---
# Kyverno ClusterPolicy: gives an Ingress that opts in with
# `auth.home.arpa/enabled: "true"` the ingress-nginx forward-auth
# annotations pointing at Authelia.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: ingress-auth-annotations
  annotations:
    policies.kyverno.io/title: Ingress Auth Annotations
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      This policy creates auth annotations on ingresses. When
      the `auth.home.arpa/enabled` annotation is `true` it
      applies the nginx auth annotations for use with Authelia.
spec:
  # NOTE(review): these two flags drive mutate-existing rules (ones with
  # `targets`) and generate rules; the single rule below is an admission-time
  # mutate with neither, so they look like no-ops here — confirm against the
  # Kyverno version in use before relying on them.
  mutateExistingOnPolicyUpdate: true
  generateExistingOnPolicyUpdate: true
  rules:
    - name: auth
      # Opt-in only: the annotation value must be exactly the string "true".
      match:
        any:
          - resources:
              kinds: ["Ingress"]
              annotations:
                auth.home.arpa/enabled: "true"
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              # `+(key)` is Kyverno's add-if-not-present anchor: each
              # annotation is written only when the Ingress lacks it, so a
              # value already set by the Ingress author is kept. These are
              # defaults rather than guardrails; making Authelia mandatory
              # would need the anchors dropped or a separate validate rule.
              +(nginx.ingress.kubernetes.io/auth-method): GET
              # Cluster-internal verify endpoint (`.svc.cluster.local.`), so
              # the plain-HTTP hop stays inside the cluster network.
              +(nginx.ingress.kubernetes.io/auth-url): |-
                http://authelia.default.svc.cluster.local.:8888/api/verify
              # `${SECRET_CLUSTER_DOMAIN}` is presumably filled in before
              # apply (Flux-style substitution); `$request_method` is an
              # nginx variable that must reach the controller literally —
              # TODO confirm the substitution step leaves it untouched.
              +(nginx.ingress.kubernetes.io/auth-signin): |-
                https://auth.${SECRET_CLUSTER_DOMAIN}?rm=$request_method
              # Identity headers copied from Authelia's response to the
              # upstream. NOTE(review): the upstream should trust them only
              # when it is reachable solely through this controller.
              +(nginx.ingress.kubernetes.io/auth-response-headers): |-
                Remote-User,Remote-Name,Remote-Groups,Remote-Email
              # NOTE(review): raw nginx config; honoured only if the
              # controller allows snippet annotations, a setting that also
              # lets any Ingress author inject nginx directives — confirm it
              # is deliberately enabled. `|` (not `|-`) keeps the trailing
              # newline, which is harmless for an nginx directive.
              +(nginx.ingress.kubernetes.io/auth-snippet): |
                proxy_set_header X-Forwarded-Method $request_method;
---
# Kyverno ClusterPolicy: gives an Ingress that opts in with
# `external-dns.home.arpa/enabled: "true"` an external-dns target annotation
# so its hostname is published for access from outside the cluster.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: ingress-external-dns-annotations
  annotations:
    policies.kyverno.io/title: Ingress External-DNS Annotations
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      This policy creates external-dns annotations on ingresses.
      When the `external-dns.home.arpa/enabled` annotation is `true`
      it applies the external-dns annotations for use with external
      application access.
spec:
  # NOTE(review): these flags drive mutate-existing rules (ones with
  # `targets`) and generate rules; the rule below is an admission-time mutate
  # with neither, so they look like no-ops here — confirm against the Kyverno
  # version in use.
  mutateExistingOnPolicyUpdate: true
  generateExistingOnPolicyUpdate: true
  rules:
    - name: external-dns
      # Opt-in only: the annotation value must be exactly the string "true".
      match:
        any:
          - resources:
              kinds: ["Ingress"]
              annotations:
                external-dns.home.arpa/enabled: "true"
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              # `+(key)` is add-if-not-present: an Ingress that already sets
              # its own target keeps it. The trailing dot makes the target an
              # absolute DNS name. `${SECRET_DOMAIN}` is a different variable
              # from the `${SECRET_CLUSTER_DOMAIN}` used by the auth policy —
              # presumably public vs. cluster domain; TODO confirm.
              +(external-dns.alpha.kubernetes.io/target): |-
                services.${SECRET_DOMAIN}.
---
# Kyverno ClusterPolicy: every Ingress that has NOT opted into external-dns
# gets ingress-nginx's whitelist-source-range limited to the RFC 1918
# ranges, i.e. internal-only access by default.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: ingress-whitelist-annotations
  annotations:
    policies.kyverno.io/title: Ingress Whitelist Annotations
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      This policy creates annotations on ingresses. When
      the `external-dns.home.arpa/enabled` annotation is not
      set it applies the nginx annotations for use with only
      internal application access.
spec:
  # NOTE(review): these flags drive mutate-existing rules (ones with
  # `targets`) and generate rules; the rule below is an admission-time mutate
  # with neither, so they look like no-ops here — confirm against the Kyverno
  # version in use.
  mutateExistingOnPolicyUpdate: true
  generateExistingOnPolicyUpdate: true
  rules:
    - name: whitelist
      match:
        any:
          - resources:
              kinds: ["Ingress"]
      # Excluded only when the annotation is exactly the string "true"; a
      # missing annotation or any other value still receives the internal
      # range, so the rule is slightly broader than the description's
      # "not set" (fail-closed direction).
      exclude:
        any:
          - resources:
              annotations:
                external-dns.home.arpa/enabled: "true"
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              # `+(key)` is add-if-not-present: an Ingress that already
              # carries its own whitelist-source-range keeps it, so this is a
              # default, not an enforced boundary — a validate rule would be
              # needed to guarantee internal-only exposure.
              # NOTE(review): the range check only protects if nginx sees the
              # real client address (proxy protocol / forwarded headers when
              # sitting behind a load balancer) — confirm the controller setup.
              +(nginx.ingress.kubernetes.io/whitelist-source-range): |-
                10.0.0.0/8,172.16.0.0/12,192.168.0.0/16