steffen/kubedeploy-k3s
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

middlewares

Browse Source
This commit is contained in:
Steffen Illium
2024-04-25 23:36:26 +02:00
parent ade83e2e83
commit 6bcc331007
11 changed files with 79 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
infrastructure/03-traefik/base/deployment.yaml
View File

@ -38,13 +38,13 @@ spec:
- --entrypoints.web-local.transport.respondingTimeouts.idleTimeout=0 - --entrypoints.web-local.transport.respondingTimeouts.idleTimeout=0
- --entrypoints.websecure-local.address=:443/tcp - --entrypoints.websecure-local.address=:443/tcp
- --entrypoints.websecure-local.http.middlewares=traefik-default-headers - --entrypoints.websecure-local.http.middlewares=no-auth-chain
- --entrypoints.websecure-local.http.tls=true - --entrypoints.websecure-local.http.tls=true
- --entrypoints.websecure-local.transport.respondingTimeouts.readTimeout=300 - --entrypoints.websecure-local.transport.respondingTimeouts.readTimeout=300
- --entrypoints.websecure-local.transport.respondingTimeouts.idleTimeout=0 - --entrypoints.websecure-local.transport.respondingTimeouts.idleTimeout=0
- --entrypoints.websecure-front.address=:8443/tcp - --entrypoints.websecure-front.address=:8443/tcp
- --entrypoints.websecure-front.http.middlewares=traefik-default-headers - --entrypoints.websecure-front.http.middlewares=no-auth-chain
- --entrypoints.websecure-front.http.tls=true - --entrypoints.websecure-front.http.tls=true
- --entrypoints.websecure-front.transport.respondingTimeouts.readTimeout=300 - --entrypoints.websecure-front.transport.respondingTimeouts.readTimeout=300
- --entrypoints.websecure-front.transport.respondingTimeouts.idleTimeout=0 - --entrypoints.websecure-front.transport.respondingTimeouts.idleTimeout=0
@ -59,7 +59,7 @@ spec:
- --metrics.prometheus=true - --metrics.prometheus=true
- --metrics.prometheus.entrypoint=metrics - --metrics.prometheus.entrypoint=metrics
- --providers.kubernetescrd - --providers.kubernetescrd
# - --providers.kubernetescrd.labelSelector=local=true - --providers.kubernetescrd.labelSelector=local=true
- --providers.kubernetescrd.allowExternalNameServices=true - --providers.kubernetescrd.allowExternalNameServices=true
- --accesslog=false - --accesslog=false

2
infrastructure/03-traefik/base/kustomization.yaml
View File

@ -9,6 +9,6 @@ resources:
- deployment.yaml - deployment.yaml
- networking - networking
- security - security
- mid-default-headers.yaml - middlewares
- namespace.yaml - namespace.yaml
- pvc.yaml - pvc.yaml

21
infrastructure/03-traefik/base/mid-authentik.yaml
View File

@ -1,21 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: authentik-middleware
namespace: traefik
spec:
forwardAuth:
address: https://auth.steffenillium.de/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version

37
infrastructure/03-traefik/base/mid-no-auth.yaml
View File

@ -1,37 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: no-auth
namespace: traefik
spec:
mid_error:
errors:
status:
- "400-599"
service: "srv_web@docker"
query: "https://steffenillium.de"
mid_compress:
compress: {}
mid_rate_limit:
rateLimit:
average: 50
burst: 200
mid_auth:
forwardAuth:
address: "http://oauth:4181"
trustForwardHeader: true
authResponseHeaders:
- "X-Forwarded-User"
noauth:
chain:
middlewares:
- mid_rate_limit
- mid_compress
- crowdsec
# - mid_error

21
infrastructure/03-traefik/base/middlewares/authentik.yaml Normal file
View File

@ -0,0 +1,21 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: authentik-middleware
namespace: traefik
spec:
forwardAuth:
address: https://auth.steffenillium.de/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version

7
infrastructure/03-traefik/base/middlewares/compress.yaml Normal file
View File

@ -0,0 +1,7 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: compress
namespace: traefik
spec:
compress: {}

1
infrastructure/03-traefik/base/mid-default-headers.yaml → infrastructure/03-traefik/base/middlewares/default-headers.yaml
View File

@ -3,7 +3,6 @@ kind: Middleware
metadata: metadata:
name: default-headers name: default-headers
namespace: traefik namespace: traefik
spec: spec:
headers: headers:
browserXssFilter: true browserXssFilter: true

13
infrastructure/03-traefik/base/middlewares/error.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: error
namespace: traefik
spec:
errors:
status:
- "400-599"
service:
name: website
port: 80
query: "https://steffenillium.de/404.html"

14
infrastructure/03-traefik/base/middlewares/no-auth-chain.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: no-auth-chain
namespace: traefik
spec:
chain:
middlewares:
- rate_limit
- compress
- error
- xfwd_exclude
- default-headers

9
infrastructure/03-traefik/base/middlewares/rate-limit.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: rate_limit
namespace: traefik
spec:
rateLimit:
average: 50
burst: 200

11
infrastructure/03-traefik/base/middlewares/xfwd_exclude.yaml Normal file
View File

@ -0,0 +1,11 @@
# Exclude from `X-Forwarded-For`
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: xfwd_exclude
spec:
ipWhiteList:
ipStrategy:
excludedIPs:
- 127.0.0.1/32
- 10.0.0.0/8