feat(k8s/external): add Home Assistant external routing via Traefik

kubernetes/app/external/homeassistant/ingress.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: homeassistant
+  namespace: homeassistant
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: homeassistant-security-headers@kubernetescrd
+spec:
+  tls:
+    - hosts:
+        - ${HOMEASSISTANT_HOST}
+      secretName: homeassistant-tls
+  rules:
+    - host: ${HOMEASSISTANT_HOST}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: homeassistant
+                port:
+                  number: 8123

kubernetes/app/external/homeassistant/middleware.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: security-headers
+  namespace: homeassistant
+spec:
+  headers:
+    sslRedirect: true
+    stsIncludeSubdomains: true
+    stsPreload: true
+    stsSeconds: 315360000
+    browserXssFilter: true
+    contentTypeNosniff: true
+    forceSTSHeader: true
+    frameDeny: true
+    customFrameOptionsValue: SAMEORIGIN
+    hostsProxyHeaders:
+      - "X-Forwarded-Host"

kubernetes/app/external/homeassistant/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: homeassistant
+  labels:
+    app.kubernetes.io/name: homeassistant

kubernetes/app/external/homeassistant/service.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: homeassistant
+  namespace: homeassistant
+spec:
+  type: ExternalName
+  externalName: ${HOMEASSISTANT_INTERNAL_HOST}
+  ports:
+    - port: 8123