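---
# Traefik Middleware: admits only requests whose source address falls inside
# the listed CIDR ranges (loopback plus two private ranges).
# NOTE(review): no ipStrategy is set, so Traefik compares sourceRange with the
# connection's remote address. If Traefik sits behind a load balancer or
# proxy, or client traffic is source-NATed before it reaches the pod, that
# address may be a cluster-internal one inside 10.0.0.0/8 and every client
# would pass. Confirm that real client IPs are preserved, and narrow the
# ranges to the actual admin subnets where possible.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  namespace: kubernetes-dashboard
  name: allow-local-only
spec:
  ipAllowList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.0.0/16
      - 10.0.0.0/8
---
# Traefik Middleware: permanent redirect of requests to the https scheme.
# NOTE(review): the only route in this file that uses it is bound to the
# websecure entry point. If that entry point accepts TLS only, requests are
# already HTTPS when they reach this middleware and the redirect likely never
# fires; plain-HTTP redirection must be set up where HTTP is accepted.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
  namespace: kubernetes-dashboard
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
# ServersTransport for the Traefik -> backend hop.
# SECURITY: insecureSkipVerify disables verification of the backend's TLS
# certificate. The hop stays encrypted, but the backend's identity is not
# checked, so anything able to intercept in-cluster traffic could impersonate
# it. Where the backend certificate's CA is available, trust it through
# rootCAsSecrets (with serverName) and drop this flag.
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: insecure-transport
  namespace: kubernetes-dashboard
spec:
  insecureSkipVerify: true
---
# cert-manager Certificate: the issued key pair is written to the Secret
# k8s-skrd-fun-tls, which the IngressRoute below references for TLS.
# NOTE(review): if letsencrypt-prod issues from a public CA, the certificate
# is recorded in Certificate Transparency logs, so treat the hostname as
# publicly known. Access control rests on the allow list, not on the name.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: dashboard-certificate
  namespace: kubernetes-dashboard
spec:
  secretName: k8s-skrd-fun-tls
  dnsNames:
    - "k8s.skrd.fun"
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
---
# IngressRoute: publishes the dashboard proxy on the websecure entry point.
# Nothing in this file adds authentication in front of the dashboard; the
# source-IP allow list is the only gate configured here.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard-ingress
  namespace: kubernetes-dashboard
spec:
  entryPoints:
    - websecure
  routes:
    - match: "Host(`k8s.skrd.fun`)"
      kind: Rule
      # Listed with the IP filter first, so the allow list is evaluated
      # before the redirect.
      middlewares:
        - name: allow-local-only
        - name: redirect-https
      services:
        - name: kubernetes-dashboard-kong-proxy
          port: 443
          # Refers to the ServersTransport above, which skips backend
          # certificate verification.
          serversTransport: insecure-transport
  tls:
    secretName: k8s-skrd-fun-tls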