From 1af9979cc7c4b21ba5b7c806df8b5e5990179a5d Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Tue, 2 Jun 2026 17:44:33 +1000
Subject: [PATCH] feat: add auth.unkin.net proxying to Kubernetes Traefik ingress

Add static haproxy2 backends for syd1 Kubernetes Traefik ingress (external 198.18.199.0, internal 198.18.200.4) and route auth.unkin.net to the internal backend with Let's Encrypt cert.
---
 .../au/region/syd1/infra/halb/haproxy2.yaml | 30 +++++++++++++++++++
 hieradata/roles/infra/pki/certbot.yaml | 1 +
 2 files changed, 31 insertions(+)

diff --git a/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml b/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
index 66e37a6..ea957a6 100644
--- a/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
+++ b/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
@@ -1,4 +1,7 @@
 ---
+haproxy_server_k8s_syd1_traefik_internal: 'k8s-traefik-internal 198.18.200.4:443 ssl verify none check inter 2s rise 3 fall 2'
+haproxy_server_k8s_syd1_traefik_external: 'k8s-traefik-external 198.18.199.0:443 ssl verify none check inter 2s rise 3 fall 2'
+
 profiles::haproxy::dns::ipaddr: "%{hiera('anycast_ip')}"
 profiles::haproxy::dns::vrrp_cnames:
   - sonarr.main.unkin.net
@@ -16,6 +19,7 @@ profiles::haproxy::dns::vrrp_cnames:
   - mail.main.unkin.net
   - autoconfig.main.unkin.net
   - autodiscover.main.unkin.net
+  - auth.unkin.net
 
 profiles::haproxy::mappings:
   fe_http:
@@ -37,6 +41,7 @@ profiles::haproxy::mappings:
       - 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
       - 'autoconfig.main.unkin.net be_stalwart_webadmin'
       - 'autodiscovery.main.unkin.net be_stalwart_webadmin'
+      - 'auth.unkin.net be_k8s_kanidm'
   fe_https:
     ensure: present
     mappings:
@@ -56,6 +61,7 @@ profiles::haproxy::mappings:
       - 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
       - 'autoconfig.main.unkin.net be_stalwart_webadmin'
       - 'autodiscovery.main.unkin.net be_stalwart_webadmin'
+      - 'auth.unkin.net be_k8s_kanidm'
 
 profiles::haproxy::frontends:
   fe_http:
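Review bot: Both new server strings in the first hunk carry `ssl verify none`, so HAProxy encrypts the hop to the Traefik ingress but never authenticates it; the `server:` line of the be_k8s_kanidm backend in a later hunk reuses the internal entry, which means whatever answers on 198.18.200.4:443 is accepted as the identity provider behind auth.unkin.net. For a backend that fronts an IdP, `ssl verify required ca-file <path to the CA that signs the ingress certificate>` together with the existing `sni str(auth.unkin.net)` gives HAProxy a way to detect a substituted endpoint; if the ingress presents a certificate that cannot be validated today, a comment on the key recording that decision is the minimum. Separately, `haproxy_server_k8s_syd1_traefik_external` is defined but nothing in this commit looks it up, so a comment such as `# Not referenced yet; reserved for services routed via the public Traefik ingress` would make the unused key intentional rather than a leftover.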
@@ -80,6 +86,7 @@ profiles::haproxy::frontends:
        - 'acl_stalwart_webadmin req.hdr(host) -i mail-webadmin.main.unkin.net'
        - 'acl_stalwart_webadmin req.hdr(host) -i autoconfig.main.unkin.net'
        - 'acl_stalwart_webadmin req.hdr(host) -i autodiscovery.main.unkin.net'
+        - 'acl_kanidm req.hdr(host) -i auth.unkin.net'
        - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
      use_backend:
        - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@@ -99,6 +106,7 @@ profiles::haproxy::frontends:
        - 'set-header X-Frame-Options DENY if acl_grafana'
        - 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
        - 'set-header X-Frame-Options DENY if acl_stalwart_webadmin'
+        - 'set-header X-Frame-Options DENY if acl_kanidm'
        - 'set-header X-Content-Type-Options nosniff'
        - 'set-header X-XSS-Protection 1;mode=block'
 
@@ -320,6 +328,26 @@ profiles::haproxy::backends:
        - add-header X-Forwarded-Proto https if { dst_port 9443 }
      redirect: 'scheme https if !{ ssl_fc }'
      stick-table: 'type ip size 200k expire 30m'
+  be_k8s_kanidm:
+    description: Backend for Kanidm (auth.unkin.net via Kubernetes internal Traefik)
+    collect_exported: false
+    options:
+      balance: roundrobin
+      option:
+        - httpchk
+        - forwardfor
+        - http-keep-alive
+        - prefer-last-server
+      http-check:
+        - 'connect ssl sni auth.unkin.net'
+        - 'send meth GET uri /status ver HTTP/1.1 hdr Host auth.unkin.net'
+        - 'expect status 200'
+      http-reuse: always
+      http-request:
+        - set-header X-Forwarded-Port %[dst_port]
+        - add-header X-Forwarded-Proto https if { dst_port 443 }
+      redirect: 'scheme https if !{ ssl_fc }'
+      server: "%{lookup('haproxy_server_k8s_syd1_traefik_internal')} sni str(auth.unkin.net)"
   be_stalwart_imap:
     description: Backend for Stalwart IMAP (STARTTLS)
     collect_exported: false
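Review bot: The response-header stanza in the `@@ -99,6 +106,7 @@` hunk gives acl_kanidm the same X-Frame-Options DENY as the other admin UIs but no Strict-Transport-Security, and none of the visible context lines set one for the frontend as a whole; the rest of the header list is outside the hunk, so this may already be covered. If it is not, `- 'set-header Strict-Transport-Security max-age=63072000 if acl_kanidm'` next to the new line would keep browsers on TLS for the identity provider after the backend's scheme redirect has fired once. The frontend definition starts and ends outside this hunk.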
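Review bot: In be_k8s_kanidm the X-Forwarded-Proto rule fires on `{ dst_port 443 }` while the redirect two lines below keys on `!{ ssl_fc }`; the two only agree if the https frontend binds port 443 alone, which the hunk does not show, so `- add-header X-Forwarded-Proto https if { ssl_fc }` would tie the header to what was actually negotiated instead of to a port number copied from the stalwart block above it. The backend also relies on `forwardfor` to pass the client address, but Traefik sits between HAProxy and Kanidm and will only forward that header if it is configured to trust the HAProxy nodes as proxies, which this change cannot verify; worth confirming, since Kanidm uses the forwarded address for its audit records when it is told to trust it. A short comment on the backend, such as `# Traefik must trust X-Forwarded-* from the halb nodes for Kanidm to see real client IPs`, would record that dependency.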
@@ -393,6 +421,7 @@ profiles::haproxy::certlist::certificates:
   - /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
   - /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
   - /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem
+  - /etc/pki/tls/letsencrypt/auth.unkin.net/fullchain_combined.pem
   - /etc/pki/tls/vault/certificate.pem
 
 # additional altnames
@@ -422,3 +451,4 @@ certbot::client::domains:
   - git.unkin.net
   - grafana.unkin.net
   - dashboard.ceph.unkin.net
+  - auth.unkin.net
diff --git a/hieradata/roles/infra/pki/certbot.yaml b/hieradata/roles/infra/pki/certbot.yaml
index 9891134..51fd58f 100644
--- a/hieradata/roles/infra/pki/certbot.yaml
+++ b/hieradata/roles/infra/pki/certbot.yaml
@@ -16,3 +16,4 @@ certbot::domains:
   - git.unkin.net
   - grafana.unkin.net
   - dashboard.ceph.unkin.net
+  - auth.unkin.net
-- 
2.47.3