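# NOC Services - Traefik IngressRoutes for noc1 services
# Proxies internal .iamworkin.lan hostnames to noc1 (10.0.56.10) via
# headless Service + manual Endpoints (standard K8s external proxy pattern)
# ArgoCD managed - BlueJay Lab
#
# Layout, repeated per proxied service:
#   - headless Service (clusterIP: None, no selector) + hand-written Endpoints
#     pointing at 10.0.56.10
#   - cert-manager Certificate issued by the step-ca-acme ClusterIssuer
#   - Traefik IngressRoute on the websecure entrypoint, guarded by the shared
#     noc-proxy-auth BasicAuth middleware
# NOTE(review): `Endpoints` is superseded by EndpointSlice on newer clusters;
# confirm the cluster version still accepts manually managed Endpoints.
---
apiVersion: v1
kind: Namespace
metadata:
  name: noc-proxy
  labels:
    app.kubernetes.io/part-of: bluejay-infra
---
# ============================================================
# BasicAuth - shared across all NOC proxy IngressRoutes
# ============================================================
# `users` is htpasswd format (user:bcrypt-hash), base64-encoded. Only the
# hash is stored, but it lives in a Git-managed manifest, so anyone with read
# access to the repo can attempt offline cracking. Prefer sourcing this Secret
# from a sealed/external-secret mechanism and rotate the password if the repo
# is shared more widely than the lab.
apiVersion: v1
kind: Secret
metadata:
  name: noc-proxy-auth
  namespace: noc-proxy
type: Opaque
data:
  users: YWRtaW46JDJiJDEwJEZjdlVFNWNpNkxvNi5rZ1k5L3hJV2V5M2tvM3VVY1U5YXJaSlQ4N29ZREtCSi5lNkoucXJD
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: noc-proxy-auth
  namespace: noc-proxy
spec:
  basicAuth:
    secret: noc-proxy-auth
    # Strip the proxy's Authorization header before forwarding. Backends with
    # their own login (Grafana, Cockpit) may otherwise treat the proxy
    # credentials as a failed login against their own user store.
    removeHeader: true
---
# ============================================================
# Grafana - noc1:3000
# ============================================================
apiVersion: v1
kind: Service
metadata:
  name: grafana-external
  namespace: noc-proxy
spec:
  ports:
    - port: 3000
      targetPort: 3000
      name: http
  # Headless and selector-less: the Endpoints object below supplies the target.
  clusterIP: None
---
apiVersion: v1
kind: Endpoints
metadata:
  name: grafana-external
  namespace: noc-proxy
subsets:
  - addresses:
      - ip: 10.0.56.10
    ports:
      - port: 3000
        name: http
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: grafana-tls
  namespace: noc-proxy
spec:
  secretName: grafana-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - grafana.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: grafana
  namespace: noc-proxy
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`grafana.iamworkin.lan`)
      middlewares:
        - name: noc-proxy-auth
      services:
        - name: grafana-external
          port: 3000
  tls:
    secretName: grafana-tls
---
# ============================================================
# Prometheus - noc1:9091
# ============================================================
apiVersion: v1
kind: Service
metadata:
  name: prometheus-external
  namespace: noc-proxy
spec:
  ports:
    - port: 9091
      targetPort: 9091
      name: http
  clusterIP: None
---
apiVersion: v1
kind: Endpoints
metadata:
  name: prometheus-external
  namespace: noc-proxy
subsets:
  - addresses:
      - ip: 10.0.56.10
    ports:
      - port: 9091
        name: http
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: prometheus-tls
  namespace: noc-proxy
spec:
  secretName: prometheus-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - prometheus.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: prometheus
  namespace: noc-proxy
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`prometheus.iamworkin.lan`)
      # Prometheus has no built-in authentication; the BasicAuth middleware is
      # the only access control on this route.
      middlewares:
        - name: noc-proxy-auth
      services:
        - name: prometheus-external
          port: 9091
  tls:
    secretName: prometheus-tls
---
# ============================================================
# Cockpit - noc1:9090
# ============================================================
apiVersion: v1
kind: Service
metadata:
  name: cockpit-external
  namespace: noc-proxy
spec:
  ports:
    - port: 9090
      targetPort: 9090
      # Port name `https` makes Traefik use an https scheme to the backend;
      # keep it in sync with the Endpoints port name below.
      name: https
  clusterIP: None
---
apiVersion: v1
kind: Endpoints
metadata:
  name: cockpit-external
  namespace: noc-proxy
subsets:
  - addresses:
      - ip: 10.0.56.10
    ports:
      - port: 9090
        name: https
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cockpit-tls
  namespace: noc-proxy
spec:
  secretName: cockpit-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - cockpit.iamworkin.lan
---
# Cockpit uses self-signed HTTPS on 9090, so we need a ServersTransport
# to skip backend TLS verification.
# Risk: with verification disabled, the Traefik -> noc1 hop is encrypted but
# not authenticated, so a host on that path could impersonate Cockpit and
# capture the forwarded login. If Cockpit's certificate (or the CA that signs
# it) can be placed in a Secret, prefer `rootCAsSecrets` over
# `insecureSkipVerify`.
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: cockpit-transport
  namespace: noc-proxy
spec:
  insecureSkipVerify: true
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: cockpit
  namespace: noc-proxy
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`cockpit.iamworkin.lan`)
      middlewares:
        - name: noc-proxy-auth
      services:
        - name: cockpit-external
          port: 9090
          serversTransport: cockpit-transport
  tls:
    secretName: cockpit-tls
---
# ============================================================
# PuppetDB Dashboard - noc1:8080 (HTTP, web UI only)
# Agent-to-PuppetDB mTLS still uses port 8081 directly via Puppet CA
# (NOT via this proxy). See docs/infrastructure/cert-recovery-2026-04-28.md
# ============================================================
apiVersion: v1
kind: Service
metadata:
  name: puppetdb-external
  namespace: noc-proxy
spec:
  ports:
    - port: 8080
      targetPort: 8080
      name: http
  clusterIP: None
---
apiVersion: v1
kind: Endpoints
metadata:
  name: puppetdb-external
  namespace: noc-proxy
subsets:
  - addresses:
      - ip: 10.0.56.10
    ports:
      - port: 8080
        name: http
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: puppetdb-tls
  namespace: noc-proxy
spec:
  secretName: puppetdb-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - puppetdb.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: puppetdb
  namespace: noc-proxy
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`puppetdb.iamworkin.lan`)
      # The other NOC routes apply noc-proxy-auth; this one previously did not,
      # leaving the plain-HTTP dashboard reachable with only the hostname.
      # Applied here for consistency with the "shared across all" intent above.
      # NOTE(review): port 8080 on PuppetDB commonly serves the query API as
      # well as the dashboard — confirm nothing unauthenticated depends on it
      # through this hostname.
      middlewares:
        - name: noc-proxy-auth
      services:
        - name: puppetdb-external
          port: 8080
  tls:
    secretName: puppetdb-tls
---
# NetworkPolicy: allow Traefik ingress, allow egress to noc1
# NOTE(review): `podSelector: {}` selects pods in noc-proxy, and this file
# defines none (only Services/Endpoints); the proxying pods run in
# traefik-system. As written this policy constrains nothing — the egress to
# 10.0.56.10 would need to be granted in traefik-system's policies. Confirm
# intent.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: noc-proxy-netpol
  namespace: noc-proxy
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.56.10/32
      ports:
        - port: 3000
          protocol: TCP
        - port: 8080
          protocol: TCP
        - port: 9090
          protocol: TCP
        - port: 9091
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP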