bluejay-infra/apps/noc-services/noc-services.yaml


# NOC Services - Traefik IngressRoutes for noc1 services
# Proxies internal .iamworkin.lan hostnames to noc1 (10.0.56.10) via
# headless Service + manual Endpoints (standard K8s external proxy pattern)
# ArgoCD managed - BlueJay Lab
---
kind: Namespace
apiVersion: v1
metadata:
  # Namespace for the noc1 proxy plumbing (Services, Endpoints, certificates,
  # IngressRoutes). This file defines no workloads in it.
  name: noc-proxy
  labels:
    app.kubernetes.io/part-of: bluejay-infra
---
# ============================================================
# BasicAuth - shared across all NOC proxy IngressRoutes
# ============================================================
kind: Secret
apiVersion: v1
type: Opaque
metadata:
  name: noc-proxy-auth
  namespace: noc-proxy
# `users` holds the htpasswd-style "user:hash" lines read by Traefik's
# basicAuth middleware. Decoded, the value is a single `admin` entry with a
# bcrypt ($2b$10$) hash.
# NOTE(review): the hash is committed to a Git-managed (ArgoCD) repo, so
# anyone with read access to the repo can run offline guessing against it.
# Either treat repo read access as part of the auth boundary, or keep only a
# reference here and source the value from a sealed/external secret
# mechanism; rotate the password if the repo has been shared.
data:
  users: YWRtaW46JDJiJDEwJEZjdlVFNWNpNkxvNi5rZ1k5L3hJV2V5M2tvM3VVY1U5YXJaSlQ4N29ZREtCSi5lNkoucXJD
---
kind: Middleware
apiVersion: traefik.io/v1alpha1
metadata:
  name: noc-proxy-auth
  namespace: noc-proxy
spec:
  # HTTP Basic authentication against the `users` key of the Secret with the
  # same name.
  # NOTE(review): `removeHeader` is not set (Traefik's default is false), so
  # the client's Authorization header is forwarded to noc1 with every
  # request, and for the 3000/8080/9091 backends that hop is plain HTTP.
  # Backends that honour Basic auth themselves will see these credentials
  # and may try to log in with them. Set `removeHeader: true` unless some
  # backend is deliberately meant to receive them — confirm with the owner.
  basicAuth:
    secret: noc-proxy-auth
---
# ============================================================
# Grafana - noc1:3000
# ============================================================
# Selector-less headless Service: provides the in-cluster name only; the
# backend address comes from the matching Endpoints object.
kind: Service
apiVersion: v1
metadata:
  name: grafana-external
  namespace: noc-proxy
spec:
  type: ClusterIP
  clusterIP: None
  ports:
    - name: http
      protocol: TCP
      port: 3000
      targetPort: 3000
---
# Hand-maintained Endpoints for grafana-external; the name must match the
# Service above and the port name/number must match its `ports` entry.
# NOTE(review): core/v1 Endpoints is deprecated in favour of EndpointSlice in
# recent Kubernetes releases (still served, but plan the migration).
kind: Endpoints
apiVersion: v1
metadata:
  name: grafana-external
  namespace: noc-proxy
subsets:
  - ports:
      - name: http
        protocol: TCP
        port: 3000
    addresses:
      - ip: 10.0.56.10
---
# Server certificate for the Grafana vhost, issued by the internal step-ca
# ACME ClusterIssuer and stored as Secret grafana-tls for the IngressRoute.
# NOTE(review): no privateKey.rotationPolicy is set; cert-manager's default
# reuses the same private key on every renewal. `rotationPolicy: Always`
# is the usual recommendation — confirm it fits the lab's tooling.
kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
  name: grafana-tls
  namespace: noc-proxy
spec:
  dnsNames:
    - grafana.iamworkin.lan
  issuerRef:
    kind: ClusterIssuer
    name: step-ca-acme
  secretName: grafana-tls
---
# https://grafana.iamworkin.lan -> noc1:3000. TLS terminates at Traefik with
# the cert-manager certificate; the hop from Traefik to noc1 is plain HTTP.
# The Host() rule has no path restriction, so every path on this vhost is
# forwarded, all behind the shared Basic-auth middleware.
kind: IngressRoute
apiVersion: traefik.io/v1alpha1
metadata:
  name: grafana
  namespace: noc-proxy
spec:
  entryPoints:
    - websecure
  tls:
    secretName: grafana-tls
  routes:
    - kind: Rule
      match: Host(`grafana.iamworkin.lan`)
      middlewares:
        - name: noc-proxy-auth
      services:
        - name: grafana-external
          port: 3000
---
# ============================================================
# Prometheus - noc1:9091
# ============================================================
# Selector-less headless Service for Prometheus on noc1; the address comes
# from the matching Endpoints object. Note the non-default port 9091
# (9090 on noc1 is Cockpit).
kind: Service
apiVersion: v1
metadata:
  name: prometheus-external
  namespace: noc-proxy
spec:
  type: ClusterIP
  clusterIP: None
  ports:
    - name: http
      protocol: TCP
      port: 9091
      targetPort: 9091
---
# Hand-maintained Endpoints for prometheus-external; name and port entry
# must match the Service above.
# NOTE(review): core/v1 Endpoints is deprecated in favour of EndpointSlice in
# recent Kubernetes releases (still served, but plan the migration).
kind: Endpoints
apiVersion: v1
metadata:
  name: prometheus-external
  namespace: noc-proxy
subsets:
  - ports:
      - name: http
        protocol: TCP
        port: 9091
    addresses:
      - ip: 10.0.56.10
---
# Server certificate for the Prometheus vhost from the step-ca ACME
# ClusterIssuer, stored as Secret prometheus-tls.
# NOTE(review): privateKey.rotationPolicy is unset (cert-manager default
# reuses the key on renewal); `Always` is the usual recommendation.
kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
  name: prometheus-tls
  namespace: noc-proxy
spec:
  dnsNames:
    - prometheus.iamworkin.lan
  issuerRef:
    kind: ClusterIssuer
    name: step-ca-acme
  secretName: prometheus-tls
---
# https://prometheus.iamworkin.lan -> noc1:9091. TLS terminates at Traefik;
# Traefik -> noc1 is plain HTTP. No path restriction: the whole Prometheus
# UI and HTTP API on this vhost sit behind the shared Basic-auth middleware.
kind: IngressRoute
apiVersion: traefik.io/v1alpha1
metadata:
  name: prometheus
  namespace: noc-proxy
spec:
  entryPoints:
    - websecure
  tls:
    secretName: prometheus-tls
  routes:
    - kind: Rule
      match: Host(`prometheus.iamworkin.lan`)
      middlewares:
        - name: noc-proxy-auth
      services:
        - name: prometheus-external
          port: 9091
---
# ============================================================
# Cockpit - noc1:9090
# ============================================================
# Selector-less headless Service for Cockpit on noc1 (HTTPS on 9090); the
# address comes from the matching Endpoints object.
kind: Service
apiVersion: v1
metadata:
  name: cockpit-external
  namespace: noc-proxy
spec:
  type: ClusterIP
  clusterIP: None
  ports:
    - name: https
      protocol: TCP
      port: 9090
      targetPort: 9090
---
# Hand-maintained Endpoints for cockpit-external; name and port entry must
# match the Service above.
# NOTE(review): core/v1 Endpoints is deprecated in favour of EndpointSlice in
# recent Kubernetes releases (still served, but plan the migration).
kind: Endpoints
apiVersion: v1
metadata:
  name: cockpit-external
  namespace: noc-proxy
subsets:
  - ports:
      - name: https
        protocol: TCP
        port: 9090
    addresses:
      - ip: 10.0.56.10
---
# Server certificate for the Cockpit vhost from the step-ca ACME
# ClusterIssuer, stored as Secret cockpit-tls. This is the client-facing
# cert only; the Traefik -> Cockpit hop uses Cockpit's own certificate.
# NOTE(review): privateKey.rotationPolicy is unset (cert-manager default
# reuses the key on renewal); `Always` is the usual recommendation.
kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
  name: cockpit-tls
  namespace: noc-proxy
spec:
  dnsNames:
    - cockpit.iamworkin.lan
  issuerRef:
    kind: ClusterIssuer
    name: step-ca-acme
  secretName: cockpit-tls
---
# Cockpit on noc1:9090 presents a self-signed certificate, so the default
# transport would reject it; this transport disables verification on the
# Traefik -> noc1 hop.
# NOTE(review): insecureSkipVerify accepts ANY certificate, so anything able
# to sit on the path to 10.0.56.10 can impersonate Cockpit and collect the
# forwarded session/credentials. The tighter fix is to put Cockpit's cert
# (or the CA that signed it) in a Secret and reference it via
# `rootCAsSecrets` (optionally with `serverName`), then drop this flag.
kind: ServersTransport
apiVersion: traefik.io/v1alpha1
metadata:
  name: cockpit-transport
  namespace: noc-proxy
spec:
  insecureSkipVerify: true
---
# https://cockpit.iamworkin.lan -> https://noc1:9090 via cockpit-transport
# (backend TLS unverified, see the ServersTransport above). The whole vhost
# is behind the shared Basic-auth middleware.
# NOTE(review): Cockpit performs its own login and, behind a reverse proxy,
# validates the websocket Origin against its server-side config; if the
# session does not establish, check noc1's cockpit.conf for this hostname.
kind: IngressRoute
apiVersion: traefik.io/v1alpha1
metadata:
  name: cockpit
  namespace: noc-proxy
spec:
  entryPoints:
    - websecure
  tls:
    secretName: cockpit-tls
  routes:
    - kind: Rule
      match: Host(`cockpit.iamworkin.lan`)
      middlewares:
        - name: noc-proxy-auth
      services:
        - name: cockpit-external
          port: 9090
          serversTransport: cockpit-transport
---
# ============================================================
# PuppetDB Dashboard - noc1:8080 (HTTP). The route forwards every path on
# this host to port 8080, not only the dashboard pages.
# Agent-to-PuppetDB mTLS still uses port 8081 directly via Puppet CA
# (NOT via this proxy). See docs/infrastructure/cert-recovery-2026-04-28.md
# ============================================================
# Selector-less headless Service for PuppetDB's cleartext port on noc1; the
# address comes from the matching Endpoints object.
kind: Service
apiVersion: v1
metadata:
  name: puppetdb-external
  namespace: noc-proxy
spec:
  type: ClusterIP
  clusterIP: None
  ports:
    - name: http
      protocol: TCP
      port: 8080
      targetPort: 8080
---
# Hand-maintained Endpoints for puppetdb-external; name and port entry must
# match the Service above.
# NOTE(review): core/v1 Endpoints is deprecated in favour of EndpointSlice in
# recent Kubernetes releases (still served, but plan the migration).
kind: Endpoints
apiVersion: v1
metadata:
  name: puppetdb-external
  namespace: noc-proxy
subsets:
  - ports:
      - name: http
        protocol: TCP
        port: 8080
    addresses:
      - ip: 10.0.56.10
---
# Server certificate for the PuppetDB vhost from the step-ca ACME
# ClusterIssuer, stored as Secret puppetdb-tls. Unrelated to the Puppet CA
# that agents use for port 8081.
# NOTE(review): privateKey.rotationPolicy is unset (cert-manager default
# reuses the key on renewal); `Always` is the usual recommendation.
kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
  name: puppetdb-tls
  namespace: noc-proxy
spec:
  dnsNames:
    - puppetdb.iamworkin.lan
  issuerRef:
    kind: ClusterIssuer
    name: step-ca-acme
  secretName: puppetdb-tls
---
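# https://puppetdb.iamworkin.lan -> noc1:8080 (plain HTTP from Traefik).
# The Host() rule has no path restriction, so everything PuppetDB serves on
# its cleartext port — not just the dashboard — is reachable through this
# vhost. Fix: this was the only NOC route without the shared Basic-auth
# middleware, leaving that port anonymously reachable from wherever the
# websecure entrypoint is exposed; it now uses noc-proxy-auth like the
# Grafana, Prometheus and Cockpit routes.
# NOTE(review): PuppetDB's cleartext port is normally expected to be bound
# to localhost because it serves the query/admin API without its own auth —
# confirm against noc1's PuppetDB config, and consider restricting the rule
# with a PathPrefix for the dashboard if the API should not be proxied.
kind: IngressRoute
apiVersion: traefik.io/v1alpha1
metadata:
  name: puppetdb
  namespace: noc-proxy
spec:
  entryPoints:
    - websecure
  tls:
    secretName: puppetdb-tls
  routes:
    - kind: Rule
      match: Host(`puppetdb.iamworkin.lan`)
      middlewares:
        - name: noc-proxy-auth
      services:
        - name: puppetdb-external
          port: 8080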
---
# NetworkPolicy for pods in noc-proxy: ingress only from the traefik-system
# namespace; egress only to noc1 on the four proxied ports and to DNS in
# kube-system.
# NOTE(review): a NetworkPolicy constrains only the pods its podSelector
# matches in its own namespace. `podSelector: {}` selects every pod in
# noc-proxy, but this file defines no pods here, and the Traefik -> noc1
# connections originate from Traefik's pods in traefik-system — so this
# policy does not actually govern the traffic described above. Confirm
# whether any workload lives in noc-proxy; if the intent is to fence the
# proxy hop, the egress rule to 10.0.56.10/32 belongs on Traefik's pods in
# traefik-system.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: noc-proxy-netpol
  namespace: noc-proxy
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only Traefik may connect in.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
  egress:
    # Cluster DNS.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # noc1 only, on the proxied service ports.
    - to:
        - ipBlock:
            cidr: 10.0.56.10/32
      ports:
        - protocol: TCP
          port: 3000
        - protocol: TCP
          port: 8080
        - protocol: TCP
          port: 9090
        - protocol: TCP
          port: 9091