extraccion de DNS/ revision de ACLs

external/configmaps/configmap.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-router-config
+  namespace: external
+data:
+  router.conf: |
+    server {
+      listen 80 default_server;
+      server_name admin.firewall.c2et.net;
+      location / {
+        proxy_pass https://192.168.0.1;
+        proxy_ssl_verify off;
+      }
+    }
+
+  powervault1.conf: |
+    server {
+      listen 80;
+      server_name admin.powervault1.c2et.net;
+      location / {
+        proxy_pass https://192.168.0.71;
+        proxy_ssl_verify off;
+      }
+    }
+
+  powervault2.conf: |
+    server {
+      listen 80;
+      server_name admin.powervault2.c2et.net;
+      location / {
+        proxy_pass https://192.168.0.74;
+        proxy_ssl_verify off;
+      }
+    }

external/deployments/deployment.yaml

@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-router-proxy
+  namespace: external
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: router-proxy
+  template:
+    metadata:
+      labels:
+        app: router-proxy
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:alpine
+          volumeMounts:
+            - name: nginx-config
+              mountPath: /etc/nginx/conf.d
+      volumes:
+        - name: nginx-config
+          configMap:
+            name: nginx-router-config

external/ingress/firewall.yaml

@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: firewall-ingress
+  namespace: external
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.200.0/24,192.168.0.0/24,10.244.0.0/16,192.168.4.0/24"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - admin.firewall.c2et.net
+      secretName: firewall-tls
+  rules:
+    - host: admin.firewall.c2et.net
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: external-router-svc
+                port:
+                  number: 80

external/ingress/powervault1.yaml

@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: powervault1-ingress
+  namespace: external
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.200.0/24,192.168.0.0/24,10.244.0.0/16,192.168.4.0/24"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - admin.powervault1.c2et.net
+      secretName: powervault1-tls
+  rules:
+    - host: admin.powervault1.c2et.net
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: external-router-svc
+                port:
+                  number: 80

external/ingress/powervault2.yaml

@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: powervault2-ingress
+  namespace: external
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.200.0/24,192.168.0.0/24,10.244.0.0/16,192.168.4.0/24"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - admin.powervault2.c2et.net
+      secretName: powervault2-tls
+  rules:
+    - host: admin.powervault2.c2et.net
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: external-router-svc
+                port:
+                  number: 80

external/ingress/router.yaml.save

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: router-ingress
+  namespace: external
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - firewall.c2et.net
+      secretName: router-tls
+  rules:
+    - host: firewall.c2et.net
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: external-router-svc
+                port:
+                  number: 80

external/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - configmaps/configmap.yaml
+  - deployments/deployment.yaml
+  - services/service.yaml
+  - ingress/firewall.yaml
+  - ingress/powervault1.yaml
+  - ingress/powervault2.yaml
+

external/namespace.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: external
+

external/readme.md

@@ -0,0 +1,166 @@
+# 🌐 k8s-external-router
+
+Este proyecto despliega un proxy inverso en Kubernetes que permite acceder a dispositivos o servicios externos (fuera del clúster) mediante dominios públicos gestionados con TLS, a través de NGINX y cert-manager.
+
+## 📝 Componentes
+
+* **Deployment**: contenedor `nginx:alpine` que actúa como proxy.
+* **ConfigMap**: define los proxies en archivos `.conf` cargados en `/etc/nginx/conf.d`.
+* **Service**: expone el contenedor internamente en el clúster.
+* **Ingress**: gestiona el acceso externo con certificados TLS (Let’s Encrypt).
+
+## 💠 Estructura del proyecto
+
+```bash
+k8s-external/
+├── configmaps/
+│   └── configmap.yaml           # Configuración de NGINX
+├── deployments/
+│   └── deployment.yaml          # Proxy con hostNetwork
+├── services/
+│   └── service.yaml             # Service interno
+├── ingress/
+│   └── router.yaml              # Ingress TLS público
+```
+
+## 🚀 Despliegue
+
+1. Aplica todos los recursos:
+
+```bash
+kubectl apply -k .
+```
+
+> Asegúrate de que tu clúster ya tenga:
+>
+> * `cert-manager` instalado.
+> * Un `ClusterIssuer` llamado `letsencrypt-prod`.
+> * Un controlador Ingress funcionando (por ejemplo, `nginx`).
+
+2. Reinicia el deployment para recargar cambios del `ConfigMap`:
+
+```bash
+kubectl rollout restart deployment external-router-proxy -n external
+```
+
+---
+
+## ➕ Añadir un nuevo proxy
+
+Para añadir un nuevo dominio que apunte a una IP externa:
+
+### 1. Edita el `ConfigMap`
+
+```yaml
+  switch.conf: |
+    server {
+      listen 80;
+      server_name switch.manabo.org;
+      location / {
+        proxy_pass https://192.168.0.100;
+        proxy_ssl_verify off;
+      }
+    }
+```
+
+> Guarda el archivo como `configmaps/configmap.yaml`.
+
+### 2. Aplica el nuevo `ConfigMap` y reinicia el deployment
+
+```bash
+kubectl apply -f configmaps/configmap.yaml
+kubectl rollout restart deployment external-router-proxy -n external
+```
+
+### 3. Crea un nuevo `Ingress`
+
+Guarda este archivo en `ingress/switch.yaml`:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: switch-ingress
+  namespace: external
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - switch.manabo.org
+      secretName: switch-tls
+  rules:
+    - host: switch.manabo.org
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: external-router-svc
+                port:
+                  number: 80
+```
+
+Y aplícalo:
+
+```bash
+kubectl apply -f ingress/switch.yaml
+```
+
+---
+
+## 🔍 Verificación
+
+* Verifica que el pod proxy esté funcionando:
+
+```bash
+kubectl get pods -n external
+```
+
+* Verifica que el endpoint externo responde desde dentro del contenedor:
+
+```bash
+kubectl exec -n external deploy/external-router-proxy -- curl -k https://192.168.X.X
+```
+
+* Verifica que el dominio esté expuesto correctamente:
+
+```bash
+curl -k https://switch.manabo.org
+```
+
+---
+
+## 🔐 Seguridad
+
+* Los proxys usan certificados TLS automáticos con Let’s Encrypt.
+* La verificación de certificados en el `proxy_pass` está desactivada (`proxy_ssl_verify off`) para permitir certificados autofirmados de los dispositivos.
+
+---
+
+## 🗜 Limpieza
+
+Para eliminar un proxy:
+
+1. Borra la entrada del `ConfigMap`.
+2. Borra el `Ingress` correspondiente:
+
+```bash
+kubectl delete ingress switch-ingress -n external
+```
+
+3. Vuelve a aplicar y reiniciar:
+
+```bash
+kubectl apply -f configmaps/configmap.yaml
+kubectl rollout restart deployment external-router-proxy -n external
+```
+
+---
+
+## ✨ Créditos
+
+Mantenido por [Xavor](https://manabo.org) — Kubernetes DevOps Homelab.

external/services/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: external-router-svc
+  namespace: external
+spec:
+  selector:
+    app: router-proxy
+  ports:
+    - port: 80
+      targetPort: 80