Ajout architecture multi-arch

web-gateway/chart/rdp-web-gateway/examples/rpi4-k3s.yaml

@@ -0,0 +1,108 @@
+# Raspberry Pi 4 optimized values for K3s cluster
+# Deploy with: helm install rdp-web-gateway ./chart/rdp-web-gateway -f examples/rpi4-k3s.yaml
+
+# Use ClusterIP with Traefik (common on K3s)
+service:
+  type: ClusterIP
+  port: 80
+  targetPort: 8080
+
+# Traefik IngressRoute (K3s includes Traefik by default)
+traefik:
+  enabled: true
+  host: rdp.yourdomain.com
+  entryPoints:
+    - websecure
+  tls:
+    enabled: true
+    certResolver: letsencrypt
+
+# Reduced resources for Raspberry Pi 4
+resources:
+  limits:
+    cpu: 500m       # 0.5 CPU core
+    memory: 512Mi   # 512MB RAM
+  requests:
+    cpu: 100m       # 0.1 CPU core minimum
+    memory: 128Mi   # 128MB RAM minimum
+
+# Conservative autoscaling for RPi cluster
+autoscaling:
+  enabled: true
+  minReplicas: 1       # Start with 1 pod
+  maxReplicas: 3       # Max 3 pods (adjust based on cluster size)
+  targetCPUUtilizationPercentage: 70
+  targetMemoryUtilizationPercentage: 80
+
+# Start with single replica
+replicaCount: 1
+
+# RDP Broker connection (internal ClusterIP)
+config:
+  rdpBroker:
+    host: "rdpbroker"
+    port: 3389
+  server:
+    port: 8080
+
+# Spread pods across nodes if you have multiple RPi
+affinity:
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 100
+        podAffinityTerm:
+          labelSelector:
+            matchExpressions:
+              - key: app.kubernetes.io/name
+                operator: In
+                values:
+                  - rdp-web-gateway
+          topologyKey: kubernetes.io/hostname
+
+# Optimize for ARM64
+podAnnotations:
+  cluster.autoscaler.kubernetes.io/safe-to-evict: "true"
+
+# Security context
+securityContext:
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  runAsUser: 1001
+  allowPrivilegeEscalation: false
+
+podSecurityContext:
+  fsGroup: 1001
+  runAsNonRoot: true
+  runAsUser: 1001
+
+# Health checks with longer delays for slower RPi startup
+livenessProbe:
+  httpGet:
+    path: /health
+    port: http
+  initialDelaySeconds: 45   # Increased from 30
+  periodSeconds: 15         # Increased from 10
+  timeoutSeconds: 5
+  failureThreshold: 3
+
+readinessProbe:
+  httpGet:
+    path: /health
+    port: http
+  initialDelaySeconds: 15   # Increased from 10
+  periodSeconds: 10         # Increased from 5
+  timeoutSeconds: 3
+  failureThreshold: 3
+
+# Optional: Node selector for ARM64 nodes only
+# nodeSelector:
+#   kubernetes.io/arch: arm64
+
+# Optional: Tolerate RPi-specific taints
+# tolerations:
+#   - key: "node.kubernetes.io/arm64"
+#     operator: "Exists"
+#     effect: "NoSchedule"

web-gateway/chart/rdp-web-gateway/examples/traefik-advanced.yaml

@@ -0,0 +1,71 @@
+# Example: Traefik with multiple middlewares and custom cert
+# Deploy with: helm install rdp-web-gateway ./chart/rdp-web-gateway -f examples/traefik-advanced.yaml
+
+service:
+  type: ClusterIP
+  port: 80
+  targetPort: 8080
+
+traefik:
+  enabled: true
+  host: rdp.yourdomain.com
+  annotations:
+    # Optional annotations
+    kubernetes.io/ingress.class: traefik
+  entryPoints:
+    - web       # HTTP (will redirect to HTTPS)
+    - websecure # HTTPS
+  middlewares:
+    # Redirect HTTP to HTTPS
+    - name: redirect-to-https
+    # Add security headers
+    - name: security-headers
+    # Rate limiting
+    - name: rate-limit
+  tls:
+    enabled: true
+    certResolver: letsencrypt
+    # Specify multiple domains/SANs
+    domains:
+      - main: rdp.yourdomain.com
+        sans:
+          - www.rdp.yourdomain.com
+          - rdp-gateway.yourdomain.com
+
+config:
+  rdpBroker:
+    host: "rdpbroker"
+    port: 3389
+  server:
+    port: 8080
+
+# Production resource limits
+resources:
+  limits:
+    cpu: 2000m
+    memory: 2Gi
+  requests:
+    cpu: 500m
+    memory: 512Mi
+
+# Autoscaling for production
+autoscaling:
+  enabled: true
+  minReplicas: 3
+  maxReplicas: 20
+  targetCPUUtilizationPercentage: 60
+  targetMemoryUtilizationPercentage: 70
+
+# Pod anti-affinity for high availability
+affinity:
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 100
+        podAffinityTerm:
+          labelSelector:
+            matchExpressions:
+              - key: app.kubernetes.io/name
+                operator: In
+                values:
+                  - rdp-web-gateway
+          topologyKey: kubernetes.io/hostname

web-gateway/chart/rdp-web-gateway/examples/traefik-letsencrypt.yaml

@@ -0,0 +1,63 @@
+# Example: Traefik with Let's Encrypt
+# Deploy with: helm install rdp-web-gateway ./chart/rdp-web-gateway -f examples/traefik-letsencrypt.yaml
+
+# Disable LoadBalancer, use IngressRoute instead
+service:
+  type: ClusterIP
+  port: 80
+  targetPort: 8080
+
+# Enable Traefik IngressRoute
+traefik:
+  enabled: true
+  host: rdp.yourdomain.com
+  entryPoints:
+    - websecure  # HTTPS entry point
+  tls:
+    enabled: true
+    certResolver: letsencrypt  # Must match your Traefik certResolver name
+  # Optional: Add middlewares
+  # middlewares:
+  #   - name: redirect-to-https
+  #   - name: rate-limit
+
+# RDP Broker connection (internal ClusterIP)
+config:
+  rdpBroker:
+    host: "rdpbroker"  # Kubernetes service name
+    port: 3389
+  server:
+    port: 8080
+
+# Recommended: Enable network policies for security
+networkPolicy:
+  enabled: true
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # Allow traffic from Traefik
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            name: traefik  # Adjust to your Traefik namespace
+      ports:
+      - protocol: TCP
+        port: 8080
+  egress:
+    # Allow traffic to RdpBroker
+    - to:
+      - podSelector:
+          matchLabels:
+            app: rdpbroker
+      ports:
+      - protocol: TCP
+        port: 3389
+    # Allow DNS resolution
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            name: kube-system
+      ports:
+      - protocol: UDP
+        port: 53

web-gateway/chart/rdp-web-gateway/examples/traefik-middlewares.yaml

@@ -0,0 +1,71 @@
+# Recommended Traefik Middlewares for RDP Web Gateway
+# Apply these in your Traefik namespace or the same namespace as web-gateway
+
+---
+# Redirect HTTP to HTTPS
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-to-https
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+
+---
+# Security Headers
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: security-headers
+spec:
+  headers:
+    browserXssFilter: true
+    contentTypeNosniff: true
+    forceSTSHeader: true
+    frameDeny: true
+    stsIncludeSubdomains: true
+    stsPreload: true
+    stsSeconds: 31536000
+    customFrameOptionsValue: "SAMEORIGIN"
+    customResponseHeaders:
+      X-Forwarded-Proto: "https"
+      # Allow WebSocket upgrade
+      Connection: "upgrade"
+      Upgrade: "$http_upgrade"
+
+---
+# Rate Limiting (adjust as needed)
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: rate-limit
+spec:
+  rateLimit:
+    average: 100
+    burst: 50
+    period: 1s
+
+---
+# IP Whitelist (optional - restrict to specific IPs/ranges)
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: ip-whitelist
+spec:
+  ipWhiteList:
+    sourceRange:
+      - 192.168.1.0/24
+      - 10.0.0.0/8
+    # For use behind a proxy/load balancer
+    ipStrategy:
+      depth: 1
+
+---
+# Compression
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: compression
+spec:
+  compress: {}

web-gateway/chart/rdp-web-gateway/templates/ingressroute.yaml

@@ -0,0 +1,44 @@
+{{- if .Values.traefik.enabled -}}
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ include "rdp-web-gateway.fullname" . }}
+  labels:
+    {{- include "rdp-web-gateway.labels" . | nindent 4 }}
+  {{- with .Values.traefik.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  entryPoints:
+    {{- toYaml .Values.traefik.entryPoints | nindent 4 }}
+  routes:
+  - match: Host(`{{ .Values.traefik.host }}`)
+    kind: Rule
+    services:
+    - name: {{ include "rdp-web-gateway.fullname" . }}
+      port: {{ .Values.service.port }}
+    {{- if .Values.traefik.middlewares }}
+    middlewares:
+      {{- toYaml .Values.traefik.middlewares | nindent 6 }}
+    {{- end }}
+  {{- if .Values.traefik.tls.enabled }}
+  tls:
+    {{- if .Values.traefik.tls.certResolver }}
+    certResolver: {{ .Values.traefik.tls.certResolver }}
+    {{- end }}
+    {{- if .Values.traefik.tls.secretName }}
+    secretName: {{ .Values.traefik.tls.secretName }}
+    {{- end }}
+    {{- if .Values.traefik.tls.domains }}
+    domains:
+      {{- range .Values.traefik.tls.domains }}
+      - main: {{ .main }}
+        {{- if .sans }}
+        sans:
+          {{- toYaml .sans | nindent 10 }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end }}

web-gateway/chart/rdp-web-gateway/values.yaml

@@ -51,6 +51,32 @@ ingress:
   #    hosts:
   #      - rdp.example.com
 
+# Traefik IngressRoute configuration (alternative to standard Ingress)
+traefik:
+  enabled: false
+  annotations: {}
+  # Host for the IngressRoute
+  host: rdp.example.com
+  # Traefik entryPoints
+  entryPoints:
+    - websecure
+  # Optional middlewares
+  middlewares: []
+    # - name: redirect-to-https
+    # - name: rate-limit
+  # TLS configuration
+  tls:
+    enabled: true
+    # Use Let's Encrypt cert resolver
+    certResolver: letsencrypt
+    # Or use existing secret
+    secretName: ""
+    # Optional: Specify domains
+    domains: []
+      # - main: rdp.example.com
+      #   sans:
+      #     - www.rdp.example.com
+
 resources:
   limits:
     cpu: 1000m