From ac0d92654a6377a82ab0741448ce297ade7045f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A1rcio=20Fernandes?=
Date: Sun, 12 Apr 2026 13:02:57 +0000
Subject: [PATCH] public egress and internal one
---
 deploy/infra/ingress-web-public.yaml | 72 +++++++++++++++++++
 .../infra/{ingress.yaml => ingress-web.yaml} | 29 +++++---
 deploy/infra/kustomization.yaml | 3 +-
 deploy/infra/middlewares.yaml | 23 ++++++
 4 files changed, 116 insertions(+), 11 deletions(-)
 create mode 100644 deploy/infra/ingress-web-public.yaml
 rename deploy/infra/{ingress.yaml => ingress-web.yaml} (59%)
diff --git a/deploy/infra/ingress-web-public.yaml b/deploy/infra/ingress-web-public.yaml
new file mode 100644
index 0000000..06f2d83
--- /dev/null
+++ b/deploy/infra/ingress-web-public.yaml
@@ -0,0 +1,72 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: nextcloud-web-public
+ annotations:
+ kubernetes.io/ingress.class: traefik-public
+spec:
+ entryPoints:
+ - websecure
+ tls:
+ secretName: cloud-limbosolutions-com-tls
+ domains:
+ - main: cloud.limbosolutions.com
+
+ routes:
+
+ # AUTHENTIK OUTPOST
+ - match: Host(`cloud.limbosolutions.com`) && PathPrefix(`/outpost.goauthentik.io`)
+ kind: Rule
+ services:
+ - name: ak-outpost-authentik-embedded-outpost
+ namespace: id-limbosolutions-com
+ port: 9000
+
+
+ # PUBLIC SHARES (NO SSO)
+ - match: Host(`cloud.limbosolutions.com`) &&
+ (PathPrefix(`/s/`) ||
+ PathPrefix(`/index.php/s/`) ||
+ PathPrefix(`/public.php/`) ||
+ PathPrefix(`/remote.php/dav/public-files/`))
+ kind: Rule
+ services:
+ - name: nextcloud
+ port: 8080
+ middlewares:
+ - name: rate-limit
+ - name: nextcloud-security-headers
+
+ # Sync clients + mobile app (no SSO)
+ - match: Host(`cloud.limbosolutions.com`) &&
+ (PathPrefix(`/remote.php/dav`) ||
+ PathPrefix(`/remote.php/webdav`) ||
+ PathPrefix(`/remote.php/caldav`) ||
+ PathPrefix(`/remote.php/carddav`) ||
+ PathPrefix(`/ocs/v1.php`) ||
+ PathPrefix(`/ocs/v2.php`) ||
+ PathPrefix(`/status.php`) ||
+ PathPrefix(`/index.php/login/v2`) ||
+ PathPrefix(`/index.php/login/v2/poll`))
+ kind: Rule
+ services:
+ - name: nextcloud
+ port: 8080
+ middlewares:
+ - name: webdav-strip-auth
+ - name: rate-limit
+
+ # 3) EVERYTHING ELSE (SSO REQUIRED)
+ - match: Host(`cloud.limbosolutions.com`)
+ kind: Rule
+ services:
+ - name: nextcloud
+ port: 8080
+ middlewares:
+ - name: authentik-forward-auth
+ - name: nextcloud-security-headers
+ - name: rate-limit
+
+
+
+
diff --git a/deploy/infra/ingress.yaml b/deploy/infra/ingress-web.yaml
similarity index 59%
rename from deploy/infra/ingress.yaml
rename to deploy/infra/ingress-web.yaml
index 0395124..83a3065 100644
--- a/deploy/infra/ingress.yaml
+++ b/deploy/infra/ingress-web.yaml
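Review bot: The no-SSO routes in this new IngressRoute overlap, and Traefik resolves overlap by rule length (longest rule wins), not by the order or the comments here: the `/remote.php/dav/public-files/` prefix listed under PUBLIC SHARES is also matched by the `/remote.php/dav` prefix of the longer sync-client rule, so those requests get `webdav-strip-auth` and skip `nextcloud-security-headers`, and `/index.php/login/v2/poll` is already covered by `/index.php/login/v2` (the same redundancy is in the ingress-web.yaml sync-client hunk). Setting an explicit `priority:` on each route, with the catch-all lowest, or dropping the duplicated prefixes, makes the set of paths that bypass `authentik-forward-auth` explicit rather than implied. The PUBLIC SHARES route forwards client request headers as received, so if Nextcloud honours any of the `X-authentik-*` headers the forward-auth middleware injects, that route needs the same stripping the sync route gets from `webdav-strip-auth` (what that middleware removes is not visible here). The TLS block reuses `cloud-limbosolutions-com-tls` without the cert-manager annotation the internal route carries; confirm the `traefik-public` instance can read that secret and that something other than the annotation on the sibling IngressRoute keeps it renewed.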
@@ -1,14 +1,13 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
- name: cloud-limbosolutions-com
+ name: nextcloud-web
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
 kubernetes.io/ingress.class: traefik
 spec:
 entryPoints:
 - websecure
- - public-https
 tls:
 secretName: cloud-limbosolutions-com-tls
 domains:
@@ -25,8 +24,12 @@ spec:
 port: 9000
- # 1) PUBLIC SHARES (NO SSO)
- - match: Host(`cloud.limbosolutions.com`) && (PathPrefix(`/s/`) || PathPrefix(`/index.php/s/`) || PathPrefix(`/public.php/`) || PathPrefix(`/remote.php/dav/public-files/`))
+ # PUBLIC SHARES (NO SSO)
+ - match: Host(`cloud.limbosolutions.com`) &&
+ (PathPrefix(`/s/`) ||
+ PathPrefix(`/index.php/s/`) ||
+ PathPrefix(`/public.php/`) ||
+ PathPrefix(`/remote.php/dav/public-files/`))
 kind: Rule
 services:
 - name: nextcloud
@@ -35,8 +38,17 @@ spec:
 - name: rate-limit
 - name: nextcloud-security-headers
- # 2) WEBDAV / SYNC CLIENTS (NO SSO)
- - match: Host(`cloud.limbosolutions.com`) && (PathPrefix(`/remote.php/dav`) || PathPrefix(`/remote.php/webdav`) || PathPrefix(`/remote.php/caldav`) || PathPrefix(`/remote.php/carddav`))
+ # Sync clients + mobile app (no SSO)
+ - match: Host(`cloud.limbosolutions.com`) &&
+ (PathPrefix(`/remote.php/dav`) ||
+ PathPrefix(`/remote.php/webdav`) ||
+ PathPrefix(`/remote.php/caldav`) ||
+ PathPrefix(`/remote.php/carddav`) ||
+ PathPrefix(`/ocs/v1.php`) ||
+ PathPrefix(`/ocs/v2.php`) ||
+ PathPrefix(`/status.php`) ||
+ PathPrefix(`/index.php/login/v2`) ||
+ PathPrefix(`/index.php/login/v2/poll`))
 kind: Rule
 services:
 - name: nextcloud
@@ -52,12 +64,9 @@ spec:
 - name: nextcloud
 port: 8080
 middlewares:
- # middleware managed by icarus
- - name: authentik-forward-auth
- namespace: traefik-common
+ #- name: authentik-forward-auth
 - name: nextcloud-security-headers
 - name: rate-limit
-
diff --git a/deploy/infra/kustomization.yaml b/deploy/infra/kustomization.yaml
index 4eea909..7af5b15 100644
--- a/deploy/infra/kustomization.yaml
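Review bot: The catch-all route in the last hunk now runs without `authentik-forward-auth` (left behind as the commented-out `#- name: authentik-forward-auth`), so on the `traefik`-class ingress every path of the same Host, with the same TLS secret, is served with only Nextcloud's own login while ingress-web-public.yaml enforces SSO for it. That split is only as strong as the network separation between the two Traefik instances, which this diff cannot show; if the `traefik`-class instance is reachable from the same networks as `traefik-public`, the SSO requirement on the public route is not a boundary. Rather than a commented-out list entry, record the intent where the next reader will look, e.g. `# no forward-auth on the internal ingress: Nextcloud login applies here, SSO is enforced by ingress-web-public.yaml`, or delete the line if the middleware is not expected to return. In the first hunk `public-https` is dropped from entryPoints and the public route binds `websecure` under the `traefik-public` class instead; whether that instance exposes an entrypoint by that name is not visible here, and a router bound to an unknown entrypoint is simply not served.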
+++ b/deploy/infra/kustomization.yaml
@@ -4,7 +4,8 @@ resources:
 - namespace.yaml
 - cd-serviceaccount.yaml
 - middlewares.yaml
- - ingress.yaml
+ - ingress-web.yaml
+ - ingress-web-public.yaml
 - storage-limbosolutions-com/pv.yaml
 - ./onlyoffice/ingress.yaml
 - ./onlyoffice/middlewares.yaml
diff --git a/deploy/infra/middlewares.yaml b/deploy/infra/middlewares.yaml
index d23b73a..6b7dce9 100644
--- a/deploy/infra/middlewares.yaml
+++ b/deploy/infra/middlewares.yaml
@@ -40,4 +40,27 @@ spec:
 X-Frame-Options: "DENY"
 X-XSS-Protection: "1; mode=block"
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: authentik-forward-auth
+spec:
+ forwardAuth:
+ address: "http://ak-outpost-authentik-embedded-outpost.id-limbosolutions-com.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik"
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
+---
\ No newline at end of file
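Review bot: `trustForwardHeader: true` in the new `authentik-forward-auth` middleware makes Traefik pass the request's incoming `X-Forwarded-*` headers to the outpost instead of setting them from its own view of the connection, so the host, proto and URI the outpost uses for its auth decision and redirects are whatever the entrypoint let through. That is only safe when the entrypoints' `forwardedHeaders` settings (trustedIPs, or the insecure flag) limit those headers to trusted upstream proxies, which this diff does not show; if Traefik terminates client connections directly, `trustForwardHeader: false` and letting Traefik populate the headers is the safer default. The ingress-web.yaml hunk drops a reference to the same middleware in `traefik-common`, so unless that copy is retired the `authResponseHeaders` list now has two sources of truth. The file also ends with a bare `---` and no trailing newline, which opens an empty document; whether the kustomize version in use tolerates that is not visible here, so drop the final `---` and end the file with a newline.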