feat(k8s/external): add Home Assistant external routing via Traefik
This commit is contained in:
25
kubernetes/app/external/homeassistant/ingress.yaml
vendored
Normal file
25
kubernetes/app/external/homeassistant/ingress.yaml
vendored
Normal file
@@ -0,0 +1,25 @@
|
|||||||
|
---
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: Ingress
|
||||||
|
metadata:
|
||||||
|
name: homeassistant
|
||||||
|
namespace: homeassistant
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: letsencrypt
|
||||||
|
traefik.ingress.kubernetes.io/router.middlewares: homeassistant-security-headers@kubernetescrd
|
||||||
|
spec:
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- ${HOMEASSISTANT_HOST}
|
||||||
|
secretName: homeassistant-tls
|
||||||
|
rules:
|
||||||
|
- host: ${HOMEASSISTANT_HOST}
|
||||||
|
http:
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
pathType: Prefix
|
||||||
|
backend:
|
||||||
|
service:
|
||||||
|
name: homeassistant
|
||||||
|
port:
|
||||||
|
number: 8123
|
||||||
19
kubernetes/app/external/homeassistant/middleware.yaml
vendored
Normal file
19
kubernetes/app/external/homeassistant/middleware.yaml
vendored
Normal file
@@ -0,0 +1,19 @@
|
|||||||
|
---
|
||||||
|
apiVersion: traefik.io/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: security-headers
|
||||||
|
namespace: homeassistant
|
||||||
|
spec:
|
||||||
|
headers:
|
||||||
|
sslRedirect: true
|
||||||
|
stsIncludeSubdomains: true
|
||||||
|
stsPreload: true
|
||||||
|
stsSeconds: 315360000
|
||||||
|
browserXssFilter: true
|
||||||
|
contentTypeNosniff: true
|
||||||
|
forceSTSHeader: true
|
||||||
|
frameDeny: true
|
||||||
|
customFrameOptionsValue: SAMEORIGIN
|
||||||
|
hostsProxyHeaders:
|
||||||
|
- "X-Forwarded-Host"
|
||||||
7
kubernetes/app/external/homeassistant/namespace.yaml
vendored
Normal file
7
kubernetes/app/external/homeassistant/namespace.yaml
vendored
Normal file
@@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: homeassistant
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: homeassistant
|
||||||
11
kubernetes/app/external/homeassistant/service.yaml
vendored
Normal file
11
kubernetes/app/external/homeassistant/service.yaml
vendored
Normal file
@@ -0,0 +1,11 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: homeassistant
|
||||||
|
namespace: homeassistant
|
||||||
|
spec:
|
||||||
|
type: ExternalName
|
||||||
|
externalName: ${HOMEASSISTANT_INTERNAL_HOST}
|
||||||
|
ports:
|
||||||
|
- port: 8123
|
||||||
17
kubernetes/app/external/ks.yaml
vendored
Normal file
17
kubernetes/app/external/ks.yaml
vendored
Normal file
@@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||||
|
kind: Kustomization
|
||||||
|
metadata:
|
||||||
|
name: external-vars
|
||||||
|
namespace: flux-system
|
||||||
|
spec:
|
||||||
|
interval: 10m
|
||||||
|
path: ./kubernetes/app/external/vars
|
||||||
|
prune: true
|
||||||
|
sourceRef:
|
||||||
|
kind: GitRepository
|
||||||
|
name: flux-system
|
||||||
|
decryption:
|
||||||
|
provider: sops
|
||||||
|
secretRef:
|
||||||
|
name: sops-age
|
||||||
23
kubernetes/app/external/vars/homeassistant.sops.yaml
vendored
Normal file
23
kubernetes/app/external/vars/homeassistant.sops.yaml
vendored
Normal file
@@ -0,0 +1,23 @@
|
|||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: homeassistant-vars
|
||||||
|
namespace: flux-system
|
||||||
|
stringData:
|
||||||
|
HOMEASSISTANT_HOST: ENC[AES256_GCM,data:xHMOIu+pt7T/fbnfyD5B/InyCO7ZB1S2203agJ8uxjKIkA==,iv:z9Oh/JQo6cVUbKUcrHUFheXw5KU0U8byLH3OEwv0TyQ=,tag:0ThkPR7vJAxYsm1x0gs/bg==,type:str]
|
||||||
|
HOMEASSISTANT_INTERNAL_HOST: ENC[AES256_GCM,data:qq0NQ7hiEEpP6qyuBjxEwo5NPAifWQ==,iv:UD3rstcgk5nypLuyCbWEjCXb0yArWRWXUkGXuyOWrYk=,tag:QPBWyRtb611kVrsPwXtmwQ==,type:str]
|
||||||
|
sops:
|
||||||
|
age:
|
||||||
|
- recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5M0NPOEF2dTNrdlU2NldK
|
||||||
|
T09oWkErRFFYeENKK21NSjhOdmpUa0d3clMwCk9BRElxc2JEbFFyb0RKZ3oyaXhJ
|
||||||
|
ckErd3pDNFlHV2srUFlaNEwvRUYvaVEKLS0tIHNMeG1WOG9VOFY1Vk1PR3hnQ1Zk
|
||||||
|
U3Q2RGZZeVhVemo5L2ZkMHpsSU4xNzgK6SDl+uBDB4vQLHKVdJ4NndPo4VRSKWyX
|
||||||
|
f4gertz0xd70GN+X13x10KHikmAHhk7WoYgXzGsbhaLIsFJUPN71JA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2026-02-22T21:15:14Z"
|
||||||
|
mac: ENC[AES256_GCM,data:oQ5J6G5UIByo1Y0RE6wMJOosvgq1mXQiks3WZVv03HOpMZ7Tp8YWhTMinTSu+arJDnk8aZyUXkElPGYilc46BH/2pMXX/GHoeuFODUb/IjyjJyLLyoFEYGEAoI79gJxbBrChFG2iXoExTagbrAq4RooMnFb6XEStYjFNp/MOmTA=,iv:JmkHL/ALdz+fscZ3ZXoiKi/dm5Mkk2EEXAd0Ldek3DM=,tag:QD61z/DCmXCnQyukk65OJA==,type:str]
|
||||||
|
encrypted_regex: ^(data|stringData|email)$
|
||||||
|
version: 3.11.0
|
||||||
@@ -14,6 +14,7 @@ spec:
|
|||||||
dependsOn:
|
dependsOn:
|
||||||
- name: infrastructure-configs
|
- name: infrastructure-configs
|
||||||
- name: config
|
- name: config
|
||||||
|
- name: external-vars
|
||||||
decryption:
|
decryption:
|
||||||
provider: sops
|
provider: sops
|
||||||
secretRef:
|
secretRef:
|
||||||
@@ -22,3 +23,5 @@ spec:
|
|||||||
substituteFrom:
|
substituteFrom:
|
||||||
- kind: Secret
|
- kind: Secret
|
||||||
name: cluster-vars
|
name: cluster-vars
|
||||||
|
- kind: Secret
|
||||||
|
name: homeassistant-vars
|
||||||
|
|||||||
@@ -5,3 +5,4 @@ resources:
|
|||||||
- config/ks.yaml
|
- config/ks.yaml
|
||||||
- infrastructure/ks.yaml
|
- infrastructure/ks.yaml
|
||||||
- app/ks.yaml
|
- app/ks.yaml
|
||||||
|
- app/external/ks.yaml
|
||||||
|
|||||||
Reference in New Issue
Block a user