diff --git a/Makefile b/Makefile
index 8b83ea4..ef005b0 100644
--- a/Makefile
+++ b/Makefile
@@ -58,7 +58,7 @@ DOCKER_RUN := docker run --rm -it \
 addon-harbor addon-gitea addon-owncloud addon-nextcloud \
 addon-csi-s3 addon-csi-ceph addon-csi-glusterfs addon-vaultwarden \
 addon-smtp-relay addon-vault addon-external-secrets \
- addon-jenkins addon-netbird addon-mediaserver addon-hysteria2-server addon-splitgw addon-ext-proxy \
+ addon-jenkins addon-netbird addon-mediaserver addon-hysteria2-server addon-splitgw addon-ingress-proxypass \
 add-node remove-node \
 add-etcd-node remove-etcd-node \
 etcd-backup etcd-restore etcd-list-snapshots \
@@ -420,9 +420,9 @@ addon-splitgw: _check_env _check_image ## Установить Split Gateway —
 @printf "$(CYAN)Устанавливаю Split Gateway (sing-box + Hysteria2)...$(NC)\n"
 $(DOCKER_RUN) addon splitgw $(ARGS)
-addon-ext-proxy: _check_env _check_image ## Проксировать внешние сервисы через ingress-nginx (ARGS="-e ext_proxy_vip=192.168.1.x")
+addon-ingress-proxypass: _check_env _check_image ## Проксировать внешние сервисы через ingress-nginx (ARGS="-e ingress_proxypass_vip=192.168.1.x")
 @printf "$(CYAN)Устанавливаю External Services Ingress Proxy...$(NC)\n"
- $(DOCKER_RUN) addon ext-proxy $(ARGS)
+ $(DOCKER_RUN) addon ingress-proxypass $(ARGS)
 # Generic цель — любой аддон из addons//playbook.yml
 addon-%: _check_env _check_image
diff --git a/README.md b/README.md
index 729b7d5..71237c9 100644
--- a/README.md
+++ b/README.md
@@ -52,7 +52,7 @@ HA-режим (embedded etcd): при отказе **любой одной** н | **Файловые хранилища** | nextcloud, owncloud | | **Медиасервер** | mediaserver — Plex, Sonarr, Radarr, Lidarr, Bazarr, Prowlarr + Hysteria2, Overseerr, Transmission, Samba | | **VPN / Прокси** | splitgw — прозрачный split-tunnel gateway (sing-box + Hysteria2 TPROXY, YouTube → прокси) | -| **Ingress Proxy** | ext-proxy — проксировать внешние сервисы (IP:PORT) через ingress-nginx по домену | +| **Ingress Proxy** | ingress-proxypass — проксировать внешние сервисы (IP:PORT) через ingress-nginx по домену | Все аддоны включаются флагами в `group_vars/all/addons.yml`. Установка: `make addon-`. diff --git a/addons/ext-proxy/role/templates/values.yaml.j2 b/addons/ext-proxy/role/templates/values.yaml.j2 deleted file mode 100644 index fa84245..0000000 --- a/addons/ext-proxy/role/templates/values.yaml.j2 +++ /dev/null @@ -1,9 +0,0 @@ -# Generated by Ansible — do not edit manually. -# Configure via: group_vars/all/addons.yml → ext_proxy_* variables. -# Note: auth.username/password are resolved to htpasswd hashes before this file is written. - -defaults: -{{ (ext_proxy_defaults | combine({'auth': _ext_proxy_def_auth_final})) | to_yaml | indent(2, True) }} - -proxies: -{{ _ext_proxy_proxies_final | to_yaml | indent(2, True) }} diff --git a/addons/ext-proxy/README.md b/addons/ingress-proxypass/README.md similarity index 87% rename from addons/ext-proxy/README.md rename to addons/ingress-proxypass/README.md index 84a2303..d03ebe5 100644 --- a/addons/ext-proxy/README.md +++ b/addons/ingress-proxypass/README.md @@ -24,9 +24,9 @@ ```yaml # group_vars/all/addons.yml -addon_ext_proxy: true +addon_ingress_proxypass: true -ext_proxy_proxies: +ingress_proxypass_proxies: - name: plex hosts: [plex.home.ru] ips: [192.168.1.50] 
@@ -41,9 +41,9 @@ ext_proxy_proxies: **2. Разверни:** ```bash -make addon-ext-proxy +make addon-ingress-proxypass # с явным VIP в сводке: -make addon-ext-proxy ARGS="-e ext_proxy_vip=192.168.1.100" +make addon-ingress-proxypass ARGS="-e ingress_proxypass_vip=192.168.1.100" ``` **3. Направь DNS на kube-vip:** @@ -92,10 +92,10 @@ router.home.ru IN A 192.168.1.100 ### Глобальные значения по умолчанию ```yaml -ext_proxy_namespace: "ext-proxy" # Kubernetes namespace -ext_proxy_release_name: "ext-proxy" # имя Helm release +ingress_proxypass_namespace: "ingress-proxypass" # Kubernetes namespace +ingress_proxypass_release_name: "ingress-proxypass" # имя Helm release -ext_proxy_defaults: +ingress_proxypass_defaults: ingressClass: nginx # класс Ingress (должен совпадать с именем в ingress-nginx) tls: @@ -128,7 +128,7 @@ ext_proxy_defaults: ### Поля определения прокси ```yaml -ext_proxy_proxies: +ingress_proxypass_proxies: - name: myservice # (обязательно) уникальное имя → имя ресурса в K8s hosts: # (обязательно) список хостов - myservice.home.ru @@ -169,12 +169,12 @@ ext_proxy_proxies: Если есть wildcard-сертификат, управляемый cert-manager и хранящийся в Secret: ```yaml -ext_proxy_defaults: +ingress_proxypass_defaults: tls: enabled: true - secretName: wildcard-tls # должен существовать в ext_proxy_namespace + secretName: wildcard-tls # должен существовать в ingress_proxypass_namespace -ext_proxy_proxies: +ingress_proxypass_proxies: - name: plex hosts: [plex.home.ru] ips: [192.168.1.50] @@ -184,7 +184,7 @@ ext_proxy_proxies: Переопределить TLS для конкретного прокси: ```yaml -ext_proxy_proxies: +ingress_proxypass_proxies: - name: router hosts: [router.home.ru] ips: [192.168.1.1] @@ -196,7 +196,7 @@ ext_proxy_proxies: ### TLS — автоматический выпуск через cert-manager ```yaml -ext_proxy_defaults: +ingress_proxypass_defaults: tls: enabled: true certManager: 
@@ -216,16 +216,16 @@ cert-manager автоматически выпустит сертификат д ```yaml # group_vars/all/addons.yml -ext_proxy_defaults: +ingress_proxypass_defaults: auth: enabled: true username: admin - password: "{{ vault_ext_proxy_password }}" # пароль из vault + password: "{{ vault_ingress_proxypass_password }}" # пароль из vault ``` ```yaml # group_vars/all/vault.yml -vault_ext_proxy_password: "мойсекретныйпароль" +vault_ingress_proxypass_password: "мойсекретныйпароль" ``` Ansible автоматически вызовет `openssl passwd -apr1` и запишет хэш в Kubernetes Secret. Пароль в открытом виде **не попадает** в Helm values, логи или конфиги. @@ -233,7 +233,7 @@ Ansible автоматически вызовет `openssl passwd -apr1` и за Выборочно для конкретного прокси (остальные без auth): ```yaml -ext_proxy_proxies: +ingress_proxypass_proxies: - name: router hosts: [router.home.ru] ips: [192.168.1.1] @@ -349,10 +349,10 @@ K8s создаёт два адреса в объекте `Endpoints`. kube-proxy ## Как добавить новый внешний сервис -1. Добавь запись в `ext_proxy_proxies` в файле `group_vars/all/addons.yml`: +1. Добавь запись в `ingress_proxypass_proxies` в файле `group_vars/all/addons.yml`: ```yaml -ext_proxy_proxies: +ingress_proxypass_proxies: # ... существующие записи ... - name: homeassistant hosts: [ha.home.ru] @@ -364,7 +364,7 @@ ext_proxy_proxies: 2. Запусти аддон повторно: ```bash -make addon-ext-proxy +make addon-ingress-proxypass ``` Helm upgrade идемпотентен — существующие ресурсы обновляются, новые добавляются. @@ -416,7 +416,7 @@ kubectl -n ingress-nginx get svc ingress-nginx-controller ### 1. Убедись что ресурсы созданы ```bash -kubectl -n ext-proxy get all,ingress,endpoints +kubectl -n ingress-proxypass get all,ingress,endpoints # Ожидаемый вывод: # NAME TYPE CLUSTER-IP ... 
@@ -431,7 +431,7 @@ kubectl -n ext-proxy get all,ingress,endpoints ### 2. Проверь Endpoints заполнены ```bash -kubectl -n ext-proxy describe endpoints plex +kubectl -n ingress-proxypass describe endpoints plex # Должно показать "Addresses: 192.168.1.50" и "Ports: http 32400/TCP" ``` @@ -439,7 +439,7 @@ kubectl -n ext-proxy describe endpoints plex ```bash kubectl run curl --rm -it --image=curlimages/curl -- \ - curl -v http://plex.ext-proxy.svc.cluster.local:32400 + curl -v http://plex.ingress-proxypass.svc.cluster.local:32400 ``` ### 4. Проверь внешний доступ @@ -454,7 +454,7 @@ curl http://plex.home.ru/ ### 5. Убедись что ingress-nginx применил правила ```bash -kubectl -n ext-proxy describe ingress plex +kubectl -n ingress-proxypass describe ingress plex # Должно показать Rules → host → plex.home.ru → plex:32400 # Проверь что конфиг nginx обновился: @@ -470,7 +470,7 @@ kubectl -n ingress-nginx exec -it \ При такой конфигурации: ```yaml -ext_proxy_proxies: +ingress_proxypass_proxies: - name: plex hosts: - plex.home.ru @@ -489,7 +489,7 @@ apiVersion: v1 kind: Service metadata: name: plex - namespace: ext-proxy + namespace: ingress-proxypass spec: type: ClusterIP ports: @@ -505,7 +505,7 @@ apiVersion: v1 kind: Endpoints metadata: name: plex - namespace: ext-proxy + namespace: ingress-proxypass subsets: - addresses: - ip: "192.168.1.50" @@ -521,7 +521,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: plex - namespace: ext-proxy + namespace: ingress-proxypass annotations: nginx.ingress.kubernetes.io/proxy-connect-timeout: "60" nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" 
@@ -547,12 +547,12 @@ spec: ## Helm Chart — самостоятельное использование без Ansible -Чарт находится в `addons/ext-proxy/role/chart/`. Развернуть напрямую: +Чарт находится в `addons/ingress-proxypass/role/chart/`. Развернуть напрямую: ```bash # Из корня проекта: -helm upgrade --install ext-proxy addons/ext-proxy/role/chart \ - --namespace ext-proxy \ +helm upgrade --install ingress-proxypass addons/ingress-proxypass/role/chart \ + --namespace ingress-proxypass \ --create-namespace \ --values my-values.yaml ``` @@ -560,7 +560,7 @@ helm upgrade --install ext-proxy addons/ext-proxy/role/chart \ Сгенерировать манифесты без деплоя (для проверки): ```bash -helm template ext-proxy addons/ext-proxy/role/chart \ +helm template ingress-proxypass addons/ingress-proxypass/role/chart \ --values my-values.yaml ``` @@ -574,7 +574,7 @@ helm template ext-proxy addons/ext-proxy/role/chart \ ```bash # 1. Проверь Endpoints заполнены: -kubectl -n ext-proxy get endpoints plex +kubectl -n ingress-proxypass get endpoints plex # "Addresses" не должен быть пустым. Если "" — Endpoints отсутствует или некорректен. # 2. Проверь доступность внешнего IP с ноды кластера: @@ -590,10 +590,10 @@ curl -v http://192.168.1.50:32400 ```bash # Проверь наличие endpoints: -kubectl -n ext-proxy describe endpoints plex +kubectl -n ingress-proxypass describe endpoints plex # Убедись что у service есть ClusterIP: -kubectl -n ext-proxy get svc plex +kubectl -n ingress-proxypass get svc plex # Проверь логи ingress-nginx: kubectl -n ingress-nginx logs -l app.kubernetes.io/name=ingress-nginx --tail=100 
@@ -608,11 +608,11 @@ kubectl -n ingress-nginx logs -l app.kubernetes.io/name=ingress-nginx --tail=100 curl -v -H "Host: plex.home.ru" http://192.168.1.100/ # 2. Посмотри описание Ingress: -kubectl -n ext-proxy describe ingress plex +kubectl -n ingress-proxypass describe ingress plex # Раздел "Rules" — хост и путь должны совпадать точно. # 3. Проверь класс Ingress: -kubectl -n ext-proxy get ingress plex -o jsonpath='{.spec.ingressClassName}' +kubectl -n ingress-proxypass get ingress plex -o jsonpath='{.spec.ingressClassName}' # Должен совпадать с классом ingress-nginx (обычно "nginx") ``` @@ -633,11 +633,11 @@ curl -H "Host: plex.home.ru" http:/// ```bash # Проверь наличие TLS Secret в нужном namespace: -kubectl -n ext-proxy get secret wildcard-tls +kubectl -n ingress-proxypass get secret wildcard-tls # Проверь что cert-manager выпустил сертификат: -kubectl -n ext-proxy get certificate -kubectl -n ext-proxy describe certificate plex +kubectl -n ingress-proxypass get certificate +kubectl -n ingress-proxypass describe certificate plex # Логи cert-manager: kubectl -n cert-manager logs -l app=cert-manager --tail=50 @@ -650,18 +650,18 @@ kubectl -n cert-manager logs -l app=cert-manager --tail=50 curl -u admin:мойпароль http://plex.home.ru/ # Убедись что в Secret есть ключ "auth": -kubectl -n ext-proxy get secret plex-auth -o jsonpath='{.data.auth}' | base64 -d +kubectl -n ingress-proxypass get secret plex-auth -o jsonpath='{.data.auth}' | base64 -d # Должно вывести: admin:$apr1$... # Проверь аннотации в Ingress: -kubectl -n ext-proxy get ingress plex -o yaml | grep auth +kubectl -n ingress-proxypass get ingress plex -o yaml | grep auth ``` ### Обрывы WebSocket-соединения ```bash # Проверь аннотацию proxy-http-version: -kubectl -n ext-proxy get ingress plex -o yaml | grep proxy-http +kubectl -n ingress-proxypass get ingress plex -o yaml | grep proxy-http # Для сервисов где нужен длинный таймаут (стриминг): # Добавь в annotations: 
@@ -688,14 +688,14 @@ kubectl -n ingress-nginx exec \ ## Удаление ```bash -helm -n ext-proxy uninstall ext-proxy -kubectl delete namespace ext-proxy +helm -n ingress-proxypass uninstall ingress-proxypass +kubectl delete namespace ingress-proxypass ``` Удалить только один прокси без полного сноса релиза: -1. Убери запись из `ext_proxy_proxies` в `group_vars/all/addons.yml` -2. Запусти `make addon-ext-proxy` — Helm upgrade удалит убранные ресурсы +1. Убери запись из `ingress_proxypass_proxies` в `group_vars/all/addons.yml` +2. Запусти `make addon-ingress-proxypass` — Helm upgrade удалит убранные ресурсы --- @@ -710,16 +710,16 @@ kubectl delete namespace ext-proxy ### Команды Makefile ```bash -make addon-ext-proxy # развернуть / обновить -make addon-ext-proxy ARGS="-e ext_proxy_vip=..." # с явным VIP в сводке +make addon-ingress-proxypass # развернуть / обновить +make addon-ingress-proxypass ARGS="-e ingress_proxypass_vip=..." # с явным VIP в сводке ``` ### Переменные Ansible | Переменная | По умолчанию | Описание | |---|---|---| -| `ext_proxy_namespace` | `ext-proxy` | Kubernetes namespace | -| `ext_proxy_release_name` | `ext-proxy` | Имя Helm release | -| `ext_proxy_proxies` | `[]` | Список определений внешних сервисов | -| `ext_proxy_defaults.*` | см. defaults | Глобальные значения по умолчанию | -| `ext_proxy_vip` | `""` | kube-vip VIP — отображается в сводке после установки | +| `ingress_proxypass_namespace` | `ingress-proxypass` | Kubernetes namespace | +| `ingress_proxypass_release_name` | `ingress-proxypass` | Имя Helm release | +| `ingress_proxypass_proxies` | `[]` | Список определений внешних сервисов | +| `ingress_proxypass_defaults.*` | см. defaults | Глобальные значения по умолчанию | +| `ingress_proxypass_vip` | `""` | kube-vip VIP — отображается в сводке после установки | 
diff --git a/addons/ext-proxy/playbook.yml b/addons/ingress-proxypass/playbook.yml similarity index 100% rename from addons/ext-proxy/playbook.yml rename to addons/ingress-proxypass/playbook.yml diff --git a/addons/ext-proxy/role/chart/Chart.yaml b/addons/ingress-proxypass/role/chart/Chart.yaml similarity index 95% rename from addons/ext-proxy/role/chart/Chart.yaml rename to addons/ingress-proxypass/role/chart/Chart.yaml index 53a939c..092a3ae 100644 --- a/addons/ext-proxy/role/chart/Chart.yaml +++ b/addons/ingress-proxypass/role/chart/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -name: ext-proxy +name: ingress-proxypass description: | Proxies external services (outside Kubernetes) through ingress-nginx. Creates Service + Endpoints + Ingress for each configured host. diff --git a/addons/ext-proxy/role/chart/templates/NOTES.txt b/addons/ingress-proxypass/role/chart/templates/NOTES.txt similarity index 96% rename from addons/ext-proxy/role/chart/templates/NOTES.txt rename to addons/ingress-proxypass/role/chart/templates/NOTES.txt index 69a6040..b493020 100644 --- a/addons/ext-proxy/role/chart/templates/NOTES.txt +++ b/addons/ingress-proxypass/role/chart/templates/NOTES.txt @@ -8,7 +8,7 @@ Release : {{ .Release.Name }} Proxied services: {{- range .Values.proxies }} {{- $proxy := . }} -{{- $proxyName := include "ext-proxy.resourceName" $proxy.name }} +{{- $proxyName := include "ingress-proxypass.resourceName" $proxy.name }} {{- $tlsEnabled := $proxy.tls | default dict | dig "enabled" ($.Values.defaults.tls.enabled | default false) }} {{- $schema := "http" }} {{- if $tlsEnabled }}{{ $schema = "https" }}{{ end }} diff --git a/addons/ext-proxy/role/chart/templates/_helpers.tpl b/addons/ingress-proxypass/role/chart/templates/_helpers.tpl similarity index 69% rename from addons/ext-proxy/role/chart/templates/_helpers.tpl rename to addons/ingress-proxypass/role/chart/templates/_helpers.tpl index bc6d234..3465511 100644 --- a/addons/ext-proxy/role/chart/templates/_helpers.tpl 
+++ b/addons/ingress-proxypass/role/chart/templates/_helpers.tpl @@ -1,24 +1,24 @@ {{/* Normalize a proxy name to be safe as a Kubernetes resource name. Lowercases, replaces underscores and dots with hyphens, trims to 63 chars. -Usage: {{ include "ext-proxy.resourceName" "my_service.name" }} +Usage: {{ include "ingress-proxypass.resourceName" "my_service.name" }} */}} -{{- define "ext-proxy.resourceName" -}} +{{- define "ingress-proxypass.resourceName" -}} {{- . | lower | replace "_" "-" | replace "." "-" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Chart label string: name-version (used in helm.sh/chart label). */}} -{{- define "ext-proxy.chart" -}} +{{- define "ingress-proxypass.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels applied to all resources. */}} -{{- define "ext-proxy.labels" -}} -helm.sh/chart: {{ include "ext-proxy.chart" . }} +{{- define "ingress-proxypass.labels" -}} +helm.sh/chart: {{ include "ingress-proxypass.chart" . }} app.kubernetes.io/name: {{ default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} @@ -26,9 +26,9 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{/* Resolve a per-proxy boolean setting with fallback to global default. -Usage: {{ include "ext-proxy.boolSetting" (dict "proxy" $proxy "defaults" $d "key" "websocket" "fallback" true) }} +Usage: {{ include "ingress-proxypass.boolSetting" (dict "proxy" $proxy "defaults" $d "key" "websocket" "fallback" true) }} */}} -{{- define "ext-proxy.boolSetting" -}} +{{- define "ingress-proxypass.boolSetting" -}} {{- $proxyVal := index .proxy .key }} {{- $defaultVal := index .defaults .key }} {{- if ne $proxyVal nil }}{{ $proxyVal }} 
@@ -39,9 +39,9 @@ Usage: {{ include "ext-proxy.boolSetting" (dict "proxy" $proxy "defaults" $d "ke {{/* Resolve a per-proxy string setting with fallback to global default. -Usage: {{ include "ext-proxy.strSetting" (dict "proxy" $proxy "defaults" $d "key" "path" "fallback" "/") }} +Usage: {{ include "ingress-proxypass.strSetting" (dict "proxy" $proxy "defaults" $d "key" "path" "fallback" "/") }} */}} -{{- define "ext-proxy.strSetting" -}} +{{- define "ingress-proxypass.strSetting" -}} {{- $proxyVal := index .proxy .key }} {{- $defaultVal := index .defaults .key }} {{- if and $proxyVal (ne $proxyVal "") }}{{ $proxyVal }} diff --git a/addons/ext-proxy/role/chart/templates/endpoints.yaml b/addons/ingress-proxypass/role/chart/templates/endpoints.yaml similarity index 87% rename from addons/ext-proxy/role/chart/templates/endpoints.yaml rename to addons/ingress-proxypass/role/chart/templates/endpoints.yaml index 6440b39..274716c 100644 --- a/addons/ext-proxy/role/chart/templates/endpoints.yaml +++ b/addons/ingress-proxypass/role/chart/templates/endpoints.yaml @@ -11,7 +11,7 @@ Traffic path: */}} {{- range .Values.proxies }} {{- $proxy := . }} -{{- $proxyName := include "ext-proxy.resourceName" $proxy.name }} +{{- $proxyName := include "ingress-proxypass.resourceName" $proxy.name }} {{- $ips := $proxy.ips | default (list $proxy.ip) }} --- apiVersion: v1 @@ -20,7 +20,7 @@ metadata: name: {{ $proxyName }} namespace: {{ $.Release.Namespace }} labels: - {{- include "ext-proxy.labels" $ | nindent 4 }} + {{- include "ingress-proxypass.labels" $ | nindent 4 }} app.kubernetes.io/component: {{ $proxyName }} subsets: - addresses: diff --git a/addons/ext-proxy/role/chart/templates/ingress.yaml b/addons/ingress-proxypass/role/chart/templates/ingress.yaml similarity index 97% rename from addons/ext-proxy/role/chart/templates/ingress.yaml rename to addons/ingress-proxypass/role/chart/templates/ingress.yaml index f103ca4..c7cbf6c 100644 
--- a/addons/ext-proxy/role/chart/templates/ingress.yaml +++ b/addons/ingress-proxypass/role/chart/templates/ingress.yaml @@ -13,7 +13,7 @@ per-proxy annotations always win, with no duplicate YAML keys. {{- range .Values.proxies }} {{- $proxy := . }} {{- $d := $.Values.defaults }} -{{- $proxyName := include "ext-proxy.resourceName" $proxy.name }} +{{- $proxyName := include "ingress-proxypass.resourceName" $proxy.name }} {{/* ── Resolve per-proxy settings with fallback to defaults ────────────────── */}} {{- $ingressClass := $proxy.ingressClass | default $d.ingressClass | default "nginx" }} @@ -99,7 +99,7 @@ metadata: name: {{ $proxyName }} namespace: {{ $.Release.Namespace }} labels: - {{- include "ext-proxy.labels" $ | nindent 4 }} + {{- include "ingress-proxypass.labels" $ | nindent 4 }} app.kubernetes.io/component: {{ $proxyName }} annotations: {{- toYaml $ann | nindent 4 }} diff --git a/addons/ext-proxy/role/chart/templates/secret-auth.yaml b/addons/ingress-proxypass/role/chart/templates/secret-auth.yaml similarity index 90% rename from addons/ext-proxy/role/chart/templates/secret-auth.yaml rename to addons/ingress-proxypass/role/chart/templates/secret-auth.yaml index c92d5c5..7b4e54d 100644 --- a/addons/ext-proxy/role/chart/templates/secret-auth.yaml +++ b/addons/ingress-proxypass/role/chart/templates/secret-auth.yaml @@ -13,7 +13,7 @@ Generate credentials with: {{- range .Values.proxies }} {{- $proxy := . }} {{- $d := $.Values.defaults }} -{{- $proxyName := include "ext-proxy.resourceName" $proxy.name }} +{{- $proxyName := include "ingress-proxypass.resourceName" $proxy.name }} {{- $proxyAuth := $proxy.auth | default dict }} {{- $defAuth := $d.auth | default dict }} @@ -30,7 +30,7 @@ metadata: name: {{ $proxyName }}-auth namespace: {{ $.Release.Namespace }} labels: - {{- include "ext-proxy.labels" $ | nindent 4 }} + {{- include "ingress-proxypass.labels" $ | nindent 4 }} app.kubernetes.io/component: {{ $proxyName }} type: Opaque data: 
diff --git a/addons/ext-proxy/role/chart/templates/service.yaml b/addons/ingress-proxypass/role/chart/templates/service.yaml similarity index 84% rename from addons/ext-proxy/role/chart/templates/service.yaml rename to addons/ingress-proxypass/role/chart/templates/service.yaml index 46c2547..e14667b 100644 --- a/addons/ext-proxy/role/chart/templates/service.yaml +++ b/addons/ingress-proxypass/role/chart/templates/service.yaml @@ -5,7 +5,7 @@ The Service name MUST match the Endpoints name for K8s to associate them. */}} {{- range .Values.proxies }} {{- $proxy := . }} -{{- $proxyName := include "ext-proxy.resourceName" $proxy.name }} +{{- $proxyName := include "ingress-proxypass.resourceName" $proxy.name }} --- apiVersion: v1 kind: Service @@ -13,7 +13,7 @@ metadata: name: {{ $proxyName }} namespace: {{ $.Release.Namespace }} labels: - {{- include "ext-proxy.labels" $ | nindent 4 }} + {{- include "ingress-proxypass.labels" $ | nindent 4 }} app.kubernetes.io/component: {{ $proxyName }} spec: # ClusterIP with no selector: Kubernetes will not auto-manage endpoints. diff --git a/addons/ext-proxy/role/chart/values.yaml b/addons/ingress-proxypass/role/chart/values.yaml similarity index 100% rename from addons/ext-proxy/role/chart/values.yaml rename to addons/ingress-proxypass/role/chart/values.yaml diff --git a/addons/ext-proxy/role/defaults/main.yml b/addons/ingress-proxypass/role/defaults/main.yml similarity index 88% rename from addons/ext-proxy/role/defaults/main.yml rename to addons/ingress-proxypass/role/defaults/main.yml index 63b2301..757e98d 100644 --- a/addons/ext-proxy/role/defaults/main.yml +++ b/addons/ingress-proxypass/role/defaults/main.yml 
@@ -1,10 +1,10 @@ --- # ─── Helm release ───────────────────────────────────────────────────────────── -ext_proxy_namespace: "ext-proxy" -ext_proxy_release_name: "ext-proxy" +ingress_proxypass_namespace: "ingress-proxypass" +ingress_proxypass_release_name: "ingress-proxypass" # ─── Global defaults (mirror of chart values.defaults) ──────────────────────── -ext_proxy_defaults: +ingress_proxypass_defaults: ingressClass: nginx tls: enabled: false @@ -30,17 +30,17 @@ ext_proxy_defaults: # ─── Proxy definitions ──────────────────────────────────────────────────────── # Each entry creates: Service + Endpoints + Ingress (+ optional auth Secret) -# All fields support per-entry overrides of ext_proxy_defaults. +# All fields support per-entry overrides of ingress_proxypass_defaults. # # Minimal example: -# ext_proxy_proxies: +# ingress_proxypass_proxies: # - name: plex # hosts: [plex.home.ru] # ips: [192.168.1.50] # port: 32400 # # Full example: -# ext_proxy_proxies: +# ingress_proxypass_proxies: # - name: myapp # hosts: # - myapp.home.ru @@ -67,7 +67,7 @@ ext_proxy_defaults: # # credentials: "admin:$apr1$..." # annotations: # nginx.ingress.kubernetes.io/proxy-body-size: "0" -ext_proxy_proxies: [] +ingress_proxypass_proxies: [] # kube-vip VIP — shown in post-install summary (informational only) -ext_proxy_vip: "" +ingress_proxypass_vip: "" diff --git a/addons/ext-proxy/role/tasks/main.yml b/addons/ingress-proxypass/role/tasks/main.yml similarity index 77% rename from addons/ext-proxy/role/tasks/main.yml rename to addons/ingress-proxypass/role/tasks/main.yml index fe4a069..35742b0 100644 --- a/addons/ext-proxy/role/tasks/main.yml +++ b/addons/ingress-proxypass/role/tasks/main.yml 
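Review bot: With `tls.enabled: false` as the global default here and basic auth available per proxy (`ingress_proxypass_defaults.auth` in the README of this same diff), an operator who enables auth without also enabling TLS sends the username and password in cleartext on every request to the VIP. The role has no guard against that combination as far as this diff shows. Worth an `ansible.builtin.assert` in tasks/main.yml that fails when any proxy resolves to auth enabled and TLS disabled, or at least a comment above `tls:` here: `# NOTE: if auth.enabled is set anywhere, enable TLS too — basic auth over plain HTTP exposes the credentials`.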
@@ -1,21 +1,21 @@ --- # ── Validate inputs ─────────────────────────────────────────────────────────── -- name: Validate ext_proxy_proxies is defined and non-empty +- name: Validate ingress_proxypass_proxies is defined and non-empty ansible.builtin.assert: that: - - ext_proxy_proxies is defined - - ext_proxy_proxies | length > 0 + - ingress_proxypass_proxies is defined + - ingress_proxypass_proxies | length > 0 fail_msg: > - ext_proxy_proxies is empty. Define at least one proxy in - group_vars/all/addons.yml → ext_proxy_proxies. - success_msg: "ext_proxy_proxies: {{ ext_proxy_proxies | length }} service(s) defined" + ingress_proxypass_proxies is empty. Define at least one proxy in + group_vars/all/addons.yml → ingress_proxypass_proxies. + success_msg: "ingress_proxypass_proxies: {{ ingress_proxypass_proxies | length }} service(s) defined" # ── Create namespace ────────────────────────────────────────────────────────── -- name: Create ext-proxy namespace +- name: Create ingress-proxypass namespace ansible.builtin.command: > - k3s kubectl create namespace {{ ext_proxy_namespace }} + k3s kubectl create namespace {{ ingress_proxypass_namespace }} --dry-run=client -o yaml | k3s kubectl apply -f - become: true changed_when: false @@ -24,13 +24,13 @@ - name: Ensure chart temp directory is clean ansible.builtin.file: - path: /tmp/ext-proxy-chart + path: /tmp/ingress-proxypass-chart state: absent become: true - name: Create chart temp directory ansible.builtin.file: - path: /tmp/ext-proxy-chart + path: /tmp/ingress-proxypass-chart state: directory mode: "0755" become: true @@ -38,7 +38,7 @@ - name: Copy Helm chart to master ansible.builtin.copy: src: "{{ role_path }}/chart/" - dest: /tmp/ext-proxy-chart/ + dest: /tmp/ingress-proxypass-chart/ mode: preserve become: true 
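Review bot: `ansible.builtin.command` does not go through a shell, so the `| k3s kubectl apply -f -` on the line after the renamed `k3s kubectl create namespace {{ ingress_proxypass_namespace }}` is passed to kubectl as literal arguments rather than a pipe; unless I am misreading the module or errors are masked outside this hunk, the namespace task cannot work as written. Do not fix it by switching to `ansible.builtin.shell` as-is — that turns the unquoted `{{ ingress_proxypass_namespace }}` into a shell-injection point for anyone who can edit group_vars. Prefer `kubernetes.core.k8s` with `kind: Namespace`, `name: "{{ ingress_proxypass_namespace }}"`, `state: present` (needs the collection on the master), or keep `command` as a plain `k3s kubectl create namespace {{ ingress_proxypass_namespace }}` with `register: _ns` and `failed_when: _ns.rc != 0 and 'AlreadyExists' not in _ns.stderr`.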
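Review bot: The chart is staged at the fixed, predictable path `/tmp/ingress-proxypass-chart` as root (`become: true`), wiped with `state: absent`, recreated, and then fed to `helm upgrade` running with the cluster's admin credentials; on a master where other local accounts exist, a predictable root-written path in world-writable `/tmp` is a classic place for a pre-created directory or symlink to interfere with what ends up being deployed. Stage under a root-owned location instead, e.g. `path: /root/.ansible/ingress-proxypass-chart`, or obtain the directory from `ansible.builtin.tempfile` with `state: directory` and reuse its path for the chart copy, the values file and the helm calls. The same consideration applies to `/tmp/ingress-proxypass-values.yaml` written later in this file.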
@@ -96,42 +96,42 @@ proxy['auth'] = auth print(json.dumps({'proxies': proxies, 'def_auth': cleaned_def_auth})) - - "{{ ext_proxy_proxies | to_json }}" - - "{{ ext_proxy_defaults.auth | to_json }}" + - "{{ ingress_proxypass_proxies | to_json }}" + - "{{ ingress_proxypass_defaults.auth | to_json }}" register: _auth_processed changed_when: false no_log: true - name: Set final proxies and defaults with generated credentials ansible.builtin.set_fact: - _ext_proxy_proxies_final: "{{ (_auth_processed.stdout | from_json).proxies }}" - _ext_proxy_def_auth_final: "{{ (_auth_processed.stdout | from_json).def_auth }}" + _ingress_proxypass_proxies_final: "{{ (_auth_processed.stdout | from_json).proxies }}" + _ingress_proxypass_def_auth_final: "{{ (_auth_processed.stdout | from_json).def_auth }}" # ── Template Helm values ────────────────────────────────────────────────────── - name: Template Helm values ansible.builtin.template: src: values.yaml.j2 - dest: /tmp/ext-proxy-values.yaml + dest: /tmp/ingress-proxypass-values.yaml mode: "0640" become: true - name: Show generated Helm values - ansible.builtin.command: cat /tmp/ext-proxy-values.yaml + ansible.builtin.command: cat /tmp/ingress-proxypass-values.yaml become: true changed_when: false - register: _ext_proxy_values + register: _ingress_proxypass_values - name: Debug generated values ansible.builtin.debug: - var: _ext_proxy_values.stdout_lines + var: _ingress_proxypass_values.stdout_lines # ── Lint chart before deploying ─────────────────────────────────────────────── - name: Lint Helm chart ansible.builtin.command: > - helm lint /tmp/ext-proxy-chart - --values /tmp/ext-proxy-values.yaml + helm lint /tmp/ingress-proxypass-chart + --values /tmp/ingress-proxypass-values.yaml become: true changed_when: false register: _helm_lint 
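Review bot: The `Show generated Helm values` and `Debug generated values` tasks print the whole rendered values file — including the `admin:$apr1$…` htpasswd hashes that the preceding `no_log: true` task took care to hide — into the Ansible output and any log shipping attached to it, which undercuts the README's statement that credentials stay out of logs; apr1 is MD5-crypt and cheap to attack offline. Either drop the two tasks, or add `no_log: true` to the `cat` task and `verbosity: 2` to the `debug` task so the hashes only surface on an explicit `-vv` run. The values file itself is already written `mode: "0640"` as root, which is fine.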
@@ -139,12 +139,12 @@ # ── Deploy chart ────────────────────────────────────────────────────────────── -- name: Deploy ext-proxy via Helm +- name: Deploy ingress-proxypass via Helm ansible.builtin.command: > - helm upgrade --install {{ ext_proxy_release_name }} - /tmp/ext-proxy-chart - --namespace {{ ext_proxy_namespace }} - --values /tmp/ext-proxy-values.yaml + helm upgrade --install {{ ingress_proxypass_release_name }} + /tmp/ingress-proxypass-chart + --namespace {{ ingress_proxypass_namespace }} + --values /tmp/ingress-proxypass-values.yaml --atomic --wait --timeout 60s @@ -156,14 +156,14 @@ - name: Get Ingress list ansible.builtin.command: > - k3s kubectl -n {{ ext_proxy_namespace }} get ingress -o wide + k3s kubectl -n {{ ingress_proxypass_namespace }} get ingress -o wide become: true changed_when: false register: _ingress_list - name: Get Endpoints list ansible.builtin.command: > - k3s kubectl -n {{ ext_proxy_namespace }} get endpoints + k3s kubectl -n {{ ingress_proxypass_namespace }} get endpoints become: true changed_when: false register: _endpoints_list @@ -177,9 +177,9 @@ - "║ External Services Ingress Proxy — Deployed ║" - "╚══════════════════════════════════════════════════════════════╝" - "" - - " Namespace : {{ ext_proxy_namespace }}" - - " Release : {{ ext_proxy_release_name }}" - - " Services : {{ ext_proxy_proxies | length }}" + - " Namespace : {{ ingress_proxypass_namespace }}" + - " Release : {{ ingress_proxypass_release_name }}" + - " Services : {{ ingress_proxypass_proxies | length }}" - "" - " Ingress resources:" - "{{ _ingress_list.stdout_lines | to_yaml }}" 
@@ -187,7 +187,7 @@ - " Endpoints:" - "{{ _endpoints_list.stdout_lines | to_yaml }}" - "" - - " kube-vip VIP: {{ ext_proxy_vip | default('') }}" + - " kube-vip VIP: {{ ingress_proxypass_vip | default('') }}" - " → Point all proxy hostnames to the VIP in DNS/hosts file" - "" - - " Verify: kubectl -n {{ ext_proxy_namespace }} describe ingress" + - " Verify: kubectl -n {{ ingress_proxypass_namespace }} describe ingress" diff --git a/addons/ingress-proxypass/role/templates/values.yaml.j2 b/addons/ingress-proxypass/role/templates/values.yaml.j2 new file mode 100644 index 0000000..06e2f6f --- /dev/null +++ b/addons/ingress-proxypass/role/templates/values.yaml.j2 @@ -0,0 +1,9 @@ +# Generated by Ansible — do not edit manually. +# Configure via: group_vars/all/addons.yml → ingress_proxypass_* variables. +# Note: auth.username/password are resolved to htpasswd hashes before this file is written. + +defaults: +{{ (ingress_proxypass_defaults | combine({'auth': _ingress_proxypass_def_auth_final})) | to_yaml | indent(2, True) }} + +proxies: +{{ _ingress_proxypass_proxies_final | to_yaml | indent(2, True) }} diff --git a/docs/addons.md b/docs/addons.md index eacefb6..e2070b4 100644 --- a/docs/addons.md +++ b/docs/addons.md 
@@ -67,7 +67,7 @@ make addon-netbird | mediaserver | `addon_mediaserver` | Plex, Sonarr, Radarr, Lidarr, Bazarr, Prowlarr + Hysteria2 sidecar, Overseerr, Transmission, Samba | [→](../addons/mediaserver/README.md) | | **Сеть / VPN** | | | | | splitgw | `addon_splitgw` | Прозрачный split-tunnel gateway: sing-box + Hysteria2 TPROXY, YouTube→прокси, RU→прямой | [→](../addons/splitgw/README.md) | -| ext-proxy | `addon_ext_proxy` | Проксировать внешние сервисы (IP:PORT) через ingress-nginx по домену — Service + Endpoints + Ingress | [→](../addons/ext-proxy/README.md) | +| ingress-proxypass | `addon_ingress_proxypass` | Проксировать внешние сервисы (IP:PORT) через ingress-nginx по домену — Service + Endpoints + Ingress | [→](../addons/ingress-proxypass/README.md) | ## Конфигурация addons.yml @@ -119,7 +119,7 @@ addon_mediaserver: false # Plex + *arr + Transmission + Prowlarr/Hyste addon_splitgw: false # sing-box + Hysteria2 TPROXY (host или k8s DaemonSet) # ── External Services Ingress Proxy ─────────────────────────────────────────── -addon_ext_proxy: false # проксировать внешние сервисы через ingress-nginx +addon_ingress_proxypass: false # проксировать внешние сервисы через ingress-nginx ``` ## Зависимости между аддонами @@ -140,7 +140,7 @@ addon_ext_proxy: false # проксировать внешние с | `crowdsec` | `ingress-nginx` | Bouncer интеграция при addon_crowdsec | | `mediaserver` | `csi-nfs` (рекомендуется) | Shared PVC требует RWX StorageClass | | `splitgw` | Hysteria2 сервер (vault_hysteria2_url) | URL из Shadowrocket / NekoBox | -| `ext-proxy` | `ingress-nginx` | Требует работающий Ingress controller | +| `ingress-proxypass` | `ingress-nginx` | Требует работающий Ingress controller | ## MediaServer 
@@ -186,13 +186,13 @@ Samba получает IP от kube-vip (`LoadBalancer`) — подключен Проксирует внешние сервисы (вне кластера) через ingress-nginx по доменному имени. Для каждого сервиса автоматически создаёт `Service (ClusterIP, no selector)` + `Endpoints` + `Ingress`. Поддерживает TLS, basic auth, WebSocket, несколько хостов и несколько backend IP. ```bash -make addon-ext-proxy +make addon-ingress-proxypass ``` Конфигурация в `group_vars/all/addons.yml`: ```yaml -ext_proxy_proxies: +ingress_proxypass_proxies: - name: plex hosts: [plex.home.ru] ips: [192.168.1.50] @@ -207,7 +207,7 @@ ext_proxy_proxies: secretName: wildcard-cert ``` -Подробнее: [addons/ext-proxy/README.md](../addons/ext-proxy/README.md) +Подробнее: [addons/ingress-proxypass/README.md](../addons/ingress-proxypass/README.md) --- diff --git a/group_vars/all/addons.yml b/group_vars/all/addons.yml index 7492403..34fefce 100644 --- a/group_vars/all/addons.yml +++ b/group_vars/all/addons.yml @@ -41,7 +41,7 @@ addon_netbird: false # NetBird VPN (управляющий сер addon_mediaserver: false # MediaServer — Plex, *arr, Transmission, Prowlarr+Hysteria2, Samba addon_hysteria2_server: false # Hysteria2 VPN сервер на удалённый VPS (группа [hysteria2_server] в inventory) addon_splitgw: false # Split Gateway — прозрачный прокси sing-box+Hysteria2 (группа [splitgw] в inventory) -addon_ext_proxy: false # External Services Ingress Proxy — проксировать внешние сервисы через ingress-nginx +addon_ingress_proxypass: false # External Services Ingress Proxy — проксировать внешние сервисы через ingress-nginx # ─── NFS Server ─────────────────────────────────────────────────────────────── nfs_exports: diff --git a/playbooks/addons.yml b/playbooks/addons.yml index 9bbc25f..a088bd8 100644 --- a/playbooks/addons.yml +++ b/playbooks/addons.yml 
@@ -300,6 +300,6 @@
 hosts: k3s_master[0]
 gather_facts: false
 become: true
- when: addon_ext_proxy | default(false) | bool
+ when: addon_ingress_proxypass | default(false) | bool
 roles:
- - role: "{{ playbook_dir }}/../addons/ext-proxy/role"
+ - role: "{{ playbook_dir }}/../addons/ingress-proxypass/role"