add isito resources to brusnika-stage

Kochetkov S 2026-06-03 15:27:05 +03:00
parent 07ff75ca3e
commit 616555abe1
3 changed files with 566 additions and 0 deletions


@ -1,9 +1,27 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../infrastructure/istio-base
- ../../../infrastructure/istio-pilot
- ../../../infrastructure/istio-gateway
- ../../../infrastructure/istio-config
- ../../../infrastructure/vault
- ./vault-ingress.yaml
patches:
- path: ./patches/istio-gateway.yaml
target:
group: helm.toolkit.fluxcd.io
version: v2
kind: HelmRelease
name: ingressgateway
namespace: istio-system
- path: ./patches/istio-config.yaml
target:
group: helm.toolkit.fluxcd.io
version: v2
kind: HelmRelease
name: istio-config
namespace: default
- path: ./patches/vault.yaml
target:
group: helm.toolkit.fluxcd.io


@ -0,0 +1,515 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: istio-config
namespace: default
spec:
values:
global:
env: brusnika-stage
environments:
brusnika-stage:
namespaces: []
certManager:
clusterIssuers: {}
certificates:
keycloak.camunda.test.sarex.brusnika.tech-tls:
namespace: ingress-nginx
dnsNames:
- keycloak.camunda.test.sarex.brusnika.tech
issuerRef:
name: letsencrypt
kind: ClusterIssuer
camunda-platform-operate-tls:
namespace: ingress-nginx
dnsNames:
- operate.camunda.test.sarex.brusnika.tech
issuerRef:
name: letsencrypt
kind: ClusterIssuer
camunda-platform-tasklist-tls:
namespace: ingress-nginx
dnsNames:
- tasklist.camunda.test.sarex.brusnika.tech
issuerRef:
name: letsencrypt
kind: ClusterIssuer
tls-public-link:
namespace: ingress-nginx
dnsNames:
- document-link.test.sarex.brusnika.tech
issuerRef:
name: letsencrypt
kind: ClusterIssuer
tls-stamp-verification:
namespace: ingress-nginx
dnsNames:
- stamp-verification.test.sarex.brusnika.tech
issuerRef:
name: letsencrypt
kind: ClusterIssuer
gitea-stage-tls:
namespace: ingress-nginx
dnsNames:
- gitea.stage.brusnika.sarex.lonsdaleites.ru
issuerRef:
name: letsencrypt
kind: ClusterIssuer
another-nginx-secret:
namespace: ingress-nginx
dnsNames:
- test.sarex.brusnika.tech
issuerRef:
name: letsencrypt
kind: ClusterIssuer
nginx-secret:
namespace: ingress-nginx
dnsNames:
- cde.brusnika.lonsdaleites.ru
issuerRef:
name: letsencrypt
kind: ClusterIssuer
jupyter-cert-secret:
namespace: ingress-nginx
dnsNames:
- jupyter.brusnika.lonsdaleites.ru
issuerRef:
name: letsencrypt
kind: ClusterIssuer
dashboard-cert-secret:
namespace: ingress-nginx
dnsNames:
- dashboard.brusnika.lonsdaleites.ru
issuerRef:
name: letsencrypt
kind: ClusterIssuer
minio-console-cert-secret:
namespace: ingress-nginx
dnsNames:
- minio.brusnika.lonsdaleites.ru
issuerRef:
name: letsencrypt
kind: ClusterIssuer
superset-tls-secret:
namespace: ingress-nginx
dnsNames:
- superset.test.sarex.brusnika.tech
issuerRef:
name: letsencrypt
kind: ClusterIssuer
vault-stage-tls:
namespace: ingress-nginx
dnsNames:
- vault.stage.brusnika.sarex.lonsdaleites.ru
issuerRef:
name: letsencrypt
kind: ClusterIssuer
istio:
envoyFilters: {}
authorizationPolicies: {}
requestAuthentications: {}
gateways:
camunda-identity:
name: camunda-identity-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- identity.camunda.test.sarex.brusnika.tech
camunda-keycloak:
name: camunda-keycloak-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- keycloak.camunda.test.sarex.brusnika.tech
tls:
credentialName: keycloak.camunda.test.sarex.brusnika.tech-tls
camunda-operate:
name: camunda-operate-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- operate.camunda.test.sarex.brusnika.tech
tls:
credentialName: camunda-platform-operate-tls
camunda-optimize:
name: camunda-optimize-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- optimize.camunda.test.sarex.brusnika.tech
camunda-tasklist:
name: camunda-tasklist-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- tasklist.camunda.test.sarex.brusnika.tech
tls:
credentialName: camunda-platform-tasklist-tls
document-link:
name: document-link-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- document-link.test.sarex.brusnika.tech
tls:
credentialName: tls-public-link
stamp-verification:
name: stamp-verification-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- stamp-verification.test.sarex.brusnika.tech
tls:
credentialName: tls-stamp-verification
gitea:
name: gitea-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- gitea.stage.brusnika.sarex.lonsdaleites.ru
tls:
credentialName: gitea-stage-tls
global-test:
name: global-test-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- test.sarex.brusnika.tech
tls:
credentialName: another-nginx-secret
global-cde:
name: global-cde-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- cde.brusnika.lonsdaleites.ru
tls:
credentialName: nginx-secret
jupyter:
name: jupyter-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- jupyter.brusnika.lonsdaleites.ru
tls:
credentialName: jupyter-cert-secret
dashboard:
name: dashboard-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- dashboard.brusnika.lonsdaleites.ru
tls:
credentialName: dashboard-cert-secret
minio:
name: minio-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- minio.brusnika.lonsdaleites.ru
tls:
credentialName: minio-console-cert-secret
superset:
name: superset-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- superset.test.sarex.brusnika.tech
tls:
credentialName: superset-tls-secret
vault:
name: vault-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- vault.stage.brusnika.sarex.lonsdaleites.ru
tls:
credentialName: vault-stage-tls
virtualServices:
camunda-identity-vs:
namespace: camunda
hosts:
- identity.camunda.test.sarex.brusnika.tech
gateways:
- ingress-nginx/camunda-identity-gw
routes:
- path:
prefix: /
service: camunda-identity.camunda.svc.cluster.local
port: 80
camunda-keycloak-vs:
namespace: camunda
hosts:
- keycloak.camunda.test.sarex.brusnika.tech
gateways:
- ingress-nginx/camunda-keycloak-gw
routes:
- match:
- port: 80
uri:
prefix: /auth/
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /auth/
service: camunda-keycloak.camunda.svc.cluster.local
port: 80
camunda-operate-vs:
namespace: camunda
hosts:
- operate.camunda.test.sarex.brusnika.tech
gateways:
- ingress-nginx/camunda-operate-gw
routes:
- path:
prefix: /
service: camunda-operate.camunda.svc.cluster.local
port: 80
camunda-optimize-vs:
namespace: camunda
hosts:
- optimize.camunda.test.sarex.brusnika.tech
gateways:
- ingress-nginx/camunda-optimize-gw
routes:
- path:
prefix: /
service: camunda-optimize.camunda.svc.cluster.local
port: 80
camunda-tasklist-vs:
namespace: camunda
hosts:
- tasklist.camunda.test.sarex.brusnika.tech
gateways:
- ingress-nginx/camunda-tasklist-gw
routes:
- path:
prefix: /
service: camunda-tasklist.camunda.svc.cluster.local
port: 80
document-link-vs:
namespace: documentations
hosts:
- document-link.test.sarex.brusnika.tech
gateways:
- ingress-nginx/document-link-gw
cors:
allowOrigins:
- regex: ".*"
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: frontend-service-public-link.documentations.svc.cluster.local
port: 80
stamp-verification-vs:
namespace: documentations
hosts:
- stamp-verification.test.sarex.brusnika.tech
gateways:
- ingress-nginx/stamp-verification-gw
cors:
allowOrigins:
- regex: ".*"
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: stamp-verification-frontend-service.documentations.svc.cluster.local
port: 8080
gitea-vs:
namespace: gitea
hosts:
- gitea.stage.brusnika.sarex.lonsdaleites.ru
gateways:
- ingress-nginx/gitea-gw
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: gitea.gitea.svc.cluster.local
port: 3000
global-test-vs:
namespace: global-ingress
hosts:
- test.sarex.brusnika.tech
gateways:
- ingress-nginx/global-test-gw
cors:
allowOrigins:
- exact: https://test.sarex.brusnika.tech
- exact: https://stamp-verification.test.sarex.brusnika.tech
- exact: https://document-link.test.sarex.brusnika.tech
- exact: https://login.brusnika.ru
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: nginx-service.global-ingress.svc.cluster.local
port: 80
global-cde-vs:
namespace: global-ingress
hosts:
- cde.brusnika.lonsdaleites.ru
gateways:
- ingress-nginx/global-cde-gw
cors:
allowOrigins:
- regex: ".*"
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: nginx-service.global-ingress.svc.cluster.local
port: 80
jupyter-vs:
namespace: jupyter
hosts:
- jupyter.brusnika.lonsdaleites.ru
gateways:
- ingress-nginx/jupyter-gw
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: jupyter.jupyter.svc.cluster.local
port: 8888
dashboard-vs:
namespace: kubernetes-dashboard
hosts:
- dashboard.brusnika.lonsdaleites.ru
gateways:
- ingress-nginx/dashboard-gw
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: kubernetes-dashboard-brusnika.kubernetes-dashboard.svc.cluster.local
port: 9090
minio-vs:
namespace: minio
hosts:
- minio.brusnika.lonsdaleites.ru
gateways:
- ingress-nginx/minio-gw
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: minio-svc.minio.svc.cluster.local
port: 9000
superset-vs:
namespace: superset
hosts:
- superset.test.sarex.brusnika.tech
gateways:
- ingress-nginx/superset-gw
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: superset.superset.svc.cluster.local
port: 8088
vault-vs:
namespace: vault
hosts:
- vault.stage.brusnika.sarex.lonsdaleites.ru
gateways:
- ingress-nginx/vault-gw
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: vault-vault-contour.vault.svc.cluster.local
port: 8200
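Review bot: The `cors.allowOrigins` entries on `document-link-vs`, `stamp-verification-vs` and `global-cde-vs` use `regex: ".*"`, which matches every Origin, while `global-test-vs` pins an explicit `exact:` list even though it routes to the same `nginx-service` backend as `global-test-vs`'s sibling `global-cde-vs`. Unless these hosts serve only public, unauthenticated content, I would replace the wildcard with the known front-end origins, e.g. `- exact: https://cde.brusnika.lonsdaleites.ru`, and confirm the chart does not enable `allowCredentials` alongside it. Separately, the `camunda-identity` and `camunda-optimize` gateways carry no `tls.credentialName` and have no entry under `certificates`, and their virtual services lack the port-80 `redirect` most other hosts have, so those two hosts appear to be served over plain HTTP only; that looks unintended for an identity UI and is worth checking against the chart defaults. With `authorizationPolicies: {}` and `requestAuthentications: {}` left empty, the dashboard, Vault, MinIO and Jupyter routes rely entirely on each application's own authentication, which deserves a comment in the values or a follow-up policy.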


@ -0,0 +1,33 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: ingressgateway
namespace: istio-system
spec:
targetNamespace: ingress-nginx
dependsOn:
- name: istio-base
namespace: istio-system
- name: istiod
namespace: istio-system
values:
name: istio-ingressgateway
labels:
app: istio-ingressgateway
istio: ingressgateway
service:
type: ClusterIP
externalTrafficPolicy: ""
ports:
- name: status-port
port: 15021
protocol: TCP
targetPort: 15021
- name: http
port: 80
protocol: TCP
targetPort: 80
- name: https
port: 443
protocol: TCP
targetPort: 443
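Review bot: The `service` block sets `type: ClusterIP` and blanks `externalTrafficPolicy` without saying what is expected to sit in front of the gateway, so a reader cannot tell from this patch how ports 80 and 443 become reachable from outside the cluster. I would add a comment above `type: ClusterIP`, e.g. `# ClusterIP: external exposure is provided by <fronting component>; externalTrafficPolicy is cleared because it is only valid for NodePort/LoadBalancer`. If a proxy does front this service, the gateway will presumably see the proxy's address as the client, so any later IP-based AuthorizationPolicy would need forwarded-header trust configured first; that is worth stating in the same comment.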