From 587dc6795c811414a23b56cdd46dd0f71cb5a86e Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Tue, 30 Jan 2024 02:44:33 +0100
Subject: [PATCH] feat(iot): Add component for restricting network traffic to
 local network

This patch introduces a new component that can be used to restrict all
ingress resources to a predefined set of whitelisted IP addresses. This
avoids repeating the same rule set in every ingress object over
and over again.
---
 apps/k8s01/iot/kustomization.yaml             |  1 +
 apps/k8s01/iot/rainer.yaml                    |  5 ----
 apps/k8s01/iot/shelly-ht-monitor.yaml         |  2 ++
 apps/k8s01/iot/shelly.yaml                    | 30 -------------------
 .../ingress-local-only/ingress.yaml           |  6 ++++
 .../ingress-local-only/kustomization.yaml     | 10 +++++++
 6 files changed, 19 insertions(+), 35 deletions(-)
 create mode 100644 shared/components/ingress-local-only/ingress.yaml
 create mode 100644 shared/components/ingress-local-only/kustomization.yaml

diff --git a/apps/k8s01/iot/kustomization.yaml b/apps/k8s01/iot/kustomization.yaml
index c9f20ea9a..91333f526 100644
--- a/apps/k8s01/iot/kustomization.yaml
+++ b/apps/k8s01/iot/kustomization.yaml
@@ -12,3 +12,4 @@ resources:
 
 components:
  - ../../../shared/components/oauth2-proxy
+ - ../../../shared/components/ingress-local-only
diff --git a/apps/k8s01/iot/rainer.yaml b/apps/k8s01/iot/rainer.yaml
index 0def1e859..576f6e4a0 100644
--- a/apps/k8s01/iot/rainer.yaml
+++ b/apps/k8s01/iot/rainer.yaml
@@ -73,11 +73,6 @@ metadata:
         forecastle.stakater.com/appName: Rainer
         forecastle.stakater.com/icon: https://raw.githubusercontent.com/Hypfer/Valetudo/master/assets/logo/valetudo_logo_small.svg
         forecastle.stakater.com/group: IoT
-        forecastle.stakater.com/network-restricted: "true"
-        nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
-        nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-        nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:jKiHDoG05AspEOjtaHqDMJSR7JJWWxtIdg==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:u3D0MZQR/yVynTH1cu4KwQ==,type:str]
-        nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
 spec:
     rules:
         - host: ENC[AES256_GCM,data:3G7+SR2q+HdMPliQoNGpSh58WMyV59+S1L/mP8qdF80=,iv:zH6hLjLhtaCL95lxSSGJVMr+QyDHEhvb1FlBU/lbRys=,tag:svh+JpKtlULUll8uvvxCtg==,type:str]
diff --git a/apps/k8s01/iot/shelly-ht-monitor.yaml b/apps/k8s01/iot/shelly-ht-monitor.yaml
index 6b42ae542..5ca770ff3 100644
--- a/apps/k8s01/iot/shelly-ht-monitor.yaml
+++ b/apps/k8s01/iot/shelly-ht-monitor.yaml
@@ -67,6 +67,8 @@ metadata:
     labels:
         app.kubernetes.io/name: shelly-ht-monitor
     annotations:
+        oauth2-proxy.kustomize.si-infra.de/exclude-ingress: "true"
+        ingress-local-only.kustomize.si-infra.de/exclude-ingress: "true"
         nginx.ingress.kubernetes.io/ssl-redirect: "false"
         nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.30.0/24,192.168.100.0/25
 spec:
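Review bot: The two exclude annotations added above `ssl-redirect` carry no explanation of why this Ingress opts out of both shared components, and a reader will not see why it matters. The new `ingress-local-only` patch uses `op: add` on the same `whitelist-source-range` path, which replaces an existing value, so the opt-out annotation is the only thing that preserves the narrower `192.168.30.0/24,192.168.100.0/25` range kept on the line below; that deserves a comment such as `# opted out of the shared ingress components: this Ingress keeps its own, narrower whitelist-source-range below`. The reason for the `oauth2-proxy` opt-out is not visible in this hunk (the `ssl-redirect: "false"` line suggests unauthenticated device traffic, but that is inferred), so it should be stated in the same comment by whoever knows it. The Ingress object continues outside the hunk.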
diff --git a/apps/k8s01/iot/shelly.yaml b/apps/k8s01/iot/shelly.yaml
index ee143c767..ad7c2d1f5 100644
--- a/apps/k8s01/iot/shelly.yaml
+++ b/apps/k8s01/iot/shelly.yaml
@@ -72,11 +72,6 @@ metadata:
         forecastle.stakater.com/expose: "true"
         forecastle.stakater.com/appName: Shelly01
         forecastle.stakater.com/group: IoT
-        forecastle.stakater.com/network-restricted: "true"
-        nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
-        nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-        nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
-        nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
 spec:
     rules:
         - host: ENC[AES256_GCM,data:WLRfTaemCevolULjn9I4egrdYXWoIkax7CRYNBUqfL4=,iv:b1ieQDnKhv/f7vh2VCfE6QeBcUOvN9Muejbfx0fKdL4=,tag:Hb+Tvi29/eL/KsLMUX7FEg==,type:str]
@@ -220,11 +215,6 @@ metadata:
         forecastle.stakater.com/expose: "true"
         forecastle.stakater.com/appName: Shelly02
         forecastle.stakater.com/group: IoT
-        forecastle.stakater.com/network-restricted: "true"
-        nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
-        nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-        nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
-        nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
 spec:
     rules:
         - host: ENC[AES256_GCM,data:UsrvSRvxxOh916pFlCvXu+c1vf3+7uWn/neX7koz7cA=,iv:LwYhAqCc/lTnzyuf0eWK6DGDM+VDpGkHQ8KQJtyylms=,tag:A7uXbSok1RY3wSQrRO8Pjg==,type:str]
@@ -368,11 +358,6 @@ metadata:
         forecastle.stakater.com/expose: "true"
         forecastle.stakater.com/appName: Shelly03
         forecastle.stakater.com/group: IoT
-        forecastle.stakater.com/network-restricted: "true"
-        nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
-        nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-        nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
-        nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
 spec:
     rules:
         - host: ENC[AES256_GCM,data:p/xRNccIALlca8OhT5v0zuGBfmy+756nIe+i45gMt4k=,iv:YGfsPpwpUg09kWGqcumP3A+fXGp8agzJ1QvqHihD1o0=,tag:NRNVo+A1AIrW7bkPT44xPA==,type:str]
@@ -516,11 +501,6 @@ metadata:
         forecastle.stakater.com/expose: "true"
         forecastle.stakater.com/appName: Shelly04
         forecastle.stakater.com/group: IoT
-        forecastle.stakater.com/network-restricted: "true"
-        nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
-        nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-        nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
-        nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
 spec:
     rules:
         - host: ENC[AES256_GCM,data:Sn0wxRvKQ9cr5nyCEyBg5oDuh6CmZuuWqY4SVfchilg=,iv:GbPWSO79oy9zDqCE4HkAVvz9Ka2bU/Kobi2GkQmIBlE=,tag:U8JMFrqoU3dXwbNQCLO4pw==,type:str]
@@ -664,11 +644,6 @@ metadata:
         forecastle.stakater.com/expose: "true"
         forecastle.stakater.com/appName: Humidity & Temprature 01
         forecastle.stakater.com/group: IoT
-        forecastle.stakater.com/network-restricted: "true"
-        nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
-        nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-        nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
-        nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
 spec:
     rules:
         - host: ENC[AES256_GCM,data:dys6Cxmfwb0PVxULV3qUKlsISkcJ6VKh8ea86A==,iv:KywdcfWqytxLZ+YiudSilQbmVXyw0RtwTxh1Y72ePPQ=,tag:aU8iKSzG5CJhVGS0iNEQuw==,type:str]
@@ -812,11 +787,6 @@ metadata:
         forecastle.stakater.com/expose: "true"
         forecastle.stakater.com/appName: Humidity & Temprature 02
         forecastle.stakater.com/group: IoT
-        forecastle.stakater.com/network-restricted: "true"
-        nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
-        nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-        nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
-        nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
 spec:
     rules:
         - host: ENC[AES256_GCM,data:AFaV2uMokW2I/uqaYlz5VWGEIByXuOMZHxLvJw==,iv:RKMMco7G0yWYQ1DJTljRbCix1bIqPi/MhwOA1K79lIA=,tag:WJaAj26+fn7gY6dAVa5pqQ==,type:str]
diff --git a/shared/components/ingress-local-only/ingress.yaml b/shared/components/ingress-local-only/ingress.yaml
new file mode 100644
index 000000000..239a15fbc
--- /dev/null
+++ b/shared/components/ingress-local-only/ingress.yaml
@@ -0,0 +1,6 @@
+- op: add
+  path: /metadata/annotations/nginx.ingress.kubernetes.io~1whitelist-source-range
+  value: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
+- op: add
+  path: /metadata/annotations/forecastle.stakater.com~1network-restricted
+  value: "true"
\ No newline at end of file
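Review bot: The `add` operation at the top of this JSON patch silently replaces any `whitelist-source-range` an Ingress already sets, and, if I read RFC 6902 semantics correctly, it fails the build when an Ingress has no `metadata.annotations` map at all, because the parent of the path must exist; neither behaviour is documented in the file. A header comment such as `# Applied to every Ingress in the overlay that is not opted out; "add" overwrites an existing whitelist-source-range (opt out via the exclude annotation to keep a narrower range), and every targeted Ingress needs an existing annotations map — confirm against kustomize's JSON-patch behaviour` would make both explicit. Two smaller points: the CIDR list value is a plain scalar and would be safer quoted, `value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24"`, and the file lacks a trailing newline (also true of the kustomization.yaml below).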
diff --git a/shared/components/ingress-local-only/kustomization.yaml b/shared/components/ingress-local-only/kustomization.yaml
new file mode 100644
index 000000000..ecafbbc77
--- /dev/null
+++ b/shared/components/ingress-local-only/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patches:
+  - path: ingress.yaml
+    target:
+      group: networking.k8s.io
+      version: v1
+      kind: Ingress
+      annotationSelector: "ingress-local-only.kustomize.si-infra.de/exclude-ingress!=true"
\ No newline at end of file
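Review bot: The `annotationSelector` on the last line is an exact string comparison, so only the literal value `"true"` excludes an Ingress; a missing annotation, `"True"` or `"yes"` all keep the restriction applied, which is the safe fail-closed default but is easy to get wrong when someone copies the opt-out. A comment above the `patches:` block should state this, e.g. `# Opt-out is exact-match: only the literal value "true" on the exclude annotation skips an Ingress; any other value or a missing annotation leaves it restricted to the local ranges`. The `group`/`version`/`kind` triple is explicit, which is good; consider also stating in the same comment that the patch replaces, rather than merges with, an existing `whitelist-source-range`, so maintainers know to opt out when a narrower range is intended. The file also lacks a trailing newline.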
-- 
GitLab