feat: Add internal redirects

2025-02-11 12:08:45 -08:00 · 2025-02-11 12:08:45 -08:00 · d76acef206
commit d76acef206
parent b2e579f88e
18 changed files with 131 additions and 29 deletions
--- a/k8s/apps/common/kustomization.yaml
+++ b/k8s/apps/common/kustomization.yaml
@ -3,3 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - bitnami-repository.yaml
+  - middlewares
--- a/k8s/apps/ingressroutes/external/README.md
+++ b/k8s/apps/ingressroutes/external/README.md
@ -0,0 +1,19 @@
+# IngressRoutes
+
+These manifests define extra ingress routes, most notably routes that are
+proxied external to the cluster.
+To facilitate easier declaration, the manifests are generated by a
+simple templating script with YAML configuration through Jinja templating.
+
+We decided on the templating solution over Helm because FluxCD, our GitOps tool,
+requires a Helm repository to apply a Helm chart. We don't have a Helm
+repository and it seems overkill to create even a simple Helm repository just
+for a single chart. Additionally, creating a Helm repository creates another
+point of failure and adds complexity in the GitOps pipeline.
+
+## Templating script
+
+By default, `templater/main.py` sources the config from `templater/values.yaml`
+and emits the templated manifests into `build/`.
+
+Run `templater/main.py -h` for a full list of arguments.
--- a/k8s/apps/external-reverse-proxies/generated/jellyfin-mnke.yaml
+++ b/k8s/apps/external-reverse-proxies/generated/jellyfin-mnke.yaml
--- a/k8s/apps/external-reverse-proxies/generated/jellyfin-tonydu.yaml
+++ b/k8s/apps/external-reverse-proxies/generated/jellyfin-tonydu.yaml
@ -26,6 +26,8 @@ spec:
  routes:
    - match: Host(`media.tonydu.me`)
      kind: Rule
+      middlewares:
+        - name: redirect-tonydu-me-mnke-org
      services:
        - kind: Service
          name: jellyfin-tonydu-external
--- a/k8s/apps/external-reverse-proxies/generated/kustomization.yaml
+++ b/k8s/apps/external-reverse-proxies/generated/kustomization.yaml
@ -4,5 +4,5 @@ kind: Kustomization
 resources:
  - jellyfin-mnke.yaml
  - jellyfin-tonydu.yaml
-  - seerr-tonydu.yaml
-  - seerr-mnke.yaml
+  - seerr-mnke.yaml
+  - seerr-tonydu.yaml
--- a/k8s/apps/external-reverse-proxies/generated/seerr-mnke.yaml
+++ b/k8s/apps/external-reverse-proxies/generated/seerr-mnke.yaml
--- a/k8s/apps/external-reverse-proxies/generated/seerr-tonydu.yaml
+++ b/k8s/apps/external-reverse-proxies/generated/seerr-tonydu.yaml
@ -26,6 +26,8 @@ spec:
  routes:
    - match: Host(`seerr.tonydu.me`)
      kind: Rule
+      middlewares:
+        - name: redirect-tonydu-me-mnke-org
      services:
        - kind: Service
          name: seerr-tonydu-external
--- a/k8s/apps/external-reverse-proxies/kustomization.yaml
+++ b/k8s/apps/external-reverse-proxies/kustomization.yaml
@ -2,5 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - generated
-  # - middlewares
+  - build
--- a/k8s/apps/external-reverse-proxies/codegen/generator.py
+++ b/k8s/apps/external-reverse-proxies/codegen/generator.py
@ -1,6 +1,7 @@
+#!/usr/bin/env python3
 from argparse import ArgumentParser
 from sys import stderr
-from jinja2 import Template
+from jinja2 import Environment, FileSystemLoader, Template
 from os import path
 from yaml import safe_load

@ -10,12 +11,6 @@ def load_config(config_path):
    file.close()
    return config

-def load_proxy_template(template_path):
-    file = open(template_path, 'r')
-    template = Template(file.read())
-    file.close()
-    return template
-
 def write_file(filename, content, dry_run):
    if dry_run:
        print(f'### Would generate {filename} ###', file=stderr)
@ -39,7 +34,8 @@ def main(args):
    template_path = args.template
    output_path = args.output

-    template = load_proxy_template(template_path)
+    env = Environment(loader=FileSystemLoader(template_path))
+    template = env.get_template('proxy.yaml')

    config = load_config(config_path)

@ -61,22 +57,20 @@ def main(args):
    write_file(kustomization_filename, kustomization_content, dry_run)

 if __name__ == '__main__':
-    default_config_path = path.join(path.dirname(__file__), 'config', 'config.yaml')
-    default_template_path = path.join(path.dirname(__file__), 'templates', 'proxy.yaml.j2')
-    default_output_path = path.normpath(path.join(path.dirname(__file__), '..', 'generated'))
+    default_config_path = path.join(path.dirname(__file__), 'values.yaml')
+    default_template_path = path.join(path.dirname(__file__), 'templates')
+    default_output_path = path.normpath(path.join(path.dirname(__file__), '..', 'build'))

    parser = ArgumentParser(
            prog='External Reverse Proxy Generator',
            description='Generate reverse proxy manifests',
            )
    parser.add_argument(
-            '-n',
            '--dry-run',
            action='store_true',
            help='Print generated manifests instead of writing them to disk'
            )
    parser.add_argument(
-            '-k',
            '--skip-kustomize',
            action='store_true',
            help='Skip generation of kustomization.yaml file'
--- a/k8s/apps/external-reverse-proxies/codegen/templates/proxy.yaml.j2
+++ b/k8s/apps/external-reverse-proxies/codegen/templates/proxy.yaml.j2
@ -27,6 +27,15 @@ spec:
  {%- for listen_host in listen_hosts %}
    - match: Host(`{{ listen_host }}`)
      kind: Rule
+      {%- if middlewares is defined %}
+      middlewares:
+        {%- for middleware in middlewares %}
+        - name: {{ middleware.name }}
+          {%- if middleware.namespace is defined %}
+          namespace: {{ middleware.namespace }}
+          {%- endif %}
+        {%- endfor %}
+      {%- endif %}
      services:
        - kind: Service
          name: {{ service_name }}-external
--- a/k8s/apps/external-reverse-proxies/codegen/config/config.yaml
+++ b/k8s/apps/external-reverse-proxies/codegen/config/config.yaml
@ -2,6 +2,11 @@ x-jellyfin: &jellyfin
  upstream_host: jellyfin.home.mnke.org
  upstream_port: 8096

+x-seerr: &seerr
+  upstream_host: seerr.jumper.mnke.org
+  upstream_port: 443
+  pass_host_header: false
+
 proxies:
  - <<: *jellyfin
    service_name: jellyfin-mnke
@ -15,17 +20,18 @@ proxies:
    service_name: jellyfin-tonydu
    tls_secret_name: wildcard-tonydu-me-tls
    listen_host: media.tonydu.me
+    middlewares:
+      - name: redirect-tonydu-me-mnke-org

-  - service_name: seerr-tonydu
-    tls_secret_name: wildcard-tonydu-me-tls
-    listen_host: seerr.tonydu.me
-    upstream_host: seerr.jumper.mnke.org
-    upstream_port: 443
-    pass_host_header: false
-
-  - service_name: seerr-mnke
+  - <<: *seerr
+    service_name: seerr-mnke
    tls_secret_name: wildcard-mnke-org-tls
    listen_host: seerr.mnke.org
-    upstream_host: seerr.jumper.mnke.org
-    upstream_port: 443
-    pass_host_header: false
+
+  - <<: *seerr
+    service_name: seerr-tonydu
+    tls_secret_name: wildcard-tonydu-me-tls
+    listen_host: seerr.tonydu.me
+    middlewares:
+      - name: redirect-tonydu-me-mnke-org
+
--- a/k8s/apps/ingressroutes/internal/blog-tonydu.yaml
+++ b/k8s/apps/ingressroutes/internal/blog-tonydu.yaml
@ -0,0 +1,21 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blog-tonydu
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`blog.tonydu.me`)
+      kind: Rule
+      middlewares:
+        - name: redirect-tonydu-me-mnke-org
+      services:
+        - kind: Service
+          name: ghost
+          port: http
+          passHostHeader: False
+  tls:
+    secretName: wildcard-tonydu-me-tls
--- a/k8s/apps/ingressroutes/internal/kustomization.yaml
+++ b/k8s/apps/ingressroutes/internal/kustomization.yaml
@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - blog-tonydu.yaml
--- a/k8s/apps/ingressroutes/kustomization.yaml
+++ b/k8s/apps/ingressroutes/kustomization.yaml
@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - middlewares
+  - internal
+  - external
--- a/k8s/apps/ingressroutes/middlewares/authentik.yaml
+++ b/k8s/apps/ingressroutes/middlewares/authentik.yaml
@ -0,0 +1,21 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+    name: authentik
+spec:
+    forwardAuth:
+        address: https://authentik.mnke.org/auth/traefik
+        trustForwardHeader: true
+        authResponseHeaders:
+            - X-authentik-username
+            - X-authentik-groups
+            - X-authentik-entitlements
+            - X-authentik-email
+            - X-authentik-name
+            - X-authentik-uid
+            - X-authentik-jwt
+            - X-authentik-meta-jwks
+            - X-authentik-meta-outpost
+            - X-authentik-meta-provider
+            - X-authentik-meta-app
+            - X-authentik-meta-version
--- a/k8s/apps/ingressroutes/middlewares/kustomization.yaml
+++ b/k8s/apps/ingressroutes/middlewares/kustomization.yaml
@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - authentik.yaml
+  - redirect-tonydu-me-mnke-org.yaml
--- a/k8s/apps/ingressroutes/middlewares/redirect-tonydu-me-mnke-org.yaml
+++ b/k8s/apps/ingressroutes/middlewares/redirect-tonydu-me-mnke-org.yaml
@ -0,0 +1,10 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-tonydu-me-mnke-org
+spec:
+  redirectRegex:
+    permanent: false
+    regex: ^https?://([a-zA-Z0-9]+)\.tonydu\.me(/)?
+    replacement: https://${1}.mnke.org${2}
--- a/k8s/apps/kustomization.yaml
+++ b/k8s/apps/kustomization.yaml
@ -5,4 +5,4 @@ resources:
  - common
  - uptime-kuma
  - ghost
-  - external-reverse-proxies
+  - ingressroutes