fix: use expose annotation rather than explicit whitelist

2025-06-22 08:48:35 +02:00
parent 383477822a
commit 7607373146
7 changed files with 8 additions and 7 deletions
+1
@@ -223,6 +223,7 @@ configMaps:
{ "name": "argocd.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
{ "name": "hubble.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
{ "name": "plausible.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
{ "name": "dapr.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
{ "name": "rabbitmq.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
{ "name": "rabbitmq.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+1 -1
@@ -54,7 +54,7 @@ adminIngress:
nginx.ingress.kubernetes.io/backend-protocol: HTTP
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
oceanbox.io/expose: internal
hostname: keycloak.adm.oceanbox.io
ingressClassName: nginx
path: /
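Review bot: Nothing visible in this change enforces the source-IP restriction on this admin ingress once `nginx.ingress.kubernetes.io/whitelist-source-range` is replaced by `oceanbox.io/expose: internal` (reading the second of the two printed lines as the new side, per the commit title). ingress-nginx does not interpret that custom annotation itself, so the restriction presumably depends on a controller or admission policy outside this commit that translates it into an allow-list. If that component is missing, not yet synced, or does not cover a namespace, keycloak.adm.oceanbox.io would fail open to any source. I would add a comment above the annotation such as `# source-range restriction is applied by <policy-name>; without it this ingress is unrestricted`, and confirm the policy rejects unknown `expose` values. The same applies to the auth.adm, openfga.srv, openfga.dev, plume.ekman and hubble-ui hunks below.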
+1 -1
@@ -49,7 +49,7 @@ adminIngress:
nginx.ingress.kubernetes.io/backend-protocol: HTTP
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
oceanbox.io/expose: internal
hostname: auth.adm.oceanbox.io
ingressClassName: nginx
path: /
@@ -29,7 +29,7 @@ ingress:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
oceanbox.io/expose: internal
hosts:
- host: openfga.srv.oceanbox.io
paths:
@@ -29,7 +29,7 @@ ingress:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
oceanbox.io/expose: internal
hosts:
- host: openfga.dev.oceanbox.io
paths:
@@ -5,7 +5,7 @@ ingress:
cert-manager.io/cluster-issuer: letsencrypt-staging
nginx.ingress.kubernetes.io/backend-protocol: HTTP
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
oceanbox.io/expose: internal
hosts:
- host: plume.ekman.oceanbox.io
paths:
@@ -12,7 +12,7 @@ metadata:
# nginx.ingress.kubernetes.io/server-snippet: |
# client_header_buffer_size 100k;
# large_client_header_buffers 4 100k;
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24,128.39.100.131/32,158.36.88.98/32,158.36.21.21/32,192.30.252.0/22,140.82.112.0/20
oceanbox.io/expose: internal
name: hubble-ui
namespace: kube-system
spec:
@@ -42,7 +42,7 @@ metadata:
# nginx.ingress.kubernetes.io/server-snippet: |
# client_header_buffer_size 100k;
# large_client_header_buffers 4 100k;
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24,128.39.100.131/32,158.36.88.98/32,158.36.21.21/32,192.30.252.0/22,140.82.112.0/20
oceanbox.io/expose: internal
name: hubble-ui-oauth2-proxy
namespace: kube-system
spec:
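Review bot: The hubble-ui and hubble-ui-oauth2-proxy ingresses lose more than the RFC 1918 ranges in this change. Their old allow-list also named `128.39.100.131/32`, `158.36.88.98/32`, `158.36.21.21/32`, `192.30.252.0/22` and `140.82.112.0/20`, whereas the five other ingresses in this commit listed only the private ranges. Swapping both for the same `oceanbox.io/expose: internal` therefore changes the effective allow-list unless whatever implements `internal` happens to include those public ranges. That either cuts off sources that were deliberately admitted or, if `internal` is broader, widens access to a cluster-observability UI. Please confirm which is intended and record it, for example with `# external ranges previously allowed here were dropped intentionally` above the annotation in both places.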