ingress revision

deploy/app/helm-values.yaml

@@ -152,10 +152,9 @@ persistence:
 
 service:
   ssh:
-    type: LoadBalancer
+    clusterIP: ""   # empty string → Kubernetes assigns a routable ClusterIP
-    enabled: true
+    type: ClusterIP
     port: 2222
-    externalTrafficPolicy: Local
   http:
     clusterIP: ""   # empty string → Kubernetes assigns a routable ClusterIP
     type: ClusterIP

deploy/infra/ingress-ssh-public.yaml

@@ -0,0 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: ssh-public
+  annotations:
+    kubernetes.io/ingress.class: traefik-public
+spec:
+  entryPoints:
+    - tcp2222
+  routes:
+    - match: HostSNI(`*`)
+      services:
+        - name: gitea-ssh
+          port: 2222

deploy/infra/ingress-ssh.yaml

@@ -0,0 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: ssh
+  annotations:
+    kubernetes.io/ingress.class: traefik
+spec:
+  entryPoints:
+    - tcp2222
+  routes:
+    - match: HostSNI(`*`)
+      services:
+        - name: gitea-ssh
+          port: 2222

deploy/infra/ingress-web-public.yaml

@@ -1,10 +1,12 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: public-https
+  name: web-public
+  annotations:
+    kubernetes.io/ingress.class: traefik-public
 spec:
   entryPoints:
-    - public-https
+    - websecure
   routes:
     - match: Host(`git.limbosolutions.com`) && !PathPrefix(`/-/admin`)
       kind: Rule

deploy/infra/ingress-web.yaml

@@ -1,7 +1,9 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: websecure
+  name: web
+  annotations:
+    kubernetes.io/ingress.class: traefik
 spec:
   entryPoints:
     - websecure

deploy/infra/kustomization.yaml

@@ -5,8 +5,10 @@ resources:
   - cd-serviceaccount.yaml
   - network-policies.yaml
   - certificate.yaml
-  - websecure-ingress-route.yaml
+  - ingress-web.yaml
-  - public-https-ingress-route.yaml
+  - ingress-web-public.yaml
+  - ingress-ssh.yaml
+  - ingress-ssh-public.yaml
 generatorOptions:
   disableNameSuffixHash: true
 

deploy/infra/network-policies.yaml

@@ -14,29 +14,10 @@ spec:
 
     
 ---
-
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
-  name: allow-ssh-to-gitea
+  name: allow-traefik-ingress
-spec:
-  endpointSelector:
-    matchLabels:
-      app.kubernetes.io/name: gitea
-
-  ingress:
-    - fromCIDRSet:
-        - cidr: 0.0.0.0/0
-      toPorts:
-        - ports:
-            - port: "2222"
-              protocol: TCP
----
-
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-gitea-ingress
 spec:
   endpointSelector:
     matchLabels:
@@ -44,7 +25,7 @@ spec:
 
   ingress:
     # -------------------------------------------------------------
-    # Allow Traefik (in kube-system) to reach Gitea on port 3000
+    # Allow Traefik (in kube-system) to reach Gitea on port 3000 and 2222
     # -------------------------------------------------------------
     - fromEndpoints:
         - matchLabels:
@@ -53,9 +34,12 @@ spec:
             - key: k8s:io.kubernetes.pod.namespace
               operator: In
               values:
-                - kube-system
+                - traefik
+                - traefik-public
       toPorts:
         - ports:
             - port: "3000"
               protocol: TCP
-
+        - ports:
+            - port: "2222"
+              protocol: TCP