fix nas ingress
@@ -24,8 +24,7 @@ spec:
|
|||||||
- key encipherment
|
- key encipherment
|
||||||
---
|
---
|
||||||
# Selector-less Service + manual Endpoints pointing at the NAS.
|
# Selector-less Service + manual Endpoints pointing at the NAS.
|
||||||
# Requires the argocd-cm `resource.exclusions` to NOT exclude Endpoints
|
# (Endpoints is no longer excluded in argocd-cm, so ArgoCD manages it.)
|
||||||
# (the default K3s/ArgoCD exclusion strips all Endpoints objects).
|
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
@@ -51,33 +50,28 @@ subsets:
|
|||||||
- port: 5001
|
- port: 5001
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
---
|
---
|
||||||
apiVersion: networking.k8s.io/v1
|
# Traefik IngressRoute (CRD provider) where scheme: https is a first-class
|
||||||
kind: Ingress
|
# field. The standard kubernetes Ingress `service.serversscheme` annotation is
|
||||||
|
# ignored for selector-less/Endpoints-backed services in Traefik v3, which
|
||||||
|
# caused Traefik to dial the NAS with plain HTTP -> 400 from DSM's nginx.
|
||||||
|
apiVersion: traefik.io/v1alpha1
|
||||||
|
kind: IngressRoute
|
||||||
metadata:
|
metadata:
|
||||||
name: nas
|
name: nas
|
||||||
namespace: nas-proxy
|
namespace: nas-proxy
|
||||||
annotations:
|
|
||||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
|
||||||
# Tell Traefik the backend is HTTPS (DSM uses HTTPS on 5001)
|
|
||||||
traefik.ingress.kubernetes.io/router.tls: "true"
|
|
||||||
# Skip backend TLS verification since DSM uses a self-signed cert
|
|
||||||
traefik.ingress.kubernetes.io/service.serversscheme: https
|
|
||||||
traefik.ingress.kubernetes.io/service.serverstransport: skip-verify@file
|
|
||||||
traefik.ingress.kubernetes.io/max-request-body-bytes: "5368709120"
|
|
||||||
spec:
|
spec:
|
||||||
ingressClassName: traefik
|
entryPoints:
|
||||||
|
- websecure
|
||||||
|
routes:
|
||||||
|
- match: Host(`nas.rogi.casa`)
|
||||||
|
kind: Rule
|
||||||
|
services:
|
||||||
|
- kind: Service
|
||||||
|
name: synology-nas
|
||||||
|
namespace: nas-proxy
|
||||||
|
port: 5001
|
||||||
|
scheme: https
|
||||||
|
serversTransport: skip-verify
|
||||||
|
passHostHeader: true
|
||||||
tls:
|
tls:
|
||||||
- hosts:
|
secretName: nas-tls
|
||||||
- nas.rogi.casa
|
|
||||||
secretName: nas-tls
|
|
||||||
rules:
|
|
||||||
- host: nas.rogi.casa
|
|
||||||
http:
|
|
||||||
paths:
|
|
||||||
- path: /
|
|
||||||
pathType: Prefix
|
|
||||||
backend:
|
|
||||||
service:
|
|
||||||
name: synology-nas
|
|
||||||
port:
|
|
||||||
number: 5001
|
|
||||||
|
|||||||
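Review bot: `serversTransport: skip-verify` in the new IngressRoute drops the `@file` suffix the old annotation carried (`skip-verify@file`), and a bare name there is resolved as a ServersTransport CRD in the route's own namespace. No such resource is visible in this section, so unless one exists in `nas-proxy` the reference should stay `serversTransport: skip-verify@file`. The transport's name, together with the removed comment about DSM's self-signed cert, suggests it disables certificate verification, which would leave the Traefik-to-DSM hop encrypted but unauthenticated. A ServersTransport that trusts the DSM certificate through `rootCAsSecrets` with a matching `serverName` would close that gap. The commit also deletes the only comment explaining the skip, so until then I would restore one above that line, e.g. `# DSM presents a self-signed cert, so backend verification is skipped`.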