ingress class

external/external-controller.yaml

@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-external
+  labels:
+    app.kubernetes.io/name: nginx-external
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: nginx-external
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: nginx-external
+    spec:
+      containers:
+      - name: nginx-ingress
+        image: registry.k8s.io/ingress-nginx/controller:v1.7.0
+        args:
+          - /nginx-ingress-controller
+          - --ingress-class=nginx-external
+          - --configmap=$(POD_NAMESPACE)/nginx-configuration
+          - --publish-status-address=192.168.0.190
+          - --update-status
+        env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        ports:
+          - name: http
+            containerPort: 80
+          - name: https
+            containerPort: 443

external/external-policy.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-ingress-nginx-external
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: nginx-external
+  policyTypes:
+    - Ingress
+  ingress:
+    - {}

external/ingress-class.yaml

@@ -0,0 +1,6 @@
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: nginx-external
+spec:
+  controller: k8s.io/ingress-nginx

external/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: external-ingress
+
+resources:
+  # - proxy
+  - external-controller.yaml
+  - external-policy.yaml
+  - service.yaml
+  - namespace.yaml
+  - ingress-class.yaml

external/namespace.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: ingress-nginx
+  name: external-ingress
   annotations:
     argocd.argoproj.io/sync-wave: "0"

external/proxy/deployment.yaml

@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-proxy
+  annotations:
+    argocd.argoproj.io/sync-wave: "100"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: external-proxy
+  template:
+    metadata:
+      labels:
+        app: external-proxy
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:stable-alpine
+          volumeMounts:
+            - name: config
+              mountPath: /etc/nginx/nginx.conf
+              subPath: nginx.conf
+          ports:
+            - containerPort: 80
+      volumes:
+        - name: config
+          configMap:
+            name: external-proxy-config

external/proxy/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - deployment.yaml
+  - service.yaml
+
+configMapGenerator:
+  - name: external-proxy-config
+    files:
+      - nginx.conf

external/proxy/nginx.conf

@@ -0,0 +1,38 @@
+user  nginx;
+worker_processes  auto;
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+events {
+  worker_connections  1024;
+}
+
+http {
+  # Basic config
+  include       /etc/nginx/mime.types;
+  default_type  application/octet-stream;
+  sendfile        on;
+  keepalive_timeout  65;
+
+  # We define two upstreams: external and internal
+  upstream external_ingress {
+    server nginx-external.ingress-nginx.svc.cluster.local:80;
+  }
+
+  # Server block for HTTP (port 80)
+  server {
+    listen 80 default_server;
+    server_name _;
+  }
+
+  server {
+    listen 80;
+    server_name ~^(?<subdomain>.+)\.mrcynic\.site$;
+
+    location / {
+      proxy_pass http://external_ingress;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+    }
+  }
+}

external/proxy/service.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: external-proxy-service
+spec:
+  type: LoadBalancer
+  selector:
+    app: external-proxy
+  ports:
+    - name: http
+      port: 80
+      targetPort: 80
+  loadBalancerIP: 192.168.0.201

external/service.yaml

@@ -1,9 +1,9 @@
+
 ---
 apiVersion: v1
 kind: Service
 metadata:
   name: nginx-external
-  namespace: ingress-nginx
 spec:
   type: LoadBalancer
   selector:
@@ -15,3 +15,4 @@ spec:
     - name: https
       port: 443
       targetPort: 443
+  loadBalancerIP: 192.168.0.202

ingress-controller.yaml

@@ -1,27 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nginx-external
-  namespace: ingress-nginx
-  labels:
-    app.kubernetes.io/name: nginx-external
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: nginx-external
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: nginx-external
-    spec:
-      containers:
-        - name: nginx-ingress
-          image: registry.k8s.io/ingress-nginx/controller:v1.7.0
-          args:
-            - /nginx-external
-          ports:
-            - name: http
-              containerPort: 80
-            - name: https
-              containerPort: 443

internal/internal-controller.yaml

@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-internal
+  labels:
+    app.kubernetes.io/name: nginx-internal
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: nginx-internal
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: nginx-internal
+    spec:
+      containers:
+      - name: nginx-ingress
+        image: registry.k8s.io/ingress-nginx/controller:v1.7.0
+        args:
+          - /nginx-ingress-controller
+          - --ingress-class=nginx-internal
+          - --configmap=$(POD_NAMESPACE)/nginx-configuration
+          - --publish-status-address=192.168.0.190
+          - --update-status
+        env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        ports:
+          - name: http
+            containerPort: 80
+          - name: https
+            containerPort: 443

internal/internal-policy.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: restrict-ingress-nginx-internal
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: nginx-internal
+  policyTypes:
+    - Ingress
+  ingress:
+    - {}
+    # - from:
+    #     - ipBlock:
+    #         cidr: 192.168.0.0/16
+    #   ports:
+    #     - protocol: TCP
+    #       port: 80
+    #     - protocol: TCP
+    #       port: 443

internal/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: internal-ingress
+
+resources:
+  # - proxy
+  - internal-controller.yaml
+  - internal-policy.yaml
+  - service.yaml
+  - namespace.yaml

internal/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: internal-ingress
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"

internal/proxy/deployment.yaml

@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: internal-proxy
+  annotations:
+    argocd.argoproj.io/sync-wave: "100"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: internal-proxy
+  template:
+    metadata:
+      labels:
+        app: internal-proxy
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:stable-alpine
+          volumeMounts:
+            - name: config
+              mountPath: /etc/nginx/nginx.conf
+              subPath: nginx.conf
+          ports:
+            - containerPort: 80
+      volumes:
+        - name: config
+          configMap:
+            name: internal-proxy-config

internal/proxy/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - deployment.yaml
+  - service.yaml
+
+configMapGenerator:
+  - name: internal-proxy-config
+    files:
+      - nginx.conf

internal/proxy/nginx.conf

@@ -0,0 +1,38 @@
+user  nginx;
+worker_processes  auto;
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+events {
+  worker_connections  1024;
+}
+
+http {
+  # Basic config
+  include       /etc/nginx/mime.types;
+  default_type  application/octet-stream;
+  sendfile        on;
+  keepalive_timeout  65;
+
+  # We define internal upstreams
+  upstream internal_ingress {
+    server nginx-internal.ingress-nginx.svc.cluster.local:80;
+  }
+
+  server {
+    listen 80 default_server;
+    server_name _;
+  }
+
+  # dev.mrcynic.site - allow only LAN
+  server {
+    listen 80;
+    server_name ~^(?<subdomain>.+)\.dev\.mrcynic\.site$;
+
+    location / {
+      proxy_pass http://internal_ingress;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+    }
+  }
+}

internal/proxy/service.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: internal-proxy-service
+spec:
+  type: LoadBalancer
+  selector:
+    app: internal-proxy
+  ports:
+    - name: http
+      port: 80
+      targetPort: 80
+  loadBalancerIP: 192.168.0.202

internal/service.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-internal
+spec:
+  type: LoadBalancer
+  selector:
+    app.kubernetes.io/name: nginx-internal
+  ports:
+    - name: http
+      port: 80
+      targetPort: 80
+    - name: https
+      port: 443
+      targetPort: 443
+  loadBalancerIP: 192.168.0.201

kustomization.yaml

@@ -2,9 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - namespace.yaml
-  - ingress-controller.yaml
-  - service.yaml
+  - internal
+  - external
 
 generatorOptions:
   annotations: