bluejay-infra/apps/noc-services/noc-services.yaml

# NOC Services - Traefik IngressRoutes for noc1 services
# Proxies internal .iamworkin.lan hostnames to noc1 (10.0.56.10) via
# headless Service + manual Endpoints (standard K8s external proxy pattern)
# ArgoCD managed - BlueJay Lab
---
apiVersion: v1
kind: Namespace
metadata:
  name: noc-proxy
  labels:
    app.kubernetes.io/part-of: bluejay-infra
---
# ============================================================
# BasicAuth - shared across all NOC proxy IngressRoutes
# ============================================================
apiVersion: v1
kind: Secret
metadata:
  name: noc-proxy-auth
  namespace: noc-proxy
type: Opaque
data:
  users: YWRtaW46JDJiJDEwJEZjdlVFNWNpNkxvNi5rZ1k5L3hJV2V5M2tvM3VVY1U5YXJaSlQ4N29ZREtCSi5lNkoucXJD
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: noc-proxy-auth
  namespace: noc-proxy
spec:
  basicAuth:
    secret: noc-proxy-auth
---
# ============================================================
# Grafana - noc1:3000
# ============================================================
apiVersion: v1
kind: Service
metadata:
  name: grafana-external
  namespace: noc-proxy
spec:
  ports:
    - port: 3000
      targetPort: 3000
      name: http
  clusterIP: None
---
apiVersion: v1
kind: Endpoints
metadata:
  name: grafana-external
  namespace: noc-proxy
subsets:
  - addresses:
      - ip: 10.0.56.10
    ports:
      - port: 3000
        name: http
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: grafana-tls
  namespace: noc-proxy
spec:
  secretName: grafana-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - grafana.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: grafana
  namespace: noc-proxy
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`grafana.iamworkin.lan`)
      middlewares:
        - name: noc-proxy-auth
      services:
        - name: grafana-external
          port: 3000
  tls:
    secretName: grafana-tls
---
# ============================================================
# Prometheus - noc1:9091
# ============================================================
apiVersion: v1
kind: Service
metadata:
  name: prometheus-external
  namespace: noc-proxy
spec:
  ports:
    - port: 9091
      targetPort: 9091
      name: http
  clusterIP: None
---
apiVersion: v1
kind: Endpoints
metadata:
  name: prometheus-external
  namespace: noc-proxy
subsets:
  - addresses:
      - ip: 10.0.56.10
    ports:
      - port: 9091
        name: http
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: prometheus-tls
  namespace: noc-proxy
spec:
  secretName: prometheus-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - prometheus.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: prometheus
  namespace: noc-proxy
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`prometheus.iamworkin.lan`)
      middlewares:
        - name: noc-proxy-auth
      services:
        - name: prometheus-external
          port: 9091
  tls:
    secretName: prometheus-tls
---
# ============================================================
# Cockpit - noc1:9090
# ============================================================
apiVersion: v1
kind: Service
metadata:
  name: cockpit-external
  namespace: noc-proxy
spec:
  ports:
    - port: 9090
      targetPort: 9090
      name: https
  clusterIP: None
---
apiVersion: v1
kind: Endpoints
metadata:
  name: cockpit-external
  namespace: noc-proxy
subsets:
  - addresses:
      - ip: 10.0.56.10
    ports:
      - port: 9090
        name: https
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cockpit-tls
  namespace: noc-proxy
spec:
  secretName: cockpit-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - cockpit.iamworkin.lan
---
# Cockpit uses self-signed HTTPS on 9090, so we need a ServersTransport
# to skip backend TLS verification
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: cockpit-transport
  namespace: noc-proxy
spec:
  insecureSkipVerify: true
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: cockpit
  namespace: noc-proxy
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`cockpit.iamworkin.lan`)
      middlewares:
        - name: noc-proxy-auth
      services:
        - name: cockpit-external
          port: 9090
          serversTransport: cockpit-transport
  tls:
    secretName: cockpit-tls
---
# NetworkPolicy: allow Traefik ingress, allow egress to noc1
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: noc-proxy-netpol
  namespace: noc-proxy
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.56.10/32
      ports:
        - port: 3000
          protocol: TCP
        - port: 9090
          protocol: TCP
        - port: 9091
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP