From 838dba50221552fb35e3531731d5273fdb08a3ae Mon Sep 17 00:00:00 2001
From: Steffen Illium <steffen.illium@gmail.com>
Date: Fri, 5 Apr 2024 22:17:41 +0200
Subject: [PATCH] ingress route seperations and authentik preperation

---
 apps/adguard/base/adguard-ingress.yaml        | 24 ++++++++++++++++---
 apps/gitea/base/gitea-ingress.yaml            |  1 +
 .../base/kube-dashboard-ui-ingress.yaml       |  3 ++-
 apps/newcloud/base/nextcloud-ingress.yaml     |  1 +
 apps/paperless/base/webserver-ingress.yaml    | 23 +++++++++++++++++-
 .../networking/smb-ingress-tcp-139.yaml       |  1 +
 .../networking/smb-ingress-tcp-445.yaml       |  1 +
 .../networking/smb-ingress-udp-137.yaml       |  1 +
 .../networking/smb-ingress-udp-138.yaml       |  1 +
 .../vaultwarden/base/vaultwarden-ingress.yaml |  1 +
 infrastructure/0-argo-cd-ui-ingress.yaml      |  1 +
 .../03-traefik/base/deployment-traefik.yaml   |  1 +
 .../patches/traefik-deployment-patch.yaml     | 13 ++++++----
 .../traefik-ingress-dashboard-local.yaml      |  2 +-
 .../shared/foreign/fritz/fritz-ingress.yaml   | 23 ++++++++++++++++--
 .../home-assistant-ingress.yaml               |  1 +
 .../shared/foreign/kustomization.yaml         |  1 +
 .../shared/traefik-middleware-authentik.yaml  | 21 ++++++++++++++++
 .../04-longhorn/base/longhorn-ui-ingress.yaml |  2 +-
 infrastructure/05-authentik/base/values.yaml  |  2 +-
 20 files changed, 109 insertions(+), 15 deletions(-)
 create mode 100644 infrastructure/03-traefik/shared/traefik-middleware-authentik.yaml

diff --git a/apps/adguard/base/adguard-ingress.yaml b/apps/adguard/base/adguard-ingress.yaml
index 586edc8..42ee848 100644
--- a/apps/adguard/base/adguard-ingress.yaml
+++ b/apps/adguard/base/adguard-ingress.yaml
@@ -4,7 +4,7 @@ metadata:
   name: adguard-ui
   namespace: adguard
   labels:
-    expose: "true"
+    local: "true"
 spec:
   entryPoints:
     - web
@@ -15,7 +15,25 @@ spec:
     services:
     - name: adguard-service
       port: 80
-
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: adguard-ui-front
+  namespace: adguard
+  labels:
+    expose: "true"
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`adguard.steffenillium.de`)
+    kind: Rule
+    middlewares:
+      - name: authentik-middleware 
+    services:
+    - name: adguard-service
+      port: 80
 ---
 
 apiVersion: traefik.io/v1alpha1
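Review bot: The new `adguard-ui-front` route references `authentik-middleware` without a `namespace`, so Traefik looks for it in `adguard`, while the Middleware added by this patch is created in `traefik`; the reference cannot resolve as written. Adding `namespace: traefik` would not help on the external instance either, because the overlay-external patch sets `--providers.kubernetescrd.allowCrossNamespace=false`, which is the right setting to keep. The practical fix is a copy of the Middleware in each app namespace (`adguard`, and `paperless` for the paperless front route, which has the same problem) and a plain `- name: authentik-middleware` reference. Traefik should leave a router whose middleware is missing in an error state rather than serve it unauthenticated, but confirm that in the dashboard rather than rely on it, since this route is the only gate in front of the AdGuard UI. The trailing space after `authentik-middleware` on the middlewares line is harmless for a plain scalar but yamllint will flag it.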
@@ -24,7 +42,7 @@ metadata:
   name: adguard-ui-init
   namespace: adguard
   labels:
-    expose: "true"
+    local: "true"
 spec:
   entryPoints:
     - web
diff --git a/apps/gitea/base/gitea-ingress.yaml b/apps/gitea/base/gitea-ingress.yaml
index a929d25..39845c7 100644
--- a/apps/gitea/base/gitea-ingress.yaml
+++ b/apps/gitea/base/gitea-ingress.yaml
@@ -5,6 +5,7 @@ metadata:
   namespace: gitea
   labels:
     expose: "true"
+    local: "true"
 spec:
   entryPoints:
     - web
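Review bot: `gitea` keeps `expose: "true"` and therefore stays reachable through the external instance without the new `authentik-middleware`, unlike the adguard and paperless front routes introduced in this patch; the same holds for the nextcloud, vaultwarden and home-assistant hunks. If that is deliberate because these applications bring their own login, a one-line comment above the labels would spare the next reader the question, e.g. `# exposed without forwardAuth: the app has its own authentication`. If it is not deliberate, these are the routes that most need a `-front` counterpart with the middleware attached.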
diff --git a/apps/kube-dashboard/base/kube-dashboard-ui-ingress.yaml b/apps/kube-dashboard/base/kube-dashboard-ui-ingress.yaml
index 934afe8..08959fc 100644
--- a/apps/kube-dashboard/base/kube-dashboard-ui-ingress.yaml
+++ b/apps/kube-dashboard/base/kube-dashboard-ui-ingress.yaml
@@ -3,7 +3,8 @@ kind: IngressRoute
 metadata:
   name: kubernetes-dashboard
   labels:
-    expose: "true"
+    expose: "false"
+    local: "true"
 spec:
   entryPoints:
     - web
diff --git a/apps/newcloud/base/nextcloud-ingress.yaml b/apps/newcloud/base/nextcloud-ingress.yaml
index d40eced..e318406 100644
--- a/apps/newcloud/base/nextcloud-ingress.yaml
+++ b/apps/newcloud/base/nextcloud-ingress.yaml
@@ -5,6 +5,7 @@ metadata:
   namespace: nextcloud
   labels:
     expose: "true"
+    local: "true"
 spec:
   entryPoints:
     - web
diff --git a/apps/paperless/base/webserver-ingress.yaml b/apps/paperless/base/webserver-ingress.yaml
index c76f7d5..def7f6e 100644
--- a/apps/paperless/base/webserver-ingress.yaml
+++ b/apps/paperless/base/webserver-ingress.yaml
@@ -4,7 +4,7 @@ metadata:
   name: paperless-ingress
   namespace: paperless
   labels:
-    expose: "true"
+    local: "true"
 spec:
   entryPoints:
     - web
@@ -15,3 +15,24 @@ spec:
     services:
     - name: paperless-service
       port: 8000
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: paperless-ingress-front
+  namespace: paperless
+  labels:
+    expose: "true"
+spec:
+  entryPoints:
+    - web
+    - websecure
+  routes:
+  - match: Host(`documents.steffenillium.de`)
+    kind: Rule
+    middlewares:
+      - name: authentik-middleware
+        namespace: authentik
+    services:
+    - name: paperless-service
+      port: 8000
\ No newline at end of file
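Review bot: The middleware reference in `paperless-ingress-front` points at `namespace: authentik`, but the Middleware added in this patch is created in `namespace: traefik`, so the name cannot resolve as written; and with `allowCrossNamespace=false` on the external instance no cross-namespace reference will resolve either, so the Middleware has to exist in `paperless` itself and be referenced as `- name: authentik-middleware` (same situation as the adguard front route). The file also loses its trailing newline (`\ No newline at end of file`), which yamllint will flag.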
diff --git a/apps/paperless/networking/smb-ingress-tcp-139.yaml b/apps/paperless/networking/smb-ingress-tcp-139.yaml
index 0888673..4422699 100644
--- a/apps/paperless/networking/smb-ingress-tcp-139.yaml
+++ b/apps/paperless/networking/smb-ingress-tcp-139.yaml
@@ -4,6 +4,7 @@ metadata:
   name: smb-ingress-tcp139
   labels:
     expose: "false"
+    local: "true"
   namespace: paperless
 spec:
   entryPoints:
diff --git a/apps/paperless/networking/smb-ingress-tcp-445.yaml b/apps/paperless/networking/smb-ingress-tcp-445.yaml
index c281209..9382ee3 100644
--- a/apps/paperless/networking/smb-ingress-tcp-445.yaml
+++ b/apps/paperless/networking/smb-ingress-tcp-445.yaml
@@ -4,6 +4,7 @@ metadata:
   name: smb-ingress-tcp445
   labels:
     expose: "false"
+    local: "true"
   namespace: paperless
 spec:
   entryPoints:
diff --git a/apps/paperless/networking/smb-ingress-udp-137.yaml b/apps/paperless/networking/smb-ingress-udp-137.yaml
index 7b134e2..24e7b5a 100644
--- a/apps/paperless/networking/smb-ingress-udp-137.yaml
+++ b/apps/paperless/networking/smb-ingress-udp-137.yaml
@@ -4,6 +4,7 @@ metadata:
   name: smb-ingress-udp137
   labels:
     expose: "false"
+    local: "true"
   namespace: paperless
 spec:
   entryPoints:
diff --git a/apps/paperless/networking/smb-ingress-udp-138.yaml b/apps/paperless/networking/smb-ingress-udp-138.yaml
index 54d2a44..ffa4a02 100644
--- a/apps/paperless/networking/smb-ingress-udp-138.yaml
+++ b/apps/paperless/networking/smb-ingress-udp-138.yaml
@@ -4,6 +4,7 @@ metadata:
   name: smb-ingress-udp138
   labels:
     expose: "false"
+    local: "true"
   namespace: paperless
 spec:
   entryPoints:
diff --git a/apps/vaultwarden/base/vaultwarden-ingress.yaml b/apps/vaultwarden/base/vaultwarden-ingress.yaml
index 36f25d7..ebac9ef 100644
--- a/apps/vaultwarden/base/vaultwarden-ingress.yaml
+++ b/apps/vaultwarden/base/vaultwarden-ingress.yaml
@@ -5,6 +5,7 @@ metadata:
   namespace: vaultwarden
   labels:
     expose: "true"
+    local: "true"
 spec:
   entryPoints:
     - web
diff --git a/infrastructure/0-argo-cd-ui-ingress.yaml b/infrastructure/0-argo-cd-ui-ingress.yaml
index 5b3d01d..ac1dedd 100644
--- a/infrastructure/0-argo-cd-ui-ingress.yaml
+++ b/infrastructure/0-argo-cd-ui-ingress.yaml
@@ -5,6 +5,7 @@ metadata:
   namespace: argocd
   labels:
     expose: "false"
+    local: "true"
 spec:
   entryPoints:
     - web
diff --git a/infrastructure/03-traefik/base/deployment-traefik.yaml b/infrastructure/03-traefik/base/deployment-traefik.yaml
index 579d939..8d9cc1e 100644
--- a/infrastructure/03-traefik/base/deployment-traefik.yaml
+++ b/infrastructure/03-traefik/base/deployment-traefik.yaml
@@ -39,6 +39,7 @@ spec:
         - --metrics.prometheus=true
         - --metrics.prometheus.entrypoint=metrics
         - --providers.kubernetescrd
+        - --providers.kubernetescrd.labelSelector=local=true
         - --providers.kubernetescrd.allowExternalNameServices=true
         - --entrypoints.websecure.http.middlewares=traefik-default-headers
         - --entrypoints.websecure.http.tls=true
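Review bot: The kubernetescrd label selector filters every Traefik custom resource, Middlewares and TLSOptions included (that is how I read the provider documentation — worth confirming), so with `local=true` here and `expose=true` in the external overlay, any Middleware without the matching label disappears from that instance. Neither `traefik-default-headers`, referenced on the next line, nor the new `authentik-middleware` (which carries no labels at all in this patch) is shown with such a label; if they are unlabeled, the websecure middleware chain and the forwardAuth gate silently fail to load on the respective instance. Label the shared Middlewares with both `expose: "true"` and `local: "true"`, or narrow the selector to IngressRoute-style objects only. The container spec continues outside the hunk.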
diff --git a/infrastructure/03-traefik/overlay-external/patches/traefik-deployment-patch.yaml b/infrastructure/03-traefik/overlay-external/patches/traefik-deployment-patch.yaml
index 01a6b50..fa03ab4 100644
--- a/infrastructure/03-traefik/overlay-external/patches/traefik-deployment-patch.yaml
+++ b/infrastructure/03-traefik/overlay-external/patches/traefik-deployment-patch.yaml
@@ -10,7 +10,6 @@ spec:
       containers:
         - name: traefik
           args:
-            - --providers.kubernetescrd.labelSelector=expose=true
             - --serversTransport.insecureSkipVerify=false
             # Shared
             - --global.sendanonymoususage=false
@@ -19,20 +18,24 @@ spec:
             - --entrypoints.metrics.address=:9100/tcp
             - --entrypoints.traefik.address=:9000/tcp
             - --entrypoints.web.address=:8000/tcp
+            - --entrypoints.web.http.redirections.entryPoint.to=websecure
+            - --entrypoints.web.http.redirections.entryPoint.scheme=https
             - --entrypoints.websecure.address=:8443/tcp
+            - --entrypoints.websecure.http.middlewares=traefik-default-headers
+            - --entrypoints.websecure.http.tls=true
+            - --entrypoints.websecure.http.tls.certResolver=default
             - --api.dashboard=true
             - --ping=true
             - --metrics.prometheus=true
             - --metrics.prometheus.entrypoint=metrics
             - --providers.kubernetescrd
+            - --providers.kubernetescrd.labelSelector=expose=true
             - --providers.kubernetescrd.allowExternalNameServices=true
-            - --entrypoints.websecure.http.middlewares=traefik-default-headers
-            - --entrypoints.websecure.http.tls=true
-            - --entrypoints.websecure.http.tls.certResolver=default
+            - --providers.kubernetescrd.allowCrossNamespace=false
+
             - --log.level=WARN
             - --accesslog=true
             - --accesslog.fields.defaultmode=keep
             - --accesslog.fields.headers.defaultmode=drop
-            - --log.level=INFO
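Review bot: The blank `+` line after `--providers.kubernetescrd.allowCrossNamespace=false` sits inside the `args` sequence; it is valid YAML but reads like a cut-off entry, and the `# Shared` comment above it now heads a block that mixes instance-specific entrypoint and TLS flags with the shared ones. Either drop the blank line or replace it with a group comment such as `# Logging`. The explicit `allowCrossNamespace=false` is the safer setting and worth keeping even though it matches Traefik's default; the container spec continues outside the hunk.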
 
 
diff --git a/infrastructure/03-traefik/overlay-internal/traefik-ingress-dashboard-local.yaml b/infrastructure/03-traefik/overlay-internal/traefik-ingress-dashboard-local.yaml
index e1e5e75..8b17087 100644
--- a/infrastructure/03-traefik/overlay-internal/traefik-ingress-dashboard-local.yaml
+++ b/infrastructure/03-traefik/overlay-internal/traefik-ingress-dashboard-local.yaml
@@ -2,7 +2,7 @@ apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   labels:
-    expose: "false"
+    local: "true"
   name: traefik-dashboard
   namespace: traefik
 spec:
diff --git a/infrastructure/03-traefik/shared/foreign/fritz/fritz-ingress.yaml b/infrastructure/03-traefik/shared/foreign/fritz/fritz-ingress.yaml
index 34a0a38..f61668f 100644
--- a/infrastructure/03-traefik/shared/foreign/fritz/fritz-ingress.yaml
+++ b/infrastructure/03-traefik/shared/foreign/fritz/fritz-ingress.yaml
@@ -4,7 +4,7 @@ metadata:
   name: fritz-ingress
   namespace: traefik
   labels:
-    expose: "false"
+    local: "true"
 spec:
   entryPoints:
     - web
@@ -15,4 +15,23 @@ spec:
     services:
     - name: fritz-service
       port: http
-
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: fritz-ingress-front
+  namespace: traefik
+  labels:
+    expose: "true"
+spec:
+  entryPoints:
+    - web
+    - websecure
+  routes:
+  - match: Host(`fritz.steffenillium.de`)
+    kind: Rule
+    middlewares:
+    - authentik-middleware
+    services:
+    - name: fritz-service
+      port: http
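Review bot: `middlewares:` in `fritz-ingress-front` lists a bare string, `- authentik-middleware`, where the IngressRoute schema expects an object, so the line should read `- name: authentik-middleware` (the namespace can be omitted here because the route and the Middleware are both in `traefik`). As written the object should be rejected by CRD validation, which means the router admin UI behind this route is simply not published rather than published unauthenticated — but that forwardAuth entry is the only control in front of it, so check that the resource actually applies and the middleware shows up on the router before relying on it.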
diff --git a/infrastructure/03-traefik/shared/foreign/home-assistant/home-assistant-ingress.yaml b/infrastructure/03-traefik/shared/foreign/home-assistant/home-assistant-ingress.yaml
index a749784..f2b37a0 100644
--- a/infrastructure/03-traefik/shared/foreign/home-assistant/home-assistant-ingress.yaml
+++ b/infrastructure/03-traefik/shared/foreign/home-assistant/home-assistant-ingress.yaml
@@ -5,6 +5,7 @@ metadata:
   namespace: traefik
   labels:
     expose: "true"
+    local: "true"
 spec:
   entryPoints:
     - web
diff --git a/infrastructure/03-traefik/shared/foreign/kustomization.yaml b/infrastructure/03-traefik/shared/foreign/kustomization.yaml
index 41f9588..6daa82b 100644
--- a/infrastructure/03-traefik/shared/foreign/kustomization.yaml
+++ b/infrastructure/03-traefik/shared/foreign/kustomization.yaml
@@ -1,2 +1,3 @@
 resources:
   - home-assistant
+  - fritz
diff --git a/infrastructure/03-traefik/shared/traefik-middleware-authentik.yaml b/infrastructure/03-traefik/shared/traefik-middleware-authentik.yaml
new file mode 100644
index 0000000..bdc5864
--- /dev/null
+++ b/infrastructure/03-traefik/shared/traefik-middleware-authentik.yaml
@@ -0,0 +1,21 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: authentik-middleware
+  namespace: traefik
+spec:
+  forwardAuth:
+    address: https://auth.steffenillium.de/outpost.goauthentik.io/auth/traefik
+        trustForwardHeader: true
+        authResponseHeaders:
+            - X-authentik-username
+            - X-authentik-groups
+            - X-authentik-email
+            - X-authentik-name
+            - X-authentik-uid
+            - X-authentik-jwt
+            - X-authentik-meta-jwks
+            - X-authentik-meta-outpost
+            - X-authentik-meta-provider
+            - X-authentik-meta-app
+            - X-authentik-meta-version
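Review bot: The `forwardAuth` block is not valid YAML: `trustForwardHeader`, `authResponseHeaders` and the header list are indented deeper than `address`, so a parser reads them as a continuation of the address scalar and fails on the next `: `; `trustForwardHeader: true` and `authResponseHeaders:` must sit at the same four-space indent as `address`, with the list items at six. `trustForwardHeader: true` makes Traefik pass client-supplied `X-Forwarded-*` headers on to the outpost, which is only safe as long as the entrypoints do not enable `forwardedHeaders.insecure` and any `forwardedHeaders.trustedIPs` are limited to known proxies; nothing in this patch shows either. The `address` goes through the public hostname, so every auth check leaves the cluster, re-enters via Traefik and depends on public DNS and the certificate being valid; the in-cluster outpost service address (`http://<outpost-service>.<namespace>:9000/outpost.goauthentik.io/auth/traefik`, placeholder) is the usual choice. Finally, no kustomization in this patch references the new file, so unless `shared/kustomization.yaml` already picks it up (not visible here) it is never applied.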
diff --git a/infrastructure/04-longhorn/base/longhorn-ui-ingress.yaml b/infrastructure/04-longhorn/base/longhorn-ui-ingress.yaml
index d268682..55ab366 100644
--- a/infrastructure/04-longhorn/base/longhorn-ui-ingress.yaml
+++ b/infrastructure/04-longhorn/base/longhorn-ui-ingress.yaml
@@ -3,7 +3,7 @@ kind: IngressRoute
 metadata:
   name: longhorn-frontend
   labels:
-    expose: "false"
+    local: "true"
 spec:
   entryPoints:
     - web
diff --git a/infrastructure/05-authentik/base/values.yaml b/infrastructure/05-authentik/base/values.yaml
index a7cc9ae..e3a84a9 100644
--- a/infrastructure/05-authentik/base/values.yaml
+++ b/infrastructure/05-authentik/base/values.yaml
@@ -34,7 +34,7 @@ server:
         ingressClassName: traefik
         enabled: true
         hosts:
-            - authentik.steffenillium.de
+            - auth.steffenillium.de
 
 postgresql:
     enabled: true
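Review bot: The host change matches the `address` in the new `authentik-middleware`, but the chart renders a standard `Ingress` with `ingressClassName: traefik`, and the Traefik args visible in this patch only show `--providers.kubernetescrd`; if the external instance does not also enable `--providers.kubernetesingress` (not visible here, so it may well be set elsewhere), `auth.steffenillium.de` never gets a router and every forwardAuth call fails. Worth a quick check that the authentik login page is served by the external instance before the front routes go live.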