.

2026-03-21 19:48:03 +00:00
parent 703acac5cb
commit df11d7c1f9
2 changed files with 70 additions and 0 deletions
--- a/ingress-external-devices/firewall.yaml
+++ b/ingress-external-devices/firewall.yaml
@@ -65,6 +65,65 @@ spec:
 ---
 apiVersion: v1
 kind: Service
+metadata:
+  name: firewall-vpn
+  namespace: ingress-external
+spec:
+  ports:
+  - name: https
+    port: 4443
+    targetPort: 4443
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: firewall-vpn
+  namespace: ingress-external
+subsets:
+- addresses:
+  - ip: 10.0.1.1          # Sophos XG IP
+  ports:
+  - port: 4443
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: firewall-vpn
+  namespace: ingress-external
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/cluster-issuer: letsencrypt
+
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    nginx.ingress.kubernetes.io/upstream-vhost: "firewall.undercloud.local"
+    nginx.ingress.kubernetes.io/proxy-ssl-server-name: "true"
+    nginx.ingress.kubernetes.io/proxy-ssl-name: "firewall.undercloud.local"
+    nginx.ingress.kubernetes.io/proxy-ssl-verify: "false"
+
+    nginx.ingress.kubernetes.io/proxy-redirect-from: "https://firewall.undercloud.local:4443/"
+    nginx.ingress.kubernetes.io/proxy-redirect-to:   "https://firewall-vpn.apps.undercloud.dev/"
+    nginx.ingress.kubernetes.io/proxy-cookie-domain: "firewall.undercloud.local firewall-vpn.apps.undercloud.dev"
+
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+spec:
+  tls:
+  - hosts: [firewall-vpn.apps.undercloud.dev]
+    secretName: firewall-vpn-tls
+  rules:
+  - host: firewall-vpn.apps.undercloud.dev
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: firewall-vpn
+            port:
+              number: 4443
+---
+apiVersion: v1
+kind: Service
 metadata:
  name: firewall-userportal
  namespace: ingress-external