From 5bb5b5b2a23f40655c4abb1a998ef8c0b7fb98cd Mon Sep 17 00:00:00 2001
From: Fred
Date: Thu, 14 May 2026 17:05:56 +0200
Subject: [PATCH 1/2] feat(adguard/beelink): add API IngressRoute without Authentik for Homepage widget Homepage runs on genmachine and cannot use k0s internal service URLs (different clusters). The external URL adguard.k0s-fullstack.fredcorp.com is behind Authentik forwardAuth which returns the login HTML page instead of AdGuard JSON stats. Solution: dedicated IngressRoute on adguard-api.k0s-fullstack.fredcorp.com without Authentik middleware. AdGuard's own basic auth handles access control. DNS wildcard *.k0s-fullstack.fredcorp.com -> 192.168.1.191 already covers the new hostname (no DNS change needed). - adguard/beelink/templates/ingressroute-homepage.yaml: Certificate + IngressRoute for adguard-api.k0s-fullstack.fredcorp.com routing to adguard-adguard-home-http:80 with no middlewares - homepage config: widget url -> adguard-api.k0s-fullstack.fredcorp.com Pre-requisite: sa-homepage user must exist in beelink AdGuard with the password stored at Vault adguard/creds (same as genmachine AdGuard). Co-Authored-By: Claude Sonnet 4.6
---
 .../templates/ingressroute-homepage.yaml | 29 +++++++++++++++++++
 .../homepage/genmachine/templates/config.yaml | 2 +-
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 gitops/manifests/adguard/beelink/templates/ingressroute-homepage.yaml
diff --git a/gitops/manifests/adguard/beelink/templates/ingressroute-homepage.yaml b/gitops/manifests/adguard/beelink/templates/ingressroute-homepage.yaml
new file mode 100644
index 000000000..dc8c9a34c
--- /dev/null
+++ b/gitops/manifests/adguard/beelink/templates/ingressroute-homepage.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: adguard-api-tls-cert
+spec:
+ secretName: adguard-api-tls-cert
+ issuerRef:
+ kind: ClusterIssuer
+ name: fredcorp-ca
+ commonName: adguard-api.k0s-fullstack.fredcorp.com
+ dnsNames:
+ - adguard-api.k0s-fullstack.fredcorp.com
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: adguard-homepage-api
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - kind: Rule
+ match: Host(`adguard-api.k0s-fullstack.fredcorp.com`)
+ services:
+ - name: adguard-adguard-home-http
+ port: 80
+ tls:
+ secretName: adguard-api-tls-cert
diff --git a/gitops/manifests/homepage/genmachine/templates/config.yaml b/gitops/manifests/homepage/genmachine/templates/config.yaml
index f333efa40..7dc9a816e 100644
--- a/gitops/manifests/homepage/genmachine/templates/config.yaml
+++ b/gitops/manifests/homepage/genmachine/templates/config.yaml
@@ -146,7 +146,7 @@ data:
 description: DNS resolver
 widget:
 type: adguard
- url: https://adguard.k0s-fullstack.fredcorp.com
+ url: https://adguard-api.k0s-fullstack.fredcorp.com
 username: "{{ "{{" }}HOMEPAGE_FILE_ADGUARD_USER{{ "}}" }}"
 password: "{{ "{{" }}HOMEPAGE_FILE_ADGUARD_PASSWORD{{ "}}" }}"
 fields: ["queries", "blocked", "filtered", "latency"]
From 492b4823254023d8125a81061f58e057459c6762 Mon Sep 17 00:00:00 2001
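Review bot: The `routes` rule in the new IngressRoute matches on `Host(...)` alone, so every AdGuard Home path, the admin UI and the configuration-changing endpoints under `/control/` included, becomes reachable on `adguard-api.k0s-fullstack.fredcorp.com` without Authentik, with AdGuard's basic auth as the only control. The Homepage widget presumably needs only the read-only statistics call, so the match could be narrowed by appending ``&& PathPrefix(`/control/stats`)`` to it (confirm the exact paths the widget requests before pinning them). The same applies to the `path: /` rule that PATCH 2/2 puts in its place.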
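Review bot: The widget still reads `HOMEPAGE_FILE_ADGUARD_USER` and `HOMEPAGE_FILE_ADGUARD_PASSWORD`, and the commit message says the beelink `sa-homepage` password is the same Vault value as the genmachine AdGuard one, so a single secret now opens two AdGuard instances, one of which is no longer behind Authentik. AdGuard Home accounts are, as far as I know, not role-scoped, so this account could change DNS settings rather than only read stats. A separate beelink credential with its own Vault entry and its own variable pair (for example `HOMEPAGE_FILE_ADGUARD_BEELINK_PASSWORD`, a name constructed here) would limit what a leak of either one exposes. The enclosing widget entry starts and ends outside the hunk.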
From: Fred
Date: Thu, 14 May 2026 18:54:03 +0200
Subject: [PATCH 2/2] fix(adguard/beelink): replace IngressRoute with standard Ingress for API endpoint IngressRoute (Traefik CRD) was inconsistent with the existing beelink AdGuard pattern which uses standard Kubernetes Ingress objects. Standard Ingress with cert-manager annotations is simpler: no separate Certificate resource needed, cert-manager handles TLS automatically, one resource instead of two. No Authentik middleware annotation = no Authentik interception. AdGuard basic auth remains the access control layer. Co-Authored-By: Claude Sonnet 4.6
---
 .../templates/ingressroute-homepage.yaml | 45 +++++++++----------
 1 file changed, 21 insertions(+), 24 deletions(-)
diff --git a/gitops/manifests/adguard/beelink/templates/ingressroute-homepage.yaml b/gitops/manifests/adguard/beelink/templates/ingressroute-homepage.yaml
index dc8c9a34c..62be69026 100644
--- a/gitops/manifests/adguard/beelink/templates/ingressroute-homepage.yaml
+++ b/gitops/manifests/adguard/beelink/templates/ingressroute-homepage.yaml
@@ -1,29 +1,26 @@
 ---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: adguard-api-tls-cert
-spec:
- secretName: adguard-api-tls-cert
- issuerRef:
- kind: ClusterIssuer
- name: fredcorp-ca
- commonName: adguard-api.k0s-fullstack.fredcorp.com
- dnsNames:
- - adguard-api.k0s-fullstack.fredcorp.com
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
+apiVersion: networking.k8s.io/v1
+kind: Ingress
 metadata:
 name: adguard-homepage-api
+ annotations:
+ cert-manager.io/cluster-issuer: fredcorp-ca
+ cert-manager.io/common-name: adguard-api.k0s-fullstack.fredcorp.com
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
- entryPoints:
- - websecure
- routes:
- - kind: Rule
- match: Host(`adguard-api.k0s-fullstack.fredcorp.com`)
- services:
- - name: adguard-adguard-home-http
- port: 80
+ ingressClassName: traefik
+ rules:
+ - host: adguard-api.k0s-fullstack.fredcorp.com
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: adguard-adguard-home-http
+ port:
+ number: 80
 tls:
- secretName: adguard-api-tls-cert
+ - secretName: adguard-api-tls-cert
+ hosts:
+ - adguard-api.k0s-fullstack.fredcorp.com
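Review bot: With Authentik out of the path, nothing in the new Ingress limits who may reach the endpoint, although the only intended client is Homepage on genmachine; the `annotations` block is where a source restriction would attach. If an IP allow-list Middleware exists or is added in this namespace, reference it with `traefik.ingress.kubernetes.io/router.middlewares: <namespace>-<middleware-name>@kubernetescrd` (placeholders, not values from this repo). A leading comment such as `# No Authentik forwardAuth on purpose: Homepage needs AdGuard's JSON; access relies on AdGuard basic auth` would keep the omission from reading as an oversight. The file name `ingressroute-homepage.yaml` also no longer matches the `kind: Ingress` it contains.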