studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
265a68d85f2a76a4e750bf4eb799fcd07e33984e
sbbb/base/ingress/pingora-config.yaml

339 lines
11 KiB
YAML
Raw Normal View History

chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets
2026-02-28 13:42:27 +00:00
apiVersion: v1
kind: ConfigMap
metadata:
name: pingora-config
namespace: ingress
data:
config.toml: |
feat: replace nginx placeholder with custom Pingora proxy; add Postfix MTA Ingress: - Deploy custom sunbeam-proxy (Pingora/Rust) replacing nginx placeholder - HTTPS termination with mkcert (local) / rustls-acme (production) - Host-prefix routing with path-based sub-routing for auth virtual host: /oauth2 + /.well-known + /userinfo → Hydra, /kratos → Kratos (prefix stripped), default → login-ui - HTTP→HTTPS redirect, WebSocket passthrough, JSON audit logging, OTEL stub - cert-manager HTTP-01 ACME challenge routing via Ingress watcher - RBAC for Ingress watcher (pingora-watcher ClusterRole) - local overlay: hostPorts 80/443, LiveKit TURN demoted to ClusterIP to avoid klipper conflict Infrastructure: - socket_vmnet shared network for host↔VM reachability (192.168.105.2) - local-up.sh: cert-manager installation, eth1-based LIMA_IP detection, correct DOMAIN_SUFFIX sed substitution - Postfix MTA in lasuite namespace: outbound relay via Scaleway TEM, accepts SMTP from cluster pods - Kratos SMTP courier pointed at postfix.lasuite.svc.cluster.local:25 - Production overlay: cert-manager ClusterIssuer, ACME-enabled Pingora values
2026-03-01 16:25:11 +00:00
# Sunbeam proxy config.
#
# Substitution placeholders (replaced by sed at deploy time):
# DOMAIN_SUFFIX — e.g. <LIMA_IP>.sslip.io (local) or yourdomain.com (production)
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets
2026-02-28 13:42:27 +00:00
[listen]
http = "0.0.0.0:80"
https = "0.0.0.0:443"
feat: replace nginx placeholder with custom Pingora proxy; add Postfix MTA Ingress: - Deploy custom sunbeam-proxy (Pingora/Rust) replacing nginx placeholder - HTTPS termination with mkcert (local) / rustls-acme (production) - Host-prefix routing with path-based sub-routing for auth virtual host: /oauth2 + /.well-known + /userinfo → Hydra, /kratos → Kratos (prefix stripped), default → login-ui - HTTP→HTTPS redirect, WebSocket passthrough, JSON audit logging, OTEL stub - cert-manager HTTP-01 ACME challenge routing via Ingress watcher - RBAC for Ingress watcher (pingora-watcher ClusterRole) - local overlay: hostPorts 80/443, LiveKit TURN demoted to ClusterIP to avoid klipper conflict Infrastructure: - socket_vmnet shared network for host↔VM reachability (192.168.105.2) - local-up.sh: cert-manager installation, eth1-based LIMA_IP detection, correct DOMAIN_SUFFIX sed substitution - Postfix MTA in lasuite namespace: outbound relay via Scaleway TEM, accepts SMTP from cluster pods - Kratos SMTP courier pointed at postfix.lasuite.svc.cluster.local:25 - Production overlay: cert-manager ClusterIssuer, ACME-enabled Pingora values
2026-03-01 16:25:11 +00:00
[tls]
# Cert files are written here by the proxy on startup and on cert renewal
# via the K8s API. The /etc/tls directory is an emptyDir volume.
cert_path = "/etc/tls/tls.crt"
key_path = "/etc/tls/tls.key"
[telemetry]
feat: expose admin APIs behind OIDC auth_request Adds pingora routes for id, hydra, search, vault subdomains. Each gated by auth_request to Hydra userinfo — only valid SSO bearer tokens pass through. Adds new SANs to the TLS certificate.
2026-03-22 18:59:22 +00:00
# OTLP traces → Alloy → Tempo. Requires proxy build with the
# dedicated Tokio runtime in telemetry::init(). To enable:
# 1. sunbeam build proxy --push
# 2. sunbeam k8s exec on server: sudo crictl pull src.sunbeam.pt/studio/proxy:latest
# (pull the new image WHILE Pingora is still running the old one)
# 3. Set otlp_endpoint below and sunbeam apply ingress
# NEVER delete the cached image — Pingora gates the registry.
feat: integrate tuwunel with Ory SSO, rename chat to messages subdomain - Add matrix to hydra-maester enabledNamespaces for OAuth2Client CRD - Update allowed_return_urls and selfservice URLs: chat→messages - Add Kratos verification flow, employee/external identity schemas - Extend session lifespan to 30 days with persistent cookies - Route messages.* to tuwunel via Pingora with WebSocket support - Replace login-ui with kratos-admin-ui as unified auth frontend - Update TLS certificate SANs: chat→messages, add monitoring subdomains - Add tuwunel + La Suite images to production overlay - Switch DDoS/scanner detection to compiled-in ensemble models (observe_only)
2026-03-10 18:52:47 +00:00
otlp_endpoint = ""
feat(ingress): add detection pipeline config and metrics port - Add DDoS, scanner, and rate limiter configuration to pingora-config - Add kubernetes config section with configurable namespace/resource names - Expose metrics port 9090 on deployment and service
2026-03-08 20:37:49 +00:00
metrics_port = 9090
# Kubernetes resource names for cert/config watchers.
# Override these if your namespace or Secret/ConfigMap names differ.
[kubernetes]
namespace = "ingress"
tls_secret = "pingora-tls"
config_configmap = "pingora-config"
feat: integrate tuwunel with Ory SSO, rename chat to messages subdomain - Add matrix to hydra-maester enabledNamespaces for OAuth2Client CRD - Update allowed_return_urls and selfservice URLs: chat→messages - Add Kratos verification flow, employee/external identity schemas - Extend session lifespan to 30 days with persistent cookies - Route messages.* to tuwunel via Pingora with WebSocket support - Replace login-ui with kratos-admin-ui as unified auth frontend - Update TLS certificate SANs: chat→messages, add monitoring subdomains - Add tuwunel + La Suite images to production overlay - Switch DDoS/scanner detection to compiled-in ensemble models (observe_only)
2026-03-10 18:52:47 +00:00
# DDoS detection — decision tree + MLP ensemble (compiled-in weights).
feat(ingress): add detection pipeline config and metrics port - Add DDoS, scanner, and rate limiter configuration to pingora-config - Add kubernetes config section with configurable namespace/resource names - Expose metrics port 9090 on deployment and service
2026-03-08 20:37:49 +00:00
[ddos]
enabled = true
feat: integrate tuwunel with Ory SSO, rename chat to messages subdomain - Add matrix to hydra-maester enabledNamespaces for OAuth2Client CRD - Update allowed_return_urls and selfservice URLs: chat→messages - Add Kratos verification flow, employee/external identity schemas - Extend session lifespan to 30 days with persistent cookies - Route messages.* to tuwunel via Pingora with WebSocket support - Replace login-ui with kratos-admin-ui as unified auth frontend - Update TLS certificate SANs: chat→messages, add monitoring subdomains - Add tuwunel + La Suite images to production overlay - Switch DDoS/scanner detection to compiled-in ensemble models (observe_only)
2026-03-10 18:52:47 +00:00
observe_only = true
feat(ingress): add detection pipeline config and metrics port - Add DDoS, scanner, and rate limiter configuration to pingora-config - Add kubernetes config section with configurable namespace/resource names - Expose metrics port 9090 on deployment and service
2026-03-08 20:37:49 +00:00
threshold = 0.6
window_secs = 60
window_capacity = 1000
min_events = 10
feat: integrate tuwunel with Ory SSO, rename chat to messages subdomain - Add matrix to hydra-maester enabledNamespaces for OAuth2Client CRD - Update allowed_return_urls and selfservice URLs: chat→messages - Add Kratos verification flow, employee/external identity schemas - Extend session lifespan to 30 days with persistent cookies - Route messages.* to tuwunel via Pingora with WebSocket support - Replace login-ui with kratos-admin-ui as unified auth frontend - Update TLS certificate SANs: chat→messages, add monitoring subdomains - Add tuwunel + La Suite images to production overlay - Switch DDoS/scanner detection to compiled-in ensemble models (observe_only)
2026-03-10 18:52:47 +00:00
# Scanner detection — decision tree + MLP ensemble (compiled-in weights).
feat(ingress): add detection pipeline config and metrics port - Add DDoS, scanner, and rate limiter configuration to pingora-config - Add kubernetes config section with configurable namespace/resource names - Expose metrics port 9090 on deployment and service
2026-03-08 20:37:49 +00:00
[scanner]
enabled = true
feat: integrate tuwunel with Ory SSO, rename chat to messages subdomain - Add matrix to hydra-maester enabledNamespaces for OAuth2Client CRD - Update allowed_return_urls and selfservice URLs: chat→messages - Add Kratos verification flow, employee/external identity schemas - Extend session lifespan to 30 days with persistent cookies - Route messages.* to tuwunel via Pingora with WebSocket support - Replace login-ui with kratos-admin-ui as unified auth frontend - Update TLS certificate SANs: chat→messages, add monitoring subdomains - Add tuwunel + La Suite images to production overlay - Switch DDoS/scanner detection to compiled-in ensemble models (observe_only)
2026-03-10 18:52:47 +00:00
observe_only = true
feat(ingress): add detection pipeline config and metrics port - Add DDoS, scanner, and rate limiter configuration to pingora-config - Add kubernetes config section with configurable namespace/resource names - Expose metrics port 9090 on deployment and service
2026-03-08 20:37:49 +00:00
threshold = 0.5
bot_cache_ttl_secs = 86400
[[scanner.allowlist]]
ua_prefix = "Googlebot"
reason = "Google crawler"
dns_suffixes = ["googlebot.com", "google.com"]
cidrs = ["66.249.64.0/19"]
[[scanner.allowlist]]
ua_prefix = "Bingbot"
reason = "Microsoft crawler"
dns_suffixes = ["search.msn.com"]
cidrs = ["40.77.167.0/24", "157.55.39.0/24"]
feat: integrate tuwunel with Ory SSO, rename chat to messages subdomain - Add matrix to hydra-maester enabledNamespaces for OAuth2Client CRD - Update allowed_return_urls and selfservice URLs: chat→messages - Add Kratos verification flow, employee/external identity schemas - Extend session lifespan to 30 days with persistent cookies - Route messages.* to tuwunel via Pingora with WebSocket support - Replace login-ui with kratos-admin-ui as unified auth frontend - Update TLS certificate SANs: chat→messages, add monitoring subdomains - Add tuwunel + La Suite images to production overlay - Switch DDoS/scanner detection to compiled-in ensemble models (observe_only)
2026-03-10 18:52:47 +00:00
[[scanner.allowlist]]
ua_prefix = "containerd"
reason = "Container registry client (buildkitd/containerd)"
feat(ingress): add detection pipeline config and metrics port - Add DDoS, scanner, and rate limiter configuration to pingora-config - Add kubernetes config section with configurable namespace/resource names - Expose metrics port 9090 on deployment and service
2026-03-08 20:37:49 +00:00
# Rate limiting — leaky bucket per-identity throttling.
[rate_limit]
enabled = true
eviction_interval_secs = 300
stale_after_secs = 600
fix(ingress): use 10.0.0.0/8 bypass for all cluster-internal traffic Pod IPs are in 10.0.0.0/24, not 10.42.0.0/16 as assumed. Broadening to 10.0.0.0/8 covers pods, services, and CNI overlays.
2026-03-09 08:00:46 +00:00
bypass_cidrs = ["10.0.0.0/8", "127.0.0.0/8", "::1/128"]
feat(ingress): add detection pipeline config and metrics port - Add DDoS, scanner, and rate limiter configuration to pingora-config - Add kubernetes config section with configurable namespace/resource names - Expose metrics port 9090 on deployment and service
2026-03-08 20:37:49 +00:00
[rate_limit.authenticated]
burst = 200
rate = 50.0
[rate_limit.unauthenticated]
burst = 50
rate = 10.0
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets
2026-02-28 13:42:27 +00:00
feat: replace nginx placeholder with custom Pingora proxy; add Postfix MTA Ingress: - Deploy custom sunbeam-proxy (Pingora/Rust) replacing nginx placeholder - HTTPS termination with mkcert (local) / rustls-acme (production) - Host-prefix routing with path-based sub-routing for auth virtual host: /oauth2 + /.well-known + /userinfo → Hydra, /kratos → Kratos (prefix stripped), default → login-ui - HTTP→HTTPS redirect, WebSocket passthrough, JSON audit logging, OTEL stub - cert-manager HTTP-01 ACME challenge routing via Ingress watcher - RBAC for Ingress watcher (pingora-watcher ClusterRole) - local overlay: hostPorts 80/443, LiveKit TURN demoted to ClusterIP to avoid klipper conflict Infrastructure: - socket_vmnet shared network for host↔VM reachability (192.168.105.2) - local-up.sh: cert-manager installation, eth1-based LIMA_IP detection, correct DOMAIN_SUFFIX sed substitution - Postfix MTA in lasuite namespace: outbound relay via Scaleway TEM, accepts SMTP from cluster pods - Kratos SMTP courier pointed at postfix.lasuite.svc.cluster.local:25 - Production overlay: cert-manager ClusterIssuer, ACME-enabled Pingora values
2026-03-01 16:25:11 +00:00
# Host-prefix → backend routing table.
# The prefix is the subdomain before the first dot, so these routes work
# identically for yourdomain.com and *.sslip.io.
# Edit to match your own service names and namespaces.
docs(ingress): document disable_secure_redirection and other per-route options
2026-03-02 18:45:19 +00:00
#
# Per-route options:
# host_prefix — subdomain to match (required)
# backend — upstream URL, e.g. "http://svc.ns.svc.cluster.local:8000" (required)
# websocket — proxy WebSocket upgrades (default: false)
# disable_secure_redirection — when true, plain-HTTP requests are forwarded
# as-is instead of being 301-redirected to HTTPS.
# Default: false (all HTTP → HTTPS redirect enforced).
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets
2026-02-28 13:42:27 +00:00
[[routes]]
host_prefix = "docs"
feat(ingress): add detection pipeline config and metrics port - Add DDoS, scanner, and rate limiter configuration to pingora-config - Add kubernetes config section with configurable namespace/resource names - Expose metrics port 9090 on deployment and service
2026-03-08 20:37:49 +00:00
backend = "http://collabora.lasuite.svc.cluster.local:9980"
websocket = true
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets
2026-02-28 13:42:27 +00:00
[[routes]]
host_prefix = "meet"
feat(infra): Meet integration, La Suite theming, Pingora SSH + meet routes Meet: add backend/frontend/celery deployments and services, meet-config ConfigMap, nginx SPA config, VSO secrets (meet-db-credentials VDS, meet-django-secret and meet-livekit VSS). Wire oidc-meet OAuth2Client. La Suite overlay discipline: move people/docs frontend nginx ConfigMaps and patches from overlays/local to base so both environments share them. Remove values-ory.yaml (folded into base). Add docs-frontend nginx config with sub_filter theming. Add local gitea mkcert CA patch. Pingora: add [ssh] TCP passthrough block (port 22 → Gitea SSH pod) and split meet route into frontend default + backend paths for /api/, /admin/, /oidc/, /static/, /__. Remove now-unused values-pingora.yaml from production overlay (host ports moved to patch-pingora-hostport.yaml). Update both overlay kustomizations to reference all new resources and add meet-backend/meet-frontend image entries.
2026-03-06 12:08:21 +00:00
backend = "http://meet-frontend.lasuite.svc.cluster.local:80"
feat: replace nginx placeholder with custom Pingora proxy; add Postfix MTA Ingress: - Deploy custom sunbeam-proxy (Pingora/Rust) replacing nginx placeholder - HTTPS termination with mkcert (local) / rustls-acme (production) - Host-prefix routing with path-based sub-routing for auth virtual host: /oauth2 + /.well-known + /userinfo → Hydra, /kratos → Kratos (prefix stripped), default → login-ui - HTTP→HTTPS redirect, WebSocket passthrough, JSON audit logging, OTEL stub - cert-manager HTTP-01 ACME challenge routing via Ingress watcher - RBAC for Ingress watcher (pingora-watcher ClusterRole) - local overlay: hostPorts 80/443, LiveKit TURN demoted to ClusterIP to avoid klipper conflict Infrastructure: - socket_vmnet shared network for host↔VM reachability (192.168.105.2) - local-up.sh: cert-manager installation, eth1-based LIMA_IP detection, correct DOMAIN_SUFFIX sed substitution - Postfix MTA in lasuite namespace: outbound relay via Scaleway TEM, accepts SMTP from cluster pods - Kratos SMTP courier pointed at postfix.lasuite.svc.cluster.local:25 - Production overlay: cert-manager ClusterIssuer, ACME-enabled Pingora values
2026-03-01 16:25:11 +00:00
websocket = true
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets
2026-02-28 13:42:27 +00:00
feat(infra): Meet integration, La Suite theming, Pingora SSH + meet routes Meet: add backend/frontend/celery deployments and services, meet-config ConfigMap, nginx SPA config, VSO secrets (meet-db-credentials VDS, meet-django-secret and meet-livekit VSS). Wire oidc-meet OAuth2Client. La Suite overlay discipline: move people/docs frontend nginx ConfigMaps and patches from overlays/local to base so both environments share them. Remove values-ory.yaml (folded into base). Add docs-frontend nginx config with sub_filter theming. Add local gitea mkcert CA patch. Pingora: add [ssh] TCP passthrough block (port 22 → Gitea SSH pod) and split meet route into frontend default + backend paths for /api/, /admin/, /oidc/, /static/, /__. Remove now-unused values-pingora.yaml from production overlay (host ports moved to patch-pingora-hostport.yaml). Update both overlay kustomizations to reference all new resources and add meet-backend/meet-frontend image entries.
2026-03-06 12:08:21 +00:00
[[routes.paths]]
prefix = "/api/"
backend = "http://meet-backend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/admin/"
backend = "http://meet-backend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/oidc/"
backend = "http://meet-backend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/static/"
backend = "http://meet-backend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/__"
backend = "http://meet-backend.lasuite.svc.cluster.local:80"
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets
2026-02-28 13:42:27 +00:00
[[routes]]
host_prefix = "drive"
feat(ingress): add detection pipeline config and metrics port - Add DDoS, scanner, and rate limiter configuration to pingora-config - Add kubernetes config section with configurable namespace/resource names - Expose metrics port 9090 on deployment and service
2026-03-08 20:37:49 +00:00
backend = "http://drive-frontend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/api/"
backend = "http://drive-backend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/admin/"
backend = "http://drive-backend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/static/"
backend = "http://drive-backend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/external_api/"
backend = "http://drive-backend.lasuite.svc.cluster.local:80"
# /media/ falls through to frontend nginx which handles auth_request internally
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets
2026-02-28 13:42:27 +00:00
[[routes]]
host_prefix = "mail"
feat(ingress): add detection pipeline config and metrics port - Add DDoS, scanner, and rate limiter configuration to pingora-config - Add kubernetes config section with configurable namespace/resource names - Expose metrics port 9090 on deployment and service
2026-03-08 20:37:49 +00:00
# Caddy is the unified entry point — proxies /api/, /admin/, /static/, /oidc/ internally.
backend = "http://messages-frontend.lasuite.svc.cluster.local:80"
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets
2026-02-28 13:42:27 +00:00
[[routes]]
feat: integrate tuwunel with Ory SSO, rename chat to messages subdomain - Add matrix to hydra-maester enabledNamespaces for OAuth2Client CRD - Update allowed_return_urls and selfservice URLs: chat→messages - Add Kratos verification flow, employee/external identity schemas - Extend session lifespan to 30 days with persistent cookies - Route messages.* to tuwunel via Pingora with WebSocket support - Replace login-ui with kratos-admin-ui as unified auth frontend - Update TLS certificate SANs: chat→messages, add monitoring subdomains - Add tuwunel + La Suite images to production overlay - Switch DDoS/scanner detection to compiled-in ensemble models (observe_only)
2026-03-10 18:52:47 +00:00
host_prefix = "messages"
feat(ingress): add detection pipeline config and metrics port - Add DDoS, scanner, and rate limiter configuration to pingora-config - Add kubernetes config section with configurable namespace/resource names - Expose metrics port 9090 on deployment and service
2026-03-08 20:37:49 +00:00
backend = "http://tuwunel.matrix.svc.cluster.local:6167"
feat: replace nginx placeholder with custom Pingora proxy; add Postfix MTA Ingress: - Deploy custom sunbeam-proxy (Pingora/Rust) replacing nginx placeholder - HTTPS termination with mkcert (local) / rustls-acme (production) - Host-prefix routing with path-based sub-routing for auth virtual host: /oauth2 + /.well-known + /userinfo → Hydra, /kratos → Kratos (prefix stripped), default → login-ui - HTTP→HTTPS redirect, WebSocket passthrough, JSON audit logging, OTEL stub - cert-manager HTTP-01 ACME challenge routing via Ingress watcher - RBAC for Ingress watcher (pingora-watcher ClusterRole) - local overlay: hostPorts 80/443, LiveKit TURN demoted to ClusterIP to avoid klipper conflict Infrastructure: - socket_vmnet shared network for host↔VM reachability (192.168.105.2) - local-up.sh: cert-manager installation, eth1-based LIMA_IP detection, correct DOMAIN_SUFFIX sed substitution - Postfix MTA in lasuite namespace: outbound relay via Scaleway TEM, accepts SMTP from cluster pods - Kratos SMTP courier pointed at postfix.lasuite.svc.cluster.local:25 - Production overlay: cert-manager ClusterIssuer, ACME-enabled Pingora values
2026-03-01 16:25:11 +00:00
websocket = true
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets
2026-02-28 13:42:27 +00:00
feat(ingress): add detection pipeline config and metrics port - Add DDoS, scanner, and rate limiter configuration to pingora-config - Add kubernetes config section with configurable namespace/resource names - Expose metrics port 9090 on deployment and service
2026-03-08 20:37:49 +00:00
# Serve .well-known from tuwunel directly
[[routes.paths]]
prefix = "/.well-known/matrix"
backend = "http://tuwunel.matrix.svc.cluster.local:6167"
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets
2026-02-28 13:42:27 +00:00
[[routes]]
host_prefix = "people"
fix: route people.* to frontend; path-route API/admin/oauth2 to backend people.* now routes / to people-frontend (nginx/React SPA). Path prefixes /api/, /admin/, and /o/ are forwarded to people-backend (Django/gunicorn), matching the app's URL structure. Previously all people.* traffic hit people-backend directly, causing Django to return 404 "Page not found at /" for the root path. The [[routes.paths]] mechanism already existed in the proxy (used by the auth route) — only a config update was needed.
2026-03-03 01:04:10 +00:00
backend = "http://people-frontend.lasuite.svc.cluster.local:80"
# Backend handles the API, Django admin, and OAuth2 provider.
[[routes.paths]]
prefix = "/api/"
backend = "http://people-backend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/admin/"
backend = "http://people-backend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/o/"
backend = "http://people-backend.lasuite.svc.cluster.local:80"
fix(ingress): fix People backend service name; add find route The People backend service is named people-backend (not people) in the desk chart. Add a route for find-backend to front the future OpenSearch Dashboards service.
2026-03-02 18:33:34 +00:00
[[routes]]
host_prefix = "find"
backend = "http://find-backend.lasuite.svc.cluster.local:8000"
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets
2026-02-28 13:42:27 +00:00
[[routes]]
host_prefix = "src"
feat: replace nginx placeholder with custom Pingora proxy; add Postfix MTA Ingress: - Deploy custom sunbeam-proxy (Pingora/Rust) replacing nginx placeholder - HTTPS termination with mkcert (local) / rustls-acme (production) - Host-prefix routing with path-based sub-routing for auth virtual host: /oauth2 + /.well-known + /userinfo → Hydra, /kratos → Kratos (prefix stripped), default → login-ui - HTTP→HTTPS redirect, WebSocket passthrough, JSON audit logging, OTEL stub - cert-manager HTTP-01 ACME challenge routing via Ingress watcher - RBAC for Ingress watcher (pingora-watcher ClusterRole) - local overlay: hostPorts 80/443, LiveKit TURN demoted to ClusterIP to avoid klipper conflict Infrastructure: - socket_vmnet shared network for host↔VM reachability (192.168.105.2) - local-up.sh: cert-manager installation, eth1-based LIMA_IP detection, correct DOMAIN_SUFFIX sed substitution - Postfix MTA in lasuite namespace: outbound relay via Scaleway TEM, accepts SMTP from cluster pods - Kratos SMTP courier pointed at postfix.lasuite.svc.cluster.local:25 - Production overlay: cert-manager ClusterIssuer, ACME-enabled Pingora values
2026-03-01 16:25:11 +00:00
backend = "http://gitea-http.devtools.svc.cluster.local:3000"
websocket = true
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets
2026-02-28 13:42:27 +00:00
feat: integrate tuwunel with Ory SSO, rename chat to messages subdomain - Add matrix to hydra-maester enabledNamespaces for OAuth2Client CRD - Update allowed_return_urls and selfservice URLs: chat→messages - Add Kratos verification flow, employee/external identity schemas - Extend session lifespan to 30 days with persistent cookies - Route messages.* to tuwunel via Pingora with WebSocket support - Replace login-ui with kratos-admin-ui as unified auth frontend - Update TLS certificate SANs: chat→messages, add monitoring subdomains - Add tuwunel + La Suite images to production overlay - Switch DDoS/scanner detection to compiled-in ensemble models (observe_only)
2026-03-10 18:52:47 +00:00
# auth: unified IAM dashboard; Hydra handles OAuth2/OIDC; Kratos handles self-service flows.
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets
2026-02-28 13:42:27 +00:00
[[routes]]
host_prefix = "auth"
feat: integrate tuwunel with Ory SSO, rename chat to messages subdomain - Add matrix to hydra-maester enabledNamespaces for OAuth2Client CRD - Update allowed_return_urls and selfservice URLs: chat→messages - Add Kratos verification flow, employee/external identity schemas - Extend session lifespan to 30 days with persistent cookies - Route messages.* to tuwunel via Pingora with WebSocket support - Replace login-ui with kratos-admin-ui as unified auth frontend - Update TLS certificate SANs: chat→messages, add monitoring subdomains - Add tuwunel + La Suite images to production overlay - Switch DDoS/scanner detection to compiled-in ensemble models (observe_only)
2026-03-10 18:52:47 +00:00
backend = "http://kratos-admin-ui.ory.svc.cluster.local:3000"
feat: replace nginx placeholder with custom Pingora proxy; add Postfix MTA Ingress: - Deploy custom sunbeam-proxy (Pingora/Rust) replacing nginx placeholder - HTTPS termination with mkcert (local) / rustls-acme (production) - Host-prefix routing with path-based sub-routing for auth virtual host: /oauth2 + /.well-known + /userinfo → Hydra, /kratos → Kratos (prefix stripped), default → login-ui - HTTP→HTTPS redirect, WebSocket passthrough, JSON audit logging, OTEL stub - cert-manager HTTP-01 ACME challenge routing via Ingress watcher - RBAC for Ingress watcher (pingora-watcher ClusterRole) - local overlay: hostPorts 80/443, LiveKit TURN demoted to ClusterIP to avoid klipper conflict Infrastructure: - socket_vmnet shared network for host↔VM reachability (192.168.105.2) - local-up.sh: cert-manager installation, eth1-based LIMA_IP detection, correct DOMAIN_SUFFIX sed substitution - Postfix MTA in lasuite namespace: outbound relay via Scaleway TEM, accepts SMTP from cluster pods - Kratos SMTP courier pointed at postfix.lasuite.svc.cluster.local:25 - Production overlay: cert-manager ClusterIssuer, ACME-enabled Pingora values
2026-03-01 16:25:11 +00:00
[[routes.paths]]
prefix = "/oauth2"
backend = "http://hydra-public.ory.svc.cluster.local:4444"
[[routes.paths]]
prefix = "/.well-known"
backend = "http://hydra-public.ory.svc.cluster.local:4444"
[[routes.paths]]
prefix = "/userinfo"
backend = "http://hydra-public.ory.svc.cluster.local:4444"
# /kratos prefix is stripped before forwarding so Kratos sees its native paths.
[[routes.paths]]
prefix = "/kratos"
fix: correct Pingora upstream ports and kustomize namespace conflict pingora-config.yaml: kratos-public and people-backend K8s Services expose port 80, not 4433/8000. The wrong ports caused Pingora to return timeouts for /kratos/* and all people.* routes. ory/kustomization.yaml: remove kustomization-level namespace: ory transformer. All non-Helm resources already declare namespace: ory explicitly. The transformer was incorrectly moving hydra-maester's enabledNamespaces Role (generated for the lasuite namespace) into ory, producing a duplicate-name conflict during kustomize build.
2026-03-03 00:57:58 +00:00
backend = "http://kratos-public.ory.svc.cluster.local:80"
feat: replace nginx placeholder with custom Pingora proxy; add Postfix MTA Ingress: - Deploy custom sunbeam-proxy (Pingora/Rust) replacing nginx placeholder - HTTPS termination with mkcert (local) / rustls-acme (production) - Host-prefix routing with path-based sub-routing for auth virtual host: /oauth2 + /.well-known + /userinfo → Hydra, /kratos → Kratos (prefix stripped), default → login-ui - HTTP→HTTPS redirect, WebSocket passthrough, JSON audit logging, OTEL stub - cert-manager HTTP-01 ACME challenge routing via Ingress watcher - RBAC for Ingress watcher (pingora-watcher ClusterRole) - local overlay: hostPorts 80/443, LiveKit TURN demoted to ClusterIP to avoid klipper conflict Infrastructure: - socket_vmnet shared network for host↔VM reachability (192.168.105.2) - local-up.sh: cert-manager installation, eth1-based LIMA_IP detection, correct DOMAIN_SUFFIX sed substitution - Postfix MTA in lasuite namespace: outbound relay via Scaleway TEM, accepts SMTP from cluster pods - Kratos SMTP courier pointed at postfix.lasuite.svc.cluster.local:25 - Production overlay: cert-manager ClusterIssuer, ACME-enabled Pingora values
2026-03-01 16:25:11 +00:00
strip_prefix = true
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets
2026-02-28 13:42:27 +00:00
feat(lasuite): deploy La Suite Docs (impress) Adds the impress Helm chart (suitenumerique/docs, v4.5.0) to the lasuite namespace with full Pingora routing, VSO secrets, and local overlay resource tuning. Routing (pingora-config.yaml): - docs.* frontend -> docs-frontend:80 (nginx, static Next.js export) - /api/* and /admin/* -> docs-backend:80 (Django/uvicorn) - /collaboration/ws/* -> docs-y-provider:4444 (Hocuspocus WebSocket) - integration.* -> integration:80 (La Gaufre hub, same file) Secrets (vault-secrets.yaml): - VaultDynamicSecret docs-db-credentials (DB engine, static role) - VaultStaticSecret docs-django-secret (DJANGO_SECRET_KEY) - VaultStaticSecret docs-collaboration-secret (y-provider shared secret) OIDC client (oidc-clients.yaml): - Fix redirect_uri from /oidc/callback/ to /api/v1.0/callback/ -- impress mounts all OIDC URLs under api/{API_VERSION}/ via lasuite.oidc_login, same pattern as people. Local overlay (values-resources.yaml): - docs-backend: 512Mi limit, WEB_CONCURRENCY=2 (4 uvicorn workers exceeded 384Mi at startup on the arm64 Lima VM) - docs-celery-worker: 384Mi limit, CELERY_WORKER_CONCURRENCY=2 - docs-y-provider: 256Mi limit - seaweedfs-filer: raised from 256Mi to 512Mi (OOMKilled during 188MB multipart S3 upload of impress-y-provider image layer) Local overlay (kustomization.yaml): - Image mirrors for impress-backend, impress-frontend, impress-y-provider (amd64-only images retagged to Gitea via cmd_mirror before deploy)
2026-03-03 14:30:45 +00:00
[[routes]]
host_prefix = "integration"
backend = "http://integration.lasuite.svc.cluster.local:80"
feat(infra): Meet integration, La Suite theming, Pingora SSH + meet routes Meet: add backend/frontend/celery deployments and services, meet-config ConfigMap, nginx SPA config, VSO secrets (meet-db-credentials VDS, meet-django-secret and meet-livekit VSS). Wire oidc-meet OAuth2Client. La Suite overlay discipline: move people/docs frontend nginx ConfigMaps and patches from overlays/local to base so both environments share them. Remove values-ory.yaml (folded into base). Add docs-frontend nginx config with sub_filter theming. Add local gitea mkcert CA patch. Pingora: add [ssh] TCP passthrough block (port 22 → Gitea SSH pod) and split meet route into frontend default + backend paths for /api/, /admin/, /oidc/, /static/, /__. Remove now-unused values-pingora.yaml from production overlay (host ports moved to patch-pingora-hostport.yaml). Update both overlay kustomizations to reference all new resources and add meet-backend/meet-frontend image entries.
2026-03-06 12:08:21 +00:00
[[routes]]
feat(ingress): add detection pipeline config and metrics port - Add DDoS, scanner, and rate limiter configuration to pingora-config - Add kubernetes config section with configurable namespace/resource names - Expose metrics port 9090 on deployment and service
2026-03-08 20:37:49 +00:00
host_prefix = "metrics"
feat(infra): Meet integration, La Suite theming, Pingora SSH + meet routes Meet: add backend/frontend/celery deployments and services, meet-config ConfigMap, nginx SPA config, VSO secrets (meet-db-credentials VDS, meet-django-secret and meet-livekit VSS). Wire oidc-meet OAuth2Client. La Suite overlay discipline: move people/docs frontend nginx ConfigMaps and patches from overlays/local to base so both environments share them. Remove values-ory.yaml (folded into base). Add docs-frontend nginx config with sub_filter theming. Add local gitea mkcert CA patch. Pingora: add [ssh] TCP passthrough block (port 22 → Gitea SSH pod) and split meet route into frontend default + backend paths for /api/, /admin/, /oidc/, /static/, /__. Remove now-unused values-pingora.yaml from production overlay (host ports moved to patch-pingora-hostport.yaml). Update both overlay kustomizations to reference all new resources and add meet-backend/meet-frontend image entries.
2026-03-06 12:08:21 +00:00
backend = "http://kube-prometheus-stack-grafana.monitoring.svc.cluster.local:80"
feat(ingress): add detection pipeline config and metrics port - Add DDoS, scanner, and rate limiter configuration to pingora-config - Add kubernetes config section with configurable namespace/resource names - Expose metrics port 9090 on deployment and service
2026-03-08 20:37:49 +00:00
[[routes]]
host_prefix = "systemmetrics"
backend = "http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090"
[[routes]]
host_prefix = "systemlogs"
backend = "http://loki-gateway.monitoring.svc.cluster.local:80"
[[routes]]
host_prefix = "systemtracing"
backend = "http://tempo.monitoring.svc.cluster.local:3200"
Fix meet: ALLOWED_HOSTS, OIDC callback, and LiveKit connectivity - meet-config: rename ALLOWED_HOSTS → DJANGO_ALLOWED_HOSTS (django-configurations ListValue uses DJANGO_ prefix by default; without it the list was empty and every browser request got 400 DisallowedHost) - meet-config: set LIVEKIT_API_URL to public https://livekit.DOMAIN_SUFFIX so the meet frontend can reach LiveKit for WebSocket signaling - pingora-config: add livekit.DOMAIN_SUFFIX → livekit-server:80 WebSocket route - cert-manager: add livekit.DOMAIN_SUFFIX to TLS cert dnsNames - oidc-clients: fix meet redirect URI /oidc/callback/ → /api/v1.0/callback/ (meet embeds mozilla-django-oidc inside the api/v1.0/ prefix); add postLogoutRedirectUri for clean logout - livekit-values: replace hardcoded devkey:secret-placeholder with key_file loaded from a VSO-managed K8s Secret (secret/livekit in OpenBao) - media/vault-secrets: add VaultAuth + VaultStaticSecret for media namespace to sync livekit API credentials from OpenBao
2026-03-06 13:56:29 +00:00
[[routes]]
host_prefix = "livekit"
backend = "http://livekit-server.media.svc.cluster.local:80"
websocket = true
feat(lasuite): add calendars service deployment manifests Add K8s manifests for calendars backend, frontend (Caddy), CalDAV server, and Celery worker. Wire Pingora routing for cal.sunbeam.pt with path-based backend/caldav/static splits. Add OAuth2Client for OIDC, VaultDynamicSecret for DB credentials, VaultStaticSecret for Django/CalDAV keys, and TLS cert coverage for the cal subdomain. Register calendars in the integration service gaufre widget.
2026-03-18 18:36:05 +00:00
[[routes]]
host_prefix = "cal"
backend = "http://calendars-frontend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/api/"
backend = "http://calendars-backend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/admin/"
backend = "http://calendars-backend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/static/"
backend = "http://calendars-backend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/caldav"
backend = "http://calendars-backend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/.well-known/caldav"
backend = "http://calendars-backend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/rsvp/"
backend = "http://calendars-backend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/ical/"
backend = "http://calendars-backend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/external_api/"
backend = "http://calendars-backend.lasuite.svc.cluster.local:80"
[[routes.paths]]
prefix = "/__"
backend = "http://calendars-backend.lasuite.svc.cluster.local:80"
feat(lasuite): add Projects (Planka Kanban) service Deploy Planka-based project management at projects.DOMAIN_SUFFIX: - ConfigMap with OIDC, S3, SMTP, La Gaufre widget config - Deployment + Service (init container for DB migrations, Sails on 1337) - OAuth2Client (client_secret_basic, redirect to /oidc-callback) - VaultDynamicSecret for DATABASE_URL, VaultStaticSecret for SECRET_KEY - Pingora route with websocket support (Socket.io) - Image overrides in both local and production overlays - TLS cert dnsNames updated for projects subdomain - Integration service.json updated with Projects entry - seaweedfs-s3-credentials rolloutRestartTargets includes projects
2026-03-20 13:41:54 +00:00
[[routes]]
host_prefix = "projects"
backend = "http://projects.lasuite.svc.cluster.local:80"
websocket = true
chore: initial infrastructure scaffold Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets
2026-02-28 13:42:27 +00:00
[[routes]]
host_prefix = "s3"
backend = "http://seaweedfs-filer.storage.svc.cluster.local:8333"
feat(infra): Meet integration, La Suite theming, Pingora SSH + meet routes Meet: add backend/frontend/celery deployments and services, meet-config ConfigMap, nginx SPA config, VSO secrets (meet-db-credentials VDS, meet-django-secret and meet-livekit VSS). Wire oidc-meet OAuth2Client. La Suite overlay discipline: move people/docs frontend nginx ConfigMaps and patches from overlays/local to base so both environments share them. Remove values-ory.yaml (folded into base). Add docs-frontend nginx config with sub_filter theming. Add local gitea mkcert CA patch. Pingora: add [ssh] TCP passthrough block (port 22 → Gitea SSH pod) and split meet route into frontend default + backend paths for /api/, /admin/, /oidc/, /static/, /__. Remove now-unused values-pingora.yaml from production overlay (host ports moved to patch-pingora-hostport.yaml). Update both overlay kustomizations to reference all new resources and add meet-backend/meet-frontend image entries.
2026-03-06 12:08:21 +00:00
feat: expose admin APIs behind OIDC auth_request Adds pingora routes for id, hydra, search, vault subdomains. Each gated by auth_request to Hydra userinfo — only valid SSO bearer tokens pass through. Adds new SANs to the TLS certificate.
2026-03-22 18:59:22 +00:00
# Admin APIs — gated behind OIDC auth_request (Hydra userinfo validates the SSO bearer token).
# CLI passes the token from `sunbeam auth sso` as Authorization: Bearer.
# Kratos admin API (identity, session, recovery, schema, courier management).
[[routes]]
host_prefix = "id"
backend = "http://kratos-admin.ory.svc.cluster.local:80"
[[routes.paths]]
prefix = "/"
backend = "http://kratos-admin.ory.svc.cluster.local:80"
auth_request = "http://hydra-public.ory.svc.cluster.local:4444/userinfo"
# Hydra admin API (OAuth2 client, JWK, issuer, token management).
# Exposed as a path under auth.{domain} alongside the existing public endpoints.
[[routes]]
host_prefix = "hydra"
backend = "http://hydra-admin.ory.svc.cluster.local:4445"
[[routes.paths]]
prefix = "/"
backend = "http://hydra-admin.ory.svc.cluster.local:4445"
auth_request = "http://hydra-public.ory.svc.cluster.local:4444/userinfo"
# OpenSearch admin API (document, index, cluster management).
[[routes]]
host_prefix = "search"
backend = "http://opensearch.data.svc.cluster.local:9200"
[[routes.paths]]
prefix = "/"
backend = "http://opensearch.data.svc.cluster.local:9200"
auth_request = "http://hydra-public.ory.svc.cluster.local:4444/userinfo"
# OpenBao/Vault API (secrets, policies, auth management).
[[routes]]
host_prefix = "vault"
backend = "http://openbao.data.svc.cluster.local:8200"
[[routes.paths]]
prefix = "/"
backend = "http://openbao.data.svc.cluster.local:8200"
auth_request = "http://hydra-public.ory.svc.cluster.local:4444/userinfo"
feat(infra): Meet integration, La Suite theming, Pingora SSH + meet routes Meet: add backend/frontend/celery deployments and services, meet-config ConfigMap, nginx SPA config, VSO secrets (meet-db-credentials VDS, meet-django-secret and meet-livekit VSS). Wire oidc-meet OAuth2Client. La Suite overlay discipline: move people/docs frontend nginx ConfigMaps and patches from overlays/local to base so both environments share them. Remove values-ory.yaml (folded into base). Add docs-frontend nginx config with sub_filter theming. Add local gitea mkcert CA patch. Pingora: add [ssh] TCP passthrough block (port 22 → Gitea SSH pod) and split meet route into frontend default + backend paths for /api/, /admin/, /oidc/, /static/, /__. Remove now-unused values-pingora.yaml from production overlay (host ports moved to patch-pingora-hostport.yaml). Update both overlay kustomizations to reference all new resources and add meet-backend/meet-frontend image entries.
2026-03-06 12:08:21 +00:00
# SSH TCP passthrough: port 22 → Gitea SSH pod (headless service → pod:2222).
[ssh]
listen = "0.0.0.0:22"
backend = "gitea-ssh.devtools.svc.cluster.local:2222"
Reference in New Issue Copy Permalink