---
# Registers Proxmox with the OIDC gateway as a middleware-protected site.
# NOTE(review): presumably the operator turns this into the Traefik
# middleware that the Ingress in this file references as
# "oidc-gateway-proxmox@kubernetescrd" - confirm against the CRD docs.
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWMiddlewareClient
metadata:
  name: proxmox
spec:
  displayName: Proxmox Virtual Environment (middleware)
  uri: 'https://pve.k-space.ee/'
  # Group allow-list for the middleware path. The OIDCGWClient named
  # "proxmox" in this file carries the same two groups; change both together
  # so the proxy gate and the OIDC client do not drift apart.
  allowedGroups:
    - 'k-space:floor'
    - 'k-space:friends'
---
# OIDC client registration for Proxmox itself (sign-in inside the Proxmox UI).
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWClient
metadata:
  name: proxmox
spec:
  displayName: Proxmox Virtual Environment
  uri: 'https://pve.k-space.ee/'
  # Exact redirect targets, listed with and without the trailing slash.
  # Keep this list limited to the one origin that serves Proxmox.
  redirectUris:
    - 'https://pve.k-space.ee/'
    - 'https://pve.k-space.ee'
  # Same groups as the OIDCGWMiddlewareClient named "proxmox" in this file;
  # keep the two lists in sync.
  allowedGroups:
    - 'k-space:floor'
    - 'k-space:friends'
  # Authorization-code flow with refresh tokens; the only response type is
  # "code", so no implicit-flow response types are enabled here.
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  # Only identity scopes are offered.
  availableScopes:
    - openid
    - profile
---
# TLS settings Traefik uses when it connects to the Proxmox backends.
# The pve1/pve8/pve9 Services in this file opt in through their
# "service.serverstransport" annotation.
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: proxmox-servers-transport
spec:
  # Trust anchors come from the Secret named "pve" defined in this file.
  # insecureSkipVerify is not set here, so backend certificate verification
  # stays enabled.
  # NOTE(review): no serverName is set - confirm which name Traefik checks
  # the backend certificate against for the ExternalName services.
  rootCAsSecrets:
    - pve
---
apiVersion: v1
kind: Secret
metadata:
  name: pve
data:
  # Not confidential: this is the CA certificate that signs the HTTPS
  # keypairs of the Proxmox endpoints. Pinning it makes Traefik talk only to
  # the real Proxmox machines and not to some other machine that has taken
  # over a Proxmox IP address.
  #
  # The value is the trust anchor for every backend connection made through
  # the ServersTransport in this file, so review any change to it by decoding
  # the new value, not by reading the base64 diff.
  #
  # To inspect current value:
  # kubectl get secret -n traefik pve -o=json | jq '.data ."pve.pem"' -r | base64 -d | openssl x509 -text -inform PEM -noout
  #
  # NOTE(review): the command uses namespace "traefik", while the Services in
  # this file reference the transport as
  # "oidc-gateway-proxmox-servers-transport@kubernetescrd", which points at
  # namespace "oidc-gateway" - confirm where this Secret actually lives.
  # NOTE(review): the certificate shown here appears to expire on 2030-08-21;
  # verify with the command above and plan the rotation before that date.
  pve.pem: |
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ6VENDQTdXZ0F3SUJBZ0lVUGk5SFNhQlp0
    ZG5JL01NREFBb05DT3ZpaGJjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2RqRWtNQ0lHQTFVRUF3d2JV
    SEp2ZUcxdmVDQldhWEowZFdGc0lFVnVkbWx5YjI1dFpXNTBNUzB3S3dZRApWUVFMRENSbFptTmpN
    elF6WXkweU5HSXhMVFJqWXpNdFlqTXhZaTA0Tm1KaE0yVmxOemt6WTJZeEh6QWRCZ05WCkJBb01G
    bEJXUlNCRGJIVnpkR1Z5SUUxaGJtRm5aWElnUTBFd0hoY05NakF3T0RJek1Ea3pNalEyV2hjTk16
    QXcKT0RJeE1Ea3pNalEyV2pCMk1TUXdJZ1lEVlFRRERCdFFjbTk0Ylc5NElGWnBjblIxWVd3Z1JX
    NTJhWEp2Ym0xbApiblF4TFRBckJnTlZCQXNNSkdWbVkyTXpORE5qTFRJMFlqRXROR05qTXkxaU16
    RmlMVGcyWW1FelpXVTNPVE5qClpqRWZNQjBHQTFVRUNnd1dVRlpGSUVOc2RYTjBaWElnVFdGdVlX
    ZGxjaUJEUVRDQ0FpSXdEUVlKS29aSWh2Y04KQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQU1yTXZq
    VEJ2ZkdIUEZFbmJhWUh6Qm5TeTJNdnBkV0h3TTIrQU9XRQpnbmpDcjhiYnNWaUxBZnpMdGlNYzM0
    bEJIRXp6d3JwbmlQdXAyS2doNmtCc3BKa2c0bXZSY25pQW9XK3F4UDlWCmpXRlJiTU9OYVB1UHZF
    UWhrS2xBakJCL2hqZkRxS3FKaURZeU5CNjZsZG9RbnFFQ3RyRXEvRFFDZHZYWitJWW4KNmZpelBk
    enp3UHk4dzhxU1RiMmlpNzZjSkplOWdJYWVjdUlCRk5mK1dUYW0vRndGL2ZXbGU1aHMyNTZsa25w
    OQpKbTV6Q0R3eFljNCt5dVF1WEM0WEgzclNKc2U1UWI5QmhyVEx0VTdiRHZTbzZMWEZsOTR4YTlR
    VGQ1L3UvT3h0CmdONVN2aTBnS1RXUUdiK0pvTHJHYVducS9ocmN4THpnVzJSclMxOGJUZFE2MEZz
    WVdXSUFTRmZuSzdzSDJjQ2oKRWI5Sk8yWjJzNXpzQ3ZBYjlQQkF6ZkdwSFc0dnFibHpHdmZtbFV5
    em10NFpEU3V6cGlwRTJ4SUpWVHNBOXJqdwpJd0plU1E0bitpeUF6cUQwMUprbjdRaEtJQ0kzZ21s
    ZmJ5YzRuTkxEZlZnQTA0VDBmUG5LMDBTSnN2ek1WRjNMCncvbmNheHBhczlhV2ptQ1BBWTEvREJ2
    RmU3M05EeGRsazFpd0Y5L1V6OGl2WWlLYlk3K3I4blhGM0V3YjZtQmYKZFdsTUlaYSsyeVEweHl6
    MDlqanNKU1dSRlduV25oRVg1SDVISERBYXhkZmZXUkRtVXR3d2ExWlN6VU1MNHNENgo4U2NHclFQ
    YWVicE5ZWWI3WmdGTm82ZVp3YytlWmpJVW9XMXhYNlhqSWQ2UENvSmw5UDdMUnJUTWF3NjhHU3Nn
    CjdLd0RBZ01CQUFHalV6QlJNQjBHQTFVZERnUVdCQlJxT0VLODdZY2lZM09NSitOcVdRdklaQ2FH
    NWpBZkJnTlYKSFNNRUdEQVdnQlJxT0VLODdZY2lZM09NSitOcVdRdklaQ2FHNWpBUEJnTlZIUk1C
    QWY4RUJUQURBUUgvTUEwRwpDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQk1JTmszTFlHTHZITlpSWURh
    YVYwaW45bGtzaWIvd0dZQ01vUDhQZE03Ckw0ZktsUjNDNXJ3clhKNjRwWVJrOFByemFWRjJvclNr
    REI1Z1Jaa1phbVkzbCtSOU9ISkNheXBNSjVTeHZtVlkKZFBYZ1hBYVlGR1V1cjZHU0RsZkxDUmp1
    OWdMRnhEbEhZZTVPcm5JbURUcENzK2xXVmcwSDVrUlFNZFJ2eVplTAp1SWs5UEZVcE5GSksyWmtl
    c0tOWUlPNldwRzBBd0hSZUI0U0MzYzBWNkdrQW84bHUxeGhYMWpUMnFuQXRQTDM4CkkzQkpCNDhY
    KzkzZGxHcDNBRlp4WmhSSjU1ejdHTm56c1UxaGNTSk1rOUpTN2RhWVhtM3FjTmxZNnY5OCtVK3gK
    U0RxdUFKU0tIanF5RzRDdjZlL2toamNLMzJpcENuZmYzb2plblpTZlFtN3l3OXpCQjFSc1Z3TU9k
    aTBCOW44cApDWHpRcHdHTERiNjB1VCtycTJ4eHJici9yT3VtQU5GbXByd1oxbi9yWE45bndxUktW
    VVBRU1lQdVVKa2xCTktLCnNVL1dTSHBzMGF4dTRUMElFUk0zZHVCWEJ5Yms0TXJXSTBCZ2ptNXZz
    NFNPNHVGSU96d2RBVkdIQ09lRWhQQzIKMzRiSW9ES09tZDFNcmtjYTQyTWw4bDFtb0hTUFd3djZ4
    dVo1U1I0UXhPaXdWa0tJRHdvSmg2M2swTmxwUzZFUwp4N253ekZIc01rNTRFTWNMMjJjRk9YK3Rh
    Q1JtTDVRVVdDMGQ3bEFCMElXQS9UTkRXU3lQbHlRN1VCcjRIZGoxClh2NU43Yks0SUN5NWRhN25h
    RWRmRHIzNTBpZkRCQkVuL3RvL3JUczFOVjhyOGpjcG14a2MzNjlSQXp3TmJiRVkKMVE9PQotLS0t
    LUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
---
# In-cluster alias for the Proxmox node pve1, used as an Ingress backend.
apiVersion: v1
kind: Service
metadata:
  name: pve1
  annotations:
    # Binds backend connections to the ServersTransport defined in this file,
    # i.e. to its pinned root CA. Without this annotation the backend TLS
    # settings fall back to Traefik's defaults.
    traefik.ingress.kubernetes.io/service.serverstransport: oidc-gateway-proxmox-servers-transport@kubernetescrd
spec:
  type: ExternalName
  externalName: pve1.proxmox.infra.k-space.ee
  ports:
    # The port name "https" is what tells Traefik's Ingress provider to use
    # HTTPS towards this backend; renaming it would change the backend scheme.
    - name: https
      protocol: TCP
      port: 8006
---
# In-cluster alias for the Proxmox node pve8, used as an Ingress backend.
apiVersion: v1
kind: Service
metadata:
  name: pve8
  annotations:
    # Selects the ServersTransport from this file so the backend certificate
    # is verified against the pinned Proxmox CA.
    traefik.ingress.kubernetes.io/service.serverstransport: oidc-gateway-proxmox-servers-transport@kubernetescrd
spec:
  type: ExternalName
  externalName: pve8.proxmox.infra.k-space.ee
  ports:
    # Keep the name "https": Traefik's Ingress provider derives the backend
    # scheme from it.
    - name: https
      protocol: TCP
      port: 8006
---
# In-cluster alias for the Proxmox node pve9, used as an Ingress backend.
apiVersion: v1
kind: Service
metadata:
  name: pve9
  annotations:
    # Selects the ServersTransport from this file so the backend certificate
    # is verified against the pinned Proxmox CA.
    traefik.ingress.kubernetes.io/service.serverstransport: oidc-gateway-proxmox-servers-transport@kubernetescrd
spec:
  type: ExternalName
  externalName: pve9.proxmox.infra.k-space.ee
  ports:
    # Keep the name "https": Traefik's Ingress provider derives the backend
    # scheme from it.
    - name: https
      protocol: TCP
      port: 8006
---
# Public entry point for Proxmox: pve.k-space.ee is proxied to the Proxmox
# nodes, proxmox.k-space.ee is the legacy name that gets redirected.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: pve
  annotations:
    kubernetes.io/ingress.class: traefik
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    # Middlewares run in the order listed: the OIDC gateway check first, the
    # hostname redirect second. Keep the authentication middleware first, and
    # keep it in this list - it is the only access gate this Ingress applies.
    # It covers only traffic that arrives through Traefik; direct reachability
    # of port 8006 on the Proxmox hosts is outside what this manifest controls.
    traefik.ingress.kubernetes.io/router.middlewares: oidc-gateway-proxmox@kubernetescrd,oidc-gateway-proxmox-redirect@kubernetescrd
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  rules:
    # Legacy hostname. The proxmox-redirect middleware in this file matches
    # every URL on this host, so "whoami" looks like a placeholder backend
    # that is only reached if the redirect does not apply - TODO confirm.
    - host: proxmox.k-space.ee
      http:
        paths:
          - path: '/'
            pathType: Prefix
            backend:
              service:
                name: whoami
                port:
                  number: 80
    # Three backends share the same host and path.
    # NOTE(review): how requests are spread across pve1/pve8/pve9 depends on
    # the ingress controller - confirm this gives the intended balancing.
    - host: pve.k-space.ee
      http:
        paths:
          - path: '/'
            pathType: Prefix
            backend:
              service:
                name: pve1
                port:
                  number: 8006
          - path: '/'
            pathType: Prefix
            backend:
              service:
                name: pve8
                port:
                  number: 8006
          - path: '/'
            pathType: Prefix
            backend:
              service:
                name: pve9
                port:
                  number: 8006
  tls:
    # No secretName is given, so the certificate is whatever Traefik serves
    # by default for this wildcard.
    - hosts:
        - '*.k-space.ee'
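---
# Sends every request for the legacy hostname proxmox.k-space.ee to the same
# path on pve.k-space.ee. Referenced by the Ingress in this file as
# "oidc-gateway-proxmox-redirect@kubernetescrd".
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: proxmox-redirect
spec:
  redirectRegex:
    # The dots are escaped so each matches only a literal "."; unescaped, "."
    # matches any character and the pattern accepts more hostnames than
    # intended. Single quotes keep the backslashes literal in YAML.
    regex: '^https://proxmox\.k-space\.ee/(.*)$'
    # The target scheme and host are fixed; only the captured path is carried
    # over, so the request cannot steer the redirect to another host.
    replacement: 'https://pve.k-space.ee/$1'
    # Temporary redirect rather than a permanent one.
    permanent: false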