From 3ace05a695aba6196131794da86baf37af4dc037 Mon Sep 17 00:00:00 2001
From: gilgamezh
Date: Thu, 7 May 2026 10:36:22 +0200
Subject: [PATCH] build: migrate ingresses for Traefik v3 (k3s upgrade)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

k3s update bumped Traefik chart 37 → 39, dropping v2 support. Replace the v2-only `whitelist.sourcerange` annotation on the gitea ingress with an `ipAllowList` Middleware (resources/gitea-middleware.yaml), referenced via `router.middlewares`. Switch the default-ns ingresses (kube-plex, radarr, sonarr, lidarr) from the deprecated `kubernetes.io/ingress.class` annotation to `spec.ingressClassName`.

Co-Authored-By: Claude Opus 4.7
---
 non_argo_values/gitea_values.yaml | 4 ++--
 resources/gitea-middleware.yaml | 12 ++++++++++++
 resources/ingress.yaml | 8 ++++----
 3 files changed, 18 insertions(+), 6 deletions(-)
 create mode 100644 resources/gitea-middleware.yaml

diff --git a/non_argo_values/gitea_values.yaml b/non_argo_values/gitea_values.yaml
index bdc537d..711b0b3 100644
--- a/non_argo_values/gitea_values.yaml
+++ b/non_argo_values/gitea_values.yaml
@@ -21,8 +21,8 @@ ingress:
 className: traefik
 pathType: Prefix
 annotations:
- # Restrict to LAN access (matching your existing pattern)
- traefik.ingress.kubernetes.io/whitelist.sourcerange: "192.168.0.0/16,10.0.0.0/8,172.16.0.0/12"
+ # Restrict to LAN access via Traefik v3 Middleware (resources/gitea-middleware.yaml)
+ traefik.ingress.kubernetes.io/router.middlewares: "gitea-lan-only@kubernetescrd"
 cert-manager.io/cluster-issuer: "letsencrypt-production"
 hosts:
 - host: gitea.gilgamezh.me
diff --git a/resources/gitea-middleware.yaml b/resources/gitea-middleware.yaml
new file mode 100644
index 0000000..dd3b2ad
--- /dev/null
+++ b/resources/gitea-middleware.yaml
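Review bot: The comment on the new `router.middlewares` annotation in non_argo_values/gitea_values.yaml does not say how `gitea-lan-only@kubernetescrd` maps to a resource, and the LAN restriction now lives in a manifest outside this Helm release. Traefik builds that reference as `<namespace>-<name>@kubernetescrd`, so it resolves only while the Middleware is named `lan-only` in namespace `gitea` and has actually been applied to the cluster. I would extend the comment to `# Middleware "lan-only" in namespace "gitea"; apply resources/gitea-middleware.yaml before this release`. After rollout, check the Traefik logs or dashboard for a router error on the gitea host, since a rename on either side would break the link without any Helm failure. The `ingress:` block continues outside the hunk.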
@@ -0,0 +1,12 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: lan-only
+ namespace: gitea
+spec:
+ ipAllowList:
+ sourceRange:
+ - 192.168.0.0/16
+ - 10.0.0.0/8
+ - 172.16.0.0/12
diff --git a/resources/ingress.yaml b/resources/ingress.yaml
index 9ca44f7..7fe60cf 100644
--- a/resources/ingress.yaml
+++ b/resources/ingress.yaml
@@ -4,12 +4,12 @@ kind: Ingress
 metadata:
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-production
- kubernetes.io/ingress.class: traefik
 labels:
 app: kube-plex
 name: kube-plex
 namespace: default
 spec:
+ ingressClassName: traefik
 rules:
 - host: tp2.gilgamezh.me
 http:
@@ -31,12 +31,12 @@ kind: Ingress
 metadata:
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-production
- kubernetes.io/ingress.class: traefik
 labels:
 app: radarr
 name: radarr
 namespace: default
 spec:
+ ingressClassName: traefik
 rules:
 - host: radarr.gilgamezh.me
 http:
@@ -58,12 +58,12 @@ kind: Ingress
 metadata:
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-production
- kubernetes.io/ingress.class: traefik
 labels:
 app: sonarr
 name: sonarr
 namespace: default
 spec:
+ ingressClassName: traefik
 rules:
 - host: sonarr.gilgamezh.me
 http:
@@ -85,12 +85,12 @@ kind: Ingress
 metadata:
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-production
- kubernetes.io/ingress.class: traefik
 labels:
 app: lidarr
 name: lidarr
 namespace: default
 spec:
+ ingressClassName: traefik
 rules:
 - host: lidarr.gilgamezh.me
 http:
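Review bot: The `sourceRange` list in resources/gitea-middleware.yaml allows all of `10.0.0.0/8`, which also contains the k3s default pod and service CIDRs (10.42.0.0/16 and 10.43.0.0/16). `ipAllowList` matches the connection's remote address unless `ipStrategy` is set, so if the Traefik Service sits behind ServiceLB or uses `externalTrafficPolicy: Cluster` (neither is visible in this patch), a request from outside the LAN can arrive with a cluster-internal source address and pass the list. I would replace the three RFC 1918 blocks with the subnets the LAN really uses, e.g. `- <LAN-SUBNET-CIDR>`, and confirm that Traefik sees real client addresses (`externalTrafficPolicy: Local` on its Service). A request to the gitea host from an off-LAN address should then return 403. A comment above `sourceRange` naming the network behind each entry would make later edits safer.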
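Review bot: None of the four Ingresses patched in resources/ingress.yaml (kube-plex, radarr, sonarr, lidarr) carries a `router.middlewares` annotation; after this change each `annotations:` map holds only the cert-manager issuer, so the LAN allow-list added for gitea does not cover them. If these hosts are meant to be LAN-only, which the patch does not say, each needs an `ipAllowList` Middleware in namespace `default` and a reference to it, for example `traefik.ingress.kubernetes.io/router.middlewares: "default-lan-only@kubernetescrd"` for a Middleware named `lan-only`. If they are meant to be reachable from outside, a one-line comment on each Ingress stating that and naming what authenticates users would record the decision. This applies to all four hunks, and each Ingress continues outside its hunk.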