build: migrate ingresses for Traefik v3 (k3s upgrade)

k3s update bumped Traefik chart 37 → 39, dropping v2 support. Replace the v2-only `whitelist.sourcerange` annotation on the gitea ingress with an `ipAllowList` Middleware (resources/gitea-middleware.yaml), referenced via `router.middlewares`. Switch the default-ns ingresses (kube-plex, radarr, sonarr, lidarr) from the deprecated `kubernetes.io/ingress.class` annotation to `spec.ingressClassName`. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 10:36:22 +02:00
parent 290ce6a103
commit 3ace05a695
3 changed files with 18 additions and 6 deletions
@@ -21,8 +21,8 @@ ingress:
  className: traefik
  pathType: Prefix
  annotations:
-    # Restrict to LAN access (matching your existing pattern)
-    traefik.ingress.kubernetes.io/whitelist.sourcerange: "192.168.0.0/16,10.0.0.0/8,172.16.0.0/12"
+    # Restrict to LAN access via Traefik v3 Middleware (resources/gitea-middleware.yaml)
+    traefik.ingress.kubernetes.io/router.middlewares: "gitea-lan-only@kubernetescrd"
    cert-manager.io/cluster-issuer: "letsencrypt-production"
  hosts:
    - host: gitea.gilgamezh.me
@@ -0,0 +1,12 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: lan-only
+  namespace: gitea
+spec:
+  ipAllowList:
+    sourceRange:
+      - 192.168.0.0/16
+      - 10.0.0.0/8
+      - 172.16.0.0/12
@@ -4,12 +4,12 @@ kind: Ingress
 metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
-    kubernetes.io/ingress.class: traefik
  labels:
    app: kube-plex
  name: kube-plex
  namespace: default
 spec:
+  ingressClassName: traefik
  rules:
    - host: tp2.gilgamezh.me
      http:
@@ -31,12 +31,12 @@ kind: Ingress
 metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
-    kubernetes.io/ingress.class: traefik
  labels:
    app: radarr
  name: radarr
  namespace: default
 spec:
+  ingressClassName: traefik
  rules:
    - host: radarr.gilgamezh.me
      http:
@@ -58,12 +58,12 @@ kind: Ingress
 metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
-    kubernetes.io/ingress.class: traefik
  labels:
    app: sonarr
  name: sonarr
  namespace: default
 spec:
+  ingressClassName: traefik
  rules:
    - host: sonarr.gilgamezh.me
      http:
@@ -85,12 +85,12 @@ kind: Ingress
 metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
-    kubernetes.io/ingress.class: traefik
  labels:
    app: lidarr
  name: lidarr
  namespace: default
 spec:
+  ingressClassName: traefik
  rules:
    - host: lidarr.gilgamezh.me
      http: