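# ============================================================
# Velocity-OS — K3s Traefik Ingress
# Domain: velocity.local | TLS: private CA via cert-manager
#
# One resource per YAML document, in dependency order:
#   1. self-signed bootstrap ClusterIssuer
#   2. CA Certificate (velocity-infra)  -> velocity-local-ca-secret
#   3. CA-backed ClusterIssuer          -> signs the leaf cert
#   4. leaf Certificate (velocity-os)   -> velocity-local-tls-secret
#   5. Ingress for velocity.local (websecure entrypoint only)
#   6. Middleware ws-headers       (defined, deliberately NOT attached)
#   7. Middleware security-headers (attached to the Ingress)
#
# Traefik CRDs use the traefik.io group (Traefik >= 2.10, required by
# Traefik v3). On an older K3s-bundled Traefik, switch the two
# Middleware documents back to traefik.containo.us/v1alpha1.
# ============================================================

# ── cert-manager ClusterIssuer (self-signed bootstrap) ───────
# Used exactly once: to self-sign the CA certificate below.
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: velocity-selfsigned-issuer
spec:
  selfSigned: {}

---
# Private CA certificate. Leaf certs chain to this, so distribute the
# CA cert to client trust stores instead of clicking through warnings.
#
# NOTE(review): velocity-ca-issuer below is a ClusterIssuer, and a
# ClusterIssuer reads `ca.secretName` from cert-manager's
# cluster-resource namespace (default: `cert-manager`), NOT from
# velocity-infra. This manifest therefore only works if cert-manager
# runs with `--cluster-resource-namespace=velocity-infra`; otherwise
# move this Certificate into the cert-manager namespace. Confirm
# against the cluster's cert-manager deployment.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: velocity-local-ca
  namespace: velocity-infra
spec:
  isCA: true
  commonName: velocity-local-ca
  secretName: velocity-local-ca-secret
  # Explicit CA lifetime: cert-manager's 90-day default would re-issue
  # the CA cert far more often than clients can re-trust it.
  duration: 87600h   # 10 years
  renewBefore: 8760h # re-issue 1 year before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    # Keep the CA key stable across renewals so already-issued leaf
    # certs still chain to the renewed CA cert. The cert-manager default
    # for this field has changed between releases, so pin it.
    rotationPolicy: Never
  issuerRef:
    name: velocity-selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io

---
# CA-backed ClusterIssuer for velocity.local (signs the leaf cert).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: velocity-ca-issuer
spec:
  ca:
    # See the namespace caveat on velocity-local-ca above.
    secretName: velocity-local-ca-secret

---
# Leaf TLS certificate for velocity.local and *.velocity.local.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: velocity-local-tls
  namespace: velocity-os
spec:
  secretName: velocity-local-tls-secret
  duration: 8760h    # 1 year
  renewBefore: 720h  # renew 30 days before expiry
  subject:
    organizations:
      - Desineuron
  commonName: velocity.local
  dnsNames:
    - velocity.local
    - "*.velocity.local"
  # Same key type as the CA; cert-manager would otherwise default to RSA.
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: velocity-ca-issuer
    kind: ClusterIssuer
    group: cert-manager.io

---
# ── Main Ingress ─────────────────────────────────────────────
# Everything enters on the `websecure` entrypoint with TLS from
# velocity-local-tls-secret; nothing is routed on plain HTTP.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: velocity-os-ingress
  namespace: velocity-os
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    # Middleware chain — applies to EVERY path below. Previously this
    # attached ws-headers (and never security-headers), so the HSTS /
    # nosniff / frame-deny headers were defined but never sent. Only
    # security-headers belongs here; see the ws-headers note below.
    traefik.ingress.kubernetes.io/router.middlewares: velocity-os-security-headers@kubernetescrd
spec:
  # Replaces the deprecated kubernetes.io/ingress.class annotation.
  ingressClassName: traefik
  tls:
    - hosts:
        - velocity.local
      secretName: velocity-local-tls-secret
  rules:
    - host: velocity.local
      http:
        paths:
          # Listing order is not what decides routing — the longest
          # matching prefix wins — but keep specific prefixes above the
          # `/` catch-all for readability.

          # API (FastAPI backend)
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: core-api
                port:
                  number: 8443

          # WebSockets (Sentinel, Oracle canvas, Catalyst). Traefik
          # forwards the client's own Upgrade/Connection headers, so no
          # extra middleware is needed for the upgrade to work.
          - path: /ws
            pathType: Prefix
            backend:
              service:
                name: core-api
                port:
                  number: 8443

          # Dream Weaver gateway
          - path: /dream-weaver
            pathType: Prefix
            backend:
              service:
                name: media-engine
                port:
                  number: 8290

          # Vault public links. No authentication is enforced at the
          # ingress for this prefix; the link-token validation has to
          # happen in core-api itself (not visible here — confirm).
          - path: /vault
            pathType: Prefix
            backend:
              service:
                name: core-api
                port:
                  number: 8443

          # WebOS (React SPA — catch-all)
          - path: /
            pathType: Prefix
            backend:
              service:
                name: webos
                port:
                  number: 80

---
# ── Traefik Middleware: WebSocket upgrade headers ────────────
# NOTE(review): intentionally NOT in the Ingress middleware chain.
# Traefik proxies WebSocket upgrades natively, and attaching this to
# the whole Ingress forced `Connection: Upgrade` / `Upgrade: websocket`
# onto every plain HTTP request to core-api, media-engine and webos,
# making them look like upgrade attempts. The resource is kept so a
# dedicated WebSocket-only route can reference it if a backend is
# found to genuinely require these headers.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: ws-headers
  namespace: velocity-os
spec:
  headers:
    customRequestHeaders:
      Connection: "Upgrade"
      Upgrade: "websocket"

---
# ── Traefik Middleware: Security headers ─────────────────────
# Attached to velocity-os-ingress via router.middlewares, so these
# response headers are set on every path, including the SPA.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: security-headers
  namespace: velocity-os
spec:
  headers:
    # HSTS for 1 year across *.velocity.local. Appropriate only because
    # this host is never served over plain HTTP; forceSTSHeader makes
    # Traefik emit it unconditionally.
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    forceSTSHeader: true
    contentTypeNosniff: true
    # X-XSS-Protection is a legacy header (ignored by current browsers).
    # TODO(review): add a contentSecurityPolicy scoped to the SPA's real
    # script/connect-src origins (incl. wss://velocity.local) — that is
    # what mitigates injection today; the policy is not derivable here.
    browserXssFilter: true
    referrerPolicy: strict-origin-when-cross-origin
    frameDeny: true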