f10784ddb6
Sweep through the 30+ stacks that predated the auth = "app" tier and were tagged auth = "none" without a comment explaining why they weren't behind Authentik. Each is now self-documenting at the call site, so the tg-level anti-exposure guard passes and future readers don't have to reverse-engineer the intent. Flipped 6 stacks from "none" to "app" — their backends have their own user auth and the new tier records that more accurately: - navidrome (Subsonic user/password) - ntfy (deny-all default + user.db tokens) - nextcloud (WebDAV/CalDAV/CardDAV app passwords) - vaultwarden (Bitwarden-compatible token auth) - headscale (OIDC + preauth keys for Tailscale nodes) - paperless-ngx (app-layer login + API tokens) Kept "none" with a comment on the rest — they're genuinely public, webhook receivers, native-protocol endpoints, OAuth callbacks, or Anubis-fronted: authentik (×2 + guest outpost), beads-server (dolt), claude-memory (bearer-token MCP), dawarich, ebooks/book-search-api, fire-planner /api, forgejo (git/OCI native clients), frigate (HA integration), immich/frame, insta2spotify /api, instagram-poster (meta fetcher), k8s-portal, matrix (native bearer), monitoring×2 (HA REST scrapes), n8n (webhooks), nvidia, onlyoffice (JWT), owntracks (HTTP Basic), postiz, privatebin (client-side enc), rybbit (analytics tracker), send (E2E file drop), tuya-bridge (API key), vault (own auth + CLI), webhook_handler, woodpecker (forgejo webhooks + OAuth), xray (×3 VPN transports). real-estate-crawler/main.tf:400 already had its comment from a prior edit — not touched here. No live state changes — auth = "app" produces the same middleware chain as auth = "none" (verified earlier this session). This commit is purely documentation + intent-tagging.
143 lines
4 KiB
HCL
143 lines
4 KiB
HCL
|
|
resource "kubernetes_config_map" "redfish-config" {
|
|
metadata {
|
|
name = "redfish-exporter-config"
|
|
namespace = kubernetes_namespace.monitoring.metadata[0].name
|
|
|
|
annotations = {
|
|
"reloader.stakater.com/match" = "true"
|
|
}
|
|
}
|
|
data = {
|
|
"config.yml" = <<-EOF
|
|
address: 0.0.0.0
|
|
port: 9610
|
|
hosts:
|
|
${var.idrac_host}:
|
|
username: ${var.idrac_username}
|
|
password: ${var.idrac_password}
|
|
default:
|
|
username: root
|
|
password: calvin
|
|
metrics:
|
|
all: true
|
|
# system: true
|
|
# sensors: true
|
|
# power: true
|
|
# sel: false # Disable SEL - often slow
|
|
# storage: true # Disable storage - slowest endpoint
|
|
# memory: true
|
|
# network: false # Disable network adapters
|
|
# firmware: false # Don't need this frequently
|
|
EOF
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_deployment" "idrac-redfish" {
|
|
metadata {
|
|
name = "idrac-redfish-exporter"
|
|
namespace = kubernetes_namespace.monitoring.metadata[0].name
|
|
labels = {
|
|
app = "idrac-redfish-exporter"
|
|
tier = var.tier
|
|
}
|
|
annotations = {
|
|
"reloader.stakater.com/search" = "true"
|
|
}
|
|
}
|
|
spec {
|
|
replicas = 1
|
|
selector {
|
|
match_labels = {
|
|
app = "idrac-redfish-exporter"
|
|
}
|
|
}
|
|
template {
|
|
metadata {
|
|
labels = {
|
|
app = "idrac-redfish-exporter"
|
|
}
|
|
}
|
|
spec {
|
|
priority_class_name = "tier-1-cluster"
|
|
container {
|
|
# https://github.com/mrlhansen/idrac_exporter?tab=readme-ov-file
|
|
# Patched v2.4.1 - restored missing idrac_power_supply_input_voltage metric
|
|
# See: https://github.com/mrlhansen/idrac_exporter/issues/176
|
|
image = "viktorbarzin/idrac-redfish-exporter:2.4.1-voltage-fix"
|
|
name = "redfish-exporter"
|
|
port {
|
|
container_port = 9610
|
|
}
|
|
|
|
volume_mount {
|
|
name = "redfish-exporter-config"
|
|
mount_path = "/etc/prometheus/idrac.yml"
|
|
sub_path = "config.yml"
|
|
}
|
|
}
|
|
volume {
|
|
name = "redfish-exporter-config"
|
|
config_map {
|
|
name = "redfish-exporter-config"
|
|
}
|
|
}
|
|
dns_config {
|
|
option {
|
|
name = "ndots"
|
|
value = "2"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
lifecycle {
|
|
# KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
|
|
ignore_changes = [spec[0].template[0].spec[0].dns_config]
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_service" "idrac-redfish-exporter" {
|
|
metadata {
|
|
name = "idrac-redfish-exporter"
|
|
namespace = kubernetes_namespace.monitoring.metadata[0].name
|
|
labels = {
|
|
"app" = "idrac-redfish-exporter"
|
|
}
|
|
# annotations = {
|
|
# "prometheus.io/scrape" = "true"
|
|
# "prometheus.io/path" = "/metrics"
|
|
# "prometheus.io/port" = "9090"
|
|
# }
|
|
}
|
|
|
|
spec {
|
|
selector = {
|
|
"app" = "idrac-redfish-exporter"
|
|
}
|
|
port {
|
|
name = "http"
|
|
port = "9090"
|
|
target_port = "9610"
|
|
}
|
|
}
|
|
}
|
|
|
|
module "idrac-redfish-exporter-ingress" {
|
|
source = "../../../../modules/kubernetes/ingress_factory"
|
|
# Auth disabled: HA Sofia + Prometheus scrape this endpoint
|
|
# programmatically (no browser, no SSO cookie). The
|
|
# allow_local_access_only middleware (192.168.0.0/16 + 10.0.0.0/8)
|
|
# already gates external access, so layering Authentik on top only
|
|
# breaks the REST sensor in HA Sofia (it gets a 302 to authentik.viktorbarzin.me
|
|
# and parses HTML instead of metrics).
|
|
# auth = "none": HA Sofia REST sensors poll programmatically without cookies; Authentik OIDC flow incompatible with automation.
|
|
auth = "none"
|
|
namespace = kubernetes_namespace.monitoring.metadata[0].name
|
|
name = "idrac-redfish-exporter"
|
|
root_domain = "viktorbarzin.lan"
|
|
tls_secret_name = var.tls_secret_name
|
|
allow_local_access_only = true
|
|
ssl_redirect = false
|
|
port = 9090
|
|
}
|