From 3cdd40153fb55c2683ea86d610819e461e0d9805 Mon Sep 17 00:00:00 2001
From: Roger Oriol
Date: Fri, 26 Jun 2026 18:54:17 +0200
Subject: [PATCH] fix nas ingress
---
 nas/ingress.yaml | 114 +++++++++++++++++++++++------------------------
 1 file changed, 56 insertions(+), 58 deletions(-)
diff --git a/nas/ingress.yaml b/nas/ingress.yaml
index 6ab2e59..4373656 100644
--- a/nas/ingress.yaml
+++ b/nas/ingress.yaml
@@ -3,8 +3,9 @@ kind: Namespace
 metadata:
 name: nas-proxy
 ---
-# cert-manager Certificate for nas.rogi.casa.
-# Standalone (not owned by an Ingress) so it survives independent of routing.
+# Standalone cert-manager Certificate for nas.rogi.casa (not owned by an Ingress,
+# since cert-manager's ingress-shim would otherwise create one owned by the
+# Ingress below and tie its lifecycle to it; keeping it standalone is cleaner).
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -22,64 +23,61 @@ spec:
 - digital signature
 - key encipherment
 ---
-# Traefik IngressRoute that dials the NAS directly via kind: Servers.
-# This avoids:
-# - Traefik rejecting an ExternalName Service (allowexternalnameservices=false), and
-# - ArgoCD excluding an Endpoints object (resource.exclusions strips Endpoints).
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
+# Selector-less Service + manual Endpoints pointing at the NAS.
+# Requires the argocd-cm `resource.exclusions` to NOT exclude Endpoints
+# (the default K3s/ArgoCD exclusion strips all Endpoints objects).
+apiVersion: v1
+kind: Service
+metadata:
+ name: synology-nas
+ namespace: nas-proxy
+spec:
+ type: ClusterIP
+ clusterIP: None
+ ports:
+ - port: 5001
+ targetPort: 5001
+ protocol: TCP
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: synology-nas
+ namespace: nas-proxy
+subsets:
+ - addresses:
+ - ip: 10.88.30.10
+ ports:
+ - port: 5001
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
 metadata:
 name: nas
 namespace: nas-proxy
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ # Tell Traefik the backend is HTTPS (DSM uses HTTPS on 5001)
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ # Skip backend TLS verification since DSM uses a self-signed cert
+ traefik.ingress.kubernetes.io/service.serversscheme: https
+ traefik.ingress.kubernetes.io/service.serverstransport: skip-verify@file
+ traefik.ingress.kubernetes.io/max-request-body-bytes: "5368709120"
 spec:
- entryPoints:
- - websecure
- routes:
- - match: Host(`nas.rogi.casa`)
- kind: Rule
- priority: 1
- services:
- - kind: Servers
- scheme: https
- serversTransport: skip-verify
- servers:
- - url: https://10.88.30.10:5001
- passHostHeader: true
- responseForwarding:
- flushInterval: 100ms
+ ingressClassName: traefik
 tls:
- secretName: nas-tls
----
-# HTTP -> HTTPS redirect for nas.rogi.casa
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
- name: nas-http-redirect
- namespace: nas-proxy
-spec:
- entryPoints:
- - web
- routes:
- - match: Host(`nas.rogi.casa`)
- kind: Rule
- priority: 1
- middlewares:
- - name: redirect-to-https
- namespace: nas-proxy
- services:
- # Syntactically required backend; never reached because the redirect
- # middleware short-circuits the request.
- - kind: Servers
- scheme: https
- servers:
- - url: https://10.88.30.10:5001
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: redirect-to-https
- namespace: nas-proxy
-spec:
- redirectScheme:
- scheme: https
- permanent: true
+ - hosts:
+ - nas.rogi.casa
+ secretName: nas-tls
+ rules:
+ - host: nas.rogi.casa
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: synology-nas
+ port:
+ number: 5001
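Review bot: The HTTP-to-HTTPS redirect IngressRoute and its redirectScheme Middleware are deleted but nothing in the new Ingress takes their place, so a plain-HTTP request for nas.rogi.casa is no longer redirected; with `router.tls: "true"` the router is TLS-only, so such requests will presumably fall through to a 404 unless the `web` entrypoint redirects globally, and the fix is to keep a redirectScheme Middleware and attach it with `traefik.ingress.kubernetes.io/router.middlewares` (or record the global redirect in a comment). The comment `# Tell Traefik the backend is HTTPS (DSM uses HTTPS on 5001)` sits above `router.tls: "true"`, which enables TLS on the client-facing router, while the backend scheme is set by `service.serversscheme: https` on the following line, so the comment belongs there and the `router.tls` line wants something like `# TLS-only router; serves the nas-tls certificate`. `service.serverstransport: skip-verify@file` now refers to a file-provider ServersTransport that is not part of this change (the removed IngressRoute used the in-cluster `skip-verify`), so confirm it exists in Traefik's dynamic file config, and prefer a transport that pins the DSM certificate via `rootCAs` over one that accepts any certificate presented on 10.88.30.10:5001. I cannot find `max-request-body-bytes` among Traefik's documented Ingress annotations, and unrecognised annotations are ignored silently; a request-body limit is normally the Buffering middleware's `maxRequestBodyBytes` attached via `router.middlewares`, so verify the 5 GiB limit is actually applied.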