bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 14 Actions Packages Projects Releases Wiki Activity

Add internal DNS IngressRoutes: telephony, grafana, prometheus, cockpit

Browse Source 
- telephony.iamworkin.lan: cert-manager TLS + IngressRoute to telephony-web:5100
- grafana.iamworkin.lan: proxy to noc1:3000 via headless Service + Endpoints
- prometheus.iamworkin.lan: proxy to noc1:9091 via headless Service + Endpoints
- cockpit.iamworkin.lan: proxy to noc1:9090 with insecureSkipVerify (self-signed)
- All certs issued by step-ca-acme ClusterIssuer
- NetworkPolicy restricts noc-proxy to Traefik ingress + noc1 egress only
This commit is contained in:
Blue Jay
2026-03-11 14:21:26 -05:00
parent b96abb341f
commit 1d8e2e9a1c
2 changed files with 262 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

230
apps/noc-services/noc-services.yaml Normal file
View File

@@ -0,0 +1,230 @@
# NOC Services - Traefik IngressRoutes for noc1 services
# Proxies internal .iamworkin.lan hostnames to noc1 (10.0.56.10) via
# headless Service + manual Endpoints (standard K8s external proxy pattern)
# ArgoCD managed - BlueJay Lab
---
apiVersion: v1
kind: Namespace
metadata:
name: noc-proxy
labels:
app.kubernetes.io/part-of: bluejay-infra
---
# ============================================================
# Grafana - noc1:3000
# ============================================================
apiVersion: v1
kind: Service
metadata:
name: grafana-external
namespace: noc-proxy
spec:
ports:
- port: 3000
targetPort: 3000
name: http
clusterIP: None
---
apiVersion: v1
kind: Endpoints
metadata:
name: grafana-external
namespace: noc-proxy
subsets:
- addresses:
- ip: 10.0.56.10
ports:
- port: 3000
name: http
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: grafana-tls
namespace: noc-proxy
spec:
secretName: grafana-tls
issuerRef:
name: step-ca-acme
kind: ClusterIssuer
dnsNames:
- grafana.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: grafana
namespace: noc-proxy
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`grafana.iamworkin.lan`)
services:
- name: grafana-external
port: 3000
tls:
secretName: grafana-tls
---
# ============================================================
# Prometheus - noc1:9091
# ============================================================
apiVersion: v1
kind: Service
metadata:
name: prometheus-external
namespace: noc-proxy
spec:
ports:
- port: 9091
targetPort: 9091
name: http
clusterIP: None
---
apiVersion: v1
kind: Endpoints
metadata:
name: prometheus-external
namespace: noc-proxy
subsets:
- addresses:
- ip: 10.0.56.10
ports:
- port: 9091
name: http
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: prometheus-tls
namespace: noc-proxy
spec:
secretName: prometheus-tls
issuerRef:
name: step-ca-acme
kind: ClusterIssuer
dnsNames:
- prometheus.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: prometheus
namespace: noc-proxy
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`prometheus.iamworkin.lan`)
services:
- name: prometheus-external
port: 9091
tls:
secretName: prometheus-tls
---
# ============================================================
# Cockpit - noc1:9090
# ============================================================
apiVersion: v1
kind: Service
metadata:
name: cockpit-external
namespace: noc-proxy
spec:
ports:
- port: 9090
targetPort: 9090
name: https
clusterIP: None
---
apiVersion: v1
kind: Endpoints
metadata:
name: cockpit-external
namespace: noc-proxy
subsets:
- addresses:
- ip: 10.0.56.10
ports:
- port: 9090
name: https
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: cockpit-tls
namespace: noc-proxy
spec:
secretName: cockpit-tls
issuerRef:
name: step-ca-acme
kind: ClusterIssuer
dnsNames:
- cockpit.iamworkin.lan
---
# Cockpit uses self-signed HTTPS on 9090, so we need a ServersTransport
# to skip backend TLS verification
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
name: cockpit-transport
namespace: noc-proxy
spec:
insecureSkipVerify: true
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: cockpit
namespace: noc-proxy
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`cockpit.iamworkin.lan`)
services:
- name: cockpit-external
port: 9090
serversTransport: cockpit-transport
tls:
secretName: cockpit-tls
---
# NetworkPolicy: allow Traefik ingress, allow egress to noc1
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: noc-proxy-netpol
namespace: noc-proxy
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: traefik-system
egress:
- to:
- ipBlock:
cidr: 10.0.56.10/32
ports:
- port: 3000
protocol: TCP
- port: 9090
protocol: TCP
- port: 9091
protocol: TCP
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP

32
apps/telephony/telephony.yaml
View File

@@ -277,3 +277,35 @@ spec:
- namespaceSelector: - namespaceSelector:
matchLabels: matchLabels:
kubernetes.io/metadata.name: onepassword-system kubernetes.io/metadata.name: onepassword-system
---
# TLS Certificate for internal hostname via cert-manager
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: telephony-internal-tls
namespace: telephony
spec:
secretName: telephony-internal-tls
issuerRef:
name: step-ca-acme
kind: ClusterIssuer
dnsNames:
- telephony.iamworkin.lan
---
# Traefik IngressRoute — internal LAN access
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: telephony-web-internal
namespace: telephony
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`telephony.iamworkin.lan`)
services:
- name: telephony-web
port: 5100
tls:
secretName: telephony-internal-tls