smatsiievskyi/kube
1
0
Fork 0
forked from k-space/kube
Code Issues Pull Requests Packages Projects Activity
Files
fd58faeccb46b681de69e4a30b0c3852b27ee64c
kube/passmower/proxmox.yaml

278 lines
8.9 KiB
YAML
Raw Blame History

---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: proxmox
spec:
displayName: Proxmox Virtual Environment (middleware)
uri: https://pve.k-space.ee/
allowedGroups:
- k-space:floor
- k-space:friends
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
name: proxmox
spec:
displayName: Proxmox Virtual Environment
uri: https://pve.k-space.ee/
redirectUris:
- https://pve.k-space.ee/
- https://pve.k-space.ee
allowedGroups:
- k-space:floor
- k-space:friends
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
availableScopes:
- openid
- profile
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
name: proxmox-servers-transport
spec:
rootCAsSecrets:
- pve
---
apiVersion: v1
kind: Secret
metadata:
name: pve
data:
# This is not actually secret, this is CA certificate of the key
# used to sign Proxmox HTTPS endpoint keypairs.
# This makes sure Traefik is talking to the real Proxmox machines,
# and not arbitrary machines that have hijacked the Proxmox machine IP-s.
# To inspect current value:
# kubectl get secret -n traefik pve -o=json | jq '.data ."pve.pem"' -r | base64 -d | openssl x509 -text -inform PEM -noout
pve.pem: |
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ6VENDQTdXZ0F3SUJBZ0lVUGk5SFNhQlp0
ZG5JL01NREFBb05DT3ZpaGJjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2RqRWtNQ0lHQTFVRUF3d2JV
SEp2ZUcxdmVDQldhWEowZFdGc0lFVnVkbWx5YjI1dFpXNTBNUzB3S3dZRApWUVFMRENSbFptTmpN
elF6WXkweU5HSXhMVFJqWXpNdFlqTXhZaTA0Tm1KaE0yVmxOemt6WTJZeEh6QWRCZ05WCkJBb01G
bEJXUlNCRGJIVnpkR1Z5SUUxaGJtRm5aWElnUTBFd0hoY05NakF3T0RJek1Ea3pNalEyV2hjTk16
QXcKT0RJeE1Ea3pNalEyV2pCMk1TUXdJZ1lEVlFRRERCdFFjbTk0Ylc5NElGWnBjblIxWVd3Z1JX
NTJhWEp2Ym0xbApiblF4TFRBckJnTlZCQXNNSkdWbVkyTXpORE5qTFRJMFlqRXROR05qTXkxaU16
RmlMVGcyWW1FelpXVTNPVE5qClpqRWZNQjBHQTFVRUNnd1dVRlpGSUVOc2RYTjBaWElnVFdGdVlX
ZGxjaUJEUVRDQ0FpSXdEUVlKS29aSWh2Y04KQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQU1yTXZq
VEJ2ZkdIUEZFbmJhWUh6Qm5TeTJNdnBkV0h3TTIrQU9XRQpnbmpDcjhiYnNWaUxBZnpMdGlNYzM0
bEJIRXp6d3JwbmlQdXAyS2doNmtCc3BKa2c0bXZSY25pQW9XK3F4UDlWCmpXRlJiTU9OYVB1UHZF
UWhrS2xBakJCL2hqZkRxS3FKaURZeU5CNjZsZG9RbnFFQ3RyRXEvRFFDZHZYWitJWW4KNmZpelBk
enp3UHk4dzhxU1RiMmlpNzZjSkplOWdJYWVjdUlCRk5mK1dUYW0vRndGL2ZXbGU1aHMyNTZsa25w
OQpKbTV6Q0R3eFljNCt5dVF1WEM0WEgzclNKc2U1UWI5QmhyVEx0VTdiRHZTbzZMWEZsOTR4YTlR
VGQ1L3UvT3h0CmdONVN2aTBnS1RXUUdiK0pvTHJHYVducS9ocmN4THpnVzJSclMxOGJUZFE2MEZz
WVdXSUFTRmZuSzdzSDJjQ2oKRWI5Sk8yWjJzNXpzQ3ZBYjlQQkF6ZkdwSFc0dnFibHpHdmZtbFV5
em10NFpEU3V6cGlwRTJ4SUpWVHNBOXJqdwpJd0plU1E0bitpeUF6cUQwMUprbjdRaEtJQ0kzZ21s
ZmJ5YzRuTkxEZlZnQTA0VDBmUG5LMDBTSnN2ek1WRjNMCncvbmNheHBhczlhV2ptQ1BBWTEvREJ2
RmU3M05EeGRsazFpd0Y5L1V6OGl2WWlLYlk3K3I4blhGM0V3YjZtQmYKZFdsTUlaYSsyeVEweHl6
MDlqanNKU1dSRlduV25oRVg1SDVISERBYXhkZmZXUkRtVXR3d2ExWlN6VU1MNHNENgo4U2NHclFQ
YWVicE5ZWWI3WmdGTm82ZVp3YytlWmpJVW9XMXhYNlhqSWQ2UENvSmw5UDdMUnJUTWF3NjhHU3Nn
CjdLd0RBZ01CQUFHalV6QlJNQjBHQTFVZERnUVdCQlJxT0VLODdZY2lZM09NSitOcVdRdklaQ2FH
NWpBZkJnTlYKSFNNRUdEQVdnQlJxT0VLODdZY2lZM09NSitOcVdRdklaQ2FHNWpBUEJnTlZIUk1C
QWY4RUJUQURBUUgvTUEwRwpDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQk1JTmszTFlHTHZITlpSWURh
YVYwaW45bGtzaWIvd0dZQ01vUDhQZE03Ckw0ZktsUjNDNXJ3clhKNjRwWVJrOFByemFWRjJvclNr
REI1Z1Jaa1phbVkzbCtSOU9ISkNheXBNSjVTeHZtVlkKZFBYZ1hBYVlGR1V1cjZHU0RsZkxDUmp1
OWdMRnhEbEhZZTVPcm5JbURUcENzK2xXVmcwSDVrUlFNZFJ2eVplTAp1SWs5UEZVcE5GSksyWmtl
c0tOWUlPNldwRzBBd0hSZUI0U0MzYzBWNkdrQW84bHUxeGhYMWpUMnFuQXRQTDM4CkkzQkpCNDhY
KzkzZGxHcDNBRlp4WmhSSjU1ejdHTm56c1UxaGNTSk1rOUpTN2RhWVhtM3FjTmxZNnY5OCtVK3gK
U0RxdUFKU0tIanF5RzRDdjZlL2toamNLMzJpcENuZmYzb2plblpTZlFtN3l3OXpCQjFSc1Z3TU9k
aTBCOW44cApDWHpRcHdHTERiNjB1VCtycTJ4eHJici9yT3VtQU5GbXByd1oxbi9yWE45bndxUktW
VVBRU1lQdVVKa2xCTktLCnNVL1dTSHBzMGF4dTRUMElFUk0zZHVCWEJ5Yms0TXJXSTBCZ2ptNXZz
NFNPNHVGSU96d2RBVkdIQ09lRWhQQzIKMzRiSW9ES09tZDFNcmtjYTQyTWw4bDFtb0hTUFd3djZ4
dVo1U1I0UXhPaXdWa0tJRHdvSmg2M2swTmxwUzZFUwp4N253ekZIc01rNTRFTWNMMjJjRk9YK3Rh
Q1JtTDVRVVdDMGQ3bEFCMElXQS9UTkRXU3lQbHlRN1VCcjRIZGoxClh2NU43Yks0SUN5NWRhN25h
RWRmRHIzNTBpZkRCQkVuL3RvL3JUczFOVjhyOGpjcG14a2MzNjlSQXp3TmJiRVkKMVE9PQotLS0t
LUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
---
apiVersion: v1
kind: Service
metadata:
name: pve90
annotations:
traefik.ingress.kubernetes.io/service.serverstransport: passmower-proxmox-servers-transport@kubernetescrd
spec:
type: ExternalName
externalName: pve90.proxmox.infra.k-space.ee
ports:
- name: https
port: 8006
protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
name: pve91
annotations:
traefik.ingress.kubernetes.io/service.serverstransport: passmower-proxmox-servers-transport@kubernetescrd
spec:
type: ExternalName
externalName: pve91.proxmox.infra.k-space.ee
ports:
- name: https
port: 8006
protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
name: pve92
annotations:
traefik.ingress.kubernetes.io/service.serverstransport: passmower-proxmox-servers-transport@kubernetescrd
spec:
type: ExternalName
externalName: pve92.proxmox.infra.k-space.ee
ports:
- name: https
port: 8006
protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
name: pve93
annotations:
traefik.ingress.kubernetes.io/service.serverstransport: passmower-proxmox-servers-transport@kubernetescrd
spec:
type: ExternalName
externalName: pve93.proxmox.infra.k-space.ee
ports:
- name: https
port: 8006
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: pve
annotations:
kubernetes.io/ingress.class: traefik
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
traefik.ingress.kubernetes.io/router.entrypoints: websecure
# traefik.ingress.kubernetes.io/router.middlewares: passmower-proxmox@kubernetescrd,passmower-proxmox-redirect@kubernetescrd
spec:
rules:
- host: proxmox.k-space.ee
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: whoami
port:
number: 80
- host: pve.k-space.ee
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: pve90
port: {number: 8006}
- pathType: Prefix
path: "/"
backend:
service:
name: pve91
port: {number: 8006}
- pathType: Prefix
path: "/"
backend:
service:
name: pve92
port: {number: 8006}
- pathType: Prefix
path: "/"
backend:
service:
name: pve93
port: {number: 8006}
tls:
- hosts:
- "*.k-space.ee"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: proxmox-redirect
spec:
redirectRegex:
regex: ^https://proxmox.k-space.ee/(.*)
replacement: https://pve.k-space.ee/${1}
permanent: false
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: proxmox
spec:
entryPoints:
- websecure
routes:
- match: Host(`proxmox.k-space.ee`)
kind: Rule
middlewares:
- name: proxmox-redirect
services: # Dirty workaround, service can't be empty
- kind: TraefikService
name: api@internal
# ---
#TODO: pve-internal was supposed to be for proxmox-csi, but it uses just pve1 only directly. This is unused, proxmox-csi, if not completely removed for ceph, might be able to use the extenral-facing URL directly asw.
# apiVersion: networking.k8s.io/v1
# kind: Ingress
# metadata:
# name: pve-internal
# annotations:
# kubernetes.io/ingress.class: traefik
# external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
# traefik.ingress.kubernetes.io/router.entrypoints: websecure
# traefik.ingress.kubernetes.io/router.middlewares: passmower-codemowers-cloud-ip-whitelist@kubernetescrd
# spec:
# rules:
# - host: pve-internal.k-space.ee
# http:
# paths:
# - pathType: Prefix
# path: "/"
# backend:
# service:
# name: pve1
# port: {number: 8006}
# - pathType: Prefix
# path: "/"
# backend:
# service:
# name: pve2
# port: {number: 8006}
# - pathType: Prefix
# path: "/"
# backend:
# service:
# name: pve8
# port: {number: 8006}
# - pathType: Prefix
# path: "/"
# backend:
# service:
# name: pve9
# port: {number: 8006}
# tls:
# - hosts:
# - "*.k-space.ee"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: codemowers-cloud-ip-whitelist
spec:
ipWhiteList:
sourceRange:
- 172.20.5.0/24
Reference in New Issue View Git Blame Copy Permalink