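---
# Passmower OIDC resources for Proxmox.
# The OIDCMiddlewareClient is meant to be attached as a Traefik middleware in
# front of the web UI (see the commented-out annotation on the `pve` Ingress
# below); the OIDCClient is the realm Proxmox itself authenticates against.
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
  name: proxmox
spec:
  displayName: Proxmox Virtual Environment (middleware)
  uri: https://pve.k-space.ee/
  allowedGroups:
    - k-space:floor
    - k-space:friends
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
  name: proxmox
spec:
  displayName: Proxmox Virtual Environment
  uri: https://pve.k-space.ee/
  redirectUris:
    - https://pve.k-space.ee/
    - https://pve.k-space.ee
  allowedGroups:
    - k-space:floor
    - k-space:friends
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  availableScopes:
    - openid
    - profile
---
# Backend TLS: Traefik verifies the Proxmox nodes' certificates against the
# CA stored in the `pve` Secret below rather than the system trust store.
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: proxmox-servers-transport
spec:
  rootCAsSecrets:
    - pve
---
apiVersion: v1
kind: Secret
metadata:
  name: pve
data:
  # This is not actually secret, this is CA certificate of the key
  # used to sign Proxmox HTTPS endpoint keypairs.
  # This makes sure Traefik is talking to the real Proxmox machines,
  # and not arbitrary machines that have hijacked the Proxmox machine IP-s.
  # To inspect current value:
  # kubectl get secret -n traefik pve -o=json | jq '.data ."pve.pem"' -r | base64 -d | openssl x509 -text -inform PEM -noout
  # NOTE(review): the `@kubernetescrd` references below carry the `passmower-`
  # namespace prefix, so this Secret presumably lives in that namespace rather
  # than `traefik` — confirm the `-n traefik` in the command above is current.
  pve.pem: |
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ6VENDQTdXZ0F3SUJBZ0lVUGk5SFNhQlp0
    ZG5JL01NREFBb05DT3ZpaGJjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2RqRWtNQ0lHQTFVRUF3d2JV
    SEp2ZUcxdmVDQldhWEowZFdGc0lFVnVkbWx5YjI1dFpXNTBNUzB3S3dZRApWUVFMRENSbFptTmpN
    elF6WXkweU5HSXhMVFJqWXpNdFlqTXhZaTA0Tm1KaE0yVmxOemt6WTJZeEh6QWRCZ05WCkJBb01G
    bEJXUlNCRGJIVnpkR1Z5SUUxaGJtRm5aWElnUTBFd0hoY05NakF3T0RJek1Ea3pNalEyV2hjTk16
    QXcKT0RJeE1Ea3pNalEyV2pCMk1TUXdJZ1lEVlFRRERCdFFjbTk0Ylc5NElGWnBjblIxWVd3Z1JX
    NTJhWEp2Ym0xbApiblF4TFRBckJnTlZCQXNNSkdWbVkyTXpORE5qTFRJMFlqRXROR05qTXkxaU16
    RmlMVGcyWW1FelpXVTNPVE5qClpqRWZNQjBHQTFVRUNnd1dVRlpGSUVOc2RYTjBaWElnVFdGdVlX
    ZGxjaUJEUVRDQ0FpSXdEUVlKS29aSWh2Y04KQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQU1yTXZq
    VEJ2ZkdIUEZFbmJhWUh6Qm5TeTJNdnBkV0h3TTIrQU9XRQpnbmpDcjhiYnNWaUxBZnpMdGlNYzM0
    bEJIRXp6d3JwbmlQdXAyS2doNmtCc3BKa2c0bXZSY25pQW9XK3F4UDlWCmpXRlJiTU9OYVB1UHZF
    UWhrS2xBakJCL2hqZkRxS3FKaURZeU5CNjZsZG9RbnFFQ3RyRXEvRFFDZHZYWitJWW4KNmZpelBk
    enp3UHk4dzhxU1RiMmlpNzZjSkplOWdJYWVjdUlCRk5mK1dUYW0vRndGL2ZXbGU1aHMyNTZsa25w
    OQpKbTV6Q0R3eFljNCt5dVF1WEM0WEgzclNKc2U1UWI5QmhyVEx0VTdiRHZTbzZMWEZsOTR4YTlR
    VGQ1L3UvT3h0CmdONVN2aTBnS1RXUUdiK0pvTHJHYVducS9ocmN4THpnVzJSclMxOGJUZFE2MEZz
    WVdXSUFTRmZuSzdzSDJjQ2oKRWI5Sk8yWjJzNXpzQ3ZBYjlQQkF6ZkdwSFc0dnFibHpHdmZtbFV5
    em10NFpEU3V6cGlwRTJ4SUpWVHNBOXJqdwpJd0plU1E0bitpeUF6cUQwMUprbjdRaEtJQ0kzZ21s
    ZmJ5YzRuTkxEZlZnQTA0VDBmUG5LMDBTSnN2ek1WRjNMCncvbmNheHBhczlhV2ptQ1BBWTEvREJ2
    RmU3M05EeGRsazFpd0Y5L1V6OGl2WWlLYlk3K3I4blhGM0V3YjZtQmYKZFdsTUlaYSsyeVEweHl6
    MDlqanNKU1dSRlduV25oRVg1SDVISERBYXhkZmZXUkRtVXR3d2ExWlN6VU1MNHNENgo4U2NHclFQ
    YWVicE5ZWWI3WmdGTm82ZVp3YytlWmpJVW9XMXhYNlhqSWQ2UENvSmw5UDdMUnJUTWF3NjhHU3Nn
    CjdLd0RBZ01CQUFHalV6QlJNQjBHQTFVZERnUVdCQlJxT0VLODdZY2lZM09NSitOcVdRdklaQ2FH
    NWpBZkJnTlYKSFNNRUdEQVdnQlJxT0VLODdZY2lZM09NSitOcVdRdklaQ2FHNWpBUEJnTlZIUk1C
    QWY4RUJUQURBUUgvTUEwRwpDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQk1JTmszTFlHTHZITlpSWURh
    YVYwaW45bGtzaWIvd0dZQ01vUDhQZE03Ckw0ZktsUjNDNXJ3clhKNjRwWVJrOFByemFWRjJvclNr
    REI1Z1Jaa1phbVkzbCtSOU9ISkNheXBNSjVTeHZtVlkKZFBYZ1hBYVlGR1V1cjZHU0RsZkxDUmp1
    OWdMRnhEbEhZZTVPcm5JbURUcENzK2xXVmcwSDVrUlFNZFJ2eVplTAp1SWs5UEZVcE5GSksyWmtl
    c0tOWUlPNldwRzBBd0hSZUI0U0MzYzBWNkdrQW84bHUxeGhYMWpUMnFuQXRQTDM4CkkzQkpCNDhY
    KzkzZGxHcDNBRlp4WmhSSjU1ejdHTm56c1UxaGNTSk1rOUpTN2RhWVhtM3FjTmxZNnY5OCtVK3gK
    U0RxdUFKU0tIanF5RzRDdjZlL2toamNLMzJpcENuZmYzb2plblpTZlFtN3l3OXpCQjFSc1Z3TU9k
    aTBCOW44cApDWHpRcHdHTERiNjB1VCtycTJ4eHJici9yT3VtQU5GbXByd1oxbi9yWE45bndxUktW
    VVBRU1lQdVVKa2xCTktLCnNVL1dTSHBzMGF4dTRUMElFUk0zZHVCWEJ5Yms0TXJXSTBCZ2ptNXZz
    NFNPNHVGSU96d2RBVkdIQ09lRWhQQzIKMzRiSW9ES09tZDFNcmtjYTQyTWw4bDFtb0hTUFd3djZ4
    dVo1U1I0UXhPaXdWa0tJRHdvSmg2M2swTmxwUzZFUwp4N253ekZIc01rNTRFTWNMMjJjRk9YK3Rh
    Q1JtTDVRVVdDMGQ3bEFCMElXQS9UTkRXU3lQbHlRN1VCcjRIZGoxClh2NU43Yks0SUN5NWRhN25h
    RWRmRHIzNTBpZkRCQkVuL3RvL3JUczFOVjhyOGpjcG14a2MzNjlSQXp3TmJiRVkKMVE9PQotLS0t
    LUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
---
# One ExternalName Service per Proxmox node. Traefik dials the node directly
# on 8006 over TLS, with the CA pinned through the ServersTransport annotation.
apiVersion: v1
kind: Service
metadata:
  name: pve1
  annotations:
    traefik.ingress.kubernetes.io/service.serverstransport: passmower-proxmox-servers-transport@kubernetescrd
spec:
  type: ExternalName
  externalName: pve1.proxmox.infra.k-space.ee
  ports:
    - name: https
      port: 8006
      protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: pve8
  annotations:
    traefik.ingress.kubernetes.io/service.serverstransport: passmower-proxmox-servers-transport@kubernetescrd
spec:
  type: ExternalName
  externalName: pve8.proxmox.infra.k-space.ee
  ports:
    - name: https
      port: 8006
      protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: pve9
  annotations:
    traefik.ingress.kubernetes.io/service.serverstransport: passmower-proxmox-servers-transport@kubernetescrd
spec:
  type: ExternalName
  externalName: pve9.proxmox.infra.k-space.ee
  ports:
    - name: https
      port: 8006
      protocol: TCP
---
# Public entry for the Proxmox web UI.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: pve
  annotations:
    kubernetes.io/ingress.class: traefik
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    # The Passmower gate is disabled while the line below stays commented out:
    # pve.k-space.ee is then reachable without the OIDC middleware and
    # Proxmox's own login is the only authentication layer. Presumably
    # intentional — confirm.
    # traefik.ingress.kubernetes.io/router.middlewares: passmower-proxmox@kubernetescrd,passmower-proxmox-redirect@kubernetescrd
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  rules:
    # NOTE(review): the IngressRoute `proxmox` below also matches this host and
    # applies the redirect. Which router answers depends on Traefik's rule
    # priority — confirm clients get the redirect rather than whoami.
    - host: proxmox.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: whoami
                port:
                  number: 80
    # Same host and path for every node; presumably Traefik merges these into
    # one load-balanced router — confirm against the Traefik version in use.
    - host: pve.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: pve1
                port:
                  number: 8006
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: pve8
                port:
                  number: 8006
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: pve9
                port:
                  number: 8006
  tls:
    - hosts:
        - "*.k-space.ee"
---
# Redirects the legacy proxmox.k-space.ee host to pve.k-space.ee, keeping the path.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: proxmox-redirect
spec:
  redirectRegex:
    # Dots are escaped so only the literal hostname matches; unescaped `.`
    # would match any character.
    regex: '^https://proxmox\.k-space\.ee/(.*)'
    replacement: 'https://pve.k-space.ee/${1}'
    permanent: false
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: proxmox
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`proxmox.k-space.ee`)
      kind: Rule
      middlewares:
        - name: proxmox-redirect
      services:
        # Dirty workaround, service can't be empty.
        # The redirect middleware answers before this service is reached; if
        # the middleware is ever dropped, this route would serve api@internal
        # on a public host — keep the two coupled.
        - kind: TraefikService
          name: api@internal
---
# Internal entry for the Proxmox web UI, restricted by source IP instead of OIDC.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: pve-internal
  annotations:
    kubernetes.io/ingress.class: traefik
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.middlewares: passmower-codemowers-cloud-ip-whitelist@kubernetescrd
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  rules:
    - host: pve-internal.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: pve1
                port:
                  number: 8006
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: pve8
                port:
                  number: 8006
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: pve9
                port:
                  number: 8006
  tls:
    - hosts:
        - "*.k-space.ee"
---
# Source-IP allowlist guarding pve-internal.k-space.ee.
# NOTE(review): the check uses the client IP as Traefik sees it. If Traefik
# sits behind another proxy or load balancer, confirm the forwarded-header /
# ipStrategy configuration so the allowlist is evaluated on the real client
# address.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: codemowers-cloud-ip-whitelist
spec:
  ipWhiteList:
    sourceRange:
      - 172.20.5.0/24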