diff --git a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cloudflared-tunnel-exits/http-exits.yaml b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cloudflared-tunnel-exits/http-exits.yaml index 8b3225a09..659af2b89 100644 --- a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cloudflared-tunnel-exits/http-exits.yaml +++ b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cloudflared-tunnel-exits/http-exits.yaml @@ -22,14 +22,20 @@ spec: # オンプレにもともとあった Grafana。 # grafana側でGitHub-SSO認証が掛かっているため、Cloudflare のレイヤではアクセス制御はしていない。 + # TODO 新VMに乗り換え(sc-monitoring-01(10.123.0.193:3000) on sc-proxmox-mon-01) - name: grafana-onp external-hostname: grafana.onp.admin.seichi.click internal-authority: "192.168.3.20:3000" + # zabbix + - name: zabbix + external-hostname: zabbix.onp.admin.seichi.click + internal-authority: "10.123.0.193:8080" + # raritan(PDU) - name: raritan external-hostname: raritan.onp.admin.seichi.click - internal-authority: "192.168.19.200:80" + internal-authority: "10.123.0.200:80" # プライベートなminecraft pluginをアップロードするためのMinIO。 # 肝心のオブジェクトストレージは seichi-private-plugin-blackhole-minio.minio:9000 にClusterIPでアクセスすればよい。 diff --git a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cloudflared-tunnel-exits/https-exits.yaml b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cloudflared-tunnel-exits/https-exits.yaml index dc77ddfbf..c978bb0c4 100644 --- a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cloudflared-tunnel-exits/https-exits.yaml +++ b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cloudflared-tunnel-exits/https-exits.yaml 
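Review bot: The new zabbix exit (`- name: zabbix`, internal-authority `"10.123.0.193:8080"`) carries only the label comment `# zabbix`, whereas the neighbouring grafana-onp entry records why no Cloudflare-layer access control is applied to it; the zabbix entry's (different) stance should be recorded the same way. This commit's terraform hunk adds `cloudflare_access_application`/`cloudflare_access_policy` `onp_admin_zabbix` for this hostname, so the comment can say so, e.g. `# Zabbix on sc-monitoring-01. Gated by Cloudflare Access (terraform: onp_admin_zabbix, GitHub team); the origin itself is plain HTTP.` The grafana TODO names the same host (10.123.0.193:3000), so it would also help to state there whether the "no access control at the Cloudflare layer" stance for grafana-onp is meant to survive the move. The exits list continues outside the hunk.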
@@ -31,9 +31,15 @@ spec:
 # 現時点(2022/04/25)ではproxmoxはHTTPS**しか**サポートしないらしく、
 # (https://forum.proxmox.com/threads/disabling-ssl-on-latest-proxmox-ve.42889/post-205902)
 # 自己署名証明書で保護されているため、 noTLSVerify で無視する。
+
+ # 本番クラスタ向け
 - name: proxmox
 external-hostname: proxmox.onp.admin.seichi.click
- internal-authority: 192.168.1.154:8006
+ internal-authority: 10.123.0.154:8006
+ # 監視専用ホスト向け
+ - name: proxmox-mon
+ external-hostname: proxmox-mon.onp.admin.seichi.click
+ internal-authority: 10.123.0.181:8006
 # Redmine
 - name: redmine
diff --git a/terraform/cloudflare_network_admin_services.tf b/terraform/cloudflare_network_admin_services.tf
index 54dd432c0..55b6105fe 100644
--- a/terraform/cloudflare_network_admin_services.tf
+++ b/terraform/cloudflare_network_admin_services.tf
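Review bot: The new proxmox-mon entry leaves `internal-authority: 10.123.0.181:8006` as an unquoted plain scalar (the edited proxmox line too), whereas http-exits.yaml in this same commit quotes every internal-authority (`"10.123.0.193:8080"`); a dotted IP is safe, but a bare host:port of the form `host:22` hits YAML 1.1's sexagesimal-integer parsing, so quoting consistently is the safer habit: `internal-authority: "10.123.0.181:8006"` and `internal-authority: "10.123.0.154:8006"`. The comment block above explains that noTLSVerify is used because of proxmox's self-signed certificate; if that setting is applied to proxmox-mon as well (the field itself is not in the hunk), the `# 監視専用ホスト向け` comment should say so, since certificate verification is now disabled for a second admin origin, and explicitly trusting that host's certificate would be preferable to skipping verification where the exit spec allows it. The exits list continues outside the hunk.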
@@ -66,6 +66,59 @@ resource "cloudflare_access_policy" "onp_admin_proxmox" {
 }
 }
+
+resource "cloudflare_access_application" "onp_admin_proxmox_mon" {
+ zone_id = local.cloudflare_zone_id
+ name = "Proxmox-mon administration"
+ domain = "proxmox-mon.onp.admin.${local.root_domain}"
+ type = "self_hosted"
+ session_duration = "24h"
+
+ http_only_cookie_attribute = true
+}
+
+resource "cloudflare_access_policy" "onp_admin_proxmox_mon" {
+ application_id = cloudflare_access_application.onp_admin_proxmox_mon.id
+ zone_id = local.cloudflare_zone_id
+ name = "Require to be in a GitHub team to access"
+ precedence = "1"
+ decision = "allow"
+
+ include {
+ github {
+ name = local.github_org_name
+ teams = [github_team.onp_admin_proxmox_mon.slug]
+ identity_provider_id = cloudflare_access_identity_provider.github_oauth.id
+ }
+ }
+}
+
+resource "cloudflare_access_application" "onp_admin_zabbix" {
+ zone_id = local.cloudflare_zone_id
+ name = "Zabbix administration"
+ domain = "zabbix.onp.admin.${local.root_domain}"
+ type = "self_hosted"
+ session_duration = "24h"
+
+ http_only_cookie_attribute = true
+}
+
+resource "cloudflare_access_policy" "onp_admin_zabbix" {
+ application_id = cloudflare_access_application.onp_admin_zabbix.id
+ zone_id = local.cloudflare_zone_id
+ name = "Require to be in a GitHub team to access"
+ precedence = "1"
+ decision = "allow"
+
+ include {
+ github {
+ name = local.github_org_name
+ teams = [github_team.onp_admin_zabbix.slug]
+ identity_provider_id = cloudflare_access_identity_provider.github_oauth.id
+ }
+ }
+}
+
 resource "cloudflare_access_application" "onp_admin_raritan" {
 zone_id = local.cloudflare_zone_id
 name = "raritan(PDU) administration"
diff --git a/terraform/github_teams.tf b/terraform/github_teams.tf
index cae4cac51..f49276da1 100644
--- a/terraform/github_teams.tf
+++ b/terraform/github_teams.tf
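Review bot: The two new application/policy pairs are verbatim copies of the existing onp_admin_proxmox pair, differing only in name, subdomain and GitHub team; a `for_each` over a small local map would keep the definitions from drifting (a later change to `session_duration` or `http_only_cookie_attribute` on one admin app but not the others is exactly the kind of inconsistency this layout invites). The sketch below covers only the two resources this hunk adds; folding the pre-existing onp_admin_proxmox and onp_admin_raritan resources into it would also need `moved` blocks so their state addresses are preserved. `precedence = "1"` as a string matches the existing resources and is left as is.
```hcl
locals {
  # Admin subdomains under onp.admin.<root_domain> that Cloudflare Access gates on one GitHub team.
  onp_admin_github_gated_apps = {
    proxmox_mon = {
      name      = "Proxmox-mon administration"
      subdomain = "proxmox-mon"
      team_slug = github_team.onp_admin_proxmox_mon.slug
    }
    zabbix = {
      name      = "Zabbix administration"
      subdomain = "zabbix"
      team_slug = github_team.onp_admin_zabbix.slug
    }
  }
}

resource "cloudflare_access_application" "onp_admin_github_gated" {
  for_each = local.onp_admin_github_gated_apps

  zone_id          = local.cloudflare_zone_id
  name             = each.value.name
  domain           = "${each.value.subdomain}.onp.admin.${local.root_domain}"
  type             = "self_hosted"
  session_duration = "24h"

  http_only_cookie_attribute = true
}

resource "cloudflare_access_policy" "onp_admin_github_gated" {
  for_each = local.onp_admin_github_gated_apps

  application_id = cloudflare_access_application.onp_admin_github_gated[each.key].id
  zone_id        = local.cloudflare_zone_id
  name           = "Require to be in a GitHub team to access"
  precedence     = "1"
  decision       = "allow"

  include {
    github {
      name                 = local.github_org_name
      teams                = [each.value.team_slug]
      identity_provider_id = cloudflare_access_identity_provider.github_oauth.id
    }
  }
}
# … unchanged: onp_admin_raritan application and the rest of the file …
```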
@@ -31,7 +31,19 @@ resource "github_team" "onp_admin_grafana_team" {
 resource "github_team" "onp_admin_proxmox" {
 name = "onp-admin-proxmox"
- description = "オンプレミス環境のproxmoxに接続できるTeam"
+ description = "オンプレミス環境のproxmox(本番クラスタ)に接続できるTeam"
+ privacy = "closed"
+}
+
+resource "github_team" "onp_admin_proxmox_mon" {
+ name = "onp-admin-proxmox-mon"
+ description = "オンプレミス環境のproxmox(監視専用ホスト)に接続できるTeam"
+ privacy = "closed"
+}
+
+resource "github_team" "onp_admin_zabbix" {
+ name = "onp-admin-zabbix"
+ description = "オンプレミス環境のzabbixに接続できるTeam"
 privacy = "closed"
 }
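Review bot: The new onp_admin_proxmox_mon and onp_admin_zabbix teams are the membership gate the Cloudflare Access policies added in cloudflare_network_admin_services.tf in this same commit include on, but nothing at the team definition says so; a one-line comment above each, e.g. `# Consumed by cloudflare_access_policy.onp_admin_zabbix (cloudflare_network_admin_services.tf); renaming or removing it breaks that policy's include block.`, makes the coupling visible at the place a future edit is most likely to land. The proxmox description change is wording only. The hunk's first context line is the onp_admin_proxmox resource header; the preceding onp_admin_grafana_team resource is outside the hunk.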