use traefik as a reverse proxy for ssh too

It is more uniform. It also allows to set

externalTrafficPolicy: Local

with the benefit of logging the ip of the incoming connection.

k3s-host/traefik.yml

@@ -5,18 +5,23 @@ metadata:
   namespace: kube-system
 spec:
   valuesContent: |-
+    deployment:
+      replicas: 2
     ports:
       web:
         port: 80
         redirectTo:
           port: websecure
           priority: 1
-        deployment:
-          replicas: 2
+      ssh-next:
+        port: 2020
+        exposedPort: 2020
+        expose: true
     service:
       annotations:
-        metallb.universe.tf/allow-shared-ip: "key-to-share-failover"
         metallb.universe.tf/loadBalancerIPs: $failover_ipv4,$failover_ipv6
+      spec:
+        externalTrafficPolicy: Local
     logs:
       access:
         enabled: true

k8s-forgejo/forgejo-values.yml

@@ -16,12 +16,11 @@ service:
   http:
     type: ClusterIP
     ipFamilyPolicy: PreferDualStack
+    clusterIP: ~
     port: 3000
   ssh:
-    type: LoadBalancer
-    annotations:
-      metallb.universe.tf/loadBalancerIPs: $failover_ipv4,$failover_ipv6
-      metallb.universe.tf/allow-shared-ip: "key-to-share-failover"
+    type: ClusterIP
+    clusterIP: ~
     ipFamilyPolicy: PreferDualStack
 
 redis-cluster:

k8s-forgejo/next-values.yml

@@ -17,7 +17,24 @@ ingress:
 
 service:
   ssh:
-    port: 2020
+    port: 2222
+
+extraDeploy:
+  # Route from traefik to forgejo
+  - apiVersion: traefik.io/v1alpha1
+    kind: IngressRouteTCP
+    metadata:
+      name: forgejo-next-ssh
+      annotations:
+        kubernetes.io/ingress.class: traefik
+    spec:
+      entryPoints:
+        - ssh-next # name from traefik port
+      routes:
+        - match: HostSNI(`*`)
+          services:
+            - name: forgejo-next-ssh
+              port: 2222 # forgejo ssh port on kubernetes service
 
 persistence:
   claimName: forgejo-next