From 1d8e2e9a1c0cbdad0dcb75329446c18f38e8482a Mon Sep 17 00:00:00 2001
From: Blue Jay
Date: Wed, 11 Mar 2026 14:21:26 -0500
Subject: [PATCH] Add internal DNS IngressRoutes: telephony, grafana, prometheus, cockpit

- telephony.iamworkin.lan: cert-manager TLS + IngressRoute to telephony-web:5100
- grafana.iamworkin.lan: proxy to noc1:3000 via headless Service + Endpoints
- prometheus.iamworkin.lan: proxy to noc1:9091 via headless Service + Endpoints
- cockpit.iamworkin.lan: proxy to noc1:9090 with insecureSkipVerify (self-signed)
- All certs issued by step-ca-acme ClusterIssuer
- NetworkPolicy restricts noc-proxy to Traefik ingress + noc1 egress only
---
apps/noc-services/noc-services.yaml | 230 ++++++++++++++++++++++++++++
apps/telephony/telephony.yaml | 32 ++++
2 files changed, 262 insertions(+)
create mode 100644 apps/noc-services/noc-services.yaml

diff --git a/apps/noc-services/noc-services.yaml b/apps/noc-services/noc-services.yaml
new file mode 100644
index 0000000..62ccdf9
--- /dev/null
+++ b/apps/noc-services/noc-services.yaml
@@ -0,0 +1,230 @@
+# NOC Services - Traefik IngressRoutes for noc1 services
+# Proxies internal .iamworkin.lan hostnames to noc1 (10.0.56.10) via
+# headless Service + manual Endpoints (standard K8s external proxy pattern)
+# ArgoCD managed - BlueJay Lab
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: noc-proxy
+ labels:
+ app.kubernetes.io/part-of: bluejay-infra
+---
+# ============================================================
+# Grafana - noc1:3000
+# ============================================================
+apiVersion: v1
+kind: Service
+metadata:
+ name: grafana-external
+ namespace: noc-proxy
+spec:
+ ports:
+ - port: 3000
+ targetPort: 3000
+ name: http
+ clusterIP: None
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: grafana-external
+ namespace: noc-proxy
+subsets:
+ - addresses:
+ - ip: 10.0.56.10
+ ports:
+ - port: 3000
+ name: http
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: grafana-tls
+ namespace: noc-proxy
+spec:
+ secretName: grafana-tls
+ issuerRef:
+ name: step-ca-acme
+ kind: ClusterIssuer
+ dnsNames:
+ - grafana.iamworkin.lan
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: grafana
+ namespace: noc-proxy
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - kind: Rule
+ match: Host(`grafana.iamworkin.lan`)
+ services:
+ - name: grafana-external
+ port: 3000
+ tls:
+ secretName: grafana-tls
+---
+# ============================================================
+# Prometheus - noc1:9091
+# ============================================================
+apiVersion: v1
+kind: Service
+metadata:
+ name: prometheus-external
+ namespace: noc-proxy
+spec:
+ ports:
+ - port: 9091
+ targetPort: 9091
+ name: http
+ clusterIP: None
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: prometheus-external
+ namespace: noc-proxy
+subsets:
+ - addresses:
+ - ip: 10.0.56.10
+ ports:
+ - port: 9091
+ name: http
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: prometheus-tls
+ namespace: noc-proxy
+spec:
+ secretName: prometheus-tls
+ issuerRef:
+ name: step-ca-acme
+ kind: ClusterIssuer
+ dnsNames:
+ - prometheus.iamworkin.lan
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: prometheus
+ namespace: noc-proxy
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - kind: Rule
+ match: Host(`prometheus.iamworkin.lan`)
+ services:
+ - name: prometheus-external
+ port: 9091
+ tls:
+ secretName: prometheus-tls
+---
+# ============================================================
+# Cockpit - noc1:9090
+# ============================================================
+apiVersion: v1
+kind: Service
+metadata:
+ name: cockpit-external
+ namespace: noc-proxy
+spec:
+ ports:
+ - port: 9090
+ targetPort: 9090
+ name: https
+ clusterIP: None
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: cockpit-external
+ namespace: noc-proxy
+subsets:
+ - addresses:
+ - ip: 10.0.56.10
+ ports:
+ - port: 9090
+ name: https
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: cockpit-tls
+ namespace: noc-proxy
+spec:
+ secretName: cockpit-tls
+ issuerRef:
+ name: step-ca-acme
+ kind: ClusterIssuer
+ dnsNames:
+ - cockpit.iamworkin.lan
+---
+# Cockpit uses self-signed HTTPS on 9090, so we need a ServersTransport
+# to skip backend TLS verification
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+ name: cockpit-transport
+ namespace: noc-proxy
+spec:
+ insecureSkipVerify: true
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: cockpit
+ namespace: noc-proxy
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - kind: Rule
+ match: Host(`cockpit.iamworkin.lan`)
+ services:
+ - name: cockpit-external
+ port: 9090
+ serversTransport: cockpit-transport
+ tls:
+ secretName: cockpit-tls
+---
+# NetworkPolicy: allow Traefik ingress, allow egress to noc1
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: noc-proxy-netpol
+ namespace: noc-proxy
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: traefik-system
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 10.0.56.10/32
+ ports:
+ - port: 3000
+ protocol: TCP
+ - port: 9090
+ protocol: TCP
+ - port: 9091
+ protocol: TCP
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
diff --git a/apps/telephony/telephony.yaml b/apps/telephony/telephony.yaml
index d084cc2..5b234e7 100644
--- a/apps/telephony/telephony.yaml
+++ b/apps/telephony/telephony.yaml
@@ -277,3 +277,35 @@ spec:
 - namespaceSelector:
 matchLabels:
 kubernetes.io/metadata.name: onepassword-system
+---
+# TLS Certificate for internal hostname via cert-manager
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: telephony-internal-tls
+ namespace: telephony
+spec:
+ secretName: telephony-internal-tls
+ issuerRef:
+ name: step-ca-acme
+ kind: ClusterIssuer
+ dnsNames:
+ - telephony.iamworkin.lan
+---
+# Traefik IngressRoute — internal LAN access
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: telephony-web-internal
+ namespace: telephony
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - kind: Rule
+ match: Host(`telephony.iamworkin.lan`)
+ services:
+ - name: telephony-web
+ port: 5100
+ tls:
+ secretName: telephony-internal-tls
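Review bot: The NetworkPolicy that closes the hunk (`podSelector: {}` in `noc-proxy`) governs no traffic, because nothing in this commit creates a Pod in that namespace — the file holds only Services, Endpoints, Certificates, a ServersTransport and IngressRoutes — and the connections to 10.0.56.10 are opened by Traefik's own pods in `traefik-system`, which a policy living in `noc-proxy` cannot select. The commit message's "restricts noc-proxy to Traefik ingress + noc1 egress" therefore does not hold as written; either drop the object or replace the `# NetworkPolicy: allow Traefik ingress, allow egress to noc1` comment with one stating that it selects no pods today and that the Traefik -> noc1 path has to be constrained from the `traefik-system` side, unless pods are later deployed here. Separately, `insecureSkipVerify: true` on `cockpit-transport` makes the Traefik -> noc1:9090 leg accept any certificate, so the `websecure` front end presents an authenticated hop the back end does not have; with a fixed backend address, pinning the self-signed certificate through `rootCAsSecrets` (the cert stored as a Secret in `noc-proxy`) keeps the self-signed setup working without disabling verification. The grafana and prometheus legs are plain HTTP to the LAN host (port name `http`, no ServersTransport), which the header comment should state so readers do not assume end-to-end encryption from the `websecure` entry point.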
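Review bot: The new `telephony-web-internal` IngressRoute forwards Traefik traffic to `telephony-web:5100` in `telephony`, but the context lines directly above it are the tail of a NetworkPolicy rule selecting `onepassword-system` (that policy begins outside the hunk), and nothing in the hunk adds an ingress rule admitting the Traefik namespace on port 5100; if the full policy lists `Ingress` in its `policyTypes` without such a rule, the route will resolve but every request will time out at the pod. That is worth verifying against the whole policy before merge and recording next to the `# Traefik IngressRoute — internal LAN access` comment, e.g. `# requires the telephony NetworkPolicy to admit ingress from traefik-system on 5100`. Whether `telephony-web` authenticates its own users is not visible here; the `-internal` suffix suggests a sibling external route exists, and if that one relies on a Traefik middleware for authentication, this route carries none in `routes[0].middlewares` and should use the same one.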