feat(ingress): Traefik ingress to revproxy for web UI; ClusterIP revproxy in k3s example

Made-with: Cursor

gitops/README.md

@@ -50,7 +50,11 @@ See [docs/BOOTSTRAP.md](docs/BOOTSTRAP.md) for Argo CD access to `git.luneski.fr
 
 Helm 3.19 may return empty content for `.Files.Get` on Windows; this chart uses `fromYaml (.Files.AsConfig)` as a workaround so packaged files still render correctly.
 
+## Ingress (web UI)
+
+Enable `ingress.enabled` and set `ingress.host` (and optional TLS). Traffic is sent to Service **`revproxy`** (internal nginx). On k3s, `ingress.className: traefik` matches the default controller.
+
 ## Not migrated in this chart
 
-- **Edge proxy stack** (`app/proxy/docker-compose.yml`, host 80/443) — use k3s **Traefik** / **Ingress** + **cert-manager**, or a separate DaemonSet/nginx chart.
+- **Edge proxy stack** (`app/proxy/docker-compose.yml`, host 80/443 Swarm mode) — replaced for K8s by this **Ingress** + `revproxy`; optional **cert-manager** for TLS at the Ingress.
 - **Swarm-only secrets** (e.g. `ssl_passphrase`) — handle via Kubernetes Secrets or external operators.

gitops/charts/onelab/templates/ingress.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: onelab-revproxy
+  labels:
+    {{- include "onelab.labels" . | nindent 4 }}
+  annotations:
+    argocd.argoproj.io/sync-wave: {{ .Values.syncWaves.apps | quote }}
+    {{- with .Values.ingress.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className | quote }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host | quote }}
+      secretName: {{ if .Values.ingress.tlsSecretName }}{{ .Values.ingress.tlsSecretName | quote }}{{ else }}{{ printf "%s-tls" .Release.Name | quote }}{{ end }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.ingress.host | quote }}
+      http:
+        paths:
+          - path: {{ .Values.ingress.path | quote }}
+            pathType: {{ .Values.ingress.pathType | quote }}
+            backend:
+              service:
+                name: revproxy
+                port:
+                  name: http
+{{- end }}

gitops/charts/onelab/values.yaml

@@ -87,6 +87,17 @@ revproxy:
   nodePort: 30080
   ipv6Listen: true
 
+# HTTP routing to internal nginx (revproxy). On k3s, set className: traefik (default controller).
+ingress:
+  enabled: false
+  className: ""
+  host: onelab.local
+  path: /
+  pathType: Prefix
+  annotations: {}
+  tls: false
+  tlsSecretName: ""
+
 # Replica counts (api.apidevice etc. override defaults in templates/workloads.yaml via this map)
 replicas:
   api: 2

gitops/values/k3s-example.yaml

@@ -23,7 +23,8 @@ postgresql:
     password: "DBPasswordPlaceholder"
 
 onelab:
-  domain: "https://localhost"
+  # Match how users reach the UI (Ingress host); use https:// when ingress.tls is true.
+  domain: "http://onelab.local"
   secrets:
     authTokenKey: "TokenAuthPlaceholder"
     monitoringToken: "TokenMonitoringPlaceholder"
@@ -32,6 +33,18 @@ onelab:
     appid: "zxvgsagz"
     secret: "QUw2jEV8utIpe9DeYjOqBjhBY9VxjXddKUCISUNu"
 
+# ClusterIP keeps traffic via Ingress only; use NodePort instead if you need direct node:port access.
 revproxy:
-  serviceType: NodePort
+  serviceType: ClusterIP
-  nodePort: 30080
+
+ingress:
+  enabled: true
+  className: traefik
+  # Set DNS or /etc/hosts to this host pointing at your ingress (e.g. worker external IP or LB).
+  host: onelab.local
+  path: /
+  pathType: Prefix
+  annotations: {}
+  tls: false
+  # tls: true
+  # tlsSecretName: onelab-tls   # create with cert-manager or kubectl