Ajout architecture multi-arch

2025-12-04 11:08:55 +01:00
parent 2080559f46
commit d04d1748d3
10 changed files with 785 additions and 4 deletions
--- a/web-gateway/README.md
+++ b/web-gateway/README.md
@@ -295,12 +295,98 @@ The protocol follows a two-phase approach:

 ## Deployment

-See the Helm chart in `chart/rdp-web-gateway/` for Kubernetes deployment.
+### Kubernetes with Helm
+
+#### Option 1: LoadBalancer (Default)

 ```bash
-helm install rdp-web-gateway ./chart/rdp-web-gateway -n rdpbroker
+# Deploy with LoadBalancer service
+helm install rdp-web-gateway ./chart/rdp-web-gateway \
+  --namespace rdpbroker \
+  --create-namespace \
+  --set service.type=LoadBalancer
 ```

+#### Option 2: Traefik IngressRoute with Let's Encrypt
+
+**Recommended for production with automatic HTTPS**
+
+1. **Apply Traefik middlewares** (one time):
+```bash
+kubectl apply -f chart/rdp-web-gateway/examples/traefik-middlewares.yaml -n rdpbroker
+```
+
+2. **Deploy with Traefik IngressRoute**:
+```bash
+# Edit the host in examples/traefik-letsencrypt.yaml
+# Then deploy:
+helm install rdp-web-gateway ./chart/rdp-web-gateway \
+  --namespace rdpbroker \
+  --create-namespace \
+  -f chart/rdp-web-gateway/examples/traefik-letsencrypt.yaml
+```
+
+Or directly with values:
+```bash
+helm install rdp-web-gateway ./chart/rdp-web-gateway \
+  --namespace rdpbroker \
+  --create-namespace \
+  --set service.type=ClusterIP \
+  --set traefik.enabled=true \
+  --set traefik.host=rdp.yourdomain.com \
+  --set traefik.tls.enabled=true \
+  --set traefik.tls.certResolver=letsencrypt
+```
+
+3. **Verify deployment**:
+```bash
+# Check IngressRoute
+kubectl get ingressroute -n rdpbroker
+
+# Check certificate (after a few seconds)
+kubectl get certificate -n rdpbroker
+
+# Access your gateway
+https://rdp.yourdomain.com
+```
+
+#### Option 3: Standard Ingress (nginx, etc.)
+
+```bash
+helm install rdp-web-gateway ./chart/rdp-web-gateway \
+  --namespace rdpbroker \
+  --create-namespace \
+  --set service.type=ClusterIP \
+  --set ingress.enabled=true \
+  --set ingress.className=nginx \
+  --set ingress.hosts[0].host=rdp.example.com \
+  --set ingress.hosts[0].paths[0].path=/ \
+  --set ingress.hosts[0].paths[0].pathType=Prefix
+```
+
+### Important Notes for Traefik
+
+**WebSocket Support**: Traefik automatically handles WebSocket upgrades, no special configuration needed!
+
+**Let's Encrypt Certificate Resolver**: Ensure your Traefik has a certResolver named `letsencrypt` configured. Example:
+
+```yaml
+# Traefik values.yaml or static config
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: admin@yourdomain.com
+      storage: /data/acme.json
+      httpChallenge:
+        entryPoint: web
+```
+
+**Middlewares**: Apply the recommended middlewares for security:
+- `redirect-to-https` - Force HTTPS
+- `security-headers` - Security headers including WebSocket support
+- `rate-limit` - Prevent abuse
+- `compression` - Reduce bandwidth
+
 ## Browser Support

 - Chrome/Edge 90+
@@ -341,9 +427,11 @@ nc -zv rdpbroker 3389

 ### WebSocket connection fails

-Ensure WebSocket upgrade is allowed through any proxies/load balancers.
+Ensure WebSocket upgrade is allowed through proxies/load balancers.

-For nginx:
+**For Traefik**: Already handled automatically! ✅
+
+**For nginx**:
 ```nginx
 location /ws/ {
    proxy_pass http://backend;
@@ -352,6 +440,13 @@ location /ws/ {
    proxy_set_header Connection "upgrade";
 }
 ```
+
+**For Traefik middlewares**: Ensure security-headers middleware includes:
+```yaml
+customResponseHeaders:
+  Connection: "upgrade"
+  Upgrade: "$http_upgrade"
+```
 ### High memory usage

 Adjust resource limits in Kubernetes values.yaml