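# Traefik v2 IngressRoute configuration for Artifactory services.
#
# Intended policy:
#   * Clients in the internal network (192.168.100.0/24) get full access.
#   * Everyone else may reach the health endpoints only.
#
# How the policy is enforced, and what to verify before trusting it:
#   * ClientIP() in Traefik v2 compares the source address of the TCP
#     connection Traefik accepted, not X-Forwarded-For. If Traefik sits behind
#     a NAT or load balancer that does not pass the client address through
#     (no PROXY protocol, externalTrafficPolicy: Cluster, ...), every client
#     shares the LB's address and the split collapses to all-or-nothing.
#     Check how traffic reaches the entrypoints; that is not visible here.
#   * A route matching "!ClientIP(...)" still proxies to the service. The
#     request is only denied if the middleware attached to that route denies
#     (an ipWhiteList-type middleware). A headers- or errors-type middleware
#     on that route does not stop the request from reaching the backend.
#   * Routes carry explicit priorities; Traefik's default (rule string length)
#     would otherwise decide which route wins and could flip on a rule edit.
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: arti-api-ingressroute
  namespace: artifactory
spec:
  # HTTPS only. The plain-HTTP "web" entrypoint is not served: the internal
  # route carries management traffic (credentials, tokens) and nothing here
  # redirected HTTP to HTTPS. If an HTTP->HTTPS redirect is wanted, add it as
  # a separate router on "web" with a redirectScheme middleware.
  entryPoints:
    - websecure
  routes:
    # Health endpoints, reachable from any client. Highest priority so it
    # beats both IP-based routes for these two paths (internal clients on
    # "/" and "/health" are therefore labelled external-health as well, which
    # is the same order Traefik's rule-length default produced).
    # NOTE(review): "/" is exposed publicly as a "health" path; confirm the
    # API really serves a health handler at "/" and not an index or doc page.
    - match: Host(`api.artifactory.local`) && (Path(`/`) || Path(`/health`))
      kind: Rule
      priority: 30
      services:
        - name: arti-api-service
          port: 8000
      middlewares:
        - name: api-health-headers

    # Every other path for clients outside the internal network. This route
    # proxies to the API service; the denial has to come from the middleware
    # (it must be an ipWhiteList-type middleware, not a headers/errors one).
    - match: Host(`api.artifactory.local`) && !ClientIP(`192.168.100.0/24`)
      kind: Rule
      priority: 20
      services:
        - name: arti-api-service
          port: 8000
      middlewares:
        - name: block-external-management

    # Full access for the internal network.
    - match: Host(`api.artifactory.local`) && ClientIP(`192.168.100.0/24`)
      kind: Rule
      priority: 10
      services:
        - name: arti-api-service
          port: 8000
      middlewares:
        - name: internal-access-headers
  tls:
    secretName: artifactory-tls
---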
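# Docker registry router. Same policy and the same caveats as the API router:
# ClientIP() sees the connection's source address (not X-Forwarded-For), and
# a "!ClientIP(...)" route still proxies unless its middleware denies.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: docker-registry-ingressroute
  namespace: artifactory
spec:
  # HTTPS only. Plain HTTP was dropped because push/pull carry registry
  # credentials, and Docker clients refuse a non-TLS registry unless it is
  # explicitly configured as insecure, so "web" served no legitimate client.
  entryPoints:
    - websecure
  routes:
    # Everything under /v2/ except the exact version-check path (manifests,
    # blobs, tags: i.e. push and pull) for clients outside the internal
    # network. This route still proxies to the registry; the attached
    # middleware must be the one that denies (ipWhiteList-type). If it does
    # not, external push/pull is open, limited only by whatever authentication
    # the registry itself enforces, which this manifest does not show.
    # Paths outside /v2/ match no route for external clients and get
    # Traefik's default 404.
    - match: Host(`registry.artifactory.local`) && (PathPrefix(`/v2/`) && !Path(`/v2/`)) && !ClientIP(`192.168.100.0/24`)
      kind: Rule
      priority: 30
      services:
        - name: docker-registry-service
          port: 5000
      middlewares:
        - name: block-external-registry-ops

    # Full access for the internal network (wins over the health route for
    # internal clients, as the rule-length default already did).
    - match: Host(`registry.artifactory.local`) && ClientIP(`192.168.100.0/24`)
      kind: Rule
      priority: 20
      services:
        - name: docker-registry-service
          port: 5000
      middlewares:
        - name: internal-access-headers

    # Registry API version check, reachable from any client. Exact path only.
    - match: Host(`registry.artifactory.local`) && Path(`/v2/`)
      kind: Rule
      priority: 10
      services:
        - name: docker-registry-service
          port: 5000
      middlewares:
        - name: registry-health-headers
  tls:
    secretName: artifactory-tls
---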
# Labels requests that arrive through the public API health route.
#
# customRequestHeaders is applied with Set semantics: any X-Access-Type a
# client sent is replaced, so the backend sees Traefik's value on this route.
# The response headers are informational only; they name the route class and
# reveal nothing about the network layout.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  namespace: artifactory
  name: api-health-headers
spec:
  headers:
    customRequestHeaders:
      X-Access-Type: 'external-health'
    customResponseHeaders:
      X-Access-Level: 'limited'
      X-Allowed-Endpoints: 'health-only'
---
# Labels requests on a public Chart Museum health route.
# NOTE(review): no IngressRoute in this file references this middleware; a
# ChartMuseum router is presumably defined elsewhere. Verify it exists, or
# this resource is dead configuration.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: charts-health-headers
  namespace: artifactory
spec:
  headers:
    # Set (not appended): overrides any client-supplied X-Access-Type.
    customRequestHeaders:
      X-Access-Type: "external-health"
    # Informational response headers; not an access control.
    customResponseHeaders:
      X-Allowed-Endpoints: "health-only"
      X-Access-Level: "limited"
---
# Labels requests that arrive through the public registry version-check
# route (Path `/v2/`). Request header is set by Traefik, replacing whatever
# the client sent; response headers only describe the route class.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  namespace: artifactory
  name: registry-health-headers
spec:
  headers:
    customResponseHeaders:
      X-Access-Level: 'limited'
      X-Allowed-Endpoints: 'health-only'
    customRequestHeaders:
      X-Access-Type: 'external-health'
---
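# Denies API requests that reach the external-client route.
#
# Do NOT turn this into an errors-type middleware: "errors" only swaps the
# response body when the upstream has already answered with one of the
# listed status codes; it never stops the request from being proxied, so it
# is not an access control. An ipWhiteList middleware rejects the request in
# Traefik with 403 before it reaches the service.
#
# The allowed range is the internal network, so the middleware stays correct
# even if it is ever attached to a route that does not exclude internal
# clients. With no ipStrategy set it checks the connection's remote address,
# the same address ClientIP() matches on. (On Traefik >= 2.11 the equivalent
# field is also available as ipAllowList.)
#
# To keep serving the custom page from error-service, add a separate
# errors-type middleware and list it *before* this one in the route's
# middlewares so it wraps the 403 produced here.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: block-external-management
  namespace: artifactory
spec:
  ipWhiteList:
    sourceRange:
      - "192.168.100.0/24"
---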
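# Denies Chart Museum API requests from outside the internal network.
#
# Previously an errors-type middleware, which only rewrites a 403 response
# the upstream already produced and never blocks the request itself. This
# ipWhiteList rejects in Traefik (403) before the request is proxied; with no
# ipStrategy it uses the connection's remote address, like ClientIP().
# The custom 403 page can be kept by listing a separate errors-type
# middleware before this one in the route's middlewares.
#
# NOTE(review): no IngressRoute in this file references this middleware; the
# ChartMuseum router is presumably elsewhere. Verify it is actually attached.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: block-external-charts-api
  namespace: artifactory
spec:
  ipWhiteList:
    sourceRange:
      - "192.168.100.0/24"
---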
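# Denies registry push/pull (everything under /v2/ except the exact version
# check) from outside the internal network.
#
# This must be a real access control. An errors-type middleware here only
# replaces a 403 body the registry already returned and still forwards every
# request, which would leave external push and pull open, limited only by
# whatever authentication the registry itself enforces (not shown in this
# file). ipWhiteList rejects the request in Traefik with 403; with no
# ipStrategy it checks the connection's remote address, like ClientIP().
# To keep the custom 403 page, list a separate errors-type middleware before
# this one in the route's middlewares.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: block-external-registry-ops
  namespace: artifactory
spec:
  ipWhiteList:
    sourceRange:
      - "192.168.100.0/24"
---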
# Labels requests admitted by the ClientIP(`192.168.100.0/24`) routes.
#
# Traefik sets X-Access-Type on the request (replacing any client-supplied
# value), so a backend can use it to recognise the internal route. That only
# holds on routes that carry a headers middleware: a route without one
# forwards whatever X-Access-Type the client sent, unchanged, so the backend
# must not treat the header as proof of origin on its own.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  namespace: artifactory
  name: internal-access-headers
spec:
  headers:
    customResponseHeaders:
      X-Network: 'internal'
      X-Access-Level: 'full'
    customRequestHeaders:
      X-Access-Type: 'internal'
---
# Labels external Chart Museum traffic.
#
# This middleware restricts nothing. X-Blocked-Paths and X-Access-Level are
# plain response headers that describe a policy; they do not enforce it.
# Keeping external clients out of /api/* has to be done by the route match
# or an ipWhiteList-type middleware on the ChartMuseum router, which is not
# part of this file (nothing here references this middleware either).
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  namespace: artifactory
  name: charts-external-access
spec:
  headers:
    customResponseHeaders:
      X-Blocked-Paths: '/api/*'
      X-Access-Level: 'read-only'
    customRequestHeaders:
      X-Access-Type: 'external-limited'
---
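# Static nginx that serves the custom error pages referenced by the
# errors-type middlewares (query "/403.html"). It is only reached through
# Traefik via a ClusterIP service and serves files from a ConfigMap, so it
# needs no Kubernetes API access and no privilege escalation.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: error-service
  namespace: artifactory
  labels:
    app: error-service
spec:
  replicas: 1
  selector:
    matchLabels:
      app: error-service
  template:
    metadata:
      labels:
        app: error-service
    spec:
      # Nothing in this pod talks to the API server; do not mount a token.
      automountServiceAccountToken: false
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: nginx
          # NOTE(review): floating tag. Pin to an immutable digest
          # (nginx:alpine@sha256:...) so the image serving these pages cannot
          # change underneath a rebuild or a registry re-tag.
          image: nginx:alpine
          ports:
            - containerPort: 80
          securityContext:
            # NOTE(review): the stock nginx image is expected to start as root
            # and drop to an unprivileged worker user; no_new_privs does not
            # interfere with that. A read-only root filesystem or dropping all
            # capabilities would need an unprivileged nginx image plus writable
            # emptyDirs, so they are deliberately not set here.
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: error-pages
              mountPath: /usr/share/nginx/html
              readOnly: true
          resources:
            requests:
              memory: "32Mi"
              cpu: "50m"
            limits:
              memory: "64Mi"
              cpu: "100m"
      volumes:
        - name: error-pages
          configMap:
            name: error-pages-config
---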
# In-cluster service in front of the error-pages Deployment. ClusterIP only:
# it is never exposed directly, Traefik's errors middlewares fetch pages
# from it by service name and port 80.
apiVersion: v1
kind: Service
metadata:
  namespace: artifactory
  name: error-service
  labels:
    app: error-service
spec:
  selector:
    app: error-service
  type: ClusterIP
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
---
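# Custom error pages served by error-service.
#
# The 403 page is shown to clients *outside* the internal network, so it must
# not describe that network: no CIDRs and no statement of what internal
# users are allowed to do. The previous version printed the trusted range
# (192.168.100.0/24) to every external client. It now names only the
# endpoints that are public anyway.
apiVersion: v1
kind: ConfigMap
metadata:
  name: error-pages-config
  namespace: artifactory
data:
  403.html: |
    <!DOCTYPE html>
    <html>
    <head>
      <title>Access Denied - Artifactory</title>
      <style>
        body {
          font-family: Arial, sans-serif;
          text-align: center;
          padding: 50px;
          background-color: #f8f9fa;
        }
        .container {
          max-width: 600px;
          margin: 0 auto;
          background: white;
          padding: 40px;
          border-radius: 8px;
          box-shadow: 0 2px 10px rgba(0,0,0,0.1);
        }
        .error-code {
          font-size: 4em;
          color: #dc3545;
          margin-bottom: 20px;
        }
        .error-message {
          font-size: 1.5em;
          color: #333;
          margin-bottom: 20px;
        }
        .error-description {
          color: #666;
          margin-bottom: 30px;
        }
        .access-info {
          background: #e3f2fd;
          padding: 20px;
          border-radius: 4px;
          border-left: 4px solid #2196f3;
        }
      </style>
    </head>
    <body>
      <div class="container">
        <div class="error-code">403</div>
        <div class="error-message">Access Denied</div>
        <div class="error-description">
          This endpoint is restricted to internal network access only.
        </div>
        <div class="access-info">
          Only the health check endpoints are available from your location:
          <ul style="text-align: left; display: inline-block;">
            <li>API Health: <code>/health</code></li>
            <li>Chart Museum: <code>/health</code></li>
            <li>Docker Registry: <code>/v2/</code></li>
          </ul>
        </div>
      </div>
    </body>
    </html>
  index.html: |
    <!DOCTYPE html>
    <html>
    <head>
      <title>Artifactory Error Service</title>
    </head>
    <body>
      <h1>Artifactory Error Service</h1>
      <p>This service provides custom error pages for the Artifactory platform.</p>
    </body>
    </html>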