From 838dba50221552fb35e3531731d5273fdb08a3ae Mon Sep 17 00:00:00 2001 From: Steffen Illium <steffen.illium@gmail.com> Date: Fri, 5 Apr 2024 22:17:41 +0200 Subject: [PATCH] ingress route seperations and authentik preperation --- apps/adguard/base/adguard-ingress.yaml | 24 ++++++++++++++++--- apps/gitea/base/gitea-ingress.yaml | 1 + .../base/kube-dashboard-ui-ingress.yaml | 3 ++- apps/newcloud/base/nextcloud-ingress.yaml | 1 + apps/paperless/base/webserver-ingress.yaml | 23 +++++++++++++++++- .../networking/smb-ingress-tcp-139.yaml | 1 + .../networking/smb-ingress-tcp-445.yaml | 1 + .../networking/smb-ingress-udp-137.yaml | 1 + .../networking/smb-ingress-udp-138.yaml | 1 + .../vaultwarden/base/vaultwarden-ingress.yaml | 1 + infrastructure/0-argo-cd-ui-ingress.yaml | 1 + .../03-traefik/base/deployment-traefik.yaml | 1 + .../patches/traefik-deployment-patch.yaml | 13 ++++++---- .../traefik-ingress-dashboard-local.yaml | 2 +- .../shared/foreign/fritz/fritz-ingress.yaml | 23 ++++++++++++++++-- .../home-assistant-ingress.yaml | 1 + .../shared/foreign/kustomization.yaml | 1 + .../shared/traefik-middleware-authentik.yaml | 21 ++++++++++++++++ .../04-longhorn/base/longhorn-ui-ingress.yaml | 2 +- infrastructure/05-authentik/base/values.yaml | 2 +- 20 files changed, 109 insertions(+), 15 deletions(-) create mode 100644 infrastructure/03-traefik/shared/traefik-middleware-authentik.yaml diff --git a/apps/adguard/base/adguard-ingress.yaml b/apps/adguard/base/adguard-ingress.yaml index 586edc8..42ee848 100644 --- a/apps/adguard/base/adguard-ingress.yaml +++ b/apps/adguard/base/adguard-ingress.yaml @@ -4,7 +4,7 @@ metadata: name: adguard-ui namespace: adguard labels: - expose: "true" + local: "true" spec: entryPoints: - web 
@@ -15,7 +15,25 @@ spec: services: - name: adguard-service port: 80 - +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: adguard-ui-front + namespace: adguard + labels: + expose: "true" +spec: + entryPoints: + - websecure + routes: + - match: Host(`adguard.steffenillium.de`) + kind: Rule + middlewares: + - name: authentik-middleware + services: + - name: adguard-service + port: 80 --- apiVersion: traefik.io/v1alpha1 @@ -24,7 +42,7 @@ metadata: name: adguard-ui-init namespace: adguard labels: - expose: "true" + local: "true" spec: entryPoints: - web diff --git a/apps/gitea/base/gitea-ingress.yaml b/apps/gitea/base/gitea-ingress.yaml index a929d25..39845c7 100644 --- a/apps/gitea/base/gitea-ingress.yaml +++ b/apps/gitea/base/gitea-ingress.yaml @@ -5,6 +5,7 @@ metadata: namespace: gitea labels: expose: "true" + local: "true" spec: entryPoints: - web diff --git a/apps/kube-dashboard/base/kube-dashboard-ui-ingress.yaml b/apps/kube-dashboard/base/kube-dashboard-ui-ingress.yaml index 934afe8..08959fc 100644 --- a/apps/kube-dashboard/base/kube-dashboard-ui-ingress.yaml +++ b/apps/kube-dashboard/base/kube-dashboard-ui-ingress.yaml @@ -3,7 +3,8 @@ kind: IngressRoute metadata: name: kubernetes-dashboard labels: - expose: "true" + expose: "false" + local: "true" spec: entryPoints: - web diff --git a/apps/newcloud/base/nextcloud-ingress.yaml b/apps/newcloud/base/nextcloud-ingress.yaml index d40eced..e318406 100644 --- a/apps/newcloud/base/nextcloud-ingress.yaml +++ b/apps/newcloud/base/nextcloud-ingress.yaml @@ -5,6 +5,7 @@ metadata: namespace: nextcloud labels: expose: "true" + local: "true" spec: entryPoints: - web diff --git a/apps/paperless/base/webserver-ingress.yaml b/apps/paperless/base/webserver-ingress.yaml index c76f7d5..def7f6e 100644 --- a/apps/paperless/base/webserver-ingress.yaml +++ b/apps/paperless/base/webserver-ingress.yaml 
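Review bot: The `- name: authentik-middleware` reference in the new adguard-ui-front route carries no namespace, so Traefik resolves it in the route's own namespace `adguard`, while this commit creates the Middleware in namespace `traefik`. The paperless front route in the same commit points at `namespace: authentik` (a different wrong namespace, and a cross-namespace reference that the external overlay forbids with `--providers.kubernetescrd.allowCrossNamespace=false`), and the fritz front route lists `- authentik-middleware` as a bare string where the IngressRoute CRD expects a `name:` object; none of the three references resolves to the Middleware being added. As far as I recall Traefik drops a router whose middleware cannot be found, so the likely effect is an unserved host rather than an unauthenticated one, but that should be confirmed against the running instance before relying on it. Either create the Middleware in every consuming namespace, or enable cross-namespace references and point all three routes at it with the same object form, `middlewares:` / `- name: authentik-middleware` / `namespace: traefik`.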
@@ -4,7 +4,7 @@ metadata: name: paperless-ingress namespace: paperless labels: - expose: "true" + local: "true" spec: entryPoints: - web @@ -15,3 +15,24 @@ spec: services: - name: paperless-service port: 8000 +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: paperless-ingress-front + namespace: paperless + labels: + expose: "true" +spec: + entryPoints: + - web + - websecure + routes: + - match: Host(`documents.steffenillium.de`) + kind: Rule + middlewares: + - name: authentik-middleware + namespace: authentik + services: + - name: paperless-service + port: 8000 \ No newline at end of file diff --git a/apps/paperless/networking/smb-ingress-tcp-139.yaml b/apps/paperless/networking/smb-ingress-tcp-139.yaml index 0888673..4422699 100644 --- a/apps/paperless/networking/smb-ingress-tcp-139.yaml +++ b/apps/paperless/networking/smb-ingress-tcp-139.yaml @@ -4,6 +4,7 @@ metadata: name: smb-ingress-tcp139 labels: expose: "false" + local: "true" namespace: paperless spec: entryPoints: diff --git a/apps/paperless/networking/smb-ingress-tcp-445.yaml b/apps/paperless/networking/smb-ingress-tcp-445.yaml index c281209..9382ee3 100644 --- a/apps/paperless/networking/smb-ingress-tcp-445.yaml +++ b/apps/paperless/networking/smb-ingress-tcp-445.yaml @@ -4,6 +4,7 @@ metadata: name: smb-ingress-tcp445 labels: expose: "false" + local: "true" namespace: paperless spec: entryPoints: diff --git a/apps/paperless/networking/smb-ingress-udp-137.yaml b/apps/paperless/networking/smb-ingress-udp-137.yaml index 7b134e2..24e7b5a 100644 --- a/apps/paperless/networking/smb-ingress-udp-137.yaml +++ b/apps/paperless/networking/smb-ingress-udp-137.yaml @@ -4,6 +4,7 @@ metadata: name: smb-ingress-udp137 labels: expose: "false" + local: "true" namespace: paperless spec: entryPoints: diff --git a/apps/paperless/networking/smb-ingress-udp-138.yaml b/apps/paperless/networking/smb-ingress-udp-138.yaml index 54d2a44..ffa4a02 100644 
--- a/apps/paperless/networking/smb-ingress-udp-138.yaml +++ b/apps/paperless/networking/smb-ingress-udp-138.yaml @@ -4,6 +4,7 @@ metadata: name: smb-ingress-udp138 labels: expose: "false" + local: "true" namespace: paperless spec: entryPoints: diff --git a/apps/vaultwarden/base/vaultwarden-ingress.yaml b/apps/vaultwarden/base/vaultwarden-ingress.yaml index 36f25d7..ebac9ef 100644 --- a/apps/vaultwarden/base/vaultwarden-ingress.yaml +++ b/apps/vaultwarden/base/vaultwarden-ingress.yaml @@ -5,6 +5,7 @@ metadata: namespace: vaultwarden labels: expose: "true" + local: "true" spec: entryPoints: - web diff --git a/infrastructure/0-argo-cd-ui-ingress.yaml b/infrastructure/0-argo-cd-ui-ingress.yaml index 5b3d01d..ac1dedd 100644 --- a/infrastructure/0-argo-cd-ui-ingress.yaml +++ b/infrastructure/0-argo-cd-ui-ingress.yaml @@ -5,6 +5,7 @@ metadata: namespace: argocd labels: expose: "false" + local: "true" spec: entryPoints: - web diff --git a/infrastructure/03-traefik/base/deployment-traefik.yaml b/infrastructure/03-traefik/base/deployment-traefik.yaml index 579d939..8d9cc1e 100644 --- a/infrastructure/03-traefik/base/deployment-traefik.yaml +++ b/infrastructure/03-traefik/base/deployment-traefik.yaml @@ -39,6 +39,7 @@ spec: - --metrics.prometheus=true - --metrics.prometheus.entrypoint=metrics - --providers.kubernetescrd + - --providers.kubernetescrd.labelSelector=local=true - --providers.kubernetescrd.allowExternalNameServices=true - --entrypoints.websecure.http.middlewares=traefik-default-headers - --entrypoints.websecure.http.tls=true diff --git a/infrastructure/03-traefik/overlay-external/patches/traefik-deployment-patch.yaml b/infrastructure/03-traefik/overlay-external/patches/traefik-deployment-patch.yaml index 01a6b50..fa03ab4 100644 --- a/infrastructure/03-traefik/overlay-external/patches/traefik-deployment-patch.yaml +++ b/infrastructure/03-traefik/overlay-external/patches/traefik-deployment-patch.yaml 
@@ -10,7 +10,6 @@ spec: containers: - name: traefik args: - - --providers.kubernetescrd.labelSelector=expose=true - --serversTransport.insecureSkipVerify=false # Shared - --global.sendanonymoususage=false @@ -19,20 +18,24 @@ spec: - --entrypoints.metrics.address=:9100/tcp - --entrypoints.traefik.address=:9000/tcp - --entrypoints.web.address=:8000/tcp + - --entrypoints.web.http.redirections.entryPoint.to=websecure + - --entrypoints.web.http.redirections.entryPoint.scheme=https - --entrypoints.websecure.address=:8443/tcp + - --entrypoints.websecure.http.middlewares=traefik-default-headers + - --entrypoints.websecure.http.tls=true + - --entrypoints.websecure.http.tls.certResolver=default - --api.dashboard=true - --ping=true - --metrics.prometheus=true - --metrics.prometheus.entrypoint=metrics - --providers.kubernetescrd + - --providers.kubernetescrd.labelSelector=expose=true - --providers.kubernetescrd.allowExternalNameServices=true - - --entrypoints.websecure.http.middlewares=traefik-default-headers - - --entrypoints.websecure.http.tls=true - - --entrypoints.websecure.http.tls.certResolver=default + - --providers.kubernetescrd.allowCrossNamespace=false + - --log.level=WARN - --accesslog=true - --accesslog.fields.defaultmode=keep - --accesslog.fields.headers.defaultmode=drop - - --log.level=INFO diff --git a/infrastructure/03-traefik/overlay-internal/traefik-ingress-dashboard-local.yaml b/infrastructure/03-traefik/overlay-internal/traefik-ingress-dashboard-local.yaml index e1e5e75..8b17087 100644 --- a/infrastructure/03-traefik/overlay-internal/traefik-ingress-dashboard-local.yaml +++ b/infrastructure/03-traefik/overlay-internal/traefik-ingress-dashboard-local.yaml @@ -2,7 +2,7 @@ apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: labels: - expose: "false" + local: "true" name: traefik-dashboard namespace: traefik spec: 
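Review bot: Nothing in the patch records that it replaces the base container `args` list wholesale rather than merging into it, which is how a strategic-merge patch treats a list of strings; that is why `--providers.kubernetescrd.labelSelector=local=true` from base/deployment-traefik.yaml does not reach the external instance, but it also means every flag added to the base later has to be duplicated here by hand. A comment above `args:` such as `# Replaces the base args list entirely (a list of primitives is not merged); keep in sync with base/deployment-traefik.yaml` would make that coupling visible, and if the overlay applies this as a JSON 6902 patch instead, the comment should say so. The enclosing container spec starts before the hunk.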
diff --git a/infrastructure/03-traefik/shared/foreign/fritz/fritz-ingress.yaml b/infrastructure/03-traefik/shared/foreign/fritz/fritz-ingress.yaml index 34a0a38..f61668f 100644 --- a/infrastructure/03-traefik/shared/foreign/fritz/fritz-ingress.yaml +++ b/infrastructure/03-traefik/shared/foreign/fritz/fritz-ingress.yaml @@ -4,7 +4,7 @@ metadata: name: fritz-ingress namespace: traefik labels: - expose: "false" + local: "true" spec: entryPoints: - web @@ -15,4 +15,23 @@ spec: services: - name: fritz-service port: http - +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: fritz-ingress-front + namespace: traefik + labels: + expose: "true" +spec: + entryPoints: + - web + - websecure + routes: + - match: Host(`fritz.steffenillium.de`) + kind: Rule + middlewares: + - authentik-middleware + services: + - name: fritz-service + port: http diff --git a/infrastructure/03-traefik/shared/foreign/home-assistant/home-assistant-ingress.yaml b/infrastructure/03-traefik/shared/foreign/home-assistant/home-assistant-ingress.yaml index a749784..f2b37a0 100644 --- a/infrastructure/03-traefik/shared/foreign/home-assistant/home-assistant-ingress.yaml +++ b/infrastructure/03-traefik/shared/foreign/home-assistant/home-assistant-ingress.yaml @@ -5,6 +5,7 @@ metadata: namespace: traefik labels: expose: "true" + local: "true" spec: entryPoints: - web diff --git a/infrastructure/03-traefik/shared/foreign/kustomization.yaml b/infrastructure/03-traefik/shared/foreign/kustomization.yaml index 41f9588..6daa82b 100644 --- a/infrastructure/03-traefik/shared/foreign/kustomization.yaml +++ b/infrastructure/03-traefik/shared/foreign/kustomization.yaml @@ -1,2 +1,3 @@ resources: - home-assistant + - fritz diff --git a/infrastructure/03-traefik/shared/traefik-middleware-authentik.yaml b/infrastructure/03-traefik/shared/traefik-middleware-authentik.yaml new file mode 100644 index 0000000..bdc5864 --- /dev/null +++ b/infrastructure/03-traefik/shared/traefik-middleware-authentik.yaml 
@@ -0,0 +1,21 @@ +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: authentik-middleware + namespace: traefik +spec: + forwardAuth: + address: https://auth.steffenillium.de/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version diff --git a/infrastructure/04-longhorn/base/longhorn-ui-ingress.yaml b/infrastructure/04-longhorn/base/longhorn-ui-ingress.yaml index d268682..55ab366 100644 --- a/infrastructure/04-longhorn/base/longhorn-ui-ingress.yaml +++ b/infrastructure/04-longhorn/base/longhorn-ui-ingress.yaml @@ -3,7 +3,7 @@ kind: IngressRoute metadata: name: longhorn-frontend labels: - expose: "false" + local: "true" spec: entryPoints: - web diff --git a/infrastructure/05-authentik/base/values.yaml b/infrastructure/05-authentik/base/values.yaml index a7cc9ae..e3a84a9 100644 --- a/infrastructure/05-authentik/base/values.yaml +++ b/infrastructure/05-authentik/base/values.yaml @@ -34,7 +34,7 @@ server: ingressClassName: traefik enabled: true hosts: - - authentik.steffenillium.de + - auth.steffenillium.de postgresql: enabled: true
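Review bot: The new Middleware carries no labels, yet both Traefik instances now filter custom resources with `--providers.kubernetescrd.labelSelector` (`local=true` in the base deployment, `expose=true` in the external overlay); as far as I recall that selector applies to every Traefik CRD, not only IngressRoutes, so neither instance would load `authentik-middleware` at all. Adding `labels:` with `expose: "true"` under `metadata` (plus `local: "true"` if the internal instance is meant to use it too) fixes that. On the forwardAuth block itself, `address` uses the public hostname `https://auth.steffenillium.de/...`, so every auth subrequest leaves the cluster through the external ingress and depends on that hostname being reachable from inside; the in-cluster authentik outpost service URL is the usual choice and keeps the auth check off the public edge. `trustForwardHeader: true` copies the request's `X-Forwarded-*` headers to authentik, which its outpost needs for redirects, but that is only sound while the entrypoints do not accept those headers from arbitrary clients, so a comment stating that assumption next to the field would help the next reader.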