fix nas ingress

2026-06-26 18:54:17 +02:00
parent 9f74a88be7
commit 3cdd40153f
1 changed files with 56 additions and 58 deletions
--- a/nas/ingress.yaml
+++ b/nas/ingress.yaml
@@ -3,8 +3,9 @@ kind: Namespace
 metadata:
  name: nas-proxy
 ---
-# cert-manager Certificate for nas.rogi.casa.
-# Standalone (not owned by an Ingress) so it survives independent of routing.
+# Standalone cert-manager Certificate for nas.rogi.casa (not owned by an Ingress,
+# since cert-manager's ingress-shim would otherwise create one owned by the
+# Ingress below and tie its lifecycle to it; keeping it standalone is cleaner).
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -22,64 +23,61 @@ spec:
    - digital signature
    - key encipherment
 ---
-# Traefik IngressRoute that dials the NAS directly via kind: Servers.
-# This avoids:
-#   - Traefik rejecting an ExternalName Service (allowexternalnameservices=false), and
-#   - ArgoCD excluding an Endpoints object (resource.exclusions strips Endpoints).
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
+# Selector-less Service + manual Endpoints pointing at the NAS.
+# Requires the argocd-cm `resource.exclusions` to NOT exclude Endpoints
+# (the default K3s/ArgoCD exclusion strips all Endpoints objects).
+apiVersion: v1
+kind: Service
+metadata:
+  name: synology-nas
+  namespace: nas-proxy
+spec:
+  type: ClusterIP
+  clusterIP: None
+  ports:
+    - port: 5001
+      targetPort: 5001
+      protocol: TCP
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: synology-nas
+  namespace: nas-proxy
+subsets:
+  - addresses:
+      - ip: 10.88.30.10
+    ports:
+      - port: 5001
+        protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
 metadata:
  name: nas
  namespace: nas-proxy
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    # Tell Traefik the backend is HTTPS (DSM uses HTTPS on 5001)
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    # Skip backend TLS verification since DSM uses a self-signed cert
+    traefik.ingress.kubernetes.io/service.serversscheme: https
+    traefik.ingress.kubernetes.io/service.serverstransport: skip-verify@file
+    traefik.ingress.kubernetes.io/max-request-body-bytes: "5368709120"
 spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`nas.rogi.casa`)
-      kind: Rule
-      priority: 1
-      services:
-        - kind: Servers
-          scheme: https
-          serversTransport: skip-verify
-          servers:
-            - url: https://10.88.30.10:5001
-          passHostHeader: true
-          responseForwarding:
-            flushInterval: 100ms
+  ingressClassName: traefik
  tls:
+    - hosts:
+        - nas.rogi.casa
      secretName: nas-tls
---
-# HTTP -> HTTPS redirect for nas.rogi.casa
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: nas-http-redirect
-  namespace: nas-proxy
-spec:
-  entryPoints:
-    - web
-  routes:
-    - match: Host(`nas.rogi.casa`)
-      kind: Rule
-      priority: 1
-      middlewares:
-        - name: redirect-to-https
-          namespace: nas-proxy
-      services:
-        # Syntactically required backend; never reached because the redirect
-        # middleware short-circuits the request.
-        - kind: Servers
-          scheme: https
-          servers:
-            - url: https://10.88.30.10:5001
---
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: redirect-to-https
-  namespace: nas-proxy
-spec:
-  redirectScheme:
-    scheme: https
-    permanent: true
+  rules:
+    - host: nas.rogi.casa
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: synology-nas
+                port:
+                  number: 5001