added middleware whitelist for .internal services

2026-01-17 01:32:44 +01:00
parent 0549661c90
commit ad60c87f62
4 changed files with 48 additions and 0 deletions
--- a/infrastructure/longhorn/values.yaml
+++ b/infrastructure/longhorn/values.yaml
@@ -16,5 +16,6 @@ longhorn:
    host: longhorn.apps.internal.k3s.stabify.de
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
+      traefik.ingress.kubernetes.io/router.middlewares: traefik-system-ipwhitelist-internal@kubernetescrd
    tls: true
    tlsSecret: longhorn-tls
--- a/infrastructure/seaweedfs-app.yaml
+++ b/infrastructure/seaweedfs-app.yaml
@@ -38,6 +38,7 @@ spec:
            className: traefik
            annotations: |
              cert-manager.io/cluster-issuer: letsencrypt-prod
+              traefik.ingress.kubernetes.io/router.middlewares: traefik-system-ipwhitelist-internal@kubernetescrd
            host: filer.seaweedfs.apps.internal.k3s.stabify.de
            tls:
              - secretName: seaweedfs-filer-tls
@@ -53,6 +54,7 @@ spec:
            className: traefik
            annotations: |
              cert-manager.io/cluster-issuer: letsencrypt-prod
+              traefik.ingress.kubernetes.io/router.middlewares: traefik-system-ipwhitelist-internal@kubernetescrd
            host: s3.apps.internal.k3s.stabify.de
            tls:
              - secretName: seaweedfs-s3-tls
--- a/infrastructure/traefik-middleware-app.yaml
+++ b/infrastructure/traefik-middleware-app.yaml
@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: traefik-middleware-ipwhitelist
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"  # Nach Traefik, aber vor Apps
+spec:
+  project: default
+  source:
+    repoURL: https://git.cloud-infra.prod.openmailserver.de/stabify/gitops.git
+    targetRevision: HEAD
+    path: infrastructure
+    directory:
+      recurse: false
+      include: traefik-middleware-ipwhitelist.yaml
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: traefik-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
--- a/infrastructure/traefik-middleware-ipwhitelist.yaml
+++ b/infrastructure/traefik-middleware-ipwhitelist.yaml
@@ -0,0 +1,19 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: ipwhitelist-internal
+  namespace: traefik-system
+  labels:
+    app.kubernetes.io/name: traefik
+    app.kubernetes.io/component: middleware
+spec:
+  ipWhiteList:
+    # VPN IP-Range: Anpassen je nach VPN-Konfiguration
+    # Standard: 10.100.0.0/16 (komplettes internes Netzwerk)
+    # Für spezifische VPN-Range: z.B. 10.100.200.0/24
+    sourceRange:
+      - "10.100.0.0/16"
+      - "10.200.0.0/24"   # Internes Netzwerk (VLAN 30, 40, 90, etc.)
+      # Weitere VPN-Ranges hier hinzufügen:
+      # - "10.100.200.0/24"  # Beispiel: Dediziertes VPN-Subnetz
+      # - "192.168.1.0/24"   # Beispiel: Externes VPN-Netzwerk