feat: envoy-gateway

2025-09-17 18:24:14 +02:00 · 2025-08-19 00:13:40 +02:00
parent 5b82fd7742
commit c0dde8be0a
119 changed files with 998 additions and 1563 deletions
--- a/kubernetes/apps/default/calibre/app/helmrelease.yaml
+++ b/kubernetes/apps/default/calibre/app/helmrelease.yaml
--- a/kubernetes/apps/default/calibre/app/kustomization.yaml
+++ b/kubernetes/apps/default/calibre/app/kustomization.yaml
--- a/kubernetes/apps/default/calibre/ks.yaml
+++ b/kubernetes/apps/default/calibre/ks.yaml
--- a/kubernetes/apps/kube-system/cilium/gateway/external.yaml
+++ b/kubernetes/apps/kube-system/cilium/gateway/external.yaml
--- a/kubernetes/apps/kube-system/cilium/gateway/gatewayclass.yaml
+++ b/kubernetes/apps/kube-system/cilium/gateway/gatewayclass.yaml
--- a/kubernetes/apps/kube-system/cilium/gateway/internal.yaml
+++ b/kubernetes/apps/kube-system/cilium/gateway/internal.yaml
--- a/kubernetes/apps/kube-system/cilium/gateway/kustomization.yaml
+++ b/kubernetes/apps/kube-system/cilium/gateway/kustomization.yaml
--- a/kubernetes/apps/kube-system/cilium/gateway/redirect.yaml
+++ b/kubernetes/apps/kube-system/cilium/gateway/redirect.yaml
--- a/.archive/kubernetes/envoy-gateway/crds/helmrelease.yaml
+++ b/.archive/kubernetes/envoy-gateway/crds/helmrelease.yaml
@@ -1,36 +0,0 @@
---
-# yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: OCIRepository
-metadata:
-  name: envoy-gateway-crds
-spec:
-  interval: 30m
-  timeout: 60s
-  url: oci://docker.io/envoyproxy/gateway-helm
-  ref:
-    tag: 1.4.2
-  layerSelector:
-    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
-    operation: copy
---
-# yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: envoy-gateway-crds
-spec:
-  interval: 1h
-  timeout: 5m
-  chartRef:
-    kind: OCIRepository
-    name: envoy-gateway-crds
-  install:
-    crds: CreateReplace
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    crds: CreateReplace
-    remediation:
-      retries: 5
--- a/.archive/kubernetes/envoy-gateway/crds/kustomization.yaml
+++ b/.archive/kubernetes/envoy-gateway/crds/kustomization.yaml
@@ -1,6 +0,0 @@
---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./helmrelease.yaml
--- a/.archive/kubernetes/envoy-gateway/external/gateway.yaml
+++ b/.archive/kubernetes/envoy-gateway/external/gateway.yaml
@@ -1,35 +0,0 @@
---
-# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/gateway_v1.json
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
-  name: external
-  # annotations:
-  #   external-dns.alpha.kubernetes.io/target: external.${SECRET_EXTERNAL_DOMAIN}
-spec:
-  gatewayClassName: envoy-gateway
-  addresses:
-    - type: IPAddress
-      value: 192.168.169.122
-  # infrastructure:
-  #   annotations:
-  #     external-dns.alpha.kubernetes.io/hostname: external.${SECRET_EXTERNAL_DOMAIN}
-  listeners:
-    - name: http
-      protocol: HTTP
-      port: 80
-      hostname: "*.${SECRET_EXTERNAL_DOMAIN}"
-      allowedRoutes:
-        namespaces:
-          from: Same
-    - name: https
-      protocol: HTTPS
-      port: 443
-      hostname: "*.${SECRET_EXTERNAL_DOMAIN}"
-      allowedRoutes:
-        namespaces:
-          from: All
-      tls:
-        certificateRefs:
-          - kind: Secret
-            name: ${SECRET_EXTERNAL_DOMAIN//./-}-tls
--- a/.archive/kubernetes/envoy-gateway/external/kustomization.yaml
+++ b/.archive/kubernetes/envoy-gateway/external/kustomization.yaml
@@ -1,7 +0,0 @@
---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./gateway.yaml
-  - ./redirect.yaml
--- a/.archive/kubernetes/envoy-gateway/external/redirect.yaml
+++ b/.archive/kubernetes/envoy-gateway/external/redirect.yaml
@@ -1,18 +0,0 @@
---
-# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/httproute_v1.json
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: https-redirect-external
-  annotations:
-    external-dns.alpha.kubernetes.io/controller: none
-spec:
-  parentRefs:
-    - name: external
-      port: 80
-  rules:
-    - filters:
-        - type: RequestRedirect
-          requestRedirect:
-            scheme: https
-            statusCode: 301
--- a/.archive/kubernetes/envoy-gateway/internal/gateway.yaml
+++ b/.archive/kubernetes/envoy-gateway/internal/gateway.yaml
@@ -1,35 +0,0 @@
---
-# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/gateway_v1.json
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
-  name: internal
-  # annotations:
-  #   external-dns.alpha.kubernetes.io/target: internal.${SECRET_EXTERNAL_DOMAIN}
-spec:
-  gatewayClassName: envoy-gateway
-  addresses:
-    - type: IPAddress
-      value: 192.168.169.121
-  # infrastructure:
-  #   annotations:
-  #     external-dns.alpha.kubernetes.io/hostname: internal.${SECRET_EXTERNAL_DOMAIN}
-  listeners:
-    - name: http
-      protocol: HTTP
-      port: 80
-      hostname: "*.${SECRET_EXTERNAL_DOMAIN}"
-      allowedRoutes:
-        namespaces:
-          from: Same
-    - name: https
-      protocol: HTTPS
-      port: 443
-      hostname: "*.${SECRET_EXTERNAL_DOMAIN}"
-      allowedRoutes:
-        namespaces:
-          from: All
-      tls:
-        certificateRefs:
-          - kind: Secret
-            name: ${SECRET_EXTERNAL_DOMAIN//./-}-tls
--- a/.archive/kubernetes/envoy-gateway/internal/kustomization.yaml
+++ b/.archive/kubernetes/envoy-gateway/internal/kustomization.yaml
@@ -1,8 +0,0 @@
---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./gateway.yaml
-  - ./redirect.yaml
-  - ./securitypolicy.yaml
--- a/.archive/kubernetes/envoy-gateway/internal/redirect.yaml
+++ b/.archive/kubernetes/envoy-gateway/internal/redirect.yaml
@@ -1,17 +0,0 @@
---
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: https-redirect-internal
-  annotations:
-    external-dns.alpha.kubernetes.io/controller: none
-spec:
-  parentRefs:
-    - name: internal
-      port: 80
-  rules:
-    - filters:
-        - type: RequestRedirect
-          requestRedirect:
-            scheme: https
-            statusCode: 301
--- a/.archive/kubernetes/envoy-gateway/internal/securitypolicy.yaml
+++ b/.archive/kubernetes/envoy-gateway/internal/securitypolicy.yaml
@@ -1,26 +0,0 @@
---
-apiVersion: gateway.envoyproxy.io/v1alpha1
-kind: SecurityPolicy
-metadata:
-  name: internal-secure
-spec:
-  extAuth:
-    failOpen: false
-    headersToExtAuth:
-      - X-Forwarded-Proto
-      - authorization
-      - proxy-authorization
-      - accept
-      - cookie
-    http:
-      backendRefs:
-        - group: ""
-          kind: Service
-          name: authelia
-          namespace: default
-          port: 80
-      path: /api/authz/ext-authz/
-  targetRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: internal
--- a/.archive/kubernetes/envoy-gateway/ks.yaml
+++ b/.archive/kubernetes/envoy-gateway/ks.yaml
@@ -1,111 +0,0 @@
---
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app envoy-gateway-crds
-  namespace: &namespace network
-spec:
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  interval: 1h
-  path: ./kubernetes/apps/network/envoy-gateway/crds
-  prune: true
-  retryInterval: 2m
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-    namespace: flux-system
-  targetNamespace: *namespace
-  timeout: 5m
-  wait: false
---
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app envoy-gateway-operator
-  namespace: &namespace network
-spec:
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  interval: 1h
-  path: ./kubernetes/apps/network/envoy-gateway/operator
-  dependsOn:
-    - name: envoy-gateway-crds
-      namespace: *namespace
-  # healthChecks:
-  #   - apiVersion: helm.toolkit.fluxcd.io/v2
-  #     kind: HelmRelease
-  #     name: *app
-  #     namespace: *namespace
-  #   - apiVersion: gateway.networking.k8s.io/v1
-  #     kind: GatewayClass
-  #     name: envoy-gateway
-  # healthCheckExprs:
-  #   - apiVersion: gateway.networking.k8s.io/v1
-  #     kind: GatewayClass
-  #     failed: status.conditions.filter(e, e.type == 'Accepted').all(e, e.status == 'False')
-  #     inProgress: status.conditions.filter(e, e.type == 'Accepted').all(e, e.status == 'Unknown')
-  #     current: status.conditions.filter(e, e.type == 'Accepted').all(e, e.status == 'True')
-  prune: true
-  retryInterval: 2m
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-    namespace: flux-system
-  targetNamespace: *namespace
-  timeout: 5m
-  wait: false
---
-# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app envoy-gateway-internal
-  namespace: &namespace network
-spec:
-  interval: 1h
-  retryInterval: 2m
-  timeout: 5m
-  prune: true
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  path: ./kubernetes/apps/network/envoy-gateway/internal
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-    namespace: flux-system
-  targetNamespace: *namespace
-  wait: false
-  dependsOn:
-    - name: envoy-gateway-operator
-      namespace: *namespace
---
-# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app envoy-gateway-external
-  namespace: &namespace network
-spec:
-  interval: 1h
-  retryInterval: 2m
-  timeout: 5m
-  prune: true
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  path: ./kubernetes/apps/network/envoy-gateway/external
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-    namespace: flux-system
-  targetNamespace: *namespace
-  wait: false
-  dependsOn:
-    - name: envoy-gateway-operator
-      namespace: *namespace
--- a/.archive/kubernetes/envoy-gateway/operator/gatewayclass.yaml
+++ b/.archive/kubernetes/envoy-gateway/operator/gatewayclass.yaml
@@ -1,23 +0,0 @@
---
-# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/gatewayclass_v1.json
-apiVersion: gateway.networking.k8s.io/v1
-kind: GatewayClass
-metadata:
-  name: envoy-gateway
-spec:
-  controllerName: gateway.envoyproxy.io/gatewayclass-controller
-  parametersRef:
-    group: gateway.envoyproxy.io
-    kind: EnvoyProxy
-    name: proxy-config
-    namespace: network
---
-# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.envoyproxy.io/envoyproxy_v1alpha1.json
-apiVersion: gateway.envoyproxy.io/v1alpha1
-kind: EnvoyProxy
-metadata:
-  name: proxy-config
-spec:
-  backendTLS:
-    minVersion: "1.3"
-    maxVersion: "1.3"
--- a/.archive/kubernetes/envoy-gateway/operator/kustomization.yaml
+++ b/.archive/kubernetes/envoy-gateway/operator/kustomization.yaml
@@ -1,6 +0,0 @@
---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./gatewayclass.yaml
--- a/kubernetes/apps/default/homepage/app/config/bookmarks.yaml
+++ b/kubernetes/apps/default/homepage/app/config/bookmarks.yaml
--- a/kubernetes/apps/default/homepage/app/config/docker.yaml
+++ b/kubernetes/apps/default/homepage/app/config/docker.yaml
--- a/kubernetes/apps/default/homepage/app/config/kubernetes.yaml
+++ b/kubernetes/apps/default/homepage/app/config/kubernetes.yaml
--- a/kubernetes/apps/default/homepage/app/config/services.yaml
+++ b/kubernetes/apps/default/homepage/app/config/services.yaml
--- a/kubernetes/apps/default/homepage/app/config/settings.yaml
+++ b/kubernetes/apps/default/homepage/app/config/settings.yaml
--- a/kubernetes/apps/default/homepage/app/config/widgets.yaml
+++ b/kubernetes/apps/default/homepage/app/config/widgets.yaml
--- a/kubernetes/apps/default/homepage/app/externalsecret.yaml
+++ b/kubernetes/apps/default/homepage/app/externalsecret.yaml
--- a/kubernetes/apps/default/homepage/app/helmrelease.yaml
+++ b/kubernetes/apps/default/homepage/app/helmrelease.yaml
@@ -54,20 +54,17 @@ spec:
    serviceAccount:
      create: true
      name: *app
-    ingress:
+    route:
      app:
-        enabled: true
-        className: internal
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        type: configMap
--- a/kubernetes/apps/default/homepage/app/kustomization.yaml
+++ b/kubernetes/apps/default/homepage/app/kustomization.yaml
--- a/kubernetes/apps/default/homepage/app/rbac.yaml
+++ b/kubernetes/apps/default/homepage/app/rbac.yaml
--- a/kubernetes/apps/default/homepage/ks.yaml
+++ b/kubernetes/apps/default/homepage/ks.yaml
--- a/kubernetes/apps/network/nginx/external/helmrelease.yaml
+++ b/kubernetes/apps/network/nginx/external/helmrelease.yaml
--- a/kubernetes/apps/network/nginx/external/kustomization.yaml
+++ b/kubernetes/apps/network/nginx/external/kustomization.yaml
--- a/kubernetes/apps/network/nginx/internal/helmrelease.yaml
+++ b/kubernetes/apps/network/nginx/internal/helmrelease.yaml
--- a/kubernetes/apps/network/nginx/internal/kustomization.yaml
+++ b/kubernetes/apps/network/nginx/internal/kustomization.yaml
--- a/kubernetes/apps/network/nginx/ks.yaml
+++ b/kubernetes/apps/network/nginx/ks.yaml
@@ -2,34 +2,6 @@
 # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
-metadata:
-  name: &app nginx-certificates
-  namespace: &namespace network
-spec:
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  dependsOn:
-    - name: cert-manager
-      namespace: cert-manager
-  interval: 1h
-  path: ./kubernetes/apps/network/nginx/certificates
-  postBuild:
-    substitute:
-      APP: *app
-  prune: true
-  retryInterval: 2m
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-    namespace: flux-system
-  targetNamespace: *namespace
-  timeout: 5m
-  wait: false
---
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
 metadata:
  name: &app nginx-external
  namespace: &namespace network
--- a/kubernetes/apps/default/atuin/app/helmrelease.yaml
+++ b/kubernetes/apps/default/atuin/app/helmrelease.yaml
@@ -73,26 +73,12 @@ spec:
        hostnames: ["sh.${SECRET_EXTERNAL_DOMAIN}"]
        parentRefs:
          - name: internal
-            namespace: kube-system
+            namespace: network
            sectionName: https
        rules:
          - backendRefs:
-              - name: app
+              - name: *app
                port: *port
-    # ingress:
-    #   app:
-    #     enabled: true
-    #     className: internal
-    #     hosts:
-    #       - host: &host "sh.${SECRET_EXTERNAL_DOMAIN}"
-    #         paths:
-    #           - path: /
-    #             service:
-    #               identifier: app
-    #               port: http
-    #     tls:
-    #       - hosts:
-    #           - *host
    persistence:
      config:
        existingClaim: atuin
--- a/kubernetes/apps/default/authelia/app/config/configuration.yaml
+++ b/kubernetes/apps/default/authelia/app/config/configuration.yaml
@@ -83,15 +83,6 @@ identity_providers:
    clients:
    # Genereate client_secret
    # https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret
-      - client_id: freshrss
-        client_name: freshrss
-        client_secret: '{{ secret "/config/secret/FRESHRSS_OAUTH_DIGEST" }}'
-        public: false
-        authorization_policy: two_factor
-        redirect_uris: ["https://freshrss.${SECRET_EXTERNAL_DOMAIN}:443/i/oidc/"]
-        scopes: [openid, profile, groups, email]
-        userinfo_signed_response_alg: none
-        token_endpoint_auth_method: client_secret_basic
      - client_name: grafana
        client_id: grafana
        client_secret: '{{ secret "/config/secret/GRAFANA_OAUTH_DIGEST" }}'
@@ -142,20 +133,3 @@ identity_providers:
        scopes: [openid, profile, groups, email]
        redirect_uris: ['https://paperless.${SECRET_EXTERNAL_DOMAIN}/accounts/oidc/authelia/login/callback']
        userinfo_signed_response_alg: none
-      - client_id: pgadmin
-        client_name: pgAdmin
-        client_secret: '{{ secret "/config/secret/PGADMIN_OAUTH_DIGEST" }}'
-        public: false
-        authorization_policy: two_factor
-        pre_configured_consent_duration: 1y
-        scopes: [openid, profile, email]
-        redirect_uris: ['https://pgadmin.${SECRET_EXTERNAL_DOMAIN}/oauth2/authorize']
-        userinfo_signed_response_alg: none
-        token_endpoint_auth_method: client_secret_basic
-      - client_id: windmill
-        client_name: Windmill
-        client_secret: '{{ secret "/config/secret/WINDMILL_OAUTH_DIGEST" }}'
-        authorization_policy: two_factor
-        redirect_uris: ['https://windmill.${SECRET_EXTERNAL_DOMAIN}/user/login_callback/authelia']
-        scopes: [openid, profile, groups, email]
-        userinfo_signed_response_alg: none
--- a/kubernetes/apps/default/authelia/app/externalsecret.yaml
+++ b/kubernetes/apps/default/authelia/app/externalsecret.yaml
@@ -22,22 +22,16 @@ spec:
        # AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost
        # AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false"
        OIDC_JWKS_KEY: "{{ .OIDC_JWKS_KEY }}"
-        FRESHRSS_OAUTH_CLIENT_SECRET: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}"
-        FRESHRSS_OAUTH_DIGEST: "{{ .FRESHRSS_OAUTH_DIGEST }}"
        GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
        GRAFANA_OAUTH_DIGEST: "{{ .GRAFANA_OAUTH_DIGEST }}"
        OUTLINE_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
        OUTLINE_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
        JELLYFIN_OAUTH_CLIENT_SECRET: "{{ .JELLYFIN_OAUTH_CLIENT_SECRET }}"
        JELLYFIN_OAUTH_DIGEST: "{{ .JELLYFIN_OAUTH_DIGEST }}"
-        PGADMIN_OAUTH_CLIENT_SECRET: "{{ .PGADMIN_OAUTH_CLIENT_SECRET }}"
-        PGADMIN_OAUTH_DIGEST: "{{ .PGADMIN_OAUTH_DIGEST }}"
        PAPERLESS_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
        PAPERLESS_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
        KOMGA_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
        KOMGA_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
-        WINDMILL_OAUTH_CLIENT_SECRET: "{{ .WINDMILL_OAUTH_CLIENT_SECRET }}"
-        WINDMILL_OAUTH_DIGEST: "{{ .WINDMILL_OAUTH_DIGEST }}"
        SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}"
  dataFrom:
    - extract:
--- a/kubernetes/apps/default/authelia/app/helmrelease.yaml
+++ b/kubernetes/apps/default/authelia/app/helmrelease.yaml
@@ -94,34 +94,45 @@ spec:
            path: /metrics
            interval: 1m
            scrapeTimeout: 10s
-    ingress:
-      app:
-        enabled: true
-        className: external
-        annotations:
-          nginx.ingress.kubernetes.io/configuration-snippet: |
-            add_header Cache-Control "no-store";
-            add_header Pragma "no-cache";
-            add_header X-Frame-Options "SAMEORIGIN";
-            add_header X-XSS-Protection "1; mode=block";
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/group: Infrastructure
-          gethomepage.dev/name: Authelia
-          gethomepage.dev/icon: authelia.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              authelia
-            )
-        hosts:
-          - host: &host auth.${SECRET_EXTERNAL_DOMAIN}
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+    # ingress:
+    #   app:
+    #     enabled: true
+    #     className: external
+    #     annotations:
+    #       nginx.ingress.kubernetes.io/configuration-snippet: |
+    #         add_header Cache-Control "no-store";
+    #         add_header Pragma "no-cache";
+    #         add_header X-Frame-Options "SAMEORIGIN";
+    #         add_header X-XSS-Protection "1; mode=block";
+    #       gethomepage.dev/enabled: "true"
+    #       gethomepage.dev/group: Infrastructure
+    #       gethomepage.dev/name: Authelia9091
+    #       gethomepage.dev/icon: authelia.png
+    #       gethomepage.dev/pod-selector: >-
+    #         app in (
+    #           authelia
+    #         )
+    #     hosts:
+    #       - host: &host auth.${SECRET_EXTERNAL_DOMAIN}
+    #         paths:
+    #           - path: /
+    #             service:
+    #               identifier: app
+    #               port: http
+    #     tls:
+    #       - hosts:
+    #           - *host
+    route:
+      main:
+        hostnames: ["auth.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: external
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/authelia/app/kustomization.yaml
+++ b/kubernetes/apps/default/authelia/app/kustomization.yaml
@@ -5,6 +5,7 @@ kind: Kustomization
 resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
+  - ./referencegrant.yaml
 configMapGenerator:
  - name: authelia-configmap
    files:
--- a/kubernetes/apps/default/authelia/app/referencegrant.yaml
+++ b/kubernetes/apps/default/authelia/app/referencegrant.yaml
@@ -0,0 +1,30 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/referencegrant_v1beta1.json
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: authelia-to-default
+spec:
+  from:
+    - group: gateway.envoyproxy.io
+      kind: SecurityPolicy
+      namespace: default
+  to:
+    - group: ""
+      kind: Service
+      name: authelia
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/referencegrant_v1beta1.json
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: authelia-to-observability
+spec:
+  from:
+    - group: gateway.envoyproxy.io
+      kind: SecurityPolicy
+      namespace: observability
+  to:
+    - group: ""
+      kind: Service
+      name: authelia
--- a/kubernetes/apps/default/authelia/ks.yaml
+++ b/kubernetes/apps/default/authelia/ks.yaml
@@ -16,6 +16,8 @@ spec:
      namespace: database
    - name: external-secrets-stores
      namespace: external-secrets
+    - name: gateway-api-crds
+      namespace: network
  components:
    - ../../../../components/gatus/external
  interval: 1h
--- a/kubernetes/apps/default/bazarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/bazarr/app/helmrelease.yaml
@@ -86,31 +86,17 @@ spec:
        ports:
          http:
            port: *port
-    ingress:
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          nginx.ingress.kubernetes.io/auth-method: GET
-          nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
-          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
-          nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
-          nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/group: Media
-          gethomepage.dev/name: Bazarr
-          gethomepage.dev/icon: bazarr.png
-
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/exercisediary/app/helmrelease.yaml
+++ b/kubernetes/apps/default/exercisediary/app/helmrelease.yaml
@@ -42,35 +42,17 @@ spec:
        ports:
          http:
            port: *port
-    ingress:
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          nginx.ingress.kubernetes.io/auth-method: GET
-          nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
-          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
-          nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
-          nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: exercisediary
-          gethomepage.dev/description: Workout diary with GitHub-style year visualization.
-          gethomepage.dev/group: Applications
-          gethomepage.dev/icon: exercisediary.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              exercisediary
-            )
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: *port
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/exercisediary/ks.yaml
+++ b/kubernetes/apps/default/exercisediary/ks.yaml
@@ -10,6 +10,7 @@ spec:
    labels:
      app.kubernetes.io/name: *app
  components:
+    - ../../../../components/ext-auth
    - ../../../../components/gatus/external
    - ../../../../components/volsync
  dependsOn:
--- a/kubernetes/apps/default/flood/app/helmrelease.yaml
+++ b/kubernetes/apps/default/flood/app/helmrelease.yaml
@@ -51,31 +51,18 @@ spec:
        controller: *app
        ports:
          http:
-            port: 3000
-    ingress:
+            port: &port 3000
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          nginx.ingress.kubernetes.io/auth-method: GET
-          nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
-          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
-          nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
-          nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/group: Media
-          gethomepage.dev/name: qBittorrent
-          gethomepage.dev/icon: qbittorrent.png
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/flood/ks.yaml
+++ b/kubernetes/apps/default/flood/ks.yaml
@@ -16,6 +16,7 @@ spec:
    - name: volsync
      namespace: volsync
  components:
+    - ../../../../components/ext-auth
    - ../../../../components/gatus/guarded
    - ../../../../components/volsync
  interval: 1h
--- a/kubernetes/apps/default/freshrss/app/helmrelease.yaml
+++ b/kubernetes/apps/default/freshrss/app/helmrelease.yaml
@@ -32,12 +32,6 @@ spec:
              TZ: ${TIMEZONE}
              CRON_MIN: 18,48
              DOMAIN: "https://freshrss.${SECRET_EXTERNAL_DOMAIN}/"
-              OIDC_ENABLED: 1
-              OIDC_PROVIDER_METADATA_URL: https://auth.${SECRET_EXTERNAL_DOMAIN}/.well-known/openid-configuration
-              OIDC_CLIENT_ID: freshrss
-              OIDC_REMOTE_USER_CLAIM: preferred_username
-              OIDC_SCOPES: openid groups email profile
-              OIDC_X_FORWARDED_HEADERS: X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto
            envFrom:
              - secretRef:
                  name: freshrss-secret
@@ -50,32 +44,18 @@ spec:
        controller: *app
        ports:
          http:
-            port: 80
-    ingress:
+            port: &port 80
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: FreshRSS
-          gethomepage.dev/description: Developer platform to turn scripts into workflows and UIs
-          gethomepage.dev/group: Applications
-          gethomepage.dev/icon: freshrss.png
-          gethomepage.dev/href: https://windmill.${SECRET_EXTERNAL_DOMAIN}
-          gethomepage.dev/pod-selector: >-
-            app in (
-              freshrss
-            )
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/frigate/app/helmrelease.yaml
+++ b/kubernetes/apps/default/frigate/app/helmrelease.yaml
@@ -82,37 +82,18 @@ spec:
            port: *port
          rtsp:
            enabled: true
-            port: 8554
-    ingress:
+            port: &port 8554
+    route:
      app:
-        enabled: true
-        annotations:
-          nginx.ingress.kubernetes.io/auth-method: GET
-          nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
-          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
-          nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
-          nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Frigate
-          gethomepage.dev/description: NVR with realtime local object detection for IP cameras
-          gethomepage.dev/group: Applications
-          gethomepage.dev/icon: frigate.png
-          gethomepage.dev/href: https://frigate.${SECRET_EXTERNAL_DOMAIN}
-          gethomepage.dev/pod-selector: >-
-            app in (
-              frigate
-            )
-        className: internal
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/frigate/ks.yaml
+++ b/kubernetes/apps/default/frigate/ks.yaml
@@ -15,6 +15,7 @@ spec:
    - name: node-feature-discovery-rules
      namespace: kube-system
  components:
+    - ../../../../components/ext-auth
    - ../../../../components/gatus/guarded
    - ../../../../components/volsync
  interval: 1h
--- a/kubernetes/apps/default/home-assistant/app/helmrelease.yaml
+++ b/kubernetes/apps/default/home-assistant/app/helmrelease.yaml
@@ -64,21 +64,18 @@ spec:
        externalTrafficPolicy: Local
        ports:
          http:
-            port: 8123
-    ingress:
+            port: &port 8123
+    route:
      app:
-        enabled: true
-        className: internal
-        hosts:
-          - host: &host "hass.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["hass.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/home-assistant/code/helmrelease.yaml
+++ b/kubernetes/apps/default/home-assistant/code/helmrelease.yaml
@@ -63,21 +63,18 @@ spec:
        controller: *app
        ports:
          http:
-            port: 8888
-    ingress:
+            port: &port 8888
+    route:
      app:
-        enabled: true
-        className: internal
-        hosts:
-          - host: &host hass-code.${SECRET_EXTERNAL_DOMAIN}
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["hass-code.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/homebox/app/helmrelease.yaml
+++ b/kubernetes/apps/default/homebox/app/helmrelease.yaml
@@ -41,31 +41,18 @@ spec:
        controller: *app
        ports:
          http:
-            port: 7745
-    ingress:
+            port: &port 7745
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Homebox
-          gethomepage.dev/description: Inventory and organization system built for the Home User
-          gethomepage.dev/group: Applications
-          gethomepage.dev/icon: homebox.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              homebox
-            )
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/jellyfin/app/helmrelease.yaml
+++ b/kubernetes/apps/default/jellyfin/app/helmrelease.yaml
@@ -96,21 +96,18 @@ spec:
        externalTrafficPolicy: Local
        ports:
          http:
-            port: 8096
-    ingress:
+            port: &port 8096
+    route:
      app:
-        enabled: true
-        className: external
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: external
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/jellyseerr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/jellyseerr/app/helmrelease.yaml
@@ -69,23 +69,17 @@ spec:
        ports:
          http:
            port: *port
-    ingress:
+    route:
      app:
-        enabled: true
-        className: external
-        hosts:
-          - host: &host1 "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths: &paths
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-          - host: &host2 requests.${SECRET_EXTERNAL_DOMAIN}
-            paths: *paths
-        tls:
-          - hosts:
-              - *host1
-              - *host2
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}","requests.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        existingClaim: *app
--- a/kubernetes/apps/default/joplin/app/helmrelease.yaml
+++ b/kubernetes/apps/default/joplin/app/helmrelease.yaml
@@ -51,27 +51,14 @@ spec:
        ports:
          http:
            port: *port
-    ingress:
+    route:
      app:
-        enabled: true
-        className: external
-        annotations:
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Joplin
-          gethomepage.dev/description: Secure note taking and to-do app with synchronisation capabilities
-          gethomepage.dev/group: Applications
-          gethomepage.dev/icon: joplin.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              joplin
-            )
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: external
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
--- a/kubernetes/apps/default/komga/app/helmrelease.yaml
+++ b/kubernetes/apps/default/komga/app/helmrelease.yaml
@@ -42,30 +42,17 @@ spec:
        ports:
          http:
            port: *port
-    ingress:
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Komga
-          gethomepage.dev/description: Media server for comics/mangas/BDs/magazines/eBooks with API and OPDS support
-          gethomepage.dev/group: Media
-          gethomepage.dev/icon: komga.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              komga
-            )
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/kustomization.yaml
+++ b/kubernetes/apps/default/kustomization.yaml
@@ -9,7 +9,6 @@ resources:
  - ./atuin/ks.yaml
  - ./authelia/ks.yaml
  - ./bazarr/ks.yaml
-  - ./calibre/ks.yaml
  - ./exercisediary/ks.yaml
  - ./flaresolverr/ks.yaml
  - ./flood/ks.yaml
@@ -18,7 +17,6 @@ resources:
  - ./home-assistant/ks.yaml
  - ./homebox/ks.yaml
  - ./homelab/ks.yaml
-  - ./homepage/ks.yaml
  - ./jellyfin/ks.yaml
  - ./jellyseerr/ks.yaml
  - ./joplin/ks.yaml
--- a/kubernetes/apps/default/libmedium/app/helmrelease.yaml
+++ b/kubernetes/apps/default/libmedium/app/helmrelease.yaml
@@ -37,36 +37,18 @@ spec:
        controller: *app
        ports:
          http:
-            port: 7000
-    ingress:
+            port: &port 7000
+    route:
      app:
-        enabled: true
-        className: external
-        annotations:
-          nginx.ingress.kubernetes.io/auth-method: GET
-          nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
-          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
-          nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
-          nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Libmedium
-          gethomepage.dev/description: Medium.com
-          gethomepage.dev/group: Alternative Frontends
-          gethomepage.dev/icon: medium.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              libmedium
-            )
-        hosts:
-          - host: &host "libmedium.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: external
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/libmedium/ks.yaml
+++ b/kubernetes/apps/default/libmedium/ks.yaml
@@ -10,6 +10,7 @@ spec:
    labels:
      app.kubernetes.io/name: *app
  components:
+    - ../../../../components/ext-auth
    - ../../../../components/gatus/external
  dependsOn:
    - name: external-secrets-stores
--- a/kubernetes/apps/default/lidarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/lidarr/app/helmrelease.yaml
@@ -39,6 +39,8 @@ spec:
              TZ: "${TIMEZONE}"
              LIDARR__APP__INSTANCENAME: Lidarr
              LIDARR__SERVER__PORT: &port 8080
+              LIDARR__AUTH__METHOD: External
+              LIDARR__AUTH__REQUIRED: DisabledForLocalAddresses
              LIDARR__LOG__LEVEL: info
              PUSHOVER_APP_URL: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
              PUSHOVER_PRIORITY: "0"
@@ -59,26 +61,17 @@ spec:
        ports:
          http:
            port: *port
-    ingress:
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          nginx.ingress.kubernetes.io/auth-method: GET
-          nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
-          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
-          nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
-          nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
-        hosts:
-          - host: *host
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/linkding/app/helmrelease.yaml
+++ b/kubernetes/apps/default/linkding/app/helmrelease.yaml
@@ -55,30 +55,17 @@ spec:
        ports:
          http:
            port: *port
-    ingress:
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Linkding
-          gethomepage.dev/description: Bookmark manager that is designed be to be minimal and fast
-          gethomepage.dev/group: Applications
-          gethomepage.dev/icon: linkding.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              linkding
-            )
-        hosts:
-          - host: &host "links.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["links.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/lldap/app/helmrelease.yaml
+++ b/kubernetes/apps/default/lldap/app/helmrelease.yaml
@@ -54,30 +54,17 @@ spec:
          ldap:
            enabled: true
            port: *ldapPort
-    ingress:
+    route:
      app:
-        enabled: true
-        annotations:
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: lldap
-          gethomepage.dev/description: Light LDAP implementation
-          gethomepage.dev/group: Infrastructure
-          gethomepage.dev/icon: lldap.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              lldap
-            )
-        className: internal
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      data:
        type: emptyDir
--- a/kubernetes/apps/default/lms/app/helmrelease.yaml
+++ b/kubernetes/apps/default/lms/app/helmrelease.yaml
@@ -44,7 +44,7 @@ spec:
        externalTrafficPolicy: Local
        ports:
          http:
-            port: 9000
+            port: &port 9000
          cli:
            enabled: true
            port: 9090
@@ -57,30 +57,17 @@ spec:
            enabled: true
            port: 3483
            protocol: UDP
-    ingress:
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Lyrion Music Server
-          gethomepage.dev/description: Stream not only your local music collection, but content from many music services and internet radio stations to your players.
-          gethomepage.dev/group: Applications
-          gethomepage.dev/icon: lms.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              lms
-            )
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/lychee/app/helmrelease.yaml
+++ b/kubernetes/apps/default/lychee/app/helmrelease.yaml
@@ -72,30 +72,17 @@ spec:
        ports:
          http:
            port: *port
-    ingress:
+    route:
      app:
-        enabled: true
-        className: external
-        annotations:
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Lychee
-          gethomepage.dev/description: Photo-management tool.
-          gethomepage.dev/group: Media
-          gethomepage.dev/icon: lychee.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              lychee
-            )
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: external
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/navidrome/app/helmrelease.yaml
+++ b/kubernetes/apps/default/navidrome/app/helmrelease.yaml
@@ -54,35 +54,17 @@ spec:
        ports:
          http:
            port: *port
-    ingress:
+    route:
      app:
-        enabled: true
-        className: external
-        annotations:
-          nginx.ingress.kubernetes.io/auth-method: GET
-          nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
-          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
-          nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
-          nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Navidrome
-          gethomepage.dev/description: Modern music server and streamer compatible with subsonic/airsonic.
-          gethomepage.dev/group: Media
-          gethomepage.dev/icon: Navidrome.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              navidrome
-            )
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: external
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/opengist/app/helmrelease.yaml
+++ b/kubernetes/apps/default/opengist/app/helmrelease.yaml
@@ -67,32 +67,20 @@ spec:
        controller: *app
        ports:
          http:
-            port: 6157
+            port: &port 6157
          # ssh:
          #   port: 2222
-    ingress:
+    route:
      app:
-        className: internal
-        annotations:
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Opengist
-          gethomepage.dev/description: Photo-management tool.
-          gethomepage.dev/group: Applications
-          gethomepage.dev/icon: opengist.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              opengist
-            )
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                pathType: Prefix
-                service:
-                  identifier: app
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        type: configMap
--- a/kubernetes/apps/default/outline/app/helmrelease.yaml
+++ b/kubernetes/apps/default/outline/app/helmrelease.yaml
@@ -75,28 +75,15 @@ spec:
        controller: *app
        ports:
          http:
-            port: 8080
-    ingress:
+            port: &port 8080
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Outline
-          gethomepage.dev/description: A fast, collaborative, knowledge base.
-          gethomepage.dev/group: Applications
-          gethomepage.dev/icon: outline.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              outline
-            )
-        hosts:
-          - host: &host "docs.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["docs.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
--- a/kubernetes/apps/default/paperless/app/helmrelease.yaml
+++ b/kubernetes/apps/default/paperless/app/helmrelease.yaml
@@ -60,31 +60,18 @@ spec:
        controller: *app
        ports:
          http:
-            port: 8000
-    ingress:
+            port: &port 8000
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Paperless
-          gethomepage.dev/description: Document management system that transform physical documents into a searchable online archive.
-          gethomepage.dev/group: Applications
-          gethomepage.dev/icon: paperless.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              paperless
-            )
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      data:
        enabled: true
--- a/kubernetes/apps/default/prowlarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/prowlarr/app/helmrelease.yaml
@@ -55,35 +55,17 @@ spec:
        ports:
          http:
            port: *port
-    ingress:
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          nginx.ingress.kubernetes.io/auth-method: GET
-          nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
-          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
-          nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
-          nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Prowlarr
-          gethomepage.dev/description: Torrent and Usenet Indexer manager/proxy.
-          gethomepage.dev/group: Media
-          gethomepage.dev/icon: prowlarr.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              prowlarr
-            )
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml
+++ b/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml
@@ -59,20 +59,17 @@ spec:
            protocol: TCP
            targetPort: *port-bt
        externalTrafficPolicy: Local
-    ingress:
+    route:
      app:
-        enabled: true
-        className: internal
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/radarr-archive/app/helmrelease.yaml
+++ b/kubernetes/apps/default/radarr-archive/app/helmrelease.yaml
@@ -65,26 +65,17 @@ spec:
        ports:
          http:
            port: *port
-    ingress:
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          nginx.ingress.kubernetes.io/auth-method: GET
-          nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
-          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
-          nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
-          nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
-        hosts:
-          - host: *host
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/radarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/radarr/app/helmrelease.yaml
@@ -65,26 +65,17 @@ spec:
        ports:
          http:
            port: *port
-    ingress:
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          nginx.ingress.kubernetes.io/auth-method: GET
-          nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
-          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
-          nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
-          nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
-        hosts:
-          - host: *host
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/readeck/app/helmrelease.yaml
+++ b/kubernetes/apps/default/readeck/app/helmrelease.yaml
@@ -48,35 +48,17 @@ spec:
        ports:
          http:
            port: *port
-    ingress:
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          nginx.ingress.kubernetes.io/auth-method: GET
-          nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
-          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
-          nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
-          nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Readeck
-          gethomepage.dev/description: Saves the precious readable content of web pages to keep forever.
-          gethomepage.dev/group: Applications
-          gethomepage.dev/icon: readeck.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              readeck
-            )
-        hosts:
-          - host: *host
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/redlib/app/helmrelease.yaml
+++ b/kubernetes/apps/default/redlib/app/helmrelease.yaml
@@ -51,32 +51,14 @@ spec:
        ports:
          http:
            port: *port
-    ingress:
+    route:
      app:
-        enabled: true
-        className: external
-        annotations:
-          nginx.ingress.kubernetes.io/auth-method: GET
-          nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
-          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
-          nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
-          nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Redlib
-          gethomepage.dev/description: Reddit.com
-          gethomepage.dev/group: Alternative Frontends
-          gethomepage.dev/icon: redlib.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              redlib
-            )
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: external
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
--- a/kubernetes/apps/default/redlib/ks.yaml
+++ b/kubernetes/apps/default/redlib/ks.yaml
@@ -10,6 +10,7 @@ spec:
    labels:
      app.kubernetes.io/name: *app
  components:
+    - ../../../../components/ext-auth
    - ../../../../components/gatus/external
  interval: 1h
  path: ./kubernetes/apps/default/redlib/app
--- a/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml
+++ b/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml
@@ -78,35 +78,17 @@ spec:
        ports:
          http:
            port: *port
-    ingress:
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          # nginx.ingress.kubernetes.io/auth-method: GET
-          # nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
-          # nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
-          # nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
-          # nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: SABnzbd
-          gethomepage.dev/description: Automated Usenet download tool.
-          gethomepage.dev/group: Applications
-          gethomepage.dev/icon: sabnzbd.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              sabnzbd
-            )
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/sharry/app/helmrelease.yaml
+++ b/kubernetes/apps/default/sharry/app/helmrelease.yaml
@@ -43,32 +43,18 @@ spec:
        controller: *app
        ports:
          http:
-            port: 9090
-    ingress:
+            port: &port 9090
+    route:
      app:
-        enabled: true
-        className: external
-        annotations:
-          nginx.ingress.kubernetes.io/proxy-body-size: "0"
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Sharry
-          gethomepage.dev/description: Share files with others in a simple way.
-          gethomepage.dev/group: Applications
-          gethomepage.dev/icon: sharry.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              sharry
-            )
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/sonarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/sonarr/app/helmrelease.yaml
@@ -78,26 +78,17 @@ spec:
        ports:
          http:
            port: *port
-    ingress:
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          nginx.ingress.kubernetes.io/auth-method: GET
-          nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
-          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
-          nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
-          nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/tdarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/tdarr/app/helmrelease.yaml
@@ -50,36 +50,18 @@ spec:
          server:
            enabled: true
            protocol: TCP
-            port: 8266
-    ingress:
+            port: &port 8266
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          nginx.ingress.kubernetes.io/auth-method: GET
-          nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
-          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
-          nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
-          nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Tdarr
-          gethomepage.dev/description: Distributed transcode automation using FFmpeg/HandBrake + Audio/Video library analytics.
-          gethomepage.dev/group: Media
-          gethomepage.dev/icon: tdarr.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              tdarr
-            )
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/tdarr/ks.yaml
+++ b/kubernetes/apps/default/tdarr/ks.yaml
@@ -16,6 +16,7 @@ spec:
    - name: volsync
      namespace: volsync
  components:
+    - ../../../../components/ext-auth
    - ../../../../components/gatus/guarded
    - ../../../../components/volsync
  interval: 1h
--- a/kubernetes/apps/default/unifi/app/helmrelease.yaml
+++ b/kubernetes/apps/default/unifi/app/helmrelease.yaml
@@ -47,7 +47,7 @@ spec:
        loadBalancerIP: 192.168.169.103
        ports:
          http:
-            port: 8443
+            port: &port 8443
            protocol: HTTPS
          controller:
            enabled: true
@@ -77,31 +77,17 @@ spec:
            enabled: true
            port: 10001
            protocol: UDP
-    ingress:
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          nginx.ingress.kubernetes.io/backend-protocol: HTTPS
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Unifi
-          gethomepage.dev/description: Centralized enterprise-grade networking for home and business.
-          gethomepage.dev/group: Infrastructure
-          gethomepage.dev/icon: unifi.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              unifi
-            )
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/vaultwarden/app/helmrelease.yaml
+++ b/kubernetes/apps/default/vaultwarden/app/helmrelease.yaml
@@ -60,30 +60,17 @@ spec:
        ports:
          http:
            port: &port 80
-    ingress:
+    route:
      app:
-        enabled: true
-        className: external
-        annotations:
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Vaultwarden
-          gethomepage.dev/description: Open-source password manager compatible with Bitwarden clients.
-          gethomepage.dev/group: Applications
-          gethomepage.dev/icon: vaultwarden.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              vaultwarden
-            )
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: *port
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: external
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/vikunja/app/helmrelease.yaml
+++ b/kubernetes/apps/default/vikunja/app/helmrelease.yaml
@@ -49,33 +49,18 @@ spec:
        controller: *app
        ports:
          http:
-            port: 3456
-    ingress:
+            port: &port 3456
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          external-dns.alpha.kubernetes.io/enabled: "true"
-          external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}.
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Vikunja
-          gethomepage.dev/description: Tasks and project management platform.
-          gethomepage.dev/group: Applications
-          gethomepage.dev/icon: vikunja.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              vikunja
-            )
-        hosts:
-          - host: *host
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: external
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/webhook/app/helmrelease.yaml
+++ b/kubernetes/apps/default/webhook/app/helmrelease.yaml
@@ -56,20 +56,17 @@ spec:
        ports:
          http:
            port: *port
-    ingress:
+    route:
      app:
-        enabled: true
-        className: internal
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: *port
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        type: configMap
--- a/kubernetes/apps/default/zigbee2mqtt/app/helmrelease.yaml
+++ b/kubernetes/apps/default/zigbee2mqtt/app/helmrelease.yaml
@@ -83,35 +83,17 @@ spec:
        ports:
          http:
            port: *port
-    ingress:
+    route:
      app:
-        enabled: true
-        className: internal
-        annotations:
-          nginx.ingress.kubernetes.io/auth-method: GET
-          nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
-          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
-          nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
-          nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/name: Zigbee2mqtt
-          gethomepage.dev/description: Bridge for connecting Zigbee devices to MQTT networks.
-          gethomepage.dev/group: Applications
-          gethomepage.dev/icon: zigbee2mqtt.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              zigbee2mqtt
-            )
-        hosts:
-          - host: &host "zigbee.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["zigbee.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/zigbee2mqtt/ks.yaml
+++ b/kubernetes/apps/default/zigbee2mqtt/ks.yaml
@@ -19,6 +19,7 @@ spec:
    - name: volsync
      namespace: volsync
  components:
+    - ../../../../components/ext-auth
    - ../../../../components/gatus/guarded
    - ../../../../components/volsync
  interval: 1h
--- a/kubernetes/apps/kube-system/cilium/README.md
+++ b/kubernetes/apps/kube-system/cilium/README.md
@@ -1,22 +0,0 @@
-# Cilium
-
-## UniFi BGP
-
-```sh
-router bgp 64513
-  bgp router-id 192.168.1.1
-  no bgp ebgp-requires-policy
-
-  neighbor k8s peer-group
-  neighbor k8s remote-as 64514
-
-  neighbor 192.168.42.10 peer-group k8s
-  neighbor 192.168.42.11 peer-group k8s
-  neighbor 192.168.42.12 peer-group k8s
-
-  address-family ipv4 unicast
-    neighbor k8s next-hop-self
-    neighbor k8s soft-reconfiguration inbound
-  exit-address-family
-exit
-```
--- a/kubernetes/apps/kube-system/cilium/ks.yaml
+++ b/kubernetes/apps/kube-system/cilium/ks.yaml
@@ -20,24 +20,3 @@ spec:
  targetNamespace: *namespace
  timeout: 5m
  wait: false
---
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app cilium-gateway
-  namespace: &namespace kube-system
-spec:
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  interval: 1h
-  path: ./kubernetes/apps/kube-system/cilium/gateway
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-    namespace: flux-system
-  targetNamespace: *namespace
-  timeout: 15m
-  wait: false
--- a/kubernetes/apps/kube-system/gateway-api-crds/ks.yaml
+++ b/kubernetes/apps/kube-system/gateway-api-crds/ks.yaml
@@ -1,22 +0,0 @@
---
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app gateway-api-crds
-  namespace: &namespace kube-system
-spec:
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  interval: 1h
-  path: ./kubernetes/apps/kube-system/gateway-api-crds/app
-  prune: true
-  retryInterval: 2m
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-    namespace: flux-system
-  targetNamespace: *namespace
-  timeout: 5m
-  wait: false
--- a/kubernetes/apps/kube-system/kustomization.yaml
+++ b/kubernetes/apps/kube-system/kustomization.yaml
@@ -10,7 +10,6 @@ resources:
  - ./coredns/ks.yaml
  - ./descheduler/ks.yaml
  - ./intel-device-plugin/ks.yaml
-  - ./gateway-api-crds/ks.yaml
  - ./kubelet-csr-approver/ks.yaml
  - ./metrics-server/ks.yaml
  - ./node-feature-discovery/ks.yaml
--- a/kubernetes/apps/kube-system/gateway-api-crds/app/helmrelease.yaml
+++ b/kubernetes/apps/kube-system/gateway-api-crds/app/helmrelease.yaml
@@ -3,30 +3,41 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: OCIRepository
 metadata:
-  name: gateway-api-crds
+  name: envoy-gateway
 spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
-    tag: 1.3.0
-  url: oci://ghcr.io/wiremind/wiremind-helm-charts/gateway-api-crds
+    tag: 1.5.0
+  url: oci://docker.io/envoyproxy/gateway-helm
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
-  name: gateway-api-crds
+  name: &app envoy-gateway
 spec:
-  interval: 1h
+  interval: 5m
  chartRef:
    kind: OCIRepository
-    name: gateway-api-crds
+    name: *app
+  driftDetection:
+    mode: warn
  install:
    remediation:
      retries: -1
+    crds: CreateReplace
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
+    crds: CreateReplace
+  values:
+    deployment:
+      envoyGateway:
+        rbac:
+          cluster: true
+        gateway:
+          controllerName: gateway.envoyproxy.io/gatewayclass-controller
--- a/kubernetes/apps/kube-system/gateway-api-crds/app/kustomization.yaml
+++ b/kubernetes/apps/kube-system/gateway-api-crds/app/kustomization.yaml
@@ -3,4 +3,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helmrelease.yaml
+  - helmrelease.yaml
+  - podmonitor.yaml
+  - servicemonitor.yaml
--- a/kubernetes/apps/network/envoy-gateway/app/podmonitor.yaml
+++ b/kubernetes/apps/network/envoy-gateway/app/podmonitor.yaml
@@ -0,0 +1,20 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/podmonitor_v1.json
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: envoy-proxy
+spec:
+  jobLabel: envoy-proxy
+  namespaceSelector:
+    matchNames:
+      - network
+  podMetricsEndpoints:
+    - honorLabels: true
+      interval: 10s
+      path: /stats/prometheus
+      port: metrics
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: proxy
+      app.kubernetes.io/name: envoy
--- a/kubernetes/apps/network/envoy-gateway/app/servicemonitor.yaml
+++ b/kubernetes/apps/network/envoy-gateway/app/servicemonitor.yaml
@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/servicemonitor_v1.json
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: envoy-gateway
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: gateway-helm
+  namespaceSelector:
+    matchNames:
+      - network
+  endpoints:
+    - port: metrics
+      path: /metrics
+      interval: 10s
+      honorLabels: true
--- a/kubernetes/apps/network/envoy-gateway/config/backendtrafficpolicy.yaml
+++ b/kubernetes/apps/network/envoy-gateway/config/backendtrafficpolicy.yaml
@@ -0,0 +1,28 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: BackendTrafficPolicy
+metadata:
+  name: internal
+spec:
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: internal
+  compression:
+    - type: Brotli
+    - type: Gzip
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: BackendTrafficPolicy
+metadata:
+  name: external
+spec:
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: external
+  compression:
+    - type: Brotli
+    - type: Gzip
--- a/kubernetes/apps/network/envoy-gateway/config/certificate.yaml
+++ b/kubernetes/apps/network/envoy-gateway/config/certificate.yaml
--- a/kubernetes/apps/network/envoy-gateway/config/clienttrafficpolicy.yaml
+++ b/kubernetes/apps/network/envoy-gateway/config/clienttrafficpolicy.yaml
@@ -0,0 +1,38 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: ClientTrafficPolicy
+metadata:
+  name: internal
+spec:
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: internal
+  clientIPDetection:
+    xForwardedFor:
+      numTrustedHops: 1
+  tls:
+    minVersion: '1.2'
+    alpnProtocols:
+      - h2
+      - http/1.1
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: ClientTrafficPolicy
+metadata:
+  name: external
+spec:
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: external
+  clientIPDetection:
+    xForwardedFor:
+      numTrustedHops: 1
+  tls:
+    minVersion: '1.2'
+    alpnProtocols:
+      - h2
+      - http/1.1
--- a/kubernetes/apps/network/envoy-gateway/config/envoyproxy.yaml
+++ b/kubernetes/apps/network/envoy-gateway/config/envoyproxy.yaml
@@ -0,0 +1,31 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyProxy
+metadata:
+  name: config
+spec:
+  # ipFamily: DualStack
+  telemetry:
+    metrics:
+      prometheus: {}
+  shutdown:
+    drainTimeout: 300s
+  logging:
+    level:
+      default: info
+  provider:
+    type: Kubernetes
+    kubernetes:
+      envoyDeployment:
+        replicas: 1
+        container:
+          resources:
+            requests:
+              cpu: 150m
+              memory: 640Mi
+            limits:
+              cpu: 500m
+              memory: 1Gi
+      envoyService:
+        externalTrafficPolicy: Cluster # cilium l2 announce doesn't support externalTrafficPolicy: Local
--- a/Show More
+++ b/Show More