From 0ee041fb98096cf17fe497efaa9d44f26f61275c Mon Sep 17 00:00:00 2001 From: Earl Warren Date: Mon, 21 Oct 2024 20:22:45 +0200 Subject: [PATCH] use traefik as a reverse proxy for ssh too It is more uniform. It also allows to set externalTrafficPolicy: Local with the benefit of logging the ip of the incoming connection. --- k3s-host/traefik.yml | 11 ++++++++--- k8s-forgejo/forgejo-values.yml | 7 +++---- k8s-forgejo/next-values.yml | 19 ++++++++++++++++++- 3 files changed, 29 insertions(+), 8 deletions(-) diff --git a/k3s-host/traefik.yml b/k3s-host/traefik.yml index fcf6ecb..6fc7f96 100644 --- a/k3s-host/traefik.yml +++ b/k3s-host/traefik.yml @@ -5,18 +5,23 @@ metadata: namespace: kube-system spec: valuesContent: |- + deployment: + replicas: 2 ports: web: port: 80 redirectTo: port: websecure priority: 1 - deployment: - replicas: 2 + ssh-next: + port: 2020 + exposedPort: 2020 + expose: true service: annotations: - metallb.universe.tf/allow-shared-ip: "key-to-share-failover" metallb.universe.tf/loadBalancerIPs: $failover_ipv4,$failover_ipv6 + spec: + externalTrafficPolicy: Local logs: access: enabled: true diff --git a/k8s-forgejo/forgejo-values.yml b/k8s-forgejo/forgejo-values.yml index c6cf783..d509abc 100644 --- a/k8s-forgejo/forgejo-values.yml +++ b/k8s-forgejo/forgejo-values.yml @@ -16,12 +16,11 @@ service: http: type: ClusterIP ipFamilyPolicy: PreferDualStack + clusterIP: ~ port: 3000 ssh: - type: LoadBalancer - annotations: - metallb.universe.tf/loadBalancerIPs: $failover_ipv4,$failover_ipv6 - metallb.universe.tf/allow-shared-ip: "key-to-share-failover" + type: ClusterIP + clusterIP: ~ ipFamilyPolicy: PreferDualStack redis-cluster: diff --git a/k8s-forgejo/next-values.yml b/k8s-forgejo/next-values.yml index ca471b1..b7bcdc8 100644 --- a/k8s-forgejo/next-values.yml +++ b/k8s-forgejo/next-values.yml 
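Review bot: In k3s-host/traefik.yml, `externalTrafficPolicy: Local` under `service.spec` means only nodes running a Traefik pod accept traffic for the failover IPs, and nothing visible in this hunk keeps the two replicas on different nodes. If both land on one node, losing it takes down web and SSH together, so check that `affinity` or `topologySpreadConstraints` is set in the part of `valuesContent` outside this hunk. A comment on the new key would record the trade-off, for example `# Local preserves the client source IP; only nodes with a traefik pod receive traffic`. The new `ssh-next` entry point is plain TCP, and whether `logs.access` records TCP connections depends on the Traefik version, so confirm that the SSH client address actually ends up in a log.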
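Review bot: In k8s-forgejo/forgejo-values.yml the `ssh` service changes from `LoadBalancer` to `ClusterIP`, but the only SSH entry point this patch adds to Traefik is `ssh-next` on 2020 and the only `IngressRouteTCP` is in next-values.yml, so no external route to this release's SSH service is visible here. If that route is defined elsewhere or comes in a follow-up, a comment saying so would prevent an unnoticed loss of SSH access on deploy. The two `clusterIP: ~` lines also deserve a comment such as `# null drops the chart default so a cluster IP is allocated`, assuming that is the intent; the chart default is not visible in this patch.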
@@ -17,7 +17,24 @@ ingress: service: ssh: - port: 2020 + port: 2222 + +extraDeploy: + # Route from traefik to forgejo + - apiVersion: traefik.io/v1alpha1 + kind: IngressRouteTCP + metadata: + name: forgejo-next-ssh + annotations: + kubernetes.io/ingress.class: traefik + spec: + entryPoints: + - ssh-next # name from traefik port + routes: + - match: HostSNI(`*`) + services: + - name: forgejo-next-ssh + port: 2222 # forgejo ssh port on kubernetes service persistence: claimName: forgejo-next
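Review bot: On the `forgejo-next-ssh` route, Traefik forwards the raw TCP stream, so Forgejo's SSH server will presumably see the Traefik pod as the peer. Its own authentication logs and any per-address throttling then lose the client IP that `externalTrafficPolicy: Local` preserves up to Traefik. Adding `proxyProtocol:` with `version: 2` under the `- name: forgejo-next-ssh` service entry (or the ServersTransportTCP equivalent, depending on the Traefik version), together with `SSH_SERVER_USE_PROXY_PROTOCOL = true` in Forgejo's `[server]` settings, would carry the address through. Enable that only if the service is reachable from Traefik alone, for example through a NetworkPolicy, because a PROXY header accepted from any other pod lets that pod claim an arbitrary source address.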