easylinux/Maison
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initialisation depot

Browse Source
This commit is contained in:
Serge NOEL
2026-02-10 12:12:11 +01:00
commit c3176e8d79
818 changed files with 52573 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

330
arti-api/traefik-ingressroute.yaml Normal file
View File

@@ -0,0 +1,330 @@
# Traefik v2 IngressRoute Configuration for Artifactory Services
# Allows internal network (192.168.100.0/24) full access
# Restricts external access to health endpoints only
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: arti-api-ingressroute
namespace: artifactory
spec:
entryPoints:
- web
- websecure
routes:
# Route for health endpoints (accessible externally)
- match: Host(`api.artifactory.local`) && (Path(`/`) || Path(`/health`))
kind: Rule
services:
- name: arti-api-service
port: 8000
middlewares:
- name: api-health-headers
# Route for all other endpoints (internal network only)
- match: Host(`api.artifactory.local`) && !ClientIP(`192.168.100.0/24`)
kind: Rule
services:
- name: arti-api-service
port: 8000
middlewares:
- name: block-external-management
# Route for internal network (full access)
- match: Host(`api.artifactory.local`) && ClientIP(`192.168.100.0/24`)
kind: Rule
services:
- name: arti-api-service
port: 8000
middlewares:
- name: internal-access-headers
tls:
secretName: artifactory-tls
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: docker-registry-ingressroute
namespace: artifactory
spec:
entryPoints:
- web
- websecure
routes:
# Route for health endpoint (accessible externally)
- match: Host(`registry.artifactory.local`) && Path(`/v2/`)
kind: Rule
services:
- name: docker-registry-service
port: 5000
middlewares:
- name: registry-health-headers
# Block external access to push/pull operations
- match: Host(`registry.artifactory.local`) && (PathPrefix(`/v2/`) && !Path(`/v2/`)) && !ClientIP(`192.168.100.0/24`)
kind: Rule
services:
- name: docker-registry-service
port: 5000
middlewares:
- name: block-external-registry-ops
# Route for internal network (full access)
- match: Host(`registry.artifactory.local`) && ClientIP(`192.168.100.0/24`)
kind: Rule
services:
- name: docker-registry-service
port: 5000
middlewares:
- name: internal-access-headers
tls:
secretName: artifactory-tls
---
# Middleware to add security headers for health endpoints
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: api-health-headers
namespace: artifactory
spec:
headers:
customRequestHeaders:
X-Access-Type: "external-health"
customResponseHeaders:
X-Allowed-Endpoints: "health-only"
X-Access-Level: "limited"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: charts-health-headers
namespace: artifactory
spec:
headers:
customRequestHeaders:
X-Access-Type: "external-health"
customResponseHeaders:
X-Allowed-Endpoints: "health-only"
X-Access-Level: "limited"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: registry-health-headers
namespace: artifactory
spec:
headers:
customRequestHeaders:
X-Access-Type: "external-health"
customResponseHeaders:
X-Allowed-Endpoints: "health-only"
X-Access-Level: "limited"
---
# Middleware to block external access to management endpoints
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: block-external-management
namespace: artifactory
spec:
errors:
status:
- "403"
service:
name: error-service
port: 80
query: "/403.html"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: block-external-charts-api
namespace: artifactory
spec:
errors:
status:
- "403"
service:
name: error-service
port: 80
query: "/403.html"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: block-external-registry-ops
namespace: artifactory
spec:
errors:
status:
- "403"
service:
name: error-service
port: 80
query: "/403.html"
---
# Middleware for internal network access
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: internal-access-headers
namespace: artifactory
spec:
headers:
customRequestHeaders:
X-Access-Type: "internal"
customResponseHeaders:
X-Access-Level: "full"
X-Network: "internal"
---
# Middleware for external Chart Museum access (limited)
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: charts-external-access
namespace: artifactory
spec:
headers:
customRequestHeaders:
X-Access-Type: "external-limited"
customResponseHeaders:
X-Access-Level: "read-only"
X-Blocked-Paths: "/api/*"
---
# Error service for displaying 403 pages
apiVersion: apps/v1
kind: Deployment
metadata:
name: error-service
namespace: artifactory
labels:
app: error-service
spec:
replicas: 1
selector:
matchLabels:
app: error-service
template:
metadata:
labels:
app: error-service
spec:
containers:
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
volumeMounts:
- name: error-pages
mountPath: /usr/share/nginx/html
resources:
requests:
memory: "32Mi"
cpu: "50m"
limits:
memory: "64Mi"
cpu: "100m"
volumes:
- name: error-pages
configMap:
name: error-pages-config
---
apiVersion: v1
kind: Service
metadata:
name: error-service
namespace: artifactory
labels:
app: error-service
spec:
type: ClusterIP
ports:
- port: 80
targetPort: 80
protocol: TCP
selector:
app: error-service
---
# ConfigMap with custom error pages
apiVersion: v1
kind: ConfigMap
metadata:
name: error-pages-config
namespace: artifactory
data:
403.html: |
<!DOCTYPE html>
<html>
<head>
<title>Access Denied - Artifactory</title>
<style>
body {
font-family: Arial, sans-serif;
text-align: center;
padding: 50px;
background-color: #f8f9fa;
}
.container {
max-width: 600px;
margin: 0 auto;
background: white;
padding: 40px;
border-radius: 8px;
box-shadow: 0 2px 10px rgba(0,0,0,0.1);
}
.error-code {
font-size: 4em;
color: #dc3545;
margin-bottom: 20px;
}
.error-message {
font-size: 1.5em;
color: #333;
margin-bottom: 20px;
}
.error-description {
color: #666;
margin-bottom: 30px;
}
.access-info {
background: #e3f2fd;
padding: 20px;
border-radius: 4px;
border-left: 4px solid #2196f3;
}
</style>
</head>
<body>
<div class="container">
<div class="error-code">403</div>
<div class="error-message">Access Denied</div>
<div class="error-description">
This endpoint is restricted to internal network access only.
</div>
<div class="access-info">
<strong>For Internal Network Users (192.168.100.0/24):</strong><br>
You have full access to all management endpoints.<br><br>
<strong>For External Users:</strong><br>
Only health check endpoints are available:
<ul style="text-align: left; display: inline-block;">
<li>API Health: <code>/health</code></li>
<li>Chart Museum: <code>/health</code></li>
<li>Docker Registry: <code>/v2/</code></li>
</ul>
</div>
</div>
</body>
</html>
index.html: |
<!DOCTYPE html>
<html>
<head>
<title>Artifactory Error Service</title>
</head>
<body>
<h1>Artifactory Error Service</h1>
<p>This service provides custom error pages for the Artifactory platform.</p>
</body>
</html>