stabify/gitops
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added middleware whitelist for .internal services

Browse Source
This commit is contained in:
Nick Adam
2026-01-17 01:32:44 +01:00
parent 0549661c90
commit ad60c87f62
4 changed files with 48 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
infrastructure/longhorn/values.yaml
View File

@@ -16,5 +16,6 @@ longhorn:
host: longhorn.apps.internal.k3s.stabify.de host: longhorn.apps.internal.k3s.stabify.de
annotations: annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod cert-manager.io/cluster-issuer: letsencrypt-prod
traefik.ingress.kubernetes.io/router.middlewares: traefik-system-ipwhitelist-internal@kubernetescrd
tls: true tls: true
tlsSecret: longhorn-tls tlsSecret: longhorn-tls

2
infrastructure/seaweedfs-app.yaml
View File

@@ -38,6 +38,7 @@ spec:
className: traefik className: traefik
annotations: | annotations: |
cert-manager.io/cluster-issuer: letsencrypt-prod cert-manager.io/cluster-issuer: letsencrypt-prod
traefik.ingress.kubernetes.io/router.middlewares: traefik-system-ipwhitelist-internal@kubernetescrd
host: filer.seaweedfs.apps.internal.k3s.stabify.de host: filer.seaweedfs.apps.internal.k3s.stabify.de
tls: tls:
- secretName: seaweedfs-filer-tls - secretName: seaweedfs-filer-tls
@@ -53,6 +54,7 @@ spec:
className: traefik className: traefik
annotations: | annotations: |
cert-manager.io/cluster-issuer: letsencrypt-prod cert-manager.io/cluster-issuer: letsencrypt-prod
traefik.ingress.kubernetes.io/router.middlewares: traefik-system-ipwhitelist-internal@kubernetescrd
host: s3.apps.internal.k3s.stabify.de host: s3.apps.internal.k3s.stabify.de
tls: tls:
- secretName: seaweedfs-s3-tls - secretName: seaweedfs-s3-tls

26
infrastructure/traefik-middleware-app.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: traefik-middleware-ipwhitelist
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "0" # Nach Traefik, aber vor Apps
spec:
project: default
source:
repoURL: https://git.cloud-infra.prod.openmailserver.de/stabify/gitops.git
targetRevision: HEAD
path: infrastructure
directory:
recurse: false
include: traefik-middleware-ipwhitelist.yaml
destination:
server: https://kubernetes.default.svc
namespace: traefik-system
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true

19
infrastructure/traefik-middleware-ipwhitelist.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: ipwhitelist-internal
namespace: traefik-system
labels:
app.kubernetes.io/name: traefik
app.kubernetes.io/component: middleware
spec:
ipWhiteList:
# VPN IP-Range: Anpassen je nach VPN-Konfiguration
# Standard: 10.100.0.0/16 (komplettes internes Netzwerk)
# Für spezifische VPN-Range: z.B. 10.100.200.0/24
sourceRange:
- "10.100.0.0/16"
- "10.200.0.0/24" # Internes Netzwerk (VLAN 30, 40, 90, etc.)
# Weitere VPN-Ranges hier hinzufügen:
# - "10.100.200.0/24" # Beispiel: Dediziertes VPN-Subnetz
# - "192.168.1.0/24" # Beispiel: Externes VPN-Netzwerk