Update telephony-web image to v20260324d, resolve merge conflicts

2026-03-24 15:55:52 -05:00
parent 42d2894ed1
commit f3fde15002
14 changed files with 3333 additions and 3420 deletions
--- a/apps/noc-services/noc-services.yaml
+++ b/apps/noc-services/noc-services.yaml
@@ -1,257 +1,257 @@
-# NOC Services - Traefik IngressRoutes for noc1 services
-# Proxies internal .iamworkin.lan hostnames to noc1 (10.0.56.10) via
-# headless Service + manual Endpoints (standard K8s external proxy pattern)
-# ArgoCD managed - BlueJay Lab
---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: noc-proxy
-  labels:
-    app.kubernetes.io/part-of: bluejay-infra
---
-# ============================================================
-# BasicAuth - shared across all NOC proxy IngressRoutes
-# ============================================================
-apiVersion: v1
-kind: Secret
-metadata:
-  name: noc-proxy-auth
-  namespace: noc-proxy
-type: Opaque
-data:
-  users: YWRtaW46JDJiJDEwJEZjdlVFNWNpNkxvNi5rZ1k5L3hJV2V5M2tvM3VVY1U5YXJaSlQ4N29ZREtCSi5lNkoucXJD
---
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: noc-proxy-auth
-  namespace: noc-proxy
-spec:
-  basicAuth:
-    secret: noc-proxy-auth
---
-# ============================================================
-# Grafana - noc1:3000
-# ============================================================
-apiVersion: v1
-kind: Service
-metadata:
-  name: grafana-external
-  namespace: noc-proxy
-spec:
-  ports:
-    - port: 3000
-      targetPort: 3000
-      name: http
-  clusterIP: None
---
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: grafana-external
-  namespace: noc-proxy
-subsets:
-  - addresses:
-      - ip: 10.0.56.10
-    ports:
-      - port: 3000
-        name: http
---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: grafana-tls
-  namespace: noc-proxy
-spec:
-  secretName: grafana-tls
-  issuerRef:
-    name: step-ca-acme
-    kind: ClusterIssuer
-  dnsNames:
-    - grafana.iamworkin.lan
---
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: grafana
-  namespace: noc-proxy
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - kind: Rule
-      match: Host(`grafana.iamworkin.lan`)
-      middlewares:
-        - name: noc-proxy-auth
-      services:
-        - name: grafana-external
-          port: 3000
-  tls:
-    secretName: grafana-tls
---
-# ============================================================
-# Prometheus - noc1:9091
-# ============================================================
-apiVersion: v1
-kind: Service
-metadata:
-  name: prometheus-external
-  namespace: noc-proxy
-spec:
-  ports:
-    - port: 9091
-      targetPort: 9091
-      name: http
-  clusterIP: None
---
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: prometheus-external
-  namespace: noc-proxy
-subsets:
-  - addresses:
-      - ip: 10.0.56.10
-    ports:
-      - port: 9091
-        name: http
---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: prometheus-tls
-  namespace: noc-proxy
-spec:
-  secretName: prometheus-tls
-  issuerRef:
-    name: step-ca-acme
-    kind: ClusterIssuer
-  dnsNames:
-    - prometheus.iamworkin.lan
---
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: prometheus
-  namespace: noc-proxy
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - kind: Rule
-      match: Host(`prometheus.iamworkin.lan`)
-      middlewares:
-        - name: noc-proxy-auth
-      services:
-        - name: prometheus-external
-          port: 9091
-  tls:
-    secretName: prometheus-tls
---
-# ============================================================
-# Cockpit - noc1:9090
-# ============================================================
-apiVersion: v1
-kind: Service
-metadata:
-  name: cockpit-external
-  namespace: noc-proxy
-spec:
-  ports:
-    - port: 9090
-      targetPort: 9090
-      name: https
-  clusterIP: None
---
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: cockpit-external
-  namespace: noc-proxy
-subsets:
-  - addresses:
-      - ip: 10.0.56.10
-    ports:
-      - port: 9090
-        name: https
---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: cockpit-tls
-  namespace: noc-proxy
-spec:
-  secretName: cockpit-tls
-  issuerRef:
-    name: step-ca-acme
-    kind: ClusterIssuer
-  dnsNames:
-    - cockpit.iamworkin.lan
---
-# Cockpit uses self-signed HTTPS on 9090, so we need a ServersTransport
-# to skip backend TLS verification
-apiVersion: traefik.io/v1alpha1
-kind: ServersTransport
-metadata:
-  name: cockpit-transport
-  namespace: noc-proxy
-spec:
-  insecureSkipVerify: true
---
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: cockpit
-  namespace: noc-proxy
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - kind: Rule
-      match: Host(`cockpit.iamworkin.lan`)
-      middlewares:
-        - name: noc-proxy-auth
-      services:
-        - name: cockpit-external
-          port: 9090
-          serversTransport: cockpit-transport
-  tls:
-    secretName: cockpit-tls
---
-# NetworkPolicy: allow Traefik ingress, allow egress to noc1
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: noc-proxy-netpol
-  namespace: noc-proxy
-spec:
-  podSelector: {}
-  policyTypes:
-    - Ingress
-    - Egress
-  ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: traefik-system
-  egress:
-    - to:
-        - ipBlock:
-            cidr: 10.0.56.10/32
-      ports:
-        - port: 3000
-          protocol: TCP
-        - port: 9090
-          protocol: TCP
-        - port: 9091
-          protocol: TCP
-    - to:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: kube-system
-      ports:
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP
+# NOC Services - Traefik IngressRoutes for noc1 services
+# Proxies internal .iamworkin.lan hostnames to noc1 (10.0.56.10) via
+# headless Service + manual Endpoints (standard K8s external proxy pattern)
+# ArgoCD managed - BlueJay Lab
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: noc-proxy
+  labels:
+    app.kubernetes.io/part-of: bluejay-infra
+---
+# ============================================================
+# BasicAuth - shared across all NOC proxy IngressRoutes
+# ============================================================
+apiVersion: v1
+kind: Secret
+metadata:
+  name: noc-proxy-auth
+  namespace: noc-proxy
+type: Opaque
+data:
+  users: YWRtaW46JDJiJDEwJEZjdlVFNWNpNkxvNi5rZ1k5L3hJV2V5M2tvM3VVY1U5YXJaSlQ4N29ZREtCSi5lNkoucXJD
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: noc-proxy-auth
+  namespace: noc-proxy
+spec:
+  basicAuth:
+    secret: noc-proxy-auth
+---
+# ============================================================
+# Grafana - noc1:3000
+# ============================================================
+apiVersion: v1
+kind: Service
+metadata:
+  name: grafana-external
+  namespace: noc-proxy
+spec:
+  ports:
+    - port: 3000
+      targetPort: 3000
+      name: http
+  clusterIP: None
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: grafana-external
+  namespace: noc-proxy
+subsets:
+  - addresses:
+      - ip: 10.0.56.10
+    ports:
+      - port: 3000
+        name: http
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: grafana-tls
+  namespace: noc-proxy
+spec:
+  secretName: grafana-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - grafana.iamworkin.lan
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: grafana
+  namespace: noc-proxy
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`grafana.iamworkin.lan`)
+      middlewares:
+        - name: noc-proxy-auth
+      services:
+        - name: grafana-external
+          port: 3000
+  tls:
+    secretName: grafana-tls
+---
+# ============================================================
+# Prometheus - noc1:9091
+# ============================================================
+apiVersion: v1
+kind: Service
+metadata:
+  name: prometheus-external
+  namespace: noc-proxy
+spec:
+  ports:
+    - port: 9091
+      targetPort: 9091
+      name: http
+  clusterIP: None
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: prometheus-external
+  namespace: noc-proxy
+subsets:
+  - addresses:
+      - ip: 10.0.56.10
+    ports:
+      - port: 9091
+        name: http
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: prometheus-tls
+  namespace: noc-proxy
+spec:
+  secretName: prometheus-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - prometheus.iamworkin.lan
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: prometheus
+  namespace: noc-proxy
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`prometheus.iamworkin.lan`)
+      middlewares:
+        - name: noc-proxy-auth
+      services:
+        - name: prometheus-external
+          port: 9091
+  tls:
+    secretName: prometheus-tls
+---
+# ============================================================
+# Cockpit - noc1:9090
+# ============================================================
+apiVersion: v1
+kind: Service
+metadata:
+  name: cockpit-external
+  namespace: noc-proxy
+spec:
+  ports:
+    - port: 9090
+      targetPort: 9090
+      name: https
+  clusterIP: None
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: cockpit-external
+  namespace: noc-proxy
+subsets:
+  - addresses:
+      - ip: 10.0.56.10
+    ports:
+      - port: 9090
+        name: https
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cockpit-tls
+  namespace: noc-proxy
+spec:
+  secretName: cockpit-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - cockpit.iamworkin.lan
+---
+# Cockpit uses self-signed HTTPS on 9090, so we need a ServersTransport
+# to skip backend TLS verification
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: cockpit-transport
+  namespace: noc-proxy
+spec:
+  insecureSkipVerify: true
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: cockpit
+  namespace: noc-proxy
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`cockpit.iamworkin.lan`)
+      middlewares:
+        - name: noc-proxy-auth
+      services:
+        - name: cockpit-external
+          port: 9090
+          serversTransport: cockpit-transport
+  tls:
+    secretName: cockpit-tls
+---
+# NetworkPolicy: allow Traefik ingress, allow egress to noc1
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: noc-proxy-netpol
+  namespace: noc-proxy
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik-system
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 10.0.56.10/32
+      ports:
+        - port: 3000
+          protocol: TCP
+        - port: 9090
+          protocol: TCP
+        - port: 9091
+          protocol: TCP
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP