sarex/iac
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add brusnika prod istio ingress config

Browse Source
This commit is contained in:
Kochetkov S 2026-06-04 13:26:16 +03:00
parent af4335cd9b
commit cdde226e40
3 changed files with 691 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
clusters/brusnika-prod/infrastructure/kustomization.yaml
View File

@ -1,9 +1,27 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ../../../infrastructure/istio-base
- ../../../infrastructure/istio-pilot
- ../../../infrastructure/istio-gateway
- ../../../infrastructure/istio-config
- ../../../infrastructure/vault - ../../../infrastructure/vault
- ./vault-ingress.yaml - ./vault-ingress.yaml
patches: patches:
- path: ./patches/istio-gateway.yaml
target:
group: helm.toolkit.fluxcd.io
version: v2
kind: HelmRelease
name: ingressgateway
namespace: istio-system
- path: ./patches/istio-config.yaml
target:
group: helm.toolkit.fluxcd.io
version: v2
kind: HelmRelease
name: istio-config
namespace: default
- path: ./patches/vault.yaml - path: ./patches/vault.yaml
target: target:
group: helm.toolkit.fluxcd.io group: helm.toolkit.fluxcd.io

611
clusters/brusnika-prod/infrastructure/patches/istio-config.yaml Normal file
View File

@ -0,0 +1,611 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: istio-config
namespace: default
spec:
values:
global:
env: brusnika-prod
environments:
brusnika-prod:
namespaces: []
certManager:
clusterIssuers: {}
certificates:
argocd-secret-name:
namespace: ingress-nginx
dnsNames:
- argocd.brusnika.onprem.sarex.io
issuerRef:
name: letsencrypt
kind: ClusterIssuer
camunda-identity-tls:
namespace: ingress-nginx
dnsNames:
- identity.camunda.cde.brusnika.ru
issuerRef:
name: letsencrypt
kind: ClusterIssuer
keycloak.camunda.cde.brusnika.ru-tls:
namespace: ingress-nginx
dnsNames:
- keycloak.camunda.cde.brusnika.ru
issuerRef:
name: letsencrypt
kind: ClusterIssuer
camunda-platform-operate-tls:
namespace: ingress-nginx
dnsNames:
- operate.camunda.cde.brusnika.ru
issuerRef:
name: letsencrypt
kind: ClusterIssuer
camunda-optimize-tls:
namespace: ingress-nginx
dnsNames:
- optimize.camunda.cde.brusnika.ru
issuerRef:
name: letsencrypt
kind: ClusterIssuer
camunda-platform-tasklist-tls:
namespace: ingress-nginx
dnsNames:
- tasklist.camunda.cde.brusnika.ru
issuerRef:
name: letsencrypt
kind: ClusterIssuer
yet-another-nginx-secret-name:
namespace: ingress-nginx
dnsNames:
- document-link.cde.brusnika.ru
- cde.brusnika.ru
- rabbitmq.cde.brusnika.ru
issuerRef:
name: letsencrypt
kind: ClusterIssuer
tls-secret-for-qr:
namespace: ingress-nginx
dnsNames:
- stamp-verification.cde.brusnika.ru
issuerRef:
name: letsencrypt
kind: ClusterIssuer
gitea-prod-tls:
namespace: ingress-nginx
dnsNames:
- gitea.prod.brusnika.sarex.lonsdaleites.ru
issuerRef:
name: letsencrypt
kind: ClusterIssuer
jupyter-cert-secret:
namespace: ingress-nginx
dnsNames:
- jupyter.brusnika.onprem.sarex.io
issuerRef:
name: letsencrypt
kind: ClusterIssuer
dashboard-secret-name:
namespace: ingress-nginx
dnsNames:
- dashboard.brusnika.onprem.sarex.io
issuerRef:
name: letsencrypt
kind: ClusterIssuer
brusnika-secret-name:
namespace: ingress-nginx
dnsNames:
- minio.brusnika.onprem.sarex.io
issuerRef:
name: letsencrypt
kind: ClusterIssuer
projects-secret-name:
namespace: ingress-nginx
dnsNames:
- sso.brusnika.onprem.sarex.io
issuerRef:
name: letsencrypt
kind: ClusterIssuer
superset-tls-secret:
namespace: ingress-nginx
dnsNames:
- superset.cde.brusnika.ru
issuerRef:
name: letsencrypt
kind: ClusterIssuer
vault-prod-tls:
namespace: ingress-nginx
dnsNames:
- vault.prod.brusnika.sarex.lonsdaleites.ru
issuerRef:
name: letsencrypt
kind: ClusterIssuer
istio:
envoyFilters: {}
authorizationPolicies: {}
requestAuthentications: {}
gateways:
argocd:
name: argocd-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- argocd.brusnika.onprem.sarex.io
tls:
credentialName: argocd-secret-name
camunda-identity:
name: camunda-identity-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- identity.camunda.cde.brusnika.ru
tls:
credentialName: camunda-identity-tls
camunda-keycloak:
name: camunda-keycloak-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- keycloak.camunda.cde.brusnika.ru
tls:
credentialName: keycloak.camunda.cde.brusnika.ru-tls
camunda-operate:
name: camunda-operate-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- operate.camunda.cde.brusnika.ru
tls:
credentialName: camunda-platform-operate-tls
camunda-optimize:
name: camunda-optimize-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- optimize.camunda.cde.brusnika.ru
tls:
credentialName: camunda-optimize-tls
camunda-tasklist:
name: camunda-tasklist-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- tasklist.camunda.cde.brusnika.ru
tls:
credentialName: camunda-platform-tasklist-tls
document-link:
name: document-link-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- document-link.cde.brusnika.ru
tls:
credentialName: yet-another-nginx-secret-name
stamp-verification:
name: stamp-verification-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- stamp-verification.cde.brusnika.ru
tls:
credentialName: tls-secret-for-qr
gitea:
name: gitea-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- gitea.prod.brusnika.sarex.lonsdaleites.ru
tls:
credentialName: gitea-prod-tls
global-cde:
name: global-cde-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- cde.brusnika.ru
tls:
credentialName: yet-another-nginx-secret-name
jupyter:
name: jupyter-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- jupyter.brusnika.onprem.sarex.io
tls:
credentialName: jupyter-cert-secret
dashboard:
name: dashboard-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- dashboard.brusnika.onprem.sarex.io
tls:
credentialName: dashboard-secret-name
minio:
name: minio-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- minio.brusnika.onprem.sarex.io
tls:
credentialName: brusnika-secret-name
sso-check:
name: sso-check-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- sso.brusnika.onprem.sarex.io
tls:
credentialName: projects-secret-name
superset:
name: superset-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- superset.cde.brusnika.ru
tls:
credentialName: superset-tls-secret
vault:
name: vault-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- vault.prod.brusnika.sarex.lonsdaleites.ru
tls:
credentialName: vault-prod-tls
rabbitmq:
name: rabbitmq-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- rabbitmq.cde.brusnika.ru
tls:
credentialName: yet-another-nginx-secret-name
virtualServices:
argocd-vs:
namespace: argocd
hosts:
- argocd.brusnika.onprem.sarex.io
gateways:
- ingress-nginx/argocd-gw
cors:
allowOrigins:
- regex: ".*"
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: argocd-server.argocd.svc.cluster.local
port: 80
camunda-identity-vs:
namespace: camunda
hosts:
- identity.camunda.cde.brusnika.ru
gateways:
- ingress-nginx/camunda-identity-gw
routes:
- path:
prefix: /
service: camunda-identity.camunda.svc.cluster.local
port: 80
camunda-keycloak-vs:
namespace: camunda
hosts:
- keycloak.camunda.cde.brusnika.ru
gateways:
- ingress-nginx/camunda-keycloak-gw
routes:
- match:
- port: 80
uri:
prefix: /auth/
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /auth/
service: camunda-keycloak.camunda.svc.cluster.local
port: 80
camunda-operate-vs:
namespace: camunda
hosts:
- operate.camunda.cde.brusnika.ru
gateways:
- ingress-nginx/camunda-operate-gw
routes:
- path:
prefix: /
service: camunda-operate.camunda.svc.cluster.local
port: 80
camunda-optimize-vs:
namespace: camunda
hosts:
- optimize.camunda.cde.brusnika.ru
gateways:
- ingress-nginx/camunda-optimize-gw
routes:
- path:
prefix: /
service: camunda-optimize.camunda.svc.cluster.local
port: 80
camunda-tasklist-vs:
namespace: camunda
hosts:
- tasklist.camunda.cde.brusnika.ru
gateways:
- ingress-nginx/camunda-tasklist-gw
routes:
- path:
prefix: /
service: camunda-tasklist.camunda.svc.cluster.local
port: 80
document-link-vs:
namespace: documentations
hosts:
- document-link.cde.brusnika.ru
gateways:
- ingress-nginx/document-link-gw
cors:
allowOrigins:
- regex: ".*"
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: frontend-service-public-link.documentations.svc.cluster.local
port: 80
stamp-verification-vs:
namespace: documentations
hosts:
- stamp-verification.cde.brusnika.ru
gateways:
- ingress-nginx/stamp-verification-gw
cors:
allowOrigins:
- regex: ".*"
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: stamp-verification-frontend-service.documentations.svc.cluster.local
port: 8080
gitea-vs:
namespace: gitea
hosts:
- gitea.prod.brusnika.sarex.lonsdaleites.ru
gateways:
- ingress-nginx/gitea-gw
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: gitea.gitea.svc.cluster.local
port: 3000
global-cde-vs:
namespace: global-ingress
hosts:
- cde.brusnika.ru
gateways:
- ingress-nginx/global-cde-gw
cors:
allowOrigins:
- exact: https://cde.brusnika.ru
- exact: https://stamp-verification.cde.brusnika.ru
- exact: https://document-link.cde.brusnika.ru
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /integration/
service: yet-another-nginx-service.global-ingress.svc.cluster.local
port: 80
- path:
prefix: /
service: nginx-service.global-ingress.svc.cluster.local
port: 80
jupyter-vs:
namespace: jupyter
hosts:
- jupyter.brusnika.onprem.sarex.io
gateways:
- ingress-nginx/jupyter-gw
cors:
allowOrigins:
- regex: ".*"
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: jupyter.jupyter.svc.cluster.local
port: 8888
dashboard-vs:
namespace: kubernetes-dashboard
hosts:
- dashboard.brusnika.onprem.sarex.io
gateways:
- ingress-nginx/dashboard-gw
cors:
allowOrigins:
- regex: ".*"
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
port: 80
minio-vs:
namespace: minio
hosts:
- minio.brusnika.onprem.sarex.io
gateways:
- ingress-nginx/minio-gw
cors:
allowOrigins:
- regex: ".*"
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: minio-console-service.minio.svc.cluster.local
port: 80
sso-check-vs:
namespace: sso-check
hosts:
- sso.brusnika.onprem.sarex.io
gateways:
- ingress-nginx/sso-check-gw
cors:
allowOrigins:
- regex: ".*"
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: gatekeeper-service.sso-check.svc.cluster.local
port: 80
superset-vs:
namespace: superset
hosts:
- superset.cde.brusnika.ru
gateways:
- ingress-nginx/superset-gw
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: superset.superset.svc.cluster.local
port: 8088
vault-vs:
namespace: vault
hosts:
- vault.prod.brusnika.sarex.lonsdaleites.ru
gateways:
- ingress-nginx/vault-gw
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: vault-vault-contour.vault.svc.cluster.local
port: 8200
rabbitmq-vs:
namespace: workflow
hosts:
- rabbitmq.cde.brusnika.ru
gateways:
- ingress-nginx/rabbitmq-gw
cors:
allowOrigins:
- exact: https://cde.brusnika.ru
- exact: https://stamp-verification.cde.brusnika.ru
- exact: https://document-link.cde.brusnika.ru
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: rabbitmq-service.workflow.svc.cluster.local
port: 15672

62
clusters/brusnika-prod/infrastructure/patches/istio-gateway.yaml Normal file
View File

@ -0,0 +1,62 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: ingressgateway
namespace: istio-system
spec:
targetNamespace: ingress-nginx
postRenderers:
- kustomize:
patches:
- target:
version: v1
kind: Deployment
name: istio-ingressgateway
namespace: ingress-nginx
patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: istio-ingressgateway
namespace: ingress-nginx
spec:
template:
spec:
affinity: null
dependsOn:
- name: istio-base
namespace: istio-system
- name: istiod
namespace: istio-system
values:
_internal_defaults_do_not_set:
name: istio-ingressgateway
labels:
app: istio-ingressgateway
istio: ingressgateway
replicaCount: 2
affinity: null
tolerations: []
hostPorts: []
podAnnotations:
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: /stats/prometheus
inject.istio.io/templates: gateway
sidecar.istio.io/inject: "true"
service:
type: ClusterIP
externalTrafficPolicy: ""
ports:
- name: status-port
port: 15021
protocol: TCP
targetPort: 15021
- name: http
port: 80
protocol: TCP
targetPort: 80
- name: https
port: 443
protocol: TCP
targetPort: 443