From 6bcc3310076884b62e42c9ad5b61e5e97a515834 Mon Sep 17 00:00:00 2001
From: Steffen Illium
Date: Thu, 25 Apr 2024 23:36:26 +0200
Subject: [PATCH] middlewares
---
 .../03-traefik/base/deployment.yaml | 6 +--
 .../03-traefik/base/kustomization.yaml | 2 +-
 .../03-traefik/base/mid-authentik.yaml | 21 -----------
 .../03-traefik/base/mid-no-auth.yaml | 37 -------------------
 .../base/middlewares/authentik.yaml | 21 +++++++++++
 .../03-traefik/base/middlewares/compress.yaml | 7 ++++
 .../default-headers.yaml} | 1 -
 .../03-traefik/base/middlewares/error.yaml | 13 +++++++
 .../base/middlewares/no-auth-chain.yaml | 14 +++++++
 .../base/middlewares/rate-limit.yaml | 9 +++++
 .../base/middlewares/xfwd_exclude.yaml | 11 ++++++
 11 files changed, 79 insertions(+), 63 deletions(-)
 delete mode 100644 infrastructure/03-traefik/base/mid-authentik.yaml
 delete mode 100644 infrastructure/03-traefik/base/mid-no-auth.yaml
 create mode 100644 infrastructure/03-traefik/base/middlewares/authentik.yaml
 create mode 100644 infrastructure/03-traefik/base/middlewares/compress.yaml
 rename infrastructure/03-traefik/base/{mid-default-headers.yaml => middlewares/default-headers.yaml} (99%)
 create mode 100644 infrastructure/03-traefik/base/middlewares/error.yaml
 create mode 100644 infrastructure/03-traefik/base/middlewares/no-auth-chain.yaml
 create mode 100644 infrastructure/03-traefik/base/middlewares/rate-limit.yaml
 create mode 100644 infrastructure/03-traefik/base/middlewares/xfwd_exclude.yaml
diff --git a/infrastructure/03-traefik/base/deployment.yaml b/infrastructure/03-traefik/base/deployment.yaml
index b970bbb..3c48970 100644
--- a/infrastructure/03-traefik/base/deployment.yaml
+++ b/infrastructure/03-traefik/base/deployment.yaml
@@ -38,13 +38,13 @@ spec:
 - --entrypoints.web-local.transport.respondingTimeouts.idleTimeout=0
 - --entrypoints.websecure-local.address=:443/tcp
- - --entrypoints.websecure-local.http.middlewares=traefik-default-headers
+ - --entrypoints.websecure-local.http.middlewares=no-auth-chain
 - --entrypoints.websecure-local.http.tls=true
 - --entrypoints.websecure-local.transport.respondingTimeouts.readTimeout=300
 - --entrypoints.websecure-local.transport.respondingTimeouts.idleTimeout=0
 - --entrypoints.websecure-front.address=:8443/tcp
- - --entrypoints.websecure-front.http.middlewares=traefik-default-headers
+ - --entrypoints.websecure-front.http.middlewares=no-auth-chain
 - --entrypoints.websecure-front.http.tls=true
 - --entrypoints.websecure-front.transport.respondingTimeouts.readTimeout=300
 - --entrypoints.websecure-front.transport.respondingTimeouts.idleTimeout=0
@@ -59,7 +59,7 @@ spec:
 - --metrics.prometheus=true
 - --metrics.prometheus.entrypoint=metrics
 - --providers.kubernetescrd
- # - --providers.kubernetescrd.labelSelector=local=true
+ - --providers.kubernetescrd.labelSelector=local=true
 - --providers.kubernetescrd.allowExternalNameServices=true
 - --accesslog=false
diff --git a/infrastructure/03-traefik/base/kustomization.yaml b/infrastructure/03-traefik/base/kustomization.yaml
index 886984d..0f1a55d 100644
--- a/infrastructure/03-traefik/base/kustomization.yaml
+++ b/infrastructure/03-traefik/base/kustomization.yaml
@@ -9,6 +9,6 @@ resources:
 - deployment.yaml
 - networking
 - security
-- mid-default-headers.yaml
+- middlewares
 - namespace.yaml
 - pvc.yaml
diff --git a/infrastructure/03-traefik/base/mid-authentik.yaml b/infrastructure/03-traefik/base/mid-authentik.yaml
deleted file mode 100644
index bdc5864..0000000
--- a/infrastructure/03-traefik/base/mid-authentik.yaml
+++ /dev/null
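Review bot: The new entrypoint reference `no-auth-chain` is unqualified, while the line it replaces used `traefik-default-headers`, i.e. the `<namespace>-<name>` form under which the kubernetescrd provider registers a Middleware; the chain created in this patch lives in namespace `traefik`, so it is exposed as `traefik-no-auth-chain@kubernetescrd`, and a lookup for plain `no-auth-chain` is unlikely to resolve. Traefik should then refuse to build the routers on websecure-local and websecure-front rather than serve them without the chain, so the failure is closed, but the security headers, rate limiting and error handling the chain is meant to provide would be missing until corrected. Suggest `- --entrypoints.websecure-local.http.middlewares=traefik-no-auth-chain@kubernetescrd` and the same for websecure-front, with the provider suffix spelled out so the lookup does not depend on a default provider. The args list continues outside the hunk.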
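Review bot: Enabling `--providers.kubernetescrd.labelSelector=local=true` makes the provider ignore every CRD object without a `local=true` label, and none of the Middleware manifests added in this patch (authentik, compress, error, no-auth-chain, rate-limit, xfwd_exclude) carry any label in their metadata, so Traefik would not load them — including the `no-auth-chain` the first hunk wires into the entrypoints — unless a kustomize labels transformer adds the label, which the visible kustomization.yaml hunk does not show. The same selector also applies to IngressRoute, TLSOption and ServersTransport objects outside this diff, so any unlabelled route stops being served once this flag is live. Either add `labels: { local: "true" }` under `metadata:` in each manifest or set it once in the base kustomization with the labels transformer, and record the dependency next to the flag with `# every CRD object Traefik should load must carry local=true`. The args list continues outside the hunk.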
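Review bot: `- middlewares` points kustomize at a directory, which is only accepted when that directory holds its own kustomization.yaml listing the manifests; the diffstat creates seven files under middlewares/ but no `middlewares/kustomization.yaml`, so `kustomize build` of this base fails unless that file already exists outside the patch. Add one with `resources:` naming authentik.yaml, compress.yaml, default-headers.yaml, error.yaml, no-auth-chain.yaml, rate-limit.yaml and xfwd_exclude.yaml, so that every middleware the entrypoint chain depends on is actually applied.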
@@ -1,21 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: authentik-middleware
- namespace: traefik
-spec:
- forwardAuth:
- address: https://auth.steffenillium.de/outpost.goauthentik.io/auth/traefik
- trustForwardHeader: true
- authResponseHeaders:
- - X-authentik-username
- - X-authentik-groups
- - X-authentik-email
- - X-authentik-name
- - X-authentik-uid
- - X-authentik-jwt
- - X-authentik-meta-jwks
- - X-authentik-meta-outpost
- - X-authentik-meta-provider
- - X-authentik-meta-app
- - X-authentik-meta-version
diff --git a/infrastructure/03-traefik/base/mid-no-auth.yaml b/infrastructure/03-traefik/base/mid-no-auth.yaml
deleted file mode 100644
index f2cebd6..0000000
--- a/infrastructure/03-traefik/base/mid-no-auth.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: no-auth
- namespace: traefik
-
-spec:
- mid_error:
- errors:
- status:
- - "400-599"
- service: "srv_web@docker"
- query: "https://steffenillium.de"
-
- mid_compress:
- compress: {}
-
- mid_rate_limit:
- rateLimit:
- average: 50
- burst: 200
-
- mid_auth:
- forwardAuth:
- address: "http://oauth:4181"
- trustForwardHeader: true
- authResponseHeaders:
- - "X-Forwarded-User"
-
- noauth:
- chain:
- middlewares:
- - mid_rate_limit
- - mid_compress
- - crowdsec
- # - mid_error
-
diff --git a/infrastructure/03-traefik/base/middlewares/authentik.yaml b/infrastructure/03-traefik/base/middlewares/authentik.yaml
new file mode 100644
index 0000000..1320caf
--- /dev/null
+++ b/infrastructure/03-traefik/base/middlewares/authentik.yaml
@@ -0,0 +1,21 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: authentik-middleware
+ namespace: traefik
+spec:
+ forwardAuth:
+ address: https://auth.steffenillium.de/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
diff --git a/infrastructure/03-traefik/base/middlewares/compress.yaml b/infrastructure/03-traefik/base/middlewares/compress.yaml
new file mode 100644
index 0000000..fcd4604
--- /dev/null
+++ b/infrastructure/03-traefik/base/middlewares/compress.yaml
@@ -0,0 +1,7 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: compress
+ namespace: traefik
+spec:
+ compress: {}
\ No newline at end of file
diff --git a/infrastructure/03-traefik/base/mid-default-headers.yaml b/infrastructure/03-traefik/base/middlewares/default-headers.yaml
similarity index 99%
rename from infrastructure/03-traefik/base/mid-default-headers.yaml
rename to infrastructure/03-traefik/base/middlewares/default-headers.yaml
index 585bfc8..b0884d2 100644
--- a/infrastructure/03-traefik/base/mid-default-headers.yaml
+++ b/infrastructure/03-traefik/base/middlewares/default-headers.yaml
@@ -3,7 +3,6 @@ kind: Middleware
 metadata:
 name: default-headers
 namespace: traefik
-
 spec:
 headers:
 browserXssFilter: true
diff --git a/infrastructure/03-traefik/base/middlewares/error.yaml b/infrastructure/03-traefik/base/middlewares/error.yaml
new file mode 100644
index 0000000..e7752a1
--- /dev/null
+++ b/infrastructure/03-traefik/base/middlewares/error.yaml
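Review bot: `trustForwardHeader: true` makes the forwardAuth request carry the incoming X-Forwarded-* headers through to the authentik outpost instead of values Traefik sets itself, so the outpost's view of client IP, host and URI is only as trustworthy as what the entrypoint lets through; that is fine when Traefik is the first hop and its entrypoints' forwardedHeaders settings restrict who may set those headers, which this diff does not show. The content is identical to the deleted mid-authentik.yaml, so this is a move rather than a behavioural change, but since the file is re-created it is a good moment to record the assumption above `forwardAuth:`: `# trustForwardHeader relies on the entrypoint forwardedHeaders config stripping client-supplied X-Forwarded-* headers`.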
@@ -0,0 +1,13 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: error
+ namespace: traefik
+spec:
+ errors:
+ status:
+ - "400-599"
+ service:
+ name: website
+ port: 80
+ query: "https://steffenillium.de/404.html"
diff --git a/infrastructure/03-traefik/base/middlewares/no-auth-chain.yaml b/infrastructure/03-traefik/base/middlewares/no-auth-chain.yaml
new file mode 100644
index 0000000..28e56ba
--- /dev/null
+++ b/infrastructure/03-traefik/base/middlewares/no-auth-chain.yaml
@@ -0,0 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: no-auth-chain
+ namespace: traefik
+spec:
+ chain:
+ middlewares:
+ - rate_limit
+ - compress
+ - error
+ - xfwd_exclude
+ - default-headers
+
diff --git a/infrastructure/03-traefik/base/middlewares/rate-limit.yaml b/infrastructure/03-traefik/base/middlewares/rate-limit.yaml
new file mode 100644
index 0000000..97699c8
--- /dev/null
+++ b/infrastructure/03-traefik/base/middlewares/rate-limit.yaml
@@ -0,0 +1,9 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: rate_limit
+ namespace: traefik
+spec:
+ rateLimit:
+ average: 50
+ burst: 200
\ No newline at end of file
diff --git a/infrastructure/03-traefik/base/middlewares/xfwd_exclude.yaml b/infrastructure/03-traefik/base/middlewares/xfwd_exclude.yaml
new file mode 100644
index 0000000..5e4a3f4
--- /dev/null
+++ b/infrastructure/03-traefik/base/middlewares/xfwd_exclude.yaml
@@ -0,0 +1,11 @@
+# Exclude from `X-Forwarded-For`
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: xfwd_exclude
+spec:
+ ipWhiteList:
+ ipStrategy:
+ excludedIPs:
+ - 127.0.0.1/32
+ - 10.0.0.0/8
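Review bot: `query: "https://steffenillium.de/404.html"` is an absolute URL, but the errors middleware fetches the page from the `service` below it and treats `query` as a path on that service (the documented form is e.g. `/{status}.html`), so this value is unlikely to resolve and the original error body would be passed through. Suggest `query: "/404.html"` so the page is served by `website` on port 80, which must then exist in namespace traefik since no `namespace:` is given under `service:`. Separately, `"400-599"` on a chain attached to every router on the entrypoints replaces the body of all 4xx responses — 401/403 from forwardAuth, 429 from the rate limiter and the JSON errors of any API route — with this HTML page; the status code is kept, but consider `"500-599"` or a narrower list if clients depend on the error body.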
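Review bot: The chain entries are bare strings, but in the Traefik CRD `spec.chain.middlewares` is a list of references with a `name` field and an optional `namespace`, so this manifest is rejected by the CRD schema and the chain the entrypoints depend on never exists; each entry should read like `- name: rate_limit`. xfwd_exclude.yaml sets no `namespace:`, so that entry likely needs an explicit `namespace:` unless the kustomization places it in traefik. `error`, `rate_limit` and `xfwd_exclude` are all defined in this patch, so renaming them (see the note on rate-limit.yaml about underscores) must be mirrored here. Placing `rate_limit` first is right for a limiter, but note that `xfwd_exclude` later in the chain has no effect on how the limiter derives the client IP.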
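Review bot: `name: rate_limit` is not a valid Kubernetes object name — metadata.name must be a DNS subdomain of lowercase alphanumerics, `-` and `.` — so the API server rejects this manifest; the same applies to `name: xfwd_exclude` in xfwd_exclude.yaml, and both are referenced by that spelling in no-auth-chain.yaml. Suggest `name: rate-limit` here (matching the file name) and `xfwd-exclude` there, with the chain updated to match. Also, with no `sourceCriterion` the limiter buckets by the TCP peer address; if Traefik is reached through another hop — the 10.0.0.0/8 exclusion in xfwd_exclude.yaml suggests there may be one — all clients would share a single bucket, in which case `sourceCriterion.ipStrategy` with `depth` or `excludedIPs` belongs here rather than in a separate ipWhiteList.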
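Review bot: `ipWhiteList` without `sourceRange` cannot be built — Traefik rejects an allow list with an empty source range — and `ipStrategy.excludedIPs` only tells that middleware which X-Forwarded-For entry to treat as the client address; it strips nothing from the header, so the comment `# Exclude from X-Forwarded-For` describes behaviour this manifest does not have. If the goal is to ignore internal hops when identifying the client, the `excludedIPs` list belongs under `rateLimit.sourceCriterion.ipStrategy` in rate-limit.yaml and this middleware can be dropped; if an IP allow list is really intended, a `sourceRange` is required and the chain placement should be reconsidered. The manifest also differs from every other file in the patch: it uses the deprecated `traefik.containo.us/v1alpha1` API group instead of `traefik.io/v1alpha1`, has no `namespace: traefik`, and uses an underscore in its name (see the note on rate-limit.yaml).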