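apiVersion: v1
kind: Namespace
metadata:
  name: nas-proxy
---
# Standalone cert-manager Certificate for nas.rogi.casa.
# It is deliberately NOT created by ingress-shim: the Ingress below carries no
# `cert-manager.io/cluster-issuer` annotation, so this Certificate's lifecycle
# is independent of the Ingress. (With the annotation present, ingress-shim
# would try to create a Certificate named after the secret and tie it to the
# Ingress; since a Certificate of that name already exists and is not owned by
# the Ingress, that only produces a conflict, not a second certificate.)
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: nas-tls
  namespace: nas-proxy
spec:
  secretName: nas-tls
  dnsNames:
    - nas.rogi.casa
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-prod
  # Generate a fresh private key on every renewal rather than reusing the old
  # one, so a leaked key is only useful until the next renewal.
  privateKey:
    rotationPolicy: Always
  usages:
    - digital signature
    - key encipherment
---
# Selector-less Service + manual Endpoints pointing at the NAS.
# Requires the argocd-cm `resource.exclusions` to NOT exclude Endpoints
# (the default K3s/ArgoCD exclusion strips all Endpoints objects).
# NOTE(review): the v1 Endpoints API is being superseded by EndpointSlice;
# confirm the target cluster version still serves it before upgrading.
apiVersion: v1
kind: Service
metadata:
  name: synology-nas
  namespace: nas-proxy
spec:
  type: ClusterIP
  # Headless: no virtual IP, Traefik dials the Endpoints addresses directly.
  clusterIP: None
  ports:
    - port: 5001
      targetPort: 5001
      protocol: TCP
---
apiVersion: v1
kind: Endpoints
metadata:
  # Must match the Service name above for the Service to pick it up.
  name: synology-nas
  namespace: nas-proxy
subsets:
  - addresses:
      - ip: 10.88.30.10
    ports:
      - port: 5001
        protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nas
  namespace: nas-proxy
  annotations:
    # Frontend side: terminate TLS on this router; spec.tls below supplies the
    # certificate from the standalone Certificate above. No cert-manager
    # annotation here on purpose (see the Certificate document).
    traefik.ingress.kubernetes.io/router.tls: "true"
    # Backend side: DSM only speaks HTTPS on 5001, so Traefik must dial it as
    # https rather than the default http.
    traefik.ingress.kubernetes.io/service.serversscheme: https
    # DSM presents a self-signed certificate, so backend verification is
    # skipped via the `skip-verify` ServersTransport defined in Traefik's file
    # provider (that transport must exist there, or the service will not build).
    # SECURITY: this leaves the Traefik -> NAS hop (10.88.30.10:5001) open to
    # an on-path attacker on that network. Prefer a ServersTransport that pins
    # DSM's certificate/CA via `rootCAs` (or install a trusted certificate on
    # DSM) and drop skip-verify.
    traefik.ingress.kubernetes.io/service.serverstransport: skip-verify@file
    # 5 GiB upload ceiling for large file transfers.
    # NOTE(review): confirm Traefik honors this annotation on the Ingress
    # provider; request body limits are normally applied with a Buffering
    # middleware (maxRequestBodyBytes), so this may be silently ignored.
    traefik.ingress.kubernetes.io/max-request-body-bytes: "5368709120"
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - nas.rogi.casa
      secretName: nas-tls
  rules:
    # NOTE(review): this publishes the DSM login page. If the cluster is
    # Internet-reachable, consider an IP allow-list / rate-limit middleware in
    # front of it and DSM's own auto-block and 2FA settings.
    - host: nas.rogi.casa
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: synology-nas
                port:
                  number: 5001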