From fe6106eacedd18b10b0f25fb4867975058b6ad23 Mon Sep 17 00:00:00 2001 From: unchama <11990197+unchama@users.noreply.github.com> Date: Thu, 28 Dec 2023 03:25:41 +0900 Subject: [PATCH] =?UTF-8?q?feat:=20proxmox-mon=E3=81=A8zabbix=E8=BF=BD?= =?UTF-8?q?=E5=8A=A0=E3=80=81IP=E4=BF=AE=E6=AD=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../cloudflared-tunnel-exits/http-exits.yaml | 8 ++- .../cloudflared-tunnel-exits/https-exits.yaml | 8 ++- .../cloudflare_network_admin_services.tf | 53 +++++++++++++++++++ terraform/github_teams.tf | 14 ++++- 4 files changed, 80 insertions(+), 3 deletions(-) diff --git a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cloudflared-tunnel-exits/http-exits.yaml b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cloudflared-tunnel-exits/http-exits.yaml index 8b3225a09..659af2b89 100644 --- a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cloudflared-tunnel-exits/http-exits.yaml +++ b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cloudflared-tunnel-exits/http-exits.yaml @@ -22,14 +22,20 @@ spec: # オンプレにもともとあった Grafana。 # grafana側でGitHub-SSO認証が掛かっているため、Cloudflare のレイヤではアクセス制御はしていない。 + # TODO 新VMに乗り換え(sc-monitoring-01(10.123.0.193:3000) on sc-proxmox-mon-01) - name: grafana-onp external-hostname: grafana.onp.admin.seichi.click internal-authority: "192.168.3.20:3000" + # zabbix + - name: zabbix + external-hostname: zabbix.onp.admin.seichi.click + internal-authority: "10.123.0.193:8080" + # raritan(PDU) - name: raritan external-hostname: raritan.onp.admin.seichi.click - internal-authority: "192.168.19.200:80" + internal-authority: "10.123.0.200:80" # プライベートなminecraft pluginをアップロードするためのMinIO。 # 肝心のオブジェクトストレージは seichi-private-plugin-blackhole-minio.minio:9000 にClusterIPでアクセスすればよい。 
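Review bot: The new `zabbix` exit carries only a bare `# zabbix` comment, while the neighbouring Grafana entry spells out where its access control lives, so a reader of this file cannot tell whether the Zabbix UI is gated at the Cloudflare layer or left to Zabbix's own login. The Access application and policy for `zabbix.onp.admin.seichi.click` are added in `terraform/cloudflare_network_admin_services.tf` in this same commit, and the comment should say so, e.g. `# zabbix (sc-monitoring-01 on sc-proxmox-mon-01)。Cloudflare Access (onp_admin_zabbix) で GitHub team によるアクセス制御を行う。`. It is also worth noting next to the entry that the backend is plain HTTP (`10.123.0.193:8080`, the same VM the Grafana TODO names for its future move), so TLS ends at cloudflared and the hop to the VM relies on the on-prem network.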
diff --git a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cloudflared-tunnel-exits/https-exits.yaml b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cloudflared-tunnel-exits/https-exits.yaml index dc77ddfbf..c978bb0c4 100644 --- a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cloudflared-tunnel-exits/https-exits.yaml +++ b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cloudflared-tunnel-exits/https-exits.yaml @@ -31,9 +31,15 @@ spec: # 現時点(2022/04/25)ではproxmoxはHTTPS**しか**サポートしないらしく、 # (https://forum.proxmox.com/threads/disabling-ssl-on-latest-proxmox-ve.42889/post-205902) # 自己署名証明書で保護されているため、 noTLSVerify で無視する。 + + # 本番クラスタ向け - name: proxmox external-hostname: proxmox.onp.admin.seichi.click - internal-authority: 192.168.1.154:8006 + internal-authority: 10.123.0.154:8006 + # 監視専用ホスト向け + - name: proxmox-mon + external-hostname: proxmox-mon.onp.admin.seichi.click + internal-authority: 10.123.0.181:8006 # Redmine - name: redmine diff --git a/terraform/cloudflare_network_admin_services.tf b/terraform/cloudflare_network_admin_services.tf index 54dd432c0..55b6105fe 100644 --- a/terraform/cloudflare_network_admin_services.tf +++ b/terraform/cloudflare_network_admin_services.tf 
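Review bot: The new `proxmox-mon` exit inherits the `noTLSVerify` rationale written above for the production cluster, but that comment (dated 2022/04/25) describes one host; nothing records that `10.123.0.181:8006` also presents a self-signed certificate, and with verification disabled cloudflared cannot tell a substituted origin from the real one. Add a line under `# 監視専用ホスト向け` stating that assumption and pointing at the Cloudflare Access gate, e.g. `# 本番クラスタと同様に自己署名証明書のため noTLSVerify。アクセス制御は Cloudflare Access (onp_admin_proxmox_mon) で行う。`. Whether `noTLSVerify` is set per entry or by a shared tunnel config is not visible in this hunk, so the comment should name wherever it actually lives.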
@@ -66,6 +66,59 @@ resource "cloudflare_access_policy" "onp_admin_proxmox" { } } + +resource "cloudflare_access_application" "onp_admin_proxmox_mon" { + zone_id = local.cloudflare_zone_id + name = "Proxmox-mon administration" + domain = "proxmox-mon.onp.admin.${local.root_domain}" + type = "self_hosted" + session_duration = "24h" + + http_only_cookie_attribute = true +} + +resource "cloudflare_access_policy" "onp_admin_proxmox_mon" { + application_id = cloudflare_access_application.onp_admin_proxmox_mon.id + zone_id = local.cloudflare_zone_id + name = "Require to be in a GitHub team to access" + precedence = "1" + decision = "allow" + + include { + github { + name = local.github_org_name + teams = [github_team.onp_admin_proxmox_mon.slug] + identity_provider_id = cloudflare_access_identity_provider.github_oauth.id + } + } +} + +resource "cloudflare_access_application" "onp_admin_zabbix" { + zone_id = local.cloudflare_zone_id + name = "Zabbix administration" + domain = "zabbix.onp.admin.${local.root_domain}" + type = "self_hosted" + session_duration = "24h" + + http_only_cookie_attribute = true +} + +resource "cloudflare_access_policy" "onp_admin_zabbix" { + application_id = cloudflare_access_application.onp_admin_zabbix.id + zone_id = local.cloudflare_zone_id + name = "Require to be in a GitHub team to access" + precedence = "1" + decision = "allow" + + include { + github { + name = local.github_org_name + teams = [github_team.onp_admin_zabbix.slug] + identity_provider_id = cloudflare_access_identity_provider.github_oauth.id + } + } +} + resource "cloudflare_access_application" "onp_admin_raritan" { zone_id = local.cloudflare_zone_id name = "raritan(PDU) administration" diff --git a/terraform/github_teams.tf b/terraform/github_teams.tf index cae4cac51..f49276da1 100644 --- a/terraform/github_teams.tf +++ b/terraform/github_teams.tf 
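Review bot: The four new resources repeat the `onp_admin_proxmox` application/policy pair line for line with only name, domain and team changed, and nothing in the file records which backend each one fronts. A comment on each new `cloudflare_access_application` tying it to the tunnel exit and host would help, e.g. `# 監視専用 Proxmox ホスト (10.123.0.181:8006) 向け。tunnel exit は https-exits.yaml の proxmox-mon。` for `onp_admin_proxmox_mon`, and the equivalent (`zabbix` exit in `http-exits.yaml`, `10.123.0.193:8080`) for `onp_admin_zabbix`. If this copy-paste keeps growing, a `for_each` over a local map of {name, domain, team} with `moved` blocks for the existing pairs would keep the shared settings (`session_duration`, `http_only_cookie_attribute`, the GitHub include) from drifting between services; that is a follow-up rather than a blocker. `session_duration = "24h"` for a hypervisor console mirrors the existing Proxmox application, so it is consistent, but a one-line justification of the value is worth adding now that the monitoring host exposes two admin UIs.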
@@ -31,7 +31,19 @@ resource "github_team" "onp_admin_grafana_team" { resource "github_team" "onp_admin_proxmox" { name = "onp-admin-proxmox" - description = "オンプレミス環境のproxmoxに接続できるTeam" + description = "オンプレミス環境のproxmox(本番クラスタ)に接続できるTeam" + privacy = "closed" +} + +resource "github_team" "onp_admin_proxmox_mon" { + name = "onp-admin-proxmox-mon" + description = "オンプレミス環境のproxmox(監視専用ホスト)に接続できるTeam" + privacy = "closed" +} + +resource "github_team" "onp_admin_zabbix" { + name = "onp-admin-zabbix" + description = "オンプレミス環境のzabbixに接続できるTeam" privacy = "closed" }
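Review bot: The new `onp_admin_proxmox_mon` and `onp_admin_zabbix` teams are the sole condition in the two Access policies added in `terraform/cloudflare_network_admin_services.tf`, yet no membership is declared in this hunk; presumably memberships are managed elsewhere or by hand, in which case a comment saying where would stop the next reader from assuming an empty team means a locked-out service. A single line such as `# メンバーは <membership-location placeholder> で管理する` on each new resource is enough. The description edit on `onp_admin_proxmox` is a useful disambiguation now that two Proxmox hosts exist.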