refactor ingresses

README.md

@@ -25,18 +25,20 @@ Aquest clúster K3s gestiona els següents serveis:
 ```
 .
 ├── README.md                    # Aquest fitxer
-├── ingress.yaml                 # Configuració d'Ingress principal (Traefik)
-├── nas.yaml                     # Servei extern per al NAS
 ├── <aplicació>/                 # Cada aplicació té el seu directori
 │   ├── deployment.yaml          # Definició del Deployment
-│   ├── service.yaml             # Definició del Service
+│   ├── service.yaml            # Definició del Service
-│   ├── ingress.yaml             # Configuració d'Ingress (opcional)
+│   ├── ingress.yaml             # Configuració d'Ingress de l'aplicació
 │   ├── namespace.yaml           # Namespace dedicat (opcional)
-│   ├── configmap.yaml           # ConfigMaps (opcional)
+│   ├── configmap.yaml          # ConfigMaps (opcional)
 │   └── pvc.yaml                 # PersistentVolumeClaims (opcional)
-└── monitoring/                  # Stack de monitorització complet
+└── nas/                         # Servei extern per al NAS
+    ├── nas.yaml                 # Service i Endpoints externs
+    └── ingress.yaml             # Ingress del NAS
 ```
 
+> **Nota**: Cada aplicació té el seu propi `ingress.yaml` dins del seu directori. Ja no hi ha cap `ingress.yaml` centralitzat a l'arrel.
+
 ## 🚀 Desplegament
 
 ### Prerequisits
@@ -66,9 +68,8 @@ for dir in */; do
   kubectl apply -f "$dir"
 done
 
-# O aplicar recursos globals primer
+# O aplicar recursos globals primer (opcional)
-kubectl apply -f ingress.yaml
+kubectl apply -f nas/
-kubectl apply -f nas.yaml
 ```
 
 ### Eliminar una Aplicació
@@ -83,18 +84,43 @@ kubectl delete -f <aplicació>/<fitxer>.yaml
 
 ## 🌐 Ingress i Networking
 
-### Configuració d'Ingress Principal
+### Configuració d'Ingress per Aplicació
 
-El fitxer [ingress.yaml](ingress.yaml) conté la configuració centralitzada d'Ingress utilitzant **Traefik** (controlador per defecte de K3s). Característiques:
+Cada aplicació té el seu propi fitxer `ingress.yaml` dins del seu directori, seguint el model de [pihole/ingress.yaml](pihole/ingress.yaml). Característiques:
 
-- **TLS/SSL**: Certificats wildcard `*.rogi.casa` gestionats per cert-manager
+- **Traefik**: Controlador per defecte de K3s (`ingressClassName: traefik`)
-- **Cloudflare Origin Issuer**: Utilitzat per generar certificats
+- **TLS/SSL**: Certificats per host gestionats per cert-manager amb el cluster-issuer `letsencrypt-prod`
-- **Redirect HTTPS**: Redireccions automàtiques de HTTP a HTTPS
+- **Secret per aplicació**: Cada ingress té el seu propi `<aplicació>-tls`
-- **Compressió**: Habilitada per defecte
+- **Namespace dedicat**: Cada ingress pertany al namespace de la seva aplicació
 
-### Aplicacions amb Ingress Dedicat
+Exemple (`pihole/ingress.yaml`):
 
-Algunes aplicacions tenen el seu propi fitxer `ingress.yaml` dins del seu directori per a configuracions específiques.
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: pihole
+  namespace: pihole
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - pihole.rogi.casa
+    secretName: pihole-tls
+  rules:
+  - host: pihole.rogi.casa
+    http:
+      paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: pihole-web
+              port:
+                number: 80
+```
 
 ## 💾 Persistència de Dades
 
@@ -218,7 +244,7 @@ kubectl get pv
 
 ## 📝 Bones Pràctiques
 
-1. **Namespaces**: Les aplicacions complexes utilitzen namespaces dedicats (n8n, monitoring, phoenix)
+1. **Namespaces**: Totes les aplicacions tenen un namespace dedicat; cap queda al namespace `default`
 2. **Labels**: Tots els recursos utilitzen labels consistents per facilitar la gestió
 3. **Resources Limits**: Configura limits de CPU/memòria per evitar overconsumption
 4. **Health Checks**: Implementa liveness i readiness probes quan sigui possible
@@ -245,7 +271,7 @@ kubectl rollout undo deployment/<nom> -n <namespace>
 ## 🌟 Serveis Externs
 
 ### NAS
-El fitxer [nas.yaml](nas.yaml) configura un servei extern que apunta al NAS local (10.88.88.238:5000) sense desplegar pods dins del clúster.
+El fitxer [nas/nas.yaml](nas/nas.yaml) configura un servei extern que apunta al NAS local (10.88.88.238:5000) sense desplegar pods dins del clúster. L'Ingress corresponent és a [nas/ingress.yaml](nas/ingress.yaml).
 
 ## 📚 Recursos Addicionals
 

gitea/ingress.yaml

@@ -1,4 +1,3 @@
-# gitea-ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -10,10 +9,10 @@ spec:
   ingressClassName: traefik
   tls:
   - hosts:
-    - git.rogi.casa
+    - gitea.rogi.casa
     secretName: gitea-tls
   rules:
-  - host: git.rogi.casa
+  - host: gitea.rogi.casa
     http:
       paths:
       - path: /

glance/config-map.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: glance-config
+  namespace: glance
 data:
   glance.yml: |
     pages:

glance/glance.yaml

@@ -1,7 +1,13 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: glance
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: glance
+  namespace: glance
 spec:
   replicas: 1
   selector:
@@ -29,7 +35,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: glance-service
-  namespace: default
+  namespace: glance
 spec:
   type: ClusterIP
   selector:

glance/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: glance
+  namespace: glance
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - glance.rogi.casa
+    secretName: glance-tls
+  rules:
+  - host: glance.rogi.casa
+    http:
+      paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: glance-service
+              port:
+                number: 80

gym-tracker/deployment.yaml

@@ -1,7 +1,13 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gym-tracker
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: gym-tracker
+  namespace: gym-tracker
   labels:
     app: gym-tracker
 spec:
@@ -67,6 +73,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: gym-tracker
+  namespace: gym-tracker
   labels:
     app: gym-tracker
 spec:
@@ -87,6 +94,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: gym-tracker-data
+  namespace: gym-tracker
   labels:
     app: gym-tracker
 spec:

gym-tracker/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gym-tracker
+  namespace: gym-tracker
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - gym.rogi.casa
+    secretName: gym-tracker-tls
+  rules:
+  - host: gym.rogi.casa
+    http:
+      paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: gym-tracker
+              port:
+                number: 80

homeassistant/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: homeassistant
+  namespace: home-assistant
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - homeassistant.rogi.casa
+    secretName: homeassistant-tls
+  rules:
+  - host: homeassistant.rogi.casa
+    http:
+      paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: home-assistant
+              port:
+                number: 80

ingress.yaml

@@ -1,307 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: rogicasa-ingress
-  namespace: default
-  annotations:
-    # Use Traefik as the ingress controller (default in k3s)
-    kubernetes.io/ingress.class: "traefik"
-    # Enable SSL redirect
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    # Optional: enable compression
-    traefik.ingress.kubernetes.io/compress: "true"
-    cert-manager.io/issuer: prod-issuer
-    cert-manager.io/issuer-kind: OriginIssuer
-    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
-spec:
-  tls:
-    - hosts:
-      - "*.rogi.casa"
-      secretName: rogicasa-tls
-  rules:
-  - host: glance.rogi.casa
-    http:
-      paths:
-        - path: /
-          pathType: Prefix
-          backend:
-            service:
-              name: glance-service
-              port:
-                number: 80
-  - host: pihole.rogi.casa
-    http:
-      paths:
-        - path: /
-          pathType: Prefix
-          backend:
-            service:
-              name: pihole-web
-              port:
-                number: 80
-  - host: litellm.rogi.casa
-    http:
-      paths:
-        - path: /
-          pathType: Prefix
-          backend:
-            service:
-              name: litellm-service
-              port:
-                number: 80
-  - host: openai.rogi.casa
-    http:
-      paths:
-        - path: /
-          pathType: Prefix
-          backend:
-            service:
-              name: open-webui-service
-              port:
-                number: 80
-  - host: gym.rogi.casa
-    http:
-      paths:
-        - path: /
-          pathType: Prefix
-          backend:
-            service:
-              name: gym-tracker
-              port:
-                number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: gitea-ingress
-  namespace: gitea
-  annotations:
-    # Use Traefik as the ingress controller (default in k3s)
-    kubernetes.io/ingress.class: "traefik"
-    # Enable SSL redirect
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    # Optional: enable compression
-    traefik.ingress.kubernetes.io/compress: "true"
-    cert-manager.io/issuer: prod-issuer
-    cert-manager.io/issuer-kind: OriginIssuer
-    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
-spec:
-  tls:
-    - hosts:
-      - "*.rogi.casa"
-      secretName: rogicasa-tls
-  rules:
-  - host: gitea.rogi.casa
-    http:
-      paths:
-        - path: /
-          pathType: Prefix
-          backend:
-            service:
-              name: gitea
-              port:
-                number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: monitoring-ingress
-  namespace: monitoring
-  annotations:
-    # Use Traefik as the ingress controller (default in k3s)
-    kubernetes.io/ingress.class: "traefik"
-    # Enable SSL redirect
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    # Optional: enable compression
-    traefik.ingress.kubernetes.io/compress: "true"
-    cert-manager.io/issuer: prod-issuer
-    cert-manager.io/issuer-kind: OriginIssuer
-    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
-spec:
-  tls:
-    - hosts:
-      - "*.rogi.casa"
-      secretName: rogicasa-tls
-  rules:
-  - host: grafana.rogi.casa
-    http:
-      paths:
-        - path: /
-          pathType: Prefix
-          backend:
-            service:
-              name: grafana
-              port:
-                number: 80
-  - host: prometheus.rogi.casa
-    http:
-      paths:
-        - path: /
-          pathType: Prefix
-          backend:
-            service:
-              name: prometheus-k8s
-              port:
-                number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: vaultwarden-ingress
-  namespace: vaultwarden
-  annotations:
-    # Use Traefik as the ingress controller (default in k3s)
-    kubernetes.io/ingress.class: "traefik"
-    # Enable SSL redirect
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    # Optional: enable compression
-    traefik.ingress.kubernetes.io/compress: "true"
-    cert-manager.io/issuer: prod-issuer
-    cert-manager.io/issuer-kind: OriginIssuer
-    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
-spec:
-  tls:
-    - hosts:
-      - "*.rogi.casa"
-      secretName: rogicasa-tls
-  rules:
-  - host: vaultwarden.rogi.casa
-    http:
-      paths:
-        - path: /
-          pathType: Prefix
-          backend:
-            service:
-              name: vaultwarden
-              port:
-                number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: homeassistant-ingress
-  namespace: home-assistant
-  annotations:
-    # Use Traefik as the ingress controller (default in k3s)
-    kubernetes.io/ingress.class: "traefik"
-    # Enable SSL redirect
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    # Optional: enable compression
-    traefik.ingress.kubernetes.io/compress: "true"
-    cert-manager.io/issuer: prod-issuer
-    cert-manager.io/issuer-kind: OriginIssuer
-    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
-spec:
-  tls:
-    - hosts:
-      - "*.rogi.casa"
-      secretName: rogicasa-tls
-  rules:
-  - host: homeassistant.rogi.casa
-    http:
-      paths:
-        - path: /
-          pathType: Prefix
-          backend:
-            service:
-              name: home-assistant
-              port:
-                number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: minecraft-ingress
-  namespace: minecraft
-  annotations:
-    # Use Traefik as the ingress controller (default in k3s)
-    kubernetes.io/ingress.class: "traefik"
-    # Enable SSL redirect
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    # Optional: enable compression
-    traefik.ingress.kubernetes.io/compress: "true"
-    cert-manager.io/issuer: prod-issuer
-    cert-manager.io/issuer-kind: OriginIssuer
-    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
-spec:
-  tls:
-    - hosts:
-      - "*.rogi.casa"
-      secretName: rogicasa-tls
-  rules:
-  - host: minecraft.rogi.casa
-    http:
-      paths:
-        - path: /
-          pathType: Prefix
-          backend:
-            service:
-              name: minecraft-server
-              port:
-                number: 25565
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: argocd-ingress
-  namespace: argocd
-  annotations:
-    # Use Traefik as the ingress controller (default in k3s)
-    kubernetes.io/ingress.class: "traefik"
-    # Enable SSL redirect
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    # Optional: enable compression
-    traefik.ingress.kubernetes.io/compress: "true"
-    cert-manager.io/issuer: prod-issuer
-    cert-manager.io/issuer-kind: OriginIssuer
-    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
-spec:
-  tls:
-    - hosts:
-      - "*.rogi.casa"
-      secretName: rogicasa-tls
-  rules:
-  - host: argocd.rogi.casa
-    http:
-      paths:
-        - path: /
-          pathType: Prefix
-          backend:
-            service:
-              name: argocd-server
-              port:
-                number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: nas-ingress
-  namespace: default
-  annotations:
-    # Use Traefik as the ingress controller (default in k3s)
-    kubernetes.io/ingress.class: "traefik"
-    # Enable SSL redirect
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    # Optional: enable compression
-    traefik.ingress.kubernetes.io/compress: "true"
-    # Allow large file uploads (5GB) for NAS
-    traefik.ingress.kubernetes.io/max-request-body-bytes: "5368709120"
-    cert-manager.io/issuer: prod-issuer
-    cert-manager.io/issuer-kind: OriginIssuer
-    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
-spec:
-  tls:
-    - hosts:
-      - "*.rogi.casa"
-      secretName: rogicasa-tls
-  rules:
-  - host: nas.rogi.casa
-    http:
-      paths:
-        - path: /
-          pathType: Prefix
-          backend:
-            service:
-              name: external-ip
-              port:
-                number: 80

litellm/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: litellm
+  namespace: litellm
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - litellm.rogi.casa
+    secretName: litellm-tls
+  rules:
+  - host: litellm.rogi.casa
+    http:
+      paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: litellm-service
+              port:
+                number: 80

litellm/litellm.yaml

@@ -1,7 +1,13 @@
 apiVersion: v1
+kind: Namespace
+metadata:
+  name: litellm
+---
+apiVersion: v1
 kind: ConfigMap
 metadata:
   name: litellm-config-file
+  namespace: litellm
 data:
   config.yaml: |
     model_list:
@@ -50,6 +56,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: litellm-deployment
+  namespace: litellm
   labels:
     app: litellm
 spec:
@@ -88,7 +95,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: litellm-service
-  namespace: default
+  namespace: litellm
 spec:
   type: ClusterIP
   selector:

litellm/postgres.yaml

@@ -18,6 +18,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: postgres-volume-claim
+  namespace: litellm
   labels:
     app: postgres
 spec:
@@ -32,6 +33,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: postgres
+  namespace: litellm
 spec:
   replicas: 1
   selector:
@@ -63,6 +65,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: postgres
+  namespace: litellm
   labels:
     app: postgres
 spec:

minecraft-server/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: minecraft
+  namespace: minecraft
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - minecraft.rogi.casa
+    secretName: minecraft-tls
+  rules:
+  - host: minecraft.rogi.casa
+    http:
+      paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: minecraft-server
+              port:
+                number: 25565

monitoring/ingress.yaml

@@ -0,0 +1,35 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: monitoring
+  namespace: monitoring
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - grafana.rogi.casa
+    - prometheus.rogi.casa
+    secretName: monitoring-tls
+  rules:
+  - host: grafana.rogi.casa
+    http:
+      paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: grafana
+              port:
+                number: 80
+  - host: prometheus.rogi.casa
+    http:
+      paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: prometheus-k8s
+              port:
+                number: 80

myorg-assistant/configmap.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: myorg-assistant-config
-  namespace: default
+  namespace: myorg-assistant
 data:
   # LiteLLM Configuration
   LITELLM_ENDPOINT: "http://litellm-service.default.svc.cluster.local:4000"

myorg-assistant/cronjobs/deadline-checker.yaml

@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: myorg-deadline-checker
-  namespace: default
+  namespace: myorg-assistant
   labels:
     app: myorg-assistant
     job: deadline-checker

myorg-assistant/cronjobs/evening-summary.yaml

@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: myorg-evening-summary
-  namespace: default
+  namespace: myorg-assistant
   labels:
     app: myorg-assistant
     job: evening-summary

myorg-assistant/cronjobs/git-sync.yaml

@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: myorg-git-sync
-  namespace: default
+  namespace: myorg-assistant
   labels:
     app: myorg-assistant
     job: git-sync

myorg-assistant/cronjobs/morning-briefing.yaml

@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: myorg-morning-briefing
-  namespace: default
+  namespace: myorg-assistant
   labels:
     app: myorg-assistant
     job: morning-briefing

myorg-assistant/cronjobs/waiting-followup.yaml

@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: myorg-waiting-followup
-  namespace: default
+  namespace: myorg-assistant
   labels:
     app: myorg-assistant
     job: waiting-followup

myorg-assistant/deployment.yaml

@@ -1,8 +1,13 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: myorg-assistant
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: myorg-assistant
-  namespace: default
+  namespace: myorg-assistant
   labels:
     app: myorg-assistant
 spec:

myorg-assistant/ingress.yaml

@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: myorg-ingress
-  namespace: default
+  namespace: myorg-assistant
   annotations:
     # Use Traefik as the ingress controller (default in k3s)
     kubernetes.io/ingress.class: "traefik"

myorg-assistant/pvc.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: myorg-assistant-pvc
-  namespace: default
+  namespace: myorg-assistant
 spec:
   accessModes:
     - ReadWriteOnce

myorg-assistant/service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: myorg-assistant-service
-  namespace: default
+  namespace: myorg-assistant
   labels:
     app: myorg-assistant
 spec:

nas.yaml

@@ -1,45 +0,0 @@
-#apiVersion: networking.k8s.io/v1
-#kind: Ingress
-#metadata:
-#  name: nas-redirect
-#  annotations:
-#    nginx.ingress.kubernetes.io/permanent-redirect: "http://10.88.88.238:5000"
-#spec:
-#  rules:
-#  - host: nas.rogi.casa
-#    http:
-#      paths:
-#      - path: /
-#        pathType: Prefix
-#        backend:
-#          service:
-#            name: dummy-service
-#            port:
-#              number: 80
-apiVersion: v1
-kind: Service
-metadata:
-  name: external-ip
-spec:
-  ports:
-  - name: app
-    port: 80
-    protocol: TCP
-    targetPort: 5000
-  clusterIP: None
-  type: ClusterIP
----
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: external-ip
-subsets:
-- addresses:
-  - ip: 10.88.88.238
-  ports:
-  - name: app
-    port: 5000
-    protocol: TCP
-
-
-

nas/ingress.yaml

@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nas
+  namespace: nas
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    # Allow large file uploads (5GB) for NAS
+    traefik.ingress.kubernetes.io/max-request-body-bytes: "5368709120"
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - nas.rogi.casa
+    secretName: nas-tls
+  rules:
+  - host: nas.rogi.casa
+    http:
+      paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: external-ip
+              port:
+                number: 80

nas/nas.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nas
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: external-ip
+  namespace: nas
+spec:
+  ports:
+  - name: app
+    port: 80
+    protocol: TCP
+    targetPort: 5000
+  clusterIP: None
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: external-ip
+  namespace: nas
+subsets:
+- addresses:
+  - ip: 10.88.88.238
+  ports:
+  - name: app
+    port: 5000
+    protocol: TCP

openwebui/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openwebui
+  namespace: openwebui
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - openai.rogi.casa
+    secretName: openwebui-tls
+  rules:
+  - host: openai.rogi.casa
+    http:
+      paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: open-webui-service
+              port:
+                number: 80

openwebui/openwebui.yaml

@@ -1,7 +1,13 @@
 apiVersion: v1
+kind: Namespace
+metadata:
+  name: openwebui
+---
+apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: openwebui-pvc
+  namespace: openwebui
 spec:
   accessModes:
     - ReadWriteOnce
@@ -15,6 +21,7 @@ metadata:
   labels:
     app: open-webui
   name: open-webui
+  namespace: openwebui
 spec:
   replicas: 1
   selector:
@@ -84,6 +91,7 @@ metadata:
   labels:
     app: open-webui
   name: open-webui-service
+  namespace: openwebui
 spec:
   ports:
     - name: http

qbittorrent/ingress.yaml

@@ -2,6 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: qbittorrent-ingress
+  namespace: qbittorrent
   annotations:
     kubernetes.io/ingress.class: "traefik"
     traefik.ingress.kubernetes.io/redirect-entry-point: https

qbittorrent/qbittorrent.yaml

@@ -1,7 +1,13 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: qbittorrent
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: qbittorrent
+  namespace: qbittorrent
   labels:
     app: qbittorrent
 spec:
@@ -48,6 +54,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: qbittorrent-config
+  namespace: qbittorrent
   labels:
     app: qbittorrent
 spec:
@@ -76,6 +83,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: qbittorrent-downloads
+  namespace: qbittorrent
   labels:
     app: qbittorrent
 spec:
@@ -91,6 +99,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: qbittorrent
+  namespace: qbittorrent
   labels:
     app: qbittorrent
 spec:

vaultwarden/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: vaultwarden
+  namespace: vaultwarden
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - vaultwarden.rogi.casa
+    secretName: vaultwarden-tls
+  rules:
+  - host: vaultwarden.rogi.casa
+    http:
+      paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: vaultwarden
+              port:
+                number: 80