diff --git a/gitops/README.md b/gitops/README.md
index ca29426..2ae4042 100644
--- a/gitops/README.md
+++ b/gitops/README.md
@@ -50,7 +50,11 @@ See [docs/BOOTSTRAP.md](docs/BOOTSTRAP.md) for Argo CD access to `git.luneski.fr
 Helm 3.19 may return empty content for `.Files.Get` on Windows; this chart uses `fromYaml (.Files.AsConfig)` as a workaround so packaged files still render correctly.
+## Ingress (web UI)
+
+Enable `ingress.enabled` and set `ingress.host` (and optional TLS). Traffic is sent to Service **`revproxy`** (internal nginx). On k3s, `ingress.className: traefik` matches the default controller.
+
 ## Not migrated in this chart
-- **Edge proxy stack** (`app/proxy/docker-compose.yml`, host 80/443) — use k3s **Traefik** / **Ingress** + **cert-manager**, or a separate DaemonSet/nginx chart.
+- **Edge proxy stack** (`app/proxy/docker-compose.yml`, host 80/443 Swarm mode) — replaced for K8s by this **Ingress** + `revproxy`; optional **cert-manager** for TLS at the Ingress.
 - **Swarm-only secrets** (e.g. `ssl_passphrase`) — handle via Kubernetes Secrets or external operators.
diff --git a/gitops/charts/onelab/templates/ingress.yaml b/gitops/charts/onelab/templates/ingress.yaml
new file mode 100644
index 0000000..fcb0b64
--- /dev/null
+++ b/gitops/charts/onelab/templates/ingress.yaml
@@ -0,0 +1,34 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: onelab-revproxy
+ labels:
+ {{- include "onelab.labels" . | nindent 4 }}
+ annotations:
+ argocd.argoproj.io/sync-wave: {{ .Values.syncWaves.apps | quote }}
+ {{- with .Values.ingress.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.ingress.className }}
+ ingressClassName: {{ .Values.ingress.className | quote }}
+ {{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+ - hosts:
+ - {{ .Values.ingress.host | quote }}
+ secretName: {{ if .Values.ingress.tlsSecretName }}{{ .Values.ingress.tlsSecretName | quote }}{{ else }}{{ printf "%s-tls" .Release.Name | quote }}{{ end }}
+ {{- end }}
+ rules:
+ - host: {{ .Values.ingress.host | quote }}
+ http:
+ paths:
+ - path: {{ .Values.ingress.path | quote }}
+ pathType: {{ .Values.ingress.pathType | quote }}
+ backend:
+ service:
+ name: revproxy
+ port:
+ name: http
+{{- end }}
diff --git a/gitops/charts/onelab/values.yaml b/gitops/charts/onelab/values.yaml
index 6c811d3..438f501 100644
--- a/gitops/charts/onelab/values.yaml
+++ b/gitops/charts/onelab/values.yaml
@@ -87,6 +87,17 @@ revproxy:
 nodePort: 30080
 ipv6Listen: true
+# HTTP routing to internal nginx (revproxy). On k3s, set className: traefik (default controller).
+ingress:
+ enabled: false
+ className: ""
+ host: onelab.local
+ path: /
+ pathType: Prefix
+ annotations: {}
+ tls: false
+ tlsSecretName: ""
+
 # Replica counts (api.apidevice etc. override defaults in templates/workloads.yaml via this map)
 replicas:
 api: 2
diff --git a/gitops/values/k3s-example.yaml b/gitops/values/k3s-example.yaml
index fe4d42b..5bd4819 100644
--- a/gitops/values/k3s-example.yaml
+++ b/gitops/values/k3s-example.yaml
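Review bot: When `ingress.tls` is true and `tlsSecretName` is empty, the rendered `secretName` falls back to `<release>-tls`, but nothing in this chart creates that Secret, so the controller will serve its own default certificate until cert-manager or an operator provisions it; that behaviour belongs next to `tls`/`tlsSecretName` in the `ingress:` block added to values.yaml, not only in the README. The inline `{{ if }}…{{ else }}…{{ end }}` on the `secretName` line reads more simply as `secretName: {{ .Values.ingress.tlsSecretName | default (printf "%s-tls" .Release.Name) | quote }}`. The backend assumes the `revproxy` Service exposes a port named `http`; that Service is outside this diff, so confirm the port name matches or the Ingress will route to nothing. With `tls` false (the chart default) the host is reachable over plain HTTP only, and even with `tls` true this template adds no HTTP-to-HTTPS redirect — on Traefik that is typically done via an entrypoint redirect or a Middleware referenced from `ingress.annotations`, which a comment on `annotations: {}` could point to.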
@@ -23,7 +23,8 @@ postgresql:
 password: "DBPasswordPlaceholder"
 onelab:
- domain: "https://localhost"
+ # Match how users reach the UI (Ingress host); use https:// when ingress.tls is true.
+ domain: "http://onelab.local"
 secrets:
 authTokenKey: "TokenAuthPlaceholder"
 monitoringToken: "TokenMonitoringPlaceholder"
@@ -32,6 +33,18 @@ onelab:
 appid: "zxvgsagz"
 secret: "QUw2jEV8utIpe9DeYjOqBjhBY9VxjXddKUCISUNu"
+# ClusterIP keeps traffic via Ingress only; use NodePort instead if you need direct node:port access.
 revproxy:
- serviceType: NodePort
- nodePort: 30080
+ serviceType: ClusterIP
+
+ingress:
+ enabled: true
+ className: traefik
+ # Set DNS or /etc/hosts to this host pointing at your ingress (e.g. worker external IP or LB).
+ host: onelab.local
+ path: /
+ pathType: Prefix
+ annotations: {}
+ tls: false
+ # tls: true
+ # tlsSecretName: onelab-tls # create with cert-manager or kubectl
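Review bot: `domain: "http://onelab.local"` hard-codes the plain-HTTP scheme and relies only on the comment above it to keep it in step with `ingress.tls`; nothing ties the two values together, so enabling TLS later while leaving `domain` untouched presumably makes the application emit `http://` links and callbacks for a host that now expects HTTPS — confirm how `onelab.domain` is consumed before relying on the comment alone. Since this is the example file operators copy, consider showing the TLS form instead (`domain: "https://onelab.local"` together with `ingress.tls: true`), or at least make the comment explicit: `# Must match the Ingress host AND scheme; keep https:// whenever ingress.tls is true, otherwise the UI session runs over cleartext HTTP.` The enclosing `onelab:` mapping continues past this hunk.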