas.rogi.casa
-      secretName: nas-tls
-  rules:
-    - host: nas.rogi.casa
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`nas.rogi.casa`)
+      kind: Rule
+      services:
+        - kind: Service
          name: synology-nas
-                port:
-                  number: 5001
+          namespace: nas-proxy
+          port: 5001
+          scheme: https
+          serversTransport: skip-verify
+          passHostHeader: true
+  tls:
+    secretName: nas-tls