feat: Add internal redirects

2025-02-11 12:08:45 -08:00 · 2025-02-11 12:08:45 -08:00 · d76acef206
commit d76acef206
parent b2e579f88e
18 changed files with 131 additions and 29 deletions
--- a/k8s/apps/common/kustomization.yaml
+++ b/k8s/apps/common/kustomization.yaml
@ -3,3 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - bitnami-repository.yaml
  - middlewares
--- a/k8s/apps/ingressroutes/external/README.md
+++ b/k8s/apps/ingressroutes/external/README.md
@ -0,0 +1,19 @@
 # IngressRoutes
 These manifests define extra ingress routes, most notably routes that are
 proxied external to the cluster.
 To facilitate easier declaration, the manifests are generated by a
 simple templating script with YAML configuration through Jinja templating.
 We decided on the templating solution over Helm because FluxCD, our GitOps tool,
 requires a Helm repository to apply a Helm chart. We don't have a Helm
 repository and it seems overkill to create even a simple Helm repository just
 for a single chart. Additionally, creating a Helm repository creates another
 point of failure and adds complexity in the GitOps pipeline.
 ## Templating script
 By default, `templater/main.py` sources the config from `templater/values.yaml`
 and emits the templated manifests into `build/`.
 Run `templater/main.py -h` for a full list of arguments.
--- a/k8s/apps/external-reverse-proxies/generated/jellyfin-mnke.yaml
+++ b/k8s/apps/external-reverse-proxies/generated/jellyfin-mnke.yaml
--- a/k8s/apps/external-reverse-proxies/generated/jellyfin-tonydu.yaml
+++ b/k8s/apps/external-reverse-proxies/generated/jellyfin-tonydu.yaml
@ -26,6 +26,8 @@ spec:
  routes:
    - match: Host(`media.tonydu.me`)
      kind: Rule
      middlewares:
        - name: redirect-tonydu-me-mnke-org
      services:
        - kind: Service
          name: jellyfin-tonydu-external
--- a/k8s/apps/external-reverse-proxies/generated/kustomization.yaml
+++ b/k8s/apps/external-reverse-proxies/generated/kustomization.yaml
@ -4,5 +4,5 @@ kind: Kustomization
 resources:
  - jellyfin-mnke.yaml
  - jellyfin-tonydu.yaml
-  - seerr-tonydu.yaml
+  - seerr-mnke.yaml
-  - seerr-mnke.yaml
+  - seerr-tonydu.yaml
--- a/k8s/apps/external-reverse-proxies/generated/seerr-mnke.yaml
+++ b/k8s/apps/external-reverse-proxies/generated/seerr-mnke.yaml
--- a/k8s/apps/external-reverse-proxies/generated/seerr-tonydu.yaml
+++ b/k8s/apps/external-reverse-proxies/generated/seerr-tonydu.yaml
@ -26,6 +26,8 @@ spec:
  routes:
    - match: Host(`seerr.tonydu.me`)
      kind: Rule
      middlewares:
        - name: redirect-tonydu-me-mnke-org
      services:
        - kind: Service
          name: seerr-tonydu-external
--- a/k8s/apps/external-reverse-proxies/kustomization.yaml
+++ b/k8s/apps/external-reverse-proxies/kustomization.yaml
@ -2,5 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - generated
+  - build
  # - middlewares
--- a/k8s/apps/external-reverse-proxies/codegen/generator.py
+++ b/k8s/apps/external-reverse-proxies/codegen/generator.py
@ -1,6 +1,7 @@
 #!/usr/bin/env python3
 from argparse import ArgumentParser
 from sys import stderr
-from jinja2 import Template
+from jinja2 import Environment, FileSystemLoader, Template
 from os import path
 from yaml import safe_load
@ -10,12 +11,6 @@ def load_config(config_path):
    file.close()
    return config
 def load_proxy_template(template_path):
    file = open(template_path, 'r')
    template = Template(file.read())
    file.close()
    return template
 def write_file(filename, content, dry_run):
    if dry_run:
        print(f'### Would generate {filename} ###', file=stderr)
@ -39,7 +34,8 @@ def main(args):
    template_path = args.template
    output_path = args.output
-    template = load_proxy_template(template_path)
+    env = Environment(loader=FileSystemLoader(template_path))
    template = env.get_template('proxy.yaml')
    config = load_config(config_path)
@ -61,22 +57,20 @@ def main(args):
    write_file(kustomization_filename, kustomization_content, dry_run)
 if __name__ == '__main__':
-    default_config_path = path.join(path.dirname(__file__), 'config', 'config.yaml')
+    default_config_path = path.join(path.dirname(__file__), 'values.yaml')
-    default_template_path = path.join(path.dirname(__file__), 'templates', 'proxy.yaml.j2')
+    default_template_path = path.join(path.dirname(__file__), 'templates')
-    default_output_path = path.normpath(path.join(path.dirname(__file__), '..', 'generated'))
+    default_output_path = path.normpath(path.join(path.dirname(__file__), '..', 'build'))
    parser = ArgumentParser(
            prog='External Reverse Proxy Generator',
            description='Generate reverse proxy manifests',
            )
    parser.add_argument(
            '-n',
            '--dry-run',
            action='store_true',
            help='Print generated manifests instead of writing them to disk'
            )
    parser.add_argument(
            '-k',
            '--skip-kustomize',
            action='store_true',
            help='Skip generation of kustomization.yaml file'
--- a/k8s/apps/external-reverse-proxies/codegen/templates/proxy.yaml.j2
+++ b/k8s/apps/external-reverse-proxies/codegen/templates/proxy.yaml.j2
@ -27,6 +27,15 @@ spec:
  {%- for listen_host in listen_hosts %}
    - match: Host(`{{ listen_host }}`)
      kind: Rule
      {%- if middlewares is defined %}
      middlewares:
        {%- for middleware in middlewares %}
        - name: {{ middleware.name }}
          {%- if middleware.namespace is defined %}
          namespace: {{ middleware.namespace }}
          {%- endif %}
        {%- endfor %}
      {%- endif %}
      services:
        - kind: Service
          name: {{ service_name }}-external
--- a/k8s/apps/external-reverse-proxies/codegen/config/config.yaml
+++ b/k8s/apps/external-reverse-proxies/codegen/config/config.yaml
@ -2,6 +2,11 @@ x-jellyfin: &jellyfin
  upstream_host: jellyfin.home.mnke.org
  upstream_port: 8096
 x-seerr: &seerr
  upstream_host: seerr.jumper.mnke.org
  upstream_port: 443
  pass_host_header: false
 proxies:
  - <<: *jellyfin
    service_name: jellyfin-mnke
@ -15,17 +20,18 @@ proxies:
    service_name: jellyfin-tonydu
    tls_secret_name: wildcard-tonydu-me-tls
    listen_host: media.tonydu.me
    middlewares:
      - name: redirect-tonydu-me-mnke-org
-  - service_name: seerr-tonydu
+  - <<: *seerr
-    tls_secret_name: wildcard-tonydu-me-tls
+    service_name: seerr-mnke
    listen_host: seerr.tonydu.me
    upstream_host: seerr.jumper.mnke.org
    upstream_port: 443
    pass_host_header: false
  - service_name: seerr-mnke
    tls_secret_name: wildcard-mnke-org-tls
    listen_host: seerr.mnke.org
-    upstream_host: seerr.jumper.mnke.org
+
-    upstream_port: 443
+  - <<: *seerr
-    pass_host_header: false
+    service_name: seerr-tonydu
    tls_secret_name: wildcard-tonydu-me-tls
    listen_host: seerr.tonydu.me
    middlewares:
      - name: redirect-tonydu-me-mnke-org
--- a/k8s/apps/ingressroutes/internal/blog-tonydu.yaml
+++ b/k8s/apps/ingressroutes/internal/blog-tonydu.yaml
@ -0,0 +1,21 @@
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: blog-tonydu
  namespace: default
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`blog.tonydu.me`)
      kind: Rule
      middlewares:
        - name: redirect-tonydu-me-mnke-org
      services:
        - kind: Service
          name: ghost
          port: http
          passHostHeader: False
  tls:
    secretName: wildcard-tonydu-me-tls
--- a/k8s/apps/ingressroutes/internal/kustomization.yaml
+++ b/k8s/apps/ingressroutes/internal/kustomization.yaml
@ -0,0 +1,5 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - blog-tonydu.yaml
--- a/k8s/apps/ingressroutes/kustomization.yaml
+++ b/k8s/apps/ingressroutes/kustomization.yaml
@ -0,0 +1,7 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - middlewares
  - internal
  - external
--- a/k8s/apps/ingressroutes/middlewares/authentik.yaml
+++ b/k8s/apps/ingressroutes/middlewares/authentik.yaml
@ -0,0 +1,21 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
    name: authentik
 spec:
    forwardAuth:
        address: https://authentik.mnke.org/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
            - X-authentik-username
            - X-authentik-groups
            - X-authentik-entitlements
            - X-authentik-email
            - X-authentik-name
            - X-authentik-uid
            - X-authentik-jwt
            - X-authentik-meta-jwks
            - X-authentik-meta-outpost
            - X-authentik-meta-provider
            - X-authentik-meta-app
            - X-authentik-meta-version
--- a/k8s/apps/ingressroutes/middlewares/kustomization.yaml
+++ b/k8s/apps/ingressroutes/middlewares/kustomization.yaml
@ -0,0 +1,6 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - authentik.yaml
  - redirect-tonydu-me-mnke-org.yaml
--- a/k8s/apps/ingressroutes/middlewares/redirect-tonydu-me-mnke-org.yaml
+++ b/k8s/apps/ingressroutes/middlewares/redirect-tonydu-me-mnke-org.yaml
@ -0,0 +1,10 @@
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: redirect-tonydu-me-mnke-org
 spec:
  redirectRegex:
    permanent: false
    regex: ^https?://([a-zA-Z0-9]+)\.tonydu\.me(/)?
    replacement: https://${1}.mnke.org${2}
--- a/k8s/apps/kustomization.yaml
+++ b/k8s/apps/kustomization.yaml
@ -5,4 +5,4 @@ resources:
  - common
  - uptime-kuma
  - ghost
-  - external-reverse-proxies
+  - ingressroutes