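---
# Traefik v2 IngressRoute configuration for Artifactory services
# Allows the internal network (192.168.100.0/24) full access
# Restricts external access to health endpoints only
#
# NOTE(review): ClientIP() and ipWhiteList both evaluate the TCP peer address
# by default. If Traefik sits behind a load balancer or NodePort that SNATs
# traffic, every client appears to come from the same address and the
# internal/external split collapses (all allowed or all denied). Confirm how
# the real client address reaches Traefik (externalTrafficPolicy, PROXY
# protocol, or ipStrategy / trusted forwarded headers) before relying on this.
#
# NOTE(review): apiVersion traefik.containo.us/v1alpha1 is the Traefik v2 API
# group; a migration to traefik.io/v1alpha1 (v2.10+/v3) renames ipWhiteList
# to ipAllowList — confirm against the installed CRDs.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: arti-api-ingressroute
  namespace: artifactory
spec:
  entryPoints:
    # `web` is plain HTTP; the tls block below only applies to websecure.
    # TODO confirm an HTTP->HTTPS redirect exists on the web entry point,
    # otherwise internal management traffic is accepted unencrypted.
    - web
    - websecure
  routes:
    # Health endpoints (accessible externally). Traefik ranks routers by rule
    # length unless an explicit priority is set, so this longer rule wins over
    # the ClientIP routes below for / and /health.
    - match: Host(`api.artifactory.local`) && (Path(`/`) || Path(`/health`))
      kind: Rule
      services:
        - name: arti-api-service
          port: 8000
      middlewares:
        - name: api-health-headers
    # All other endpoints requested from outside the internal network.
    # An errors middleware on its own does NOT deny a request: it only swaps
    # in a custom page when the downstream response already carries one of
    # the listed status codes. With only block-external-management on this
    # route, external requests were forwarded to arti-api-service and served
    # unless the backend itself returned 403. The ipWhiteList middleware
    # internal-only-source-range is what rejects the request with 403 before
    # it reaches the service. Ordering: the errors middleware is listed first
    # so that it wraps the ipWhiteList response and serves the custom page.
    - match: Host(`api.artifactory.local`) && !ClientIP(`192.168.100.0/24`)
      kind: Rule
      services:
        - name: arti-api-service
          port: 8000
      middlewares:
        - name: block-external-management
        - name: internal-only-source-range
    # Internal network (full access).
    - match: Host(`api.artifactory.local`) && ClientIP(`192.168.100.0/24`)
      kind: Rule
      services:
        - name: arti-api-service
          port: 8000
      middlewares:
        - name: internal-access-headers
  tls:
    secretName: artifactory-tls

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: docker-registry-ingressroute
  namespace: artifactory
spec:
  entryPoints:
    # See the note on the api IngressRoute: `web` is unencrypted.
    - web
    - websecure
  routes:
    # Registry API root / health endpoint (accessible externally).
    - match: Host(`registry.artifactory.local`) && Path(`/v2/`)
      kind: Rule
      services:
        - name: docker-registry-service
          port: 5000
      middlewares:
        - name: registry-health-headers
    # Push/pull operations (anything under /v2/ other than /v2/ itself) from
    # outside the internal network. Same pattern as the api route: the errors
    # middleware decorates the 403, the ipWhiteList middleware enforces it.
    # External requests to paths outside /v2/ match no route and get Traefik's
    # default 404.
    - match: Host(`registry.artifactory.local`) && (PathPrefix(`/v2/`) && !Path(`/v2/`)) && !ClientIP(`192.168.100.0/24`)
      kind: Rule
      services:
        - name: docker-registry-service
          port: 5000
      middlewares:
        - name: block-external-registry-ops
        - name: internal-only-source-range
    # Internal network (full access).
    - match: Host(`registry.artifactory.local`) && ClientIP(`192.168.100.0/24`)
      kind: Rule
      services:
        - name: docker-registry-service
          port: 5000
      middlewares:
        - name: internal-access-headers
  tls:
    secretName: artifactory-tls

---
# Middleware that rejects every request not originating from the internal
# network with 403. This is the enforcing control for the "!ClientIP" routes
# above; the block-external-* errors middlewares only decorate that 403 with
# the custom page. Uses the same source-address semantics as ClientIP(), so
# the proxy/SNAT caveat at the top of the file applies here too.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: internal-only-source-range
  namespace: artifactory
spec:
  ipWhiteList:
    sourceRange:
      - "192.168.100.0/24"

---
# Middleware to add marker headers for health endpoints.
# NOTE(review): X-Access-Type is set on the request for the backend's benefit.
# Backends must not treat it as an authorization signal unless every route
# that reaches them sets it — the denied external routes above do not.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: api-health-headers
  namespace: artifactory
spec:
  headers:
    customRequestHeaders:
      X-Access-Type: "external-health"
    customResponseHeaders:
      X-Allowed-Endpoints: "health-only"
      X-Access-Level: "limited"

---
# Same health-endpoint headers for Chart Museum.
# NOTE(review): no IngressRoute in this file references the charts-*
# middlewares; presumably a charts IngressRoute lives elsewhere — verify.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: charts-health-headers
  namespace: artifactory
spec:
  headers:
    customRequestHeaders:
      X-Access-Type: "external-health"
    customResponseHeaders:
      X-Allowed-Endpoints: "health-only"
      X-Access-Level: "limited"

---
# Same health-endpoint headers for the Docker registry.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: registry-health-headers
  namespace: artifactory
spec:
  headers:
    customRequestHeaders:
      X-Access-Type: "external-health"
    customResponseHeaders:
      X-Allowed-Endpoints: "health-only"
      X-Access-Level: "limited"

---
# Custom 403 page for management endpoints. This middleware only replaces a
# 403 response with /403.html from error-service; it denies nothing by itself.
# Pair it with internal-only-source-range on any route that must be blocked.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: block-external-management
  namespace: artifactory
spec:
  errors:
    status:
      - "403"
    service:
      name: error-service
      port: 80
    query: "/403.html"

---
# Custom 403 page for the Chart Museum API (see note on block-external-management).
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: block-external-charts-api
  namespace: artifactory
spec:
  errors:
    status:
      - "403"
    service:
      name: error-service
      port: 80
    query: "/403.html"

---
# Custom 403 page for registry push/pull (see note on block-external-management).
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: block-external-registry-ops
  namespace: artifactory
spec:
  errors:
    status:
      - "403"
    service:
      name: error-service
      port: 80
    query: "/403.html"

---
# Middleware for internal network access (marker headers only).
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: internal-access-headers
  namespace: artifactory
spec:
  headers:
    customRequestHeaders:
      X-Access-Type: "internal"
    customResponseHeaders:
      X-Access-Level: "full"
      X-Network: "internal"

---
# Middleware for external Chart Museum access (limited).
# NOTE(review): X-Blocked-Paths is informational; nothing in this file blocks
# /api/* for charts — the enforcing control must live on the charts route.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: charts-external-access
  namespace: artifactory
spec:
  headers:
    customRequestHeaders:
      X-Access-Type: "external-limited"
    customResponseHeaders:
      X-Access-Level: "read-only"
      X-Blocked-Paths: "/api/*"

---
# Error service for displaying 403 pages.
# NOTE(review): nginx:alpine is an unpinned tag and the stock image starts as
# root to bind port 80; pin the image (digest or exact tag) and consider an
# unprivileged nginx variant plus a restrictive securityContext. Left
# unchanged here because the stock image would not start non-root on port 80.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: error-service
  namespace: artifactory
  labels:
    app: error-service
spec:
  replicas: 1
  selector:
    matchLabels:
      app: error-service
  template:
    metadata:
      labels:
        app: error-service
    spec:
      containers:
        - name: nginx
          image: nginx:alpine
          ports:
            - containerPort: 80
          volumeMounts:
            # Static error pages from the ConfigMap below replace nginx's
            # default document root.
            - name: error-pages
              mountPath: /usr/share/nginx/html
          resources:
            requests:
              memory: "32Mi"
              cpu: "50m"
            limits:
              memory: "64Mi"
              cpu: "100m"
      volumes:
        - name: error-pages
          configMap:
            name: error-pages-config

---
apiVersion: v1
kind: Service
metadata:
  name: error-service
  namespace: artifactory
  labels:
    app: error-service
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    app: error-service

---
# ConfigMap with custom error pages.
# NOTE(review): the page bodies below are reproduced as they appear in this
# copy of the file (plain text); if they were originally HTML, the markup is
# not present here — confirm against the source of truth.
apiVersion: v1
kind: ConfigMap
metadata:
  name: error-pages-config
  namespace: artifactory
data:
  403.html: |
    Access Denied - Artifactory
    403
    Access Denied
    This endpoint is restricted to internal network access only.
    For Internal Network Users (192.168.100.0/24):
    You have full access to all management endpoints.

    For External Users:
    Only health check endpoints are available:
  index.html: |
    Artifactory Error Service

    Artifactory Error Service

    This service provides custom error pages for the Artifactory platform.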