From 0599b3d41a9e6a7b1a52c2295a66166d509a333e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A1rcio=20Fernandes?= Date: Thu, 9 Apr 2026 12:34:45 +0000 Subject: [PATCH] ingress revision --- deploy/app/helm-values.yaml | 5 ++-- deploy/infra/ingress-ssh-public.yaml | 14 +++++++++ deploy/infra/ingress-ssh.yaml | 14 +++++++++ ...ess-route.yaml => ingress-web-public.yaml} | 6 ++-- ...re-ingress-route.yaml => ingress-web.yaml} | 4 ++- deploy/infra/kustomization.yaml | 6 ++-- deploy/infra/network-policies.yaml | 30 +++++-------------- 7 files changed, 48 insertions(+), 31 deletions(-) create mode 100644 deploy/infra/ingress-ssh-public.yaml create mode 100644 deploy/infra/ingress-ssh.yaml rename deploy/infra/{public-https-ingress-route.yaml => ingress-web-public.yaml} (74%) rename deploy/infra/{websecure-ingress-route.yaml => ingress-web.yaml} (80%) diff --git a/deploy/app/helm-values.yaml b/deploy/app/helm-values.yaml index 2f3809d..0deb6b9 100644 --- a/deploy/app/helm-values.yaml +++ b/deploy/app/helm-values.yaml @@ -152,10 +152,9 @@ persistence: service: ssh: - type: LoadBalancer - enabled: true + clusterIP: "" # empty string → Kubernetes assigns a routable ClusterIP + type: ClusterIP port: 2222 - externalTrafficPolicy: Local http: clusterIP: "" # empty string → Kubernetes assigns a routable ClusterIP type: ClusterIP diff --git a/deploy/infra/ingress-ssh-public.yaml b/deploy/infra/ingress-ssh-public.yaml new file mode 100644 index 0000000..7e617cf --- /dev/null +++ b/deploy/infra/ingress-ssh-public.yaml @@ -0,0 +1,14 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRouteTCP +metadata: + name: ssh-public + annotations: + kubernetes.io/ingress.class: traefik-public +spec: + entryPoints: + - tcp2222 + routes: + - match: HostSNI(`*`) + services: + - name: gitea-ssh + port: 2222 diff --git a/deploy/infra/ingress-ssh.yaml b/deploy/infra/ingress-ssh.yaml new file mode 100644 index 0000000..327ec51 --- /dev/null +++ b/deploy/infra/ingress-ssh.yaml 
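Review bot: With `service.ssh` now `type: ClusterIP` and `externalTrafficPolicy: Local` dropped, SSH sessions reach Gitea through Traefik, so the SSH server will most likely see the proxy pod's address instead of the client's. That weakens SSH authentication logs and any per-address throttling or banning that relies on them. If client addresses matter here, consider `proxyProtocol: {version: 2}` on the `gitea-ssh` service entries of the new IngressRouteTCP objects together with `SSH_SERVER_USE_PROXY_PROTOCOL = true` in Gitea's `[server]` settings. The two have to be switched on together or SSH connections will fail. The `service:` mapping continues past the end of this hunk.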
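Review bot: The `kubernetes.io/ingress.class: traefik-public` annotation is the only thing tying this route to the public Traefik instance, and nothing in this commit shows that either instance filters on it. `ssh-public` and `ssh` (ingress-ssh.yaml) are identical apart from name and annotation, and `web-public` and `web` now both bind `websecure`, where the entry-point name `public-https` used to separate them. If the public instance is not started with `--providers.kubernetescrd.ingressclass=traefik-public`, it may load the internal `web` route instead, which presumably lacks the `/-/admin` exclusion. I would add a comment above each annotation, e.g. `# picked up only by the Traefik instance whose kubernetesCRD provider sets ingressClass=traefik-public`, and confirm that setting in both Traefik deployments before merging.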
@@ -0,0 +1,14 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRouteTCP +metadata: + name: ssh + annotations: + kubernetes.io/ingress.class: traefik +spec: + entryPoints: + - tcp2222 + routes: + - match: HostSNI(`*`) + services: + - name: gitea-ssh + port: 2222 diff --git a/deploy/infra/public-https-ingress-route.yaml b/deploy/infra/ingress-web-public.yaml similarity index 74% rename from deploy/infra/public-https-ingress-route.yaml rename to deploy/infra/ingress-web-public.yaml index c5f8787..19622d7 100644 --- a/deploy/infra/public-https-ingress-route.yaml +++ b/deploy/infra/ingress-web-public.yaml @@ -1,10 +1,12 @@ apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: - name: public-https + name: web-public + annotations: + kubernetes.io/ingress.class: traefik-public spec: entryPoints: - - public-https + - websecure routes: - match: Host(`git.limbosolutions.com`) && !PathPrefix(`/-/admin`) kind: Rule diff --git a/deploy/infra/websecure-ingress-route.yaml b/deploy/infra/ingress-web.yaml similarity index 80% rename from deploy/infra/websecure-ingress-route.yaml rename to deploy/infra/ingress-web.yaml index 0e485b6..2850f3c 100644 --- a/deploy/infra/websecure-ingress-route.yaml +++ b/deploy/infra/ingress-web.yaml @@ -1,7 +1,9 @@ apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: - name: websecure + name: web + annotations: + kubernetes.io/ingress.class: traefik spec: entryPoints: - websecure diff --git a/deploy/infra/kustomization.yaml b/deploy/infra/kustomization.yaml index 3506e35..7ef48a4 100644 --- a/deploy/infra/kustomization.yaml +++ b/deploy/infra/kustomization.yaml @@ -5,8 +5,10 @@ resources: - cd-serviceaccount.yaml - network-policies.yaml - certificate.yaml - - websecure-ingress-route.yaml - - public-https-ingress-route.yaml + - ingress-web.yaml + - ingress-web-public.yaml + - ingress-ssh.yaml + - ingress-ssh-public.yaml generatorOptions: disableNameSuffixHash: true 
diff --git a/deploy/infra/network-policies.yaml b/deploy/infra/network-policies.yaml index 8319a04..6625b6b 100644 --- a/deploy/infra/network-policies.yaml +++ b/deploy/infra/network-policies.yaml @@ -14,29 +14,10 @@ spec: --- - apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: - name: allow-ssh-to-gitea -spec: - endpointSelector: - matchLabels: - app.kubernetes.io/name: gitea - - ingress: - - fromCIDRSet: - - cidr: 0.0.0.0/0 - toPorts: - - ports: - - port: "2222" - protocol: TCP ---- - -apiVersion: cilium.io/v2 -kind: CiliumNetworkPolicy -metadata: - name: allow-gitea-ingress + name: allow-traefik-ingress spec: endpointSelector: matchLabels: @@ -44,7 +25,7 @@ spec: ingress: # ------------------------------------------------------------- - # Allow Traefik (in kube-system) to reach Gitea on port 3000 + # Allow Traefik (in kube-system) to reach Gitea on port 3000 and 2222 # ------------------------------------------------------------- - fromEndpoints: - matchLabels: @@ -53,9 +34,12 @@ spec: - key: k8s:io.kubernetes.pod.namespace operator: In values: - - kube-system + - traefik + - traefik-public toPorts: - ports: - port: "3000" protocol: TCP - + - ports: + - port: "2222" + protocol: TCP \ No newline at end of file
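Review bot: The rewritten comment in the second hunk still says Traefik lives in kube-system, but the selector in the third hunk now admits the `traefik` and `traefik-public` namespaces instead. A stale comment on a network policy is easy to trust during an audit, so I would change it to `# Allow Traefik (namespaces traefik, traefik-public) to reach Gitea on ports 3000 (HTTP) and 2222 (SSH)`. The pod-label `matchLabels` under `fromEndpoints` falls between the hunks and is not visible, so it is worth checking that it still matches the pods of both Traefik instances. This policy is now the only path to port 2222 after the 0.0.0.0/0 rule was removed.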