viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(ingress): wire up backend_protocol, remove dead ssl_redirect variable

Browse source 
Post nginx→Traefik migration cleanup:
- backend_protocol now sets serversscheme + serverstransport annotations
  for HTTPS backends (k8s-dashboard, pfsense, nas, idrac, proxmox, etc.)
- Remove ssl_redirect variable (nginx-only, silently ignored by Traefik)
  and all 9 caller references

[ci skip]

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-03-18 08:45:56 +00:00
parent 8c4942779f
commit e097b7eb29
9 changed files with 3 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

8
modules/kubernetes/ingress_factory/main.tf
View file

@ -35,10 +35,6 @@ variable "max_body_size" {
variable "extra_annotations" {
default = {}
}
variable "ssl_redirect" {
default = true
type = bool
}
variable "allow_local_access_only" {
default = false
type = bool
@ -125,7 +121,9 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
"${var.namespace}-body-size-${var.name}@kubernetescrd",
], var.extra_middlewares)))
"traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
"traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
"traefik.ingress.kubernetes.io/service.serversscheme" = var.backend_protocol == "HTTPS" ? "https" : null
"traefik.ingress.kubernetes.io/service.serverstransport" = var.backend_protocol == "HTTPS" ? "traefik-insecure-skip-verify@kubernetescrd" : null
}, var.extra_annotations)
}

1
stacks/frigate/main.tf
View file

@ -277,7 +277,6 @@ module "ingress-internal" {
service_name = "frigate"
tls_secret_name = var.tls_secret_name
allow_local_access_only = true
ssl_redirect = false
extra_annotations = {
"gethomepage.dev/enabled" = "false"
}

1
stacks/monitoring/modules/monitoring/idrac.tf
View file

@ -125,6 +125,5 @@ module "idrac-redfish-exporter-ingress" {
root_domain = "viktorbarzin.lan"
tls_secret_name = var.tls_secret_name
allow_local_access_only = true
ssl_redirect = false
port = 9090
}

1
stacks/monitoring/modules/monitoring/snmp_exporter.tf
View file

@ -125,6 +125,5 @@ module "snmp-exporter-ingress" {
root_domain = "viktorbarzin.lan"
tls_secret_name = var.tls_secret_name
allow_local_access_only = true
ssl_redirect = false
port = 9116
}

1
stacks/nvidia/modules/nvidia/main.tf
View file

@ -208,7 +208,6 @@ module "ingress" {
root_domain = "viktorbarzin.lan"
tls_secret_name = var.tls_secret_name
allow_local_access_only = true
ssl_redirect = false
}
# resource "kubernetes_ingress_v1" "nvidia-exporter" {

2
stacks/ollama/main.tf
View file

@ -194,7 +194,6 @@ module "ollama-ingress" {
root_domain = "viktorbarzin.lan"
tls_secret_name = var.tls_secret_name
allow_local_access_only = true
ssl_redirect = false
port = 11434
extra_annotations = {
"gethomepage.dev/enabled" = "false"
@ -245,7 +244,6 @@ module "ollama-api-ingress" {
service_name = "ollama"
root_domain = "viktorbarzin.me"
tls_secret_name = var.tls_secret_name
ssl_redirect = true
port = 11434
extra_annotations = {
"traefik.ingress.kubernetes.io/router.middlewares" = "ollama-ollama-api-basic-auth@kubernetescrd,traefik-rate-limit@kubernetescrd,traefik-crowdsec@kubernetescrd"

1
stacks/platform/modules/monitoring/idrac.tf
View file

@ -124,6 +124,5 @@ module "idrac-redfish-exporter-ingress" {
root_domain = "viktorbarzin.lan"
tls_secret_name = var.tls_secret_name
allow_local_access_only = true
ssl_redirect = false
port = 9090
}

1
stacks/platform/modules/monitoring/snmp_exporter.tf
View file

@ -125,6 +125,5 @@ module "snmp-exporter-ingress" {
root_domain = "viktorbarzin.lan"
tls_secret_name = var.tls_secret_name
allow_local_access_only = true
ssl_redirect = false
port = 9116
}

1
stacks/platform/modules/nvidia/main.tf
View file

@ -182,7 +182,6 @@ module "ingress" {
root_domain = "viktorbarzin.lan"
tls_secret_name = var.tls_secret_name
allow_local_access_only = true
ssl_redirect = false
}
# resource "kubernetes_ingress_v1" "nvidia-exporter" {