Merge pull request #1632 from GiganticMinecraft/fix-management-addresses
feat: proxmox-monとzabbix追加、IP修正
outductor authored Dec 31, 2023
2 parents ef02e10 + fe6106e commit 4405a32
Showing 4 changed files with 80 additions and 3 deletions.
Expand Up @@ -22,14 +22,20 @@ spec:

# オンプレにもともとあった Grafana。
# grafana側でGitHub-SSO認証が掛かっているため、Cloudflare のレイヤではアクセス制御はしていない。
# TODO 新VMに乗り換え(sc-monitoring-01(10.123.0.193:3000) on sc-proxmox-mon-01)
- name: grafana-onp
external-hostname: grafana.onp.admin.seichi.click
internal-authority: "192.168.3.20:3000"

# zabbix
- name: zabbix
external-hostname: zabbix.onp.admin.seichi.click
internal-authority: "10.123.0.193:8080"

# raritan(PDU)
- name: raritan
external-hostname: raritan.onp.admin.seichi.click
internal-authority: "192.168.19.200:80"
internal-authority: "10.123.0.200:80"

# プライベートなminecraft pluginをアップロードするためのMinIO。
# 肝心のオブジェクトストレージは seichi-private-plugin-blackhole-minio.minio:9000 にClusterIPでアクセスすればよい。
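Review bot: The new zabbix entry at `internal-authority: "10.123.0.193:8080"` does not record which layer enforces access control, whereas the neighbouring grafana entry explains why the Cloudflare layer deliberately does not gate it; for zabbix the gate is the cloudflare_access_application / cloudflare_access_policy pair that this same commit adds to terraform/cloudflare_network_admin_services.tf, and nothing in this file points at it. A one-line comment keeps the two files from drifting apart: `# zabbix; access is gated by the Cloudflare Access policy onp_admin_zabbix (GitHub team onp-admin-zabbix), the origin itself is plain HTTP`. The grafana TODO above names 10.123.0.193:3000 as sc-monitoring-01, so this entry presumably lives on the same VM — worth confirming and stating in the comment. The enclosing `spec:` list starts outside the hunk.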
Expand Up @@ -31,9 +31,15 @@ spec:
# 現時点(2022/04/25)ではproxmoxはHTTPS**しか**サポートしないらしく、
# (https://forum.proxmox.com/threads/disabling-ssl-on-latest-proxmox-ve.42889/post-205902)
# 自己署名証明書で保護されているため、 noTLSVerify で無視する。

# 本番クラスタ向け
- name: proxmox
external-hostname: proxmox.onp.admin.seichi.click
internal-authority: 192.168.1.154:8006
internal-authority: 10.123.0.154:8006
# 監視専用ホスト向け
- name: proxmox-mon
external-hostname: proxmox-mon.onp.admin.seichi.click
internal-authority: 10.123.0.181:8006

# Redmine
- name: redmine
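Review bot: The self-signed-certificate / `noTLSVerify` caveat documented at the top of this hunk now covers two origins, but the new `proxmox-mon` entry carries neither a host name nor a hint that the exemption applies to `10.123.0.181:8006` as well, so a reader cannot tell whether this origin is also served over an unverified certificate. Suggest replacing the bare `# 監視専用ホスト向け` with a comment such as `# Monitoring-only host (presumably sc-proxmox-mon-01, as named in the grafana TODO); the self-signed-cert / noTLSVerify note above applies to this origin too — confirm`. Where `noTLSVerify` is actually set is not visible in this hunk, so the comment should be checked against that configuration before landing. The enclosing `spec:` list starts outside the hunk.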
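--- a/terraform/cloudflare_network_admin_services.tf
+++ b/terraform/cloudflare_network_admin_services.tf
@@ -66,6 +66,59 @@ resource "cloudflare_access_policy" "onp_admin_proxmox" {
 }
 }
 
+
+resource "cloudflare_access_application" "onp_admin_proxmox_mon" {
+zone_id = local.cloudflare_zone_id
+name = "Proxmox-mon administration"
+domain = "proxmox-mon.onp.admin.${local.root_domain}"
+type = "self_hosted"
+session_duration = "24h"
+
+http_only_cookie_attribute = true
+}
+
+resource "cloudflare_access_policy" "onp_admin_proxmox_mon" {
+application_id = cloudflare_access_application.onp_admin_proxmox_mon.id
+zone_id = local.cloudflare_zone_id
+name = "Require to be in a GitHub team to access"
+precedence = "1"
+decision = "allow"
+
+include {
+github {
+name = local.github_org_name
+teams = [github_team.onp_admin_proxmox_mon.slug]
+identity_provider_id = cloudflare_access_identity_provider.github_oauth.id
+}
+}
+}
+
+resource "cloudflare_access_application" "onp_admin_zabbix" {
+zone_id = local.cloudflare_zone_id
+name = "Zabbix administration"
+domain = "zabbix.onp.admin.${local.root_domain}"
+type = "self_hosted"
+session_duration = "24h"
+
+http_only_cookie_attribute = true
+}
+
+resource "cloudflare_access_policy" "onp_admin_zabbix" {
+application_id = cloudflare_access_application.onp_admin_zabbix.id
+zone_id = local.cloudflare_zone_id
+name = "Require to be in a GitHub team to access"
+precedence = "1"
+decision = "allow"
+
+include {
+github {
+name = local.github_org_name
+teams = [github_team.onp_admin_zabbix.slug]
+identity_provider_id = cloudflare_access_identity_provider.github_oauth.id
+}
+}
+}
+
 resource "cloudflare_access_application" "onp_admin_raritan" {
 zone_id = local.cloudflare_zone_id
 name = "raritan(PDU) administration"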
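Review bot: The two new application/policy pairs (`onp_admin_proxmox_mon` at the start of the hunk and `onp_admin_zabbix` below it) are verbatim copies of the existing proxmox pair differing only in display name, hostname and team slug, so every new admin service is four hand-edited blocks in which a missed edit — most importantly the wrong `teams` slug on a policy — would grant a different GitHub team access to the service with no plan-time error. Driving both resources from one map with `for_each` ties hostname, application and team together on a single line per service and makes a policy-less application impossible to write; the existing hand-written resources can stay as they are, or be migrated later with `moved` blocks so state is not recreated. `session_duration = "24h"` and `precedence = "1"` are repeated from the proxmox block; if they are deliberate per-service choices a comment saying so would help, otherwise they belong in the shared resource as below.

```hcl
locals {
  # One entry per Cloudflare-Access-gated admin service: hostname label,
  # display name, and the GitHub team whose members may pass the policy.
  onp_admin_services = {
    proxmox_mon = { host = "proxmox-mon", name = "Proxmox-mon administration", team = github_team.onp_admin_proxmox_mon.slug }
    zabbix      = { host = "zabbix",      name = "Zabbix administration",      team = github_team.onp_admin_zabbix.slug }
  }
}

resource "cloudflare_access_application" "onp_admin" {
  for_each = local.onp_admin_services

  zone_id          = local.cloudflare_zone_id
  name             = each.value.name
  domain           = "${each.value.host}.onp.admin.${local.root_domain}"
  type             = "self_hosted"
  session_duration = "24h"

  http_only_cookie_attribute = true
}

resource "cloudflare_access_policy" "onp_admin" {
  for_each = local.onp_admin_services

  application_id = cloudflare_access_application.onp_admin[each.key].id
  zone_id        = local.cloudflare_zone_id
  name           = "Require to be in a GitHub team to access"
  precedence     = "1"
  decision       = "allow"

  include {
    github {
      name                 = local.github_org_name
      teams                = [each.value.team]
      identity_provider_id = cloudflare_access_identity_provider.github_oauth.id
    }
  }
}

# … unchanged: onp_admin_raritan application and policy …
```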
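--- a/terraform/github_teams.tf
+++ b/terraform/github_teams.tf
@@ -31,7 +31,19 @@ resource "github_team" "onp_admin_grafana_team" {
 
 resource "github_team" "onp_admin_proxmox" {
 name = "onp-admin-proxmox"
-description = "オンプレミス環境のproxmoxに接続できるTeam"
+description = "オンプレミス環境のproxmox(本番クラスタ)に接続できるTeam"
 privacy = "closed"
 }
 
+resource "github_team" "onp_admin_proxmox_mon" {
+name = "onp-admin-proxmox-mon"
+description = "オンプレミス環境のproxmox(監視専用ホスト)に接続できるTeam"
+privacy = "closed"
+}
+
+resource "github_team" "onp_admin_zabbix" {
+name = "onp-admin-zabbix"
+description = "オンプレミス環境のzabbixに接続できるTeam"
+privacy = "closed"
+}
+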
