From b754d947d5decfa9e83ea3cb60cd7017f8ed355e Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Tue, 2 Jun 2026 22:50:10 +1000
Subject: [PATCH] feat: add auth.unkin.net proxying to Kubernetes Traefik ingress (#467)

Add static haproxy2 backends for syd1 Kubernetes Traefik ingress (external 198.18.199.0, internal 198.18.200.4) and route auth.unkin.net to the internal backend with Let's Encrypt cert.

Reviewed-on: https://git.unkin.net/unkin/puppet-prod/pulls/467
---
 .../au/region/syd1/infra/halb/haproxy2.yaml | 30 +++++++++++++++++++
 hieradata/roles/infra/pki/certbot.yaml      |  1 +
 2 files changed, 31 insertions(+)

diff --git a/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml b/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
index 66e37a6..ea957a6 100644
--- a/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
+++ b/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
@@ -1,4 +1,7 @@
 ---
+haproxy_server_k8s_syd1_traefik_internal: 'k8s-traefik-internal 198.18.200.4:443 ssl verify none check inter 2s rise 3 fall 2'
+haproxy_server_k8s_syd1_traefik_external: 'k8s-traefik-external 198.18.199.0:443 ssl verify none check inter 2s rise 3 fall 2'
+
 profiles::haproxy::dns::ipaddr: "%{hiera('anycast_ip')}"
 profiles::haproxy::dns::vrrp_cnames:
   - sonarr.main.unkin.net
@@ -16,6 +19,7 @@ profiles::haproxy::dns::vrrp_cnames:
   - mail.main.unkin.net
   - autoconfig.main.unkin.net
   - autodiscover.main.unkin.net
+  - auth.unkin.net
 
 profiles::haproxy::mappings:
   fe_http:
@@ -37,6 +41,7 @@ profiles::haproxy::mappings:
       - 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
       - 'autoconfig.main.unkin.net be_stalwart_webadmin'
      - 'autodiscovery.main.unkin.net be_stalwart_webadmin'
+      - 'auth.unkin.net be_k8s_kanidm'
   fe_https:
     ensure: present
     mappings:
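Review bot: Both new server strings in the first hunk use `ssl verify none`, so haproxy2 encrypts the hop to the Traefik ingress at 198.18.200.4 and 198.18.199.0 but never authenticates it, and anything on that path able to answer for those addresses could terminate the auth.unkin.net session unnoticed. Because the be_k8s_kanidm server line in the backends hunk already sets `sni str(auth.unkin.net)`, changing the strings to `ssl verify required ca-file <PATH_TO_INGRESS_CA_BUNDLE>` would give hostname verification against that SNI with no other edit; if Traefik presents a cluster-internal rather than public certificate, that bundle is the CA to pin. `haproxy_server_k8s_syd1_traefik_external` is defined here but nothing else in this patch looks it up, so it appears to be a dangling hiera key unless a later change consumes it.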
@@ -56,6 +61,7 @@ profiles::haproxy::mappings:
       - 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
       - 'autoconfig.main.unkin.net be_stalwart_webadmin'
       - 'autodiscovery.main.unkin.net be_stalwart_webadmin'
+      - 'auth.unkin.net be_k8s_kanidm'
 
 profiles::haproxy::frontends:
   fe_http:
@@ -80,6 +86,7 @@ profiles::haproxy::frontends:
         - 'acl_stalwart_webadmin req.hdr(host) -i mail-webadmin.main.unkin.net'
         - 'acl_stalwart_webadmin req.hdr(host) -i autoconfig.main.unkin.net'
         - 'acl_stalwart_webadmin req.hdr(host) -i autodiscovery.main.unkin.net'
+        - 'acl_kanidm req.hdr(host) -i auth.unkin.net'
         - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
       use_backend:
         - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@@ -99,6 +106,7 @@ profiles::haproxy::frontends:
         - 'set-header X-Frame-Options DENY if acl_grafana'
         - 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
         - 'set-header X-Frame-Options DENY if acl_stalwart_webadmin'
+        - 'set-header X-Frame-Options DENY if acl_kanidm'
         - 'set-header X-Content-Type-Options nosniff'
         - 'set-header X-XSS-Protection 1;mode=block'
 
@@ -320,6 +328,26 @@ profiles::haproxy::backends:
         - add-header X-Forwarded-Proto https if { dst_port 9443 }
       redirect: 'scheme https if !{ ssl_fc }'
       stick-table: 'type ip size 200k expire 30m'
+  be_k8s_kanidm:
+    description: Backend for Kanidm (auth.unkin.net via Kubernetes internal Traefik)
+    collect_exported: false
+    options:
+      balance: roundrobin
+      option:
+        - httpchk
+        - forwardfor
+        - http-keep-alive
+        - prefer-last-server
+      http-check:
+        - 'connect ssl sni auth.unkin.net'
+        - 'send meth GET uri /status ver HTTP/1.1 hdr Host auth.unkin.net'
+        - 'expect status 200'
+      http-reuse: always
+      http-request:
+        - set-header X-Forwarded-Port %[dst_port]
+        - add-header X-Forwarded-Proto https if { dst_port 443 }
+      redirect: 'scheme https if !{ ssl_fc }'
+      server: "%{lookup('haproxy_server_k8s_syd1_traefik_internal')} sni str(auth.unkin.net)"
   be_stalwart_imap:
     description: Backend for Stalwart IMAP (STARTTLS)
     collect_exported: false
@@ -393,6 +421,7 @@ profiles::haproxy::certlist::certificates:
   - /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
   - /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
   - /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem
+  - /etc/pki/tls/letsencrypt/auth.unkin.net/fullchain_combined.pem
   - /etc/pki/tls/vault/certificate.pem
 
 # additional altnames
@@ -422,3 +451,4 @@ certbot::client::domains:
   - git.unkin.net
   - grafana.unkin.net
   - dashboard.ceph.unkin.net
+  - auth.unkin.net
diff --git a/hieradata/roles/infra/pki/certbot.yaml b/hieradata/roles/infra/pki/certbot.yaml
index 9891134..51fd58f 100644
--- a/hieradata/roles/infra/pki/certbot.yaml
+++ b/hieradata/roles/infra/pki/certbot.yaml
@@ -16,3 +16,4 @@ certbot::domains:
   - git.unkin.net
   - grafana.unkin.net
   - dashboard.ceph.unkin.net
+  - auth.unkin.net
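Review bot: The be_k8s_kanidm backend emits X-Forwarded-For (via `forwardfor`), X-Forwarded-Port and X-Forwarded-Proto, but nothing in this repo shows Kanidm being told to trust them; unless the Kanidm server is configured with `trust_x_forward_for = true`, its audit log and any per-client limits will presumably see haproxy2's address rather than the real client, so the Kubernetes-side configuration should be confirmed alongside this change. The `/status` health check and the proxy-header coupling are worth a line for the next maintainer, e.g. `# /status is Kanidm's health endpoint; X-Forwarded-* are only meaningful if Kanidm's trust_x_forward_for is enabled` above `options:`. Note also that the health check's `connect ssl sni auth.unkin.net` inherits the `verify none` from the server string, so a healthy check does not prove the right endpoint answered.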